× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: Root connections

vrspectre
Apprentice

Root connections

I was poking around and found the connections log. I found the attached screenshot. The first 3 are my local LAN IP. the bottom 4 root are not my IP. They are external IPs. What are these?

Model: RN51600|ReadyNAS 516 6-Bay Diskless
Message 1 of 26
Retired_Member
Not applicable

Re: Root connections

Hi @vrspectre, you might want to use WHOIS to find out. See example below for the ipv4 local loopback IP-address and kind regards.

https://www.whois.com/whois/127.0.0.1

Message 2 of 26
StephenB
Guru

Re: Root connections

FWIW, 5.x.x.x are used by the ReadyCloud VPN (whois will give a different answer),

 

https://community.netgear.com/t5/ReadyNAS-Cloud-Storage/ReadyCloud-replace-my-ReadyNAS-admin-page-wi...

Message 3 of 26
vrspectre
Apprentice

Re: Root connections

I looked at the whois 3 of the 4 are coming Amazon. Presumably something in AWS, and the 4th is form Huricane Electric. I would assume it's from one of those backu apps that comes installed with the readynas, but NONE of them are enabled. So why is their crap connecting to my box? 

Message 4 of 26
StephenB
Guru

Re: Root connections


@vrspectre wrote:

I looked at the whois 3 of the 4 are coming Amazon.


Which of course doesn't tell you anything (and neither does the hurricane electric one, since it's also a data center).

 

 

What apps and services are enabled?

 

NTP will of course make connections from time to time.  The system will also periodically connect to the firmware update server.

Message 5 of 26
Retired_Member
Not applicable

Re: Root connections

@StephenBwrote: "Which of course doesn't tell you anything".

Well, that seems to be somewhat wrong, because @vrspectre's question was: "...are external IPs. What are these?" and after using whois he seems to know more than before. He points out: "3 of the 4 are coming Amazon. Presumably something in AWS, and the 4th is form Huricane Electric". To me, that seems like his first question is answered.

 

@vrspectre's new and 2nd question: "So why is their crap connecting to my box?" I do not have an answer. But I have a suggestion how to continue:

1) With the information delivered by whois you could contact the owner of the ip address or domain behind it to ask what is going on.

2) If you cannot or do not want to do 1) you could block the concerned ip address or domain using a firewall in your router and investigate what is no longer working in your network. ...And do not block all suspicious ip addresses at the same time. Do one ip after the other to foster your decision to block or not to block. If all you need is working keep the blocked blocked, if not adjust as necessary.

Happy investigating and kind regards

 

Message 6 of 26
StephenB
Guru

Re: Root connections


@Retired_Member wrote:

@StephenBwrote: "Which of course doesn't tell you anything".

Well, that seems to be somewhat wrong, because @vrspectre's question was: "...are external IPs. What are these?" and after using whois he seems to know more than before. He points out: "3 of the 4 are coming Amazon. Presumably something in AWS, and the 4th is form Huricane Electric". To me, that seems like his first question is answered.

 


Don't be so pedantic.  It's not answered in a meaningful way.  Lots of services use AWS - Amazon has 32% share of the public cloud market - so whois isn't giving him any useful information on who/what is connecting to his NAS.  ReadyCloud happens to use AWS, it wouldn't surprise me if the Netgear update servers do also.   Plex also uses AWS.

 

Hurricane Electric is perhaps more useful, but it is a data center (offering CoLo services) - so like the AWS result, knowing the data center doesn't give any clues as to what service is being hosted there.  It could be a legit service that his NAS is using, or it could be something else.

 

I agree that following up with AWS and Hurricane Electric is a possible next step.

 


@Retired_Member wrote:

 

@vrspectre's new and 2nd question: "So why is their crap connecting to my box?"

1) With the information delivered by whois you could contact the owner of the ip address or domain behind it to ask what is going on.

