
Remote administration?

fairb
Grafter
Posts: 31
Thanks: 5
Registered: ‎11-02-2019

Remote administration?

No wifi this morning and router needed to be restarted. Checked the event logs on the router. At 22:51 last night the log started filling up with Remote administration events. This went on until 07:51 this morning at which point the router started repeatedly disassociating / associating devices. It would appear that my router locked-up because of the remote access? Who's accessing it?

2019-05-29_09h32_49.png

2019-05-29_09h33_54.png

fairb
Grafter
Posts: 31
Thanks: 5
Registered: ‎11-02-2019

Re: Remote administration?

Sorry, I should have read other threads and seen that the firewall seemed to be blocking malicious attempts to get in. Only thing is that looking up the IP addresses it would seem that the attack is coming from many places around the world. (Or is the attacker just prox'ing in?) Also, my router died in the end?

MasterOfReality
Plusnet Alumni (retired)
Posts: 1,640
Fixes: 57
Registered: ‎26-03-2018

Re: Remote administration?

Hi @fairb 

 

Looks like the router was doing its job and blocking any unwanted access.

 

If they are proxying then it would explain the various locations yes. 

 

I can see that the connection is back up and running - have you noticed anything akin to this since?

 

Thanks, 

MoR

fairb
Grafter
Posts: 31
Thanks: 5
Registered: ‎11-02-2019

Re: Remote administration?

Yes, it’s running good now thanks. It’s been pretty solid since one of you guys upgraded the firmware so I was just a bit surprised it had gone down this morning. That’s why I had a look through the event log. It had been blocking all night and then it started disconnecting devices. Hopefully this is a one off. Thanks for getting back to me.

Nautoshark
Hooked
Posts: 8
Thanks: 2
Registered: ‎27-03-2019

Re: Remote administration?

I got the same as this today. Lots of Remote Access being blocked which seems to result in my Internet / Router dropping out and me not being able to access the internet. 

It seems to happen most days in the early afternoon. 

Anything we can do to improve this? (i.e. not lose internet)

 

14:14:24, 10 Jun. IN: BLOCK [16] Remote administration (TCP [149.129.50.37]:40832-​>[46.208.222.183]:8080 on ppp3)
14:11:22, 10 Jun. IN: BLOCK [16] Remote administration (TCP [62.231.7.220]:61063-​>[46.208.222.183]:22 on ppp3)
14:05:13, 10 Jun. IN: BLOCK [16] Remote administration (TCP [176.57.70.76]:40654-​>[46.208.222.183]:22 on ppp3)
14:00:11, 10 Jun. IN: BLOCK [16] Remote administration (TCP [185.244.25.136]:40126-​>[46.208.222.183]:8080 on ppp3)
13:50:09, 10 Jun. IN: BLOCK [16] Remote administration (TCP [185.208.208.144]:56319-​>[46.208.222.183]:80 on ppp3)
13:49:37, 10 Jun. BLOCKED 2 more packets (because of ICMP replay)
13:49:35, 10 Jun. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 46.208.222.183-​>52.213.206.42 on ppp3)
13:45:16, 10 Jun. IN: BLOCK [16] Remote administration (TCP [42.56.89.100]:51281-​>[46.208.222.183]:22 on ppp3)
13:42:34, 10 Jun. IN: BLOCK [16] Remote administration (TCP [184.105.139.112]:35467-​>[46.208.222.183]:8080 on ppp3)
13:35:54, 10 Jun. IN: BLOCK [16] Remote administration (TCP [185.244.25.136]:49068-​>[46.208.222.183]:8080 on ppp3)
13:31:41, 10 Jun. IN: BLOCK [16] Remote administration (TCP [110.90.72.125]:57213-​>[46.208.222.183]:22 on ppp3)
13:21:38, 10 Jun. IN: BLOCK [16] Remote administration (TCP [201.221.140.146]:19560-​>[46.208.222.183]:8080 on ppp3)
13:13:30, 10 Jun. IN: BLOCK [16] Remote administration (TCP [180.249.56.229]:35476-​>[46.208.222.183]:80 on ppp3)
12:52:30, 10 Jun. BLOCKED 2 more packets (because of ICMP replay)
12:52:29, 10 Jun. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 46.208.222.183-​>40.100.175.146 on ppp3)
12:50:40, 10 Jun. IN: BLOCK [16] Remote administration (TCP [112.245.223.173]:8330-​>[46.208.222.183]:22 on ppp3)
12:49:22, 10 Jun. ath10: STA 30:07:4d:e7:c5:d1 IEEE 802.11: WiFi registration failed
12:48:33, 10 Jun. IN: BLOCK [16] Remote administration (TCP [125.227.31.186]:36500-​>[46.208.222.183]:80 on ppp3)
12:43:29, 10 Jun. IN: BLOCK [16] Remote administration (TCP [80.82.70.118]:60000-​>[46.208.222.183]:8080 on ppp3)
12:30:05, 10 Jun. IN: BLOCK [16] Remote administration (TCP [93.95.190.126]:58915-​>[46.208.222.183]:80 on ppp3)
12:29:59, 10 Jun. IN: BLOCK [16] Remote administration (TCP [216.243.31.2]:41923-​>[46.208.222.183]:80 on ppp3)
12:23:49, 10 Jun. IN: BLOCK [16] Remote administration (TCP [89.248.169.12]:52117-​>[46.208.222.183]:80 on ppp3)
12:21:08, 10 Jun. IN: BLOCK [16] Remote administration (TCP [185.244.25.136]:48520-​>[46.208.222.183]:8080 on ppp3)
12:07:53, 10 Jun. IN: BLOCK [16] Remote administration (TCP [39.91.5.150]:39636-​>[46.208.222.183]:22 on ppp3)
11:50:13, 10 Jun. IN: BLOCK [16] Remote administration (TCP [177.198.69.42]:10134-​>[46.208.222.183]:8080 on ppp3)
11:49:47, 10 Jun. IN: BLOCK [16] Remote administration (TCP [173.208.232.48]:45817-​>[46.208.222.183]:22 on ppp3)
11:49:47, 10 Jun. IN: BLOCK [16] Remote administration (TCP [173.208.232.48]:45816-​>[46.208.222.183]:22 on ppp3)
11:47:51, 10 Jun. IN: BLOCK [16] Remote administration (TCP [175.138.87.102]:28671-​>[46.208.222.183]:22 on ppp3)
11:43:52, 10 Jun. IN: BLOCK [16] Remote administration (TCP [134.209.82.3]:33363-​>[46.208.222.183]:22 on ppp3)
11:35:40, 10 Jun. IN: BLOCK [16] Remote administration (TCP [58.242.82.3]:49825-​>[46.208.222.183]:22 on ppp3)
11:29:33, 10 Jun. IN: BLOCK [16] Remote administration (TCP [185.244.25.136]:36766-​>[46.208.222.183]:8080 on ppp3)
11:27:18, 10 Jun. IN: BLOCK [16] Remote administration (TCP [103.133.105.35]:42322-​>[46.208.222.183]:22 on ppp3)
11:26:30, 10 Jun. IN: BLOCK [16] Remote administration (TCP [191.115.74.63]:28852-​>[46.208.222.183]:8080 on ppp3)
11:25:42, 10 Jun. IN: BLOCK [16] Remote administration (TCP [58.39.15.18]:60489-​>[46.208.222.183]:22 on ppp3)
11:24:11, 10 Jun. ath00: STA 30:07:4d:e7:c5:d1 IEEE 802.11: WiFi registration failed
11:24:08, 10 Jun. IN: BLOCK [16] Remote administration (TCP [60.180.1.135]:13333-​>[46.208.222.183]:22 on ppp3)
11:22:32, 10 Jun. (3606924.520000) NTP synchronization success!

 

Nautoshark
Hooked
Posts: 8
Thanks: 2
Registered: ‎27-03-2019

Re: Remote administration?

Dropped again, seems like constant attack:

14:57:34, 10 Jun. IN: BLOCK [16] Remote administration (TCP [208.93.152.17]:50234-​>[46.208.222.183]:443 on ppp3)
14:55:09, 10 Jun. (3619679.030000) Admin login successful by 192.168.1.64 on HTTP
14:54:44, 10 Jun. (3619653.910000) New GUI session from IP 192.168.1.64
14:52:49, 10 Jun. IN: BLOCK [16] Remote administration (TCP [103.133.105.35]:54506-​>[46.208.222.183]:22 on ppp3)
14:48:12, 10 Jun. IN: BLOCK [16] Remote administration (TCP [106.118.18.171]:41029-​>[46.208.222.183]:22 on ppp3)
14:46:37, 10 Jun. IN: BLOCK [16] Remote administration (TCP [103.133.105.35]:54191-​>[46.208.222.183]:22 on ppp3)
14:40:55, 10 Jun. IN: BLOCK [16] Remote administration (TCP [112.111.170.179]:16650-​>[46.208.222.183]:22 on ppp3)
14:37:35, 10 Jun. IN: BLOCK [16] Remote administration (TCP [138.255.186.19]:53171-​>[46.208.222.183]:8080 on ppp3)
14:29:50, 10 Jun. IN: BLOCK [16] Remote administration (TCP [162.243.140.86]:59169-​>[46.208.222.183]:443 on ppp3)
14:28:23, 10 Jun. (3618072.760000) New GUI session from IP 192.168.1.64
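
Added example (not part of the original posts, and not Plusnet or router vendor code): a small Python parser for the `IN: BLOCK [16] Remote administration` line format shown in the logs above, which tallies blocked probes by destination port, by hour, and by repeat source. The function names and the sample log are constructed for illustration; the sample uses documentation-range addresses rather than the ones in the thread.

```python
import re
from collections import Counter

# Constructed sample in the router's log format (documentation-range
# addresses; the first line carries a zero-width space as forum pastes often do).
SAMPLE_LOG = """\
14:14:24, 10 Jun. IN: BLOCK [16] Remote administration (TCP [198.51.100.7]:40832-\u200b>[203.0.113.10]:8080 on ppp3)
14:11:22, 10 Jun. IN: BLOCK [16] Remote administration (TCP [198.51.100.22]:61063->[203.0.113.10]:22 on ppp3)
13:49:35, 10 Jun. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 203.0.113.10->192.0.2.42 on ppp3)
13:45:16, 10 Jun. IN: BLOCK [16] Remote administration (TCP [192.0.2.99]:51281->[203.0.113.10]:22 on ppp3)
13:35:54, 10 Jun. IN: BLOCK [16] Remote administration (TCP [198.51.100.7]:49068->[203.0.113.10]:8080 on ppp3)
12:49:22, 10 Jun. ath10: STA 02:00:00:00:00:01 IEEE 802.11: WiFi registration failed
12:30:05, 10 Jun. IN: BLOCK [16] Remote administration (TCP [192.0.2.5]:58915->[203.0.113.10]:80 on ppp3)
"""

# Matches only inbound firewall blocks: time, rule id, reason, 5-tuple, interface.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}), (?P<day>\d{1,2}) (?P<mon>\w{3})\. "
    r"IN: BLOCK \[(?P<rule>\d+)\] (?P<reason>[^(]+?) "
    r"\((?P<proto>TCP|UDP) \[(?P<src>[\d.]+)\]:(?P<sport>\d+)->"
    r"\[(?P<dst>[\d.]+)\]:(?P<dport>\d+) on (?P<iface>\S+)\)$"
)

def parse_blocks(text):
    """Return one dict per inbound BLOCK line; every other log line is skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.replace("\u200b", "").strip()  # drop zero-width spaces
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def summarize(events):
    """Count blocks per destination port and per hour, and list repeat sources."""
    by_src = Counter(e["src"] for e in events)
    return {
        "total": len(events),
        "by_port": dict(Counter(e["dport"] for e in events)),
        "by_hour": dict(Counter(e["time"][:2] for e in events)),
        "repeat_sources": {ip: n for ip, n in by_src.items() if n > 1},
    }

if __name__ == "__main__":
    print(summarize(parse_blocks(SAMPLE_LOG)))
```

Comparing the per-hour counts with the times the connection dropped shows whether the drops actually track the volume of blocked probes.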
RandallFlagg
Plusnet Alumni (retired)
Posts: 1,915
Fixes: 75
Registered: ‎11-01-2018

Re: Remote administration?

 

Hi @Nautoshark

 

Thanks for sharing this - I've checked your account and there are no physical drops (externally).

 

Unfortunately, as per the above, there's not a great deal we can do in terms of the remote connections - the router is doing what it should to block these and we have no control over 3rd parties attempting to access your router.

 

When you're seeing a loss of connectivity, does the router change in any way (lights etc)? Do the drops occur via both wired and a wifi connection?
 

Best wishes

 

Dave