Orbi connection to China

Proton68
Aspirant

Hi,

I've upgraded my IPS system and it has begun to send me alerts notifying me that my Orbi device was connecting on port 80 to an address that seems to be in China, and it does so regularly. Does anyone know why it does that?

Best regards

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP

Message 1 of 15

Re: Orbi connection to China


@Proton68 wrote:

I've upgraded my IPS system

What's that? Google suggests Integrated Plumbing Systems.

203.205.142.208 is Tencent.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 2 of 15
Proton68
Aspirant

Re: Orbi connection to China


@michaelkenward wrote:

@Proton68 wrote:

I've upgraded my IPS system

What's that? Google suggests Integrated Plumbing Systems.

203.205.142.208 is Tencent.

:-)

Intrusion Prevention System

Message 3 of 15
ekhalil
Master

Re: Orbi connection to China


@Proton68 wrote:

Hi,

I've upgraded my IPS system and it has begun to send me alerts notifying me that my Orbi device was connecting on port 80 to an address that seems to be in China, and it does so regularly. Does anyone know why it does that?

Best regards

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP


When you use the Orbi app and log in to your Netgear account, the app creates a VPN connection from your Netgear account on the cloud to Orbi to be able to manage your Orbi from the app. I think this is what your IPS sees.

This is only needed when using the app for Orbi management but not when you use the web GUI.

My Setup Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + RBS750, AP Mode, Wired/Wireless Backhaul / Orbi RBR50 + 6x RBS50, Router Mode, Wired/Wireless Backhaul | Switches Netgear GS208 | Time Zone CET (Sweden)

Message 4 of 15
CrimpOn
Sensei

Re: Orbi connection to China

The WhoIs lookup on these IP's traces back to:

inetnum:        203.205.192.0 - 203.205.255.255
netname:        TENCENT-NET-AP
descr:          Shenzhen Tencent Computer Systems Company Limited
descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr:          NanshanDistrict, Shenzhen
country:        CN


inetnum:        203.205.128.0 - 203.205.159.255
netname:        TENCENT-NET-AP
descr:          Shenzhen Tencent Computer Systems Company Limited
descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr:          NanshanDistrict, Shenzhen
country:        CN

This doesn't smell like "Netgear" to me. If 10.1.1.16 is the Orbi's WAN port, you could use the debug page to capture the LAN traffic and see exactly which device on your Orbi is connecting to those IPs.

I love my Orbi.
Message 5 of 15
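
The two alert lines from the original post can be checked against the two inetnum ranges quoted above without going online. The script below is an added example, not code from this thread, from Netgear or from the IPS vendor: it parses each alert, reports which of the embedded WHOIS ranges (if any) owns the destination, and flags that the alert's source address is itself a private (RFC 1918) address, which is why an IPS sitting upstream of the Orbi can only ever name the Orbi's WAN side and never the LAN device behind its NAT.

```python
"""Triage IPS alert lines against the inetnum ranges quoted in the thread.

Added example, not code from the forum thread, from Netgear or from the IPS
vendor. The alert lines are the ones in the original post; the ranges are the
two WHOIS inetnum blocks quoted above, embedded so nothing is looked up online."""
import ipaddress
import re

# The two alert lines exactly as posted.
ALERTS = [
    "Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious "
    "User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP",
    "Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious "
    "User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP",
]

# inetnum ranges from the WHOIS output quoted above: (first, last, netname).
KNOWN_RANGES = [
    ("203.205.192.0", "203.205.255.255", "TENCENT-NET-AP"),
    ("203.205.128.0", "203.205.159.255", "TENCENT-NET-AP"),
]

ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)


def parse_alert(line):
    """Pull signature, 5-tuple fields out of one alert line; None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    a["sport"] = int(a["sport"])
    a["dport"] = int(a["dport"])
    return a


def range_networks():
    """Convert each first/last inetnum range into CIDR networks once."""
    nets = []
    for first, last, name in KNOWN_RANGES:
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        ):
            nets.append((net, name))
    return nets


def lookup_netname(ip, nets=None):
    """Netname of the embedded range containing ip, or None if it is outside all of them."""
    nets = range_networks() if nets is None else nets
    addr = ipaddress.ip_address(ip)
    for net, name in nets:
        if addr in net:
            return name
    return None


def triage(alert_lines):
    """One record per parsable alert: destination owner (if in a known range) and
    whether the source is a private address, i.e. the IPS is seeing the router's
    WAN side and cannot identify the LAN device behind the NAT."""
    nets = range_networks()
    records = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        a["dst_netname"] = lookup_netname(a["dst"], nets)
        a["src_is_private"] = ipaddress.ip_address(a["src"]).is_private
        records.append(a)
    return records


if __name__ == "__main__":
    for r in triage(ALERTS):
        owner = r["dst_netname"] or "not in a known range"
        where = "source is private: another NAT hop is in front of it" if r["src_is_private"] else "public source"
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["proto"]}  owner={owner}  ({where})')
```

The range match only tells you who the destination block is registered to; the signature name refers to the HTTP User-Agent header, so the IPS was reading plaintext HTTP on ports 80 and 8080, and finding the LAN device that sent it (the next posts) is what decides whether anything is wrong.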

Re: Orbi connection to China


@CrimpOn wrote:

The WhoIs lookup on these IP's traces back to:

inetnum:        203.205.192.0 - 203.205.255.255
netname:        TENCENT-NET-AP
descr:          Shenzhen Tencent Computer Systems Company Limited
descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr:          NanshanDistrict, Shenzhen
country:        CN


inetnum:        203.205.128.0 - 203.205.159.255
netname:        TENCENT-NET-AP
descr:          Shenzhen Tencent Computer Systems Company Limited
descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr:          NanshanDistrict, Shenzhen
country:        CN

See above.

@CrimpOn wrote:

This doesn't smell like "Netgear" to me.

Nor does it smell like the Chinese or Russian governments.

Many of these things track back to something else on the local network. Sometimes an IoT device. Who knows?

Don't immediately think Chinese IP address = nasty. Look under the hood for what is really going on.

This is the important bit:

...capture the LAN traffic and see exactly which device on your Orbi is connecting to those IPs.

The router's log may be helpful. But it also has a habit of finding useless and misleading information.

But first check the plumbing.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 6 of 15
Chuck_M
Mentor

Re: Orbi connection to China

You would figure Netgear Armor would ID and take care of this :-) LOL!

---------------
My Equipment: Cox Cable (350Mb/35Mb), Orbi AX6000 (RBR850, 3 x RBS850) (2xWired backhaul), NG GS116PP Gigabit Smart Switch, Synology DS1019+ NAS
Message 7 of 15
CrimpOn
Sensei

Re: Orbi connection to China

I had not realized that Netgear Armor was available for the Orbi product line. Everything I have seen mentions the Nighthawk line.

With our houses filling up with devices that can be controlled using smartphone apps, pretty soon we'll have dozens of open ports. In my case, nearly everything connects back to Amazon Web Services (AWS).

It would be fascinating to know which Internet Protection System you have and how it fits into the modem->router environment.

I love my Orbi.
Message 8 of 15
Proton68
Aspirant

Re: Orbi connection to China

Thanks for the suggestion, will try to do that! :-)

Message 9 of 15
JoeCymru
Virtuoso

Re: Orbi connection to China

Personally I would be concerned, and not about Orbi. Tencent is the largest social gaming company on earth and also has an instant messaging service. Port 80 traffic to Tencent could be a worm or trojan utilizing one of your devices to try to hook up for fraudulent purposes.

Message 10 of 15
CrimpOn
Sensei

Re: Orbi connection to China

Once the connection is traced to a specific device, the next step may be to determine which app on that device is opening the connection.

I love my Orbi.
Message 11 of 15

Re: Orbi connection to China


@CrimpOn wrote:

Once the connection is traced to a specific device, the next step may be to determine which app on that device is opening the connection.


To help to home in on this excellent suggestion, in the past there have been references to devices like IoT cameras and other cloud connected widgets. They make a lot of those in China!

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 12 of 15
CrimpOn
Sensei

Re: Orbi connection to China

I don't know if it matters whether the Orbi is in "router" or "AP" mode (my Orbi is in router), but @ekhalil showed me how to display all the "open ports".

Browse to the Orbi debug page, usually 192.168.1.1/debug.htm

Check the box "Enable Telnet"

Use your favorite telnet application to telnet to the Orbi and log in with the same "admin" and password

Enter the command  cat /proc/net/ip_conntrack

It is sort of tedious to locate the IP you want in the telnet window, so I save the telnet session to a file and use a text editor to find what I want, sort the entries, etc. Every time I used the Windows telnet client, I would forget to save the session to a file, so I changed over to PuTTY and created a script that always saves the session to a unique text file.

After closing the telnet session, remember to go back to the debug page and turn off telnet access.

Once the device which has opened that IP connection has been located, I believe there are similar commands to display which application has the port open.

I love my Orbi.
Message 13 of 15
Chuck_M
Mentor

Re: Orbi connection to China

This should be an option to "Log Open Ports" for debugging.

---------------
My Equipment: Cox Cable (350Mb/35Mb), Orbi AX6000 (RBR850, 3 x RBS850) (2xWired backhaul), NG GS116PP Gigabit Smart Switch, Synology DS1019+ NAS
Message 14 of 15
ekhalil
Master

Re: Orbi connection to China


@CrimpOn wrote:

...

Enter the command  cat /proc/net/ip_conntrack

...


Thanks @CrimpOn. Yes, the ip_conntrack table is a good way to find which devices connected to a specific destination.

Please note that the ip_conntrack table contains historical information, so this table remembers recent connections for some time after they expire.

On the other hand, the netstat command shows only real-time information and does not have any historical information.

That's why you will notice that the number of connections in the ip_conntrack table is larger than in netstat.


My Setup Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + RBS750, AP Mode, Wired/Wireless Backhaul / Orbi RBR50 + 6x RBS50, Router Mode, Wired/Wireless Backhaul | Switches Netgear GS208 | Time Zone CET (Sweden)

Message 15 of 15
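
Searching the saved telnet session by hand, as CrimpOn describes, gets tedious; the script below is an added example (not code from this thread or from Netgear) that parses ip_conntrack lines and, for each destination of interest, lists the LAN address from the original-direction tuple together with the connection state, so that the entries ekhalil calls historical (connections that have already finished and only linger until their timeout) are visible as such. The sample lines are constructed; 192.168.1.x as the Orbi LAN and 10.1.1.16 as the Orbi WAN address are assumptions. It also accepts the newer /proc/net/nf_conntrack line layout, which prefixes each entry with the address family.

```python
"""Find which LAN device behind a NAT router talked to a given destination,
from a saved copy of the router's /proc/net/ip_conntrack (or nf_conntrack).

Added example, not code from the forum thread or from Netgear. Sample lines
below are constructed; 192.168.1.x as the Orbi LAN and 10.1.1.16 as the Orbi
WAN address are assumptions."""
import re
from collections import defaultdict

# Constructed sample of a saved telnet session (not real router output).
SAMPLE_CONNTRACK = """\
tcp      6 431995 ESTABLISHED src=192.168.1.23 dst=203.205.142.208 sport=52320 dport=80 packets=12 bytes=1860 src=203.205.142.208 dst=10.1.1.16 sport=80 dport=52320 packets=10 bytes=6400 [ASSURED] mark=0 use=2
tcp      6 117 TIME_WAIT src=192.168.1.23 dst=203.205.255.80 sport=52230 dport=8080 packets=8 bytes=900 src=203.205.255.80 dst=10.1.1.16 sport=8080 dport=52230 packets=7 bytes=3100 [ASSURED] mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=52.95.110.1 sport=40011 dport=443 packets=30 bytes=4000 src=52.95.110.1 dst=10.1.1.16 sport=443 dport=40011 packets=28 bytes=20000 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.1.23 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.23 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=2
"""

# The first entry again in the newer /proc/net/nf_conntrack layout (constructed),
# which prefixes the address family and its number before the protocol.
SAMPLE_NF_LINE = (
    "ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.1.23 dst=203.205.142.208 "
    "sport=52320 dport=80 packets=12 bytes=1860 src=203.205.142.208 dst=10.1.1.16 "
    "sport=80 dport=52320 packets=10 bytes=6400 [ASSURED] mark=0 use=2"
)

KV = re.compile(r"(\w+)=(\S+)")

# conntrack TCP states of connections that have already finished.
FINISHED_STATES = {"TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "FIN_WAIT"}


def parse_conntrack_line(line):
    """Parse one conntrack entry. The first src=/dst= pair is the original
    direction (the LAN client before NAT); the second pair is the reply
    direction, whose dst= is the router's WAN address. Returns None for
    lines that do not carry both tuples."""
    fields = line.split()
    first_kv = next((i for i, f in enumerate(fields) if "=" in f), None)
    if first_kv is None or first_kv == 0:
        return None
    header = fields[:first_kv]
    # nf_conntrack lines start with "ipv4 2"; ip_conntrack lines start with the protocol.
    proto = header[2] if header[0] in ("ipv4", "ipv6") and len(header) > 2 else header[0]
    # TCP entries name their state just before the first key=value; UDP entries end
    # the header with the numeric timeout instead.
    state = header[-1] if not header[-1].isdigit() else "-"
    by_key = defaultdict(list)
    for k, v in KV.findall(line):
        by_key[k].append(v)
    if any(len(by_key[k]) < 2 for k in ("src", "dst", "sport", "dport")):
        return None
    return {
        "proto": proto,
        "state": state,
        "orig_src": by_key["src"][0],
        "orig_dst": by_key["dst"][0],
        "orig_sport": int(by_key["sport"][0]),
        "orig_dport": int(by_key["dport"][0]),
        "reply_dst": by_key["dst"][1],
    }


def lan_clients_for(conntrack_text, dest_ips):
    """Map each destination of interest to {lan_address: [(state, dport), ...]}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in conntrack_text.splitlines():
        e = parse_conntrack_line(line)
        if e and e["orig_dst"] in dest_ips:
            hits[e["orig_dst"]][e["orig_src"]].append((e["state"], e["orig_dport"]))
    return {dst: dict(clients) for dst, clients in hits.items()}


def historical_only(hits):
    """Destinations whose recorded connections have all finished: they are still in
    the conntrack table only because it remembers entries for a while after they
    expire, which is why it shows more than netstat on the router."""
    return sorted(
        dst for dst, clients in hits.items()
        if all(state in FINISHED_STATES for conns in clients.values() for state, _ in conns)
    )


if __name__ == "__main__":
    hits = lan_clients_for(SAMPLE_CONNTRACK, {"203.205.142.208", "203.205.255.80"})
    for dst, clients in sorted(hits.items()):
        for lan_ip, conns in clients.items():
            print(f"{dst} <- {lan_ip}: {conns}")
    print("finished-only destinations:", historical_only(hits))
```

Feed it the file PuTTY saved rather than the live telnet window; the LAN address it prints is the device to look at next, and a destination that appears only under finished states was contacted earlier in the retention window rather than right now.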
Discussion stats
  • 14 replies
  • 2180 views
  • 4 kudos
  • 6 in conversation