2) If you cannot or do not want to do 1) you could block the concerned ip address or domain using a firewall in your router and investigate what is no longer working in your network. ...And do not block all suspicious ip addresses at the same time. Do one ip after the other to foster your decision to block or not to block. If all you need is working keep the blocked blocked, if not adjust as necessary.

 


Though it is concerning that the account is root, I'm not convinced that blocking the addresses will help - if there is an underlying security issue, then blocking specific addresses won't solve it.  Perhaps also enable the audit log.

 

Reverse DNS might be another thing to try (ping -a ip-address or nslookup ip-address in the case of Windows).  It could be enough to resolve the question of who is hosting the services.

 

 

It would be useful to know what ports are being forwarded to the NAS from the router (if any), and what services they are used for.  If the NAS is set up as the DMZ of the router, then that should certainly be changed right away - that's not a good idea.

 

Getting a better idea of what apps and services are enabled on the NAS might also allow us to provide more help - particularly if ssh is enabled.  Not sure why @vrspectre chose to mask the IP addresses (there shouldn't be any privacy issues, and they after all aren't under his control).  Seeing the actual addresses might also allow us (or Netgear) to give more help.

 

 

If the NAS has been hacked, then after closing off the attack vector you might need to do a factory reset (restoring data from backup).

Message 7 of 26
Retired_Member
Not applicable

Re: Root connections

@StephenBwrote: "Don't be so pedantic. It's not answered in a meaningful way".

 

Being "pedantic" (as you call it) helped to grab Ariadne's threat in this case as you were so kind to shed a light on the event space of potential causes and solutions @vrspectre  can now start to evaluate (of cause you were not ehausting it completely :-). And whois was the starter. Thanks for your valuable contribution and kind regards

 

https://en.wikipedia.org/wiki/Ariadne%27s_thread_(logic)

 

 

Message 8 of 26
StephenB
Guru

Re: Root connections


@Retired_Member wrote:

And whois was the starter.

 


Running whois was a good first step.  It just didn't give much useful information in this particular case.

Message 9 of 26
schumaku
Guru

Re: Root connections


@StephenB wrote:

Running whois was a good first step.  It just didn't give much useful information in this particular case.


All blacked out IP addresses, no information of other active services (non-backup) like ReadyShare [Creating typically at least three established connections _to_ the Internet, mostly Amazon AFAIK], a regular check for firmware updates, ....

We might want (and have!) to dispute why these are all happen under root (respectively UID:0)!


Message 10 of 26
StephenB
Guru

Re: Root connections


@schumaku wrote:
All blacked out IP addresses, no information of other active services (non-backup) like ReadyShare [Creating typically at least three established connections _to_ the Internet, mostly Amazon AFAIK], a regular check for firmware updates, ....

I think you must have meant ReadyCloud?

 

FWIW, I don't see these connections on my own NAS (which doesn't use ReadyCloud, ClamAV or any of the cloud services).

Message 11 of 26
schumaku
Guru

Re: Root connections

Of course, yes - ReadyCloud it is about. Temporarily disabling does get rid of these three connections. Location Switzerland - so different AWS hosts for different regions.

 

RN 6.10.1 ReadyCloud On - location central Europe.PNG

 

 

Message 12 of 26
StephenB
Guru

Re: Root connections


@schumaku wrote:

Of course, yes - ReadyCloud ...

 


The connection page would be more useful if it showed the port and also the program that was listening on the port.

Message 13 of 26
schumaku
Guru

Re: Root connections

Ey that would be to complex for the GUI makers

 

root@RN628X:~# lsof -i | grep ESTABLISHED
xagent 3725 root 7u IPv4 4890919 0t0 TCP RN628X:43836->ec2-52-18-224-100.eu-west-1.compute.amazonaws.com:https (ESTABLISHED)
leafp2p 3726 root 4u IPv4 4890987 0t0 TCP RN628X:42498->ec2-52-8-235-19.us-west-1.compute.amazonaws.com:https (ESTABLISHED)
leafp2p 3726 root 10u IPv4 4890983 0t0 TCP RN628X:42942->ec2-54-183-41-114.us-west-1.compute.amazonaws.com:https (ESTABLISHED)
sshd 16738 root 3u IPv6 4977966 0t0 TCP RN628X:ssh->[fe80::5925:547b:3c3c:c027]:45244 (ESTABLISHED)

Message 14 of 26
StephenB
Guru

Re: Root connections


@schumaku wrote:

... that would be to complex for the GUI makers

 


Hopefully you are joking Smiley Frustrated

Message 15 of 26
Retired_Member
Not applicable

Re: Root connections

@StephenBwrote: "

@schumaku wrote:

... that would be to complex for the GUI makers

Hopefully you are joking "

 

I fear, he is not.

Message 16 of 26
StephenB
Guru

Re: Root connections


@Retired_Member wrote:

@StephenBwrote: "

@schumaku wrote:

... that would be to complex for the GUI makers

Hopefully you are joking "

 

I fear, he is not.


Netstat shows the info I was thinking about.

Message 17 of 26
vrspectre
Apprentice

Re: Root connections

The only app I had enabled was Plex. I went ahead and turne it off and rebooted. 

 

the three IPs showing as connected now are

13.56.8.161

54.183.41.114

54.201.185.63

 

all are AWS and the PTR record is just AWS. 😞

 

All show root and Misc. To be clear I have 0 cloud enabled service and 0 apps enabled. For services I have SMB, HTTP, HTTPs, and File Search. That's it. 

 

I can't think of any reason for me to be connecting to anything at AWS. 

Message 18 of 26
schumaku
Guru

Re: Root connections

Some posts above I've shown an example command to figure out process names with established IP connections. Can't be difficult to run on the ReadyNAS root shell (once enabled SSH access). Username is root, password is the admin one.
Message 19 of 26
StephenB
Guru

Re: Root connections


@vrspectre wrote:

 

All show root and Misc. To be clear I have 0 cloud enabled service and 0 apps enabled. For services I have SMB, HTTP, HTTPs, and File Search. That's it. 

 


If no cloud services are enabled, then I agree that you shouldn't see those connections.  My own system doesn't show them.

 

Do you have any ports forwarded to your NAS in your router?  If so which ones?  If there is a DMZ setting in the router, is the NAS set as the DMZ?

 

 

Message 20 of 26
schumaku
Guru

Re: Root connections

To me these IPs look like ReadyCloud is enabled and active. Only checking the process names related might give some insight.

Message 21 of 26
vrspectre
Apprentice

Re: Root connections

ok, i checked the process names. 

 

The culprits seem to be leafp2 and xagent. 

 

I found this old thread about leafep2p being fixed in 6.5. Maybe it became a bug agin? I'm runing 6.10.1

 

I have no idea what xagent is. 

Message 22 of 26
schumaku
Guru

Re: Root connections


@vrspectre wrote:

The culprits seem to be leafp2 and xagent.  


xagent and leafp2p are related to ReadyCloud as repeatedly stated above and serve for Ready Remote and Replicate, too. These processes go away reliable here if temporarily disabling ReadyCloud by moving the slider to Off, also on all my V6.10.1 (x86-64) systems here, including an RN516..

Message 23 of 26
vrspectre
Apprentice

Re: Root connections

ReadyCloud, Ready Remote, and Replicate have never been turned on. Are you saying I need to turn them on and off again to fix it? 

Message 24 of 26
StephenB
Guru

Re: Root connections


@vrspectre wrote:

ReadyCloud, Ready Remote, and Replicate have never been turned on. Are you saying I need to turn them on and off again to fix it? 


I don't think you should see either Remote or Replicate on your RN516.

 

But you might try turning ReadyCloud on, and then off again.  If you do see the other two, then do the same with them.  If the connections don't disappear, then try rebooting the NAS.

Message 25 of 26
Top Contributors
Discussion stats
  • 25 replies
  • 3316 views
  • 2 kudos
  • 4 in conversation
Announcements