Technical Discussion
  >> Security Related Issues


Standard User Natty (newbie) Sun 23-Aug-20 11:29:14

Zyxel Security Log Attack?

Hi, I've just noticed in the security log of my Zyxel XMG3927-B50A router over the past couple of weeks there are alerts for an attack (see link)
Screen Capture

I've reset my router & changed the password but as you can see these logs still appear. Googling brings up a Zyxel announcement for brute force attacks: Brute force attacks? Zyxel to tighten protection on routers and CPE

My Firewall is set to Medium (Recommended)

This is what I have enabled in Remote Management. I have enabled Ping on WAN to be able to run a TBB monitor.
Remote Management

Vodafone Superfast 2

Zyxel XMG3927-B50A Router

Edited by Natty (Sun 23-Aug-20 22:13:32)

Standard User Michael_Chare (fountain of knowledge) Sun 23-Aug-20 23:34:07

Re: Zyxel Security Log Attack? [re: Natty]

Are you not able to configure the router to reject all remote access or perhaps only allow it from a particular subnet?

Michael Chare
Standard User Natty (newbie) Mon 24-Aug-20 04:02:22

Re: Zyxel Security Log Attack? [re: Michael_Chare]

It's a pretty high end router with no end of features I could play with, much of which is beyond my understanding. I only needed the basic features to get it to work. I don't even need to set up port forwarding as I don't torrent or stream online games.

My main priority is: what is that security log reporting? Is it something to be concerned about, or is it mistaking pings for an attack? Having reset the router, so far today that is the only attack log, whereas previously there were frequent log reports every 5 minutes. I'm just a regular home user, I'm not a business, so what is there to gain from attacking my router?



Standard User caffn8me (eat-sleep-adslguide) Mon 24-Aug-20 09:30:15

Re: Zyxel Security Log Attack? [re: Natty]

It's probably logging connection attempts against a closed port. This is normal firewall behaviour because it allows administrators to see if there are persistent threats from a particular source and block that from other services which may be open to the outside world.

Edit: in this particular case the log shows a protocol of UDP, a source port of 5121 and a destination port of 4399. Port 5151 is associated with:

https://www.speedguide.net/port.php?port=5121

Are you a gamer? Is UPnP enabled?

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Mon 24-Aug-20 09:39:01)

Standard User BLaZiNgSPEED (member) Mon 24-Aug-20 11:56:18

Re: Zyxel Security Log Attack? [re: caffn8me]

Yes, I also believe this to be the case with blocked port.

If indeed the original poster is a gamer and is playing certain games or using applications that require certain ports then this can show a false DDoS Attack alert.

We can see the log shows 9:58, assuming that's the time you were playing a game or using an application that led to this alert.

Remember, you need port forwarding not necessarily for streaming online games. You need to open ports to join the online game servers and host servers from your end. You may get frequent server disconnections and lag issues if your ports are blocked.

This may be what's happening right now. If you don't know how to open ports, you can test by enabling DMZ to have all ports opened temporarily and test if the alert is occurring again. If that resolves it, it would mean the port is unblocked and no longer signalling the Log Attack. Most likely this is a false positive caused by blocking of ports.

Standard User jabuzzard (committed) Mon 24-Aug-20 19:40:38

Re: Zyxel Security Log Attack? [re: Natty]

Nothing to be worried about, you would expect to see this sort of behaviour all the time, by which I mean like practically every second of every day. Leastways I do on all the machines I have at work and at home.

In this case it appears to be coming from a cloud provider in the Netherlands. Probably a hacked machine, so you might actually get some traction from their abuse team:

[email protected]

To be fair, the only time I have ever had any success on that is when the IP address was from some sort of incubator business park run by the University where I work. I got a surprise when I ran the whois on the IP address as it was not from our standard class B block, so I didn't immediately recognise it. A quick email to our cyber security team and head of networks put a stop to things (to be clear, the probes were on my home router).

Normally this stuff originates from China or Russia, so it's a complete waste of time doing anything. If I was not at a University I would just drop all Chinese and Russian IP addresses at the firewall and make them connect via VPN. However that won't fly yet. Another HPC hack from China though and it probably will.

Standard User Natty (newbie) Tue 25-Aug-20 00:26:07

Re: Zyxel Security Log Attack? [re: caffn8me]

No, I'm not a gamer. UPnP was enabled, so I have now turned that off. I should also note I do use Cloudflare DNS rather than Vodafone's, in case it's relevant.

I've contacted Zyxel support with that log; I had many others these past few weeks but I lost them due to resetting my router & forgetting to save them. But so far today there have been no more security logs.


Edited by Natty (Tue 25-Aug-20 03:26:50)

Standard User Natty (newbie) Tue 25-Aug-20 03:17:27

Re: Zyxel Security Log Attack? [re: Natty]

I was a bit premature. More logs just came through.

(Edit)
1 Aug 25 08:11:13 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.148.121.28 DST=84.64.*.* LEN=432 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=5120 DPT=4399 LEN=412 MARK=0x10000000

# Time Facility Level Category Messages
1 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=441 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5080 LEN=421 MARK=0x10000000
2 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=439 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5070 LEN=419 MARK=0x10000000
3 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3353 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
4 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3354 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
5 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3356 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
6 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3361 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
7 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3352 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000

(Edit) The first two attacks via Port 5200 Details:

Port(s): 5200 | Protocol: tcp,udp | Service: targus-getdata | Details: TARGUS GetData, Echolink, EchoMac (TCP)

Siemens SpeedStream 5200 with NetPort Software 1.1 allows remote attackers to bypass authentication via an invalid Host header, possibly involving a trailing dot in the hostname.
References: [CVE-2008-6916], [BID-32203]
https://www.speedguide.net/port.php?port=5200

(Edit) It appears Zyxel are no strangers to these botnet attacks. I wonder if other Zyxel router users are experiencing this? Zyxel security advisory for the recent botnet attacks targeting PK5001Z


Edited by Natty (Tue 25-Aug-20 08:46:48)
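The log lines quoted in the post above are netfilter-style kernel records made of key=value fields, so they can be parsed and grouped by source rather than read one row at a time. The following is an added example, not code from the thread or from Zyxel: it takes the lines above (destination kept masked as the poster masked it), parses each field, and gives every source address a verdict. A source that hits several distinct destination ports within a short window is reported as a port sweep; a packet or two to one port is a lone probe. The thresholds SWEEP_PORTS and SWEEP_WINDOW_S are assumptions chosen for illustration.

```python
"""Parse netfilter-style 'attack' log lines and summarise them per source.

Added example (not from the thread or a Zyxel tool). SAMPLE_LOG is copied from
the post above, destination masked as the poster masked it; the row numbers
and the table header are accepted but ignored by the parser.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
1 Aug 25 08:11:13 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.148.121.28 DST=84.64.*.* LEN=432 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=5120 DPT=4399 LEN=412 MARK=0x10000000
# Time Facility Level Category Messages
1 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=441 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5080 LEN=421 MARK=0x10000000
2 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=439 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5070 LEN=419 MARK=0x10000000
3 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3353 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
4 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3354 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
5 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3356 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
6 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3361 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
7 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3352 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
"""

# Optional row number, syslog timestamp, then everything after "kernel: ".
LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?kernel: (?P<body>.*)$")

SWEEP_PORTS = 3      # this many distinct destination ports from one source ...
SWEEP_WINDOW_S = 60  # ... inside this many seconds is reported as a port sweep (assumed thresholds)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), "flags": []}
    for token in m.group("body").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields.setdefault(key, value)   # LEN appears twice (IP, then UDP); keep the first
        else:
            fields["flags"].append(token)   # DF, SYN, ACK ... carry no value
    for key in ("SPT", "DPT", "TTL"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def max_ports_in_window(entries, window_s):
    """Largest number of distinct DPT values seen inside any window (entries sorted by ts)."""
    best, start = 0, 0
    for end in range(len(entries)):
        while (entries[end]["ts"] - entries[start]["ts"]).total_seconds() > window_s:
            start += 1
        best = max(best, len({e["DPT"] for e in entries[start:end + 1] if "DPT" in e}))
    return best


def summarise(lines):
    """Group parsed lines by source address and attach a verdict to each source."""
    by_src = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        by_src[entry["SRC"]].append(entry)

    report = {}
    for src, entries in by_src.items():
        entries.sort(key=lambda e: e["ts"])
        ports = sorted({e["DPT"] for e in entries if "DPT" in e})
        protos = sorted({e.get("PROTO", "?") for e in entries})
        if max_ports_in_window(entries, SWEEP_WINDOW_S) >= SWEEP_PORTS:
            verdict = "port sweep"
        elif protos == ["TCP"] and all("SYN" in e["flags"] for e in entries):
            verdict = "tcp syn probe"
        elif protos == ["UDP"]:
            verdict = "udp probe"
        else:
            verdict = "mixed"
        report[src] = {"count": len(entries), "protos": protos, "ports": ports, "verdict": verdict}
    return report


def main():
    for src, info in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {info['verdict']:14} {info['count']:2d} hits "
              f"{'/'.join(info['protos'])} ports={info['ports']}")


if __name__ == "__main__":
    main()
```

On the quoted rows this reports 87.251.75.124 as a port sweep (five consecutive TCP ports in the same second) and the two UDP sources as lone probes, which is the split a defender wants before deciding whether a source is worth an abuse report or a drop rule.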

Standard User caffn8me (eat-sleep-adslguide) Thu 26-Nov-20 11:50:58

Re: Zyxel Security Log Attack? [re: Natty]

A long time after the event but....

...mentions of 87.251.75.124 are of a Russian-based scanning network trying to find open ports which can then be exploited.

The 45.143.220.66 IP address is listed as belonging to voniq.eu in the Netherlands, with a map location here:

colombia:~$ whois -h whois.ripe.net 45.143.220.66
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '45.143.220.0 - 45.143.220.255'

% Abuse contact for '45.143.220.0 - 45.143.220.255' is '[email protected]'

inetnum:        45.143.220.0 - 45.143.220.255
netname:        VONIQ-NL-DSRV
descr:          VONIQ SERVER HOSTING LTD
country:        NL
geoloc:         52.6921234 6.1937187
admin-c:        VN3508-RIPE
tech-c:         VN3508-RIPE
org:            ORG-VSHL1-RIPE
status:         ASSIGNED PA
mnt-by:         VONIQ-MNT
remarks:        Send all abuse complaints to [email protected]
created:        2019-10-13T10:27:10Z
last-modified:  2020-09-12T12:16:22Z
source:         RIPE

organisation:   ORG-VSHL1-RIPE
org-name:       VONIQ SERVER HOSTING LTD
org-type:       OTHER
address:        98409 Marty Corner, Borermouth, Seychelles
geoloc:         -4.6574977 55.4540146
abuse-c:        VN3508-RIPE
mnt-ref:        VONIQ-MNT
mnt-by:         VONIQ-MNT
created:        2020-09-12T11:58:29Z
last-modified:  2020-11-05T16:53:39Z
source:         RIPE # Filtered

role:           VONIC NOC
address:        29442 Ronaldo Drive, Stann Creek District, Belize, BZ
abuse-mailbox:  [email protected]
nic-hdl:        VN3508-RIPE
mnt-by:         VONIQ-MNT
created:        2020-09-12T11:54:56Z
last-modified:  2020-09-12T11:58:24Z
source:         RIPE # Filtered

% Information related to '45.143.220.0/24AS213371'

route:          45.143.220.0/24
origin:         AS213371
mnt-by:         VONIQ-MNT
created:        2020-05-18T02:50:33Z
last-modified:  2020-09-12T12:16:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.98 (HEREFORD)

There isn't a website for voniq.eu and there seems to be no record of the company "VONIQ SERVER HOSTING LTD" existing anywhere - other than as a name attached to IP addresses. You can see that they're trying to hide something with addresses in Belize and the Seychelles.

If we look at the bottom we see 'origin: AS213371' - this tells us who is responsible for this block of IP addresses and it turns out to be:

aut-num:        AS213371
as-name:        SQUITTER-NETWORKS
org:            ORG-SQTR1-RIPE

role:           SQUITTER NETWORKS
address:        Krzhizhanovskogo Ul., bld. 15/39, appt. 52, Sankt-Peterburg
abuse-mailbox:  [email protected]
nic-hdl:        SN8949-RIPE
mnt-by:         SQUITTER-MNT
created:        2020-04-13T10:51:05Z
last-modified:  2020-04-15T06:26:49Z
source:         RIPE # Filtered

So not very EU at all - it seems to be a grim residential apartment block in St. Petersburg, Russia.

The Russians are actively scanning to try to find a way in but your router is blocking it because the ports are closed - which is good.

I see about 4-5,000 attempted connections overtly from Russia in the course of a week and 6-7,000 from China. The stats for Russia are under-representing the true number because the Russians frequently register their IP addresses in other countries as in the example above.

Sarah

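Reading the RIPE output above by eye works for one address; the following is an added example, not from the thread, that parses the RPSL objects a whois server returns and pulls out the facts an abuse report needs: the inetnum and its registered country, the route's origin AS and its name, the abuse mailboxes, and whether any postal address actually mentions the registered country. SAMPLE_WHOIS is an abbreviated copy of the two lookups quoted in the post (the e-mail addresses appear redacted on the page and are kept that way); the COUNTRY_NAMES table is a constructed partial mapping with just the codes this sample needs.

```python
"""Parse RIPE whois (RPSL) output and extract the facts needed for an abuse report.

Added example (not from the thread). SAMPLE_WHOIS is abbreviated from the two
lookups quoted in the post above; redacted e-mail addresses are kept redacted.
"""
import re

SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.

% Abuse contact for '45.143.220.0 - 45.143.220.255' is '[email protected]'

inetnum:        45.143.220.0 - 45.143.220.255
netname:        VONIQ-NL-DSRV
descr:          VONIQ SERVER HOSTING LTD
country:        NL
org:            ORG-VSHL1-RIPE
status:         ASSIGNED PA
source:         RIPE

organisation:   ORG-VSHL1-RIPE
org-name:       VONIQ SERVER HOSTING LTD
org-type:       OTHER
address:        98409 Marty Corner, Borermouth, Seychelles
abuse-c:        VN3508-RIPE
source:         RIPE # Filtered

role:           VONIC NOC
address:        29442 Ronaldo Drive, Stann Creek District, Belize, BZ
abuse-mailbox:  [email protected]
nic-hdl:        VN3508-RIPE
source:         RIPE # Filtered

% Information related to '45.143.220.0/24AS213371'

route:          45.143.220.0/24
origin:         AS213371
source:         RIPE

aut-num:        AS213371
as-name:        SQUITTER-NETWORKS
org:            ORG-SQTR1-RIPE

role:           SQUITTER NETWORKS
address:        Krzhizhanovskogo Ul., bld. 15/39, appt. 52, Sankt-Peterburg
abuse-mailbox:  [email protected]
nic-hdl:        SN8949-RIPE
source:         RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")

# Constructed partial mapping: only the codes that occur in this sample.
COUNTRY_NAMES = {"NL": "Netherlands", "RU": "Russia", "SC": "Seychelles", "BZ": "Belize"}


def parse_rpsl(text):
    """Split whois output into objects, each a dict of attribute -> [values].

    Objects are separated by blank lines, '%' lines are server comments, and the
    first attribute of an object names its class (inetnum, route, aut-num, ...).
    Attributes may repeat, so every value is kept in a list.
    """
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).split(" # ", 1)[0].strip()  # drop "# Filtered"
        if not current:
            current["_class"] = key
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def mentions_country(address, cc):
    """True if a postal address names the ISO code (as a whole token) or the English name."""
    if not cc:
        return False
    tokens = re.findall(r"[A-Za-z]+", address)
    name = COUNTRY_NAMES.get(cc)
    return cc in tokens or (name is not None and name.lower() in address.lower())


def first(obj, key):
    return obj.get(key, [None])[0]


def triage(objects):
    """Reduce the parsed objects to the handful of facts an abuse report needs."""
    by_class = {}
    for obj in objects:
        by_class.setdefault(obj["_class"], []).append(obj)
    inetnum = by_class.get("inetnum", [{}])[0]
    route = by_class.get("route", [{}])[0]
    autnum = by_class.get("aut-num", [{}])[0]
    cc = first(inetnum, "country")
    addresses = [a for obj in objects for a in obj.get("address", [])]
    return {
        "inetnum": first(inetnum, "inetnum"),
        "netname": first(inetnum, "netname"),
        "country": cc,
        "origin": first(route, "origin"),
        "as_name": first(autnum, "as-name"),
        "abuse": sorted({m for obj in objects for m in obj.get("abuse-mailbox", [])}),
        "addresses": addresses,
        # A registered country that none of the contact addresses mention is worth noting
        # before trusting the "NL" label in a firewall or geolocation decision.
        "address_matches_country": any(mentions_country(a, cc) for a in addresses),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rpsl(SAMPLE_WHOIS)).items():
        print(f"{key:24} {value}")
```

The post did the AS lookup as a second query; the example simply concatenates both outputs so one pass covers the inetnum, the route and the aut-num, and the mismatch check makes explicit the point made in prose above: the block is registered as NL while every address on file is elsewhere.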

Standard User camieabz (sensei) Thu 26-Nov-20 12:59:39

Re: Zyxel Security Log Attack? [re: caffn8me]

It would seem that GRC's old 'Shields Up' test might still be useful. Just to see how your router's ports react to probes, although if WAN ping is enabled, it'll always be seen from that 'direction'.

Standard User caffn8me (eat-sleep-adslguide) Thu 26-Nov-20 13:07:47

Re: Zyxel Security Log Attack? [re: camieabz]

Yes, it's definitely worth checking. It's better than assuming that a router isn't opening anything up to the outside world.

Sarah


Standard User Natty (newbie) Thu 26-Nov-20 15:32:21

Re: Zyxel Security Log Attack? [re: caffn8me]

I submitted some logs to Zyxel & they told me it's not an attack & that it's nothing to worry about.

Why would Russian hackers want to get into my router? I'm not a corporation or government department. Can they be stopped?

I reset my router last week because I was changing the wifi settings & for some reason it wouldn't accept my password. So I had to reset the router.

BTW I cannot get the log settings to work in my router; it did this before but I don't know what I did in the log settings. How do I get it working again?

Log
Log Settings


Standard User Natty (learned) Thu 26-Nov-20 15:37:07

Re: Zyxel Security Log Attack? [re: caffn8me]

I went to the GRC Shield website & ran their test.

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)


Standard User camieabz (sensei) Thu 26-Nov-20 15:59:02

Re: Zyxel Security Log Attack? [re: Natty]

In reply to a post by Natty:
Why would Russian hackers want to get into my router?


It's nothing personal. They want to get into everyone's router. If you reset the router, I hope you changed any default passwords. I suggest this site, and be sure to make it 30 characters (router being kinda important and all that).

If a hacker can potentially control a router they can use it to bounce their traffic, and it makes you look like the source of attacks. Or, they can use it with others to attempt DoS attacks on bigger targets. Having said all that, they'll be happy to take any of your personal data they can get from hacking your router.

Standard User caffn8me (eat-sleep-adslguide) Thu 26-Nov-20 17:40:20

Re: Zyxel Security Log Attack? [re: Natty]

In reply to a post by Natty:
I submitted some logs to Zyxel & they told me it's not an attack & that it's nothing to worry about.
Strictly speaking it's a reconnaissance for an attack but they didn't get in this time. Interestingly, had they got in, there would have been zero evidence in the logs as the router isn't logging allowed traffic.

As for logging settings, they appear to be correct. If you've only just enabled logging again it may be a while before anything is there to see. Sometimes routers hold log file information in memory and only dump it to a file after a set period of time or they may not display it when the log file is below a certain size. Try again later to see if there's anything new.

Sarah


Edited by caffn8me (Thu 26-Nov-20 17:41:24)

Standard User Natty (learned) Fri 27-Nov-20 01:37:40

Re: Zyxel Security Log Attack? [re: caffn8me]

So what can be done about these attacks? Report it to my ISP? Zyxel support?


Standard User caffn8me (eat-sleep-adslguide) Fri 27-Nov-20 10:26:42

Re: Zyxel Security Log Attack? [re: Natty]

These reconnaissance probes/attacks affect every single device which faces the internet with a real IP address; routers and firewalls or devices behind a modem or bridge mode router. You can't do anything to stop them, short of disconnecting your router from the internet completely.

What your router logs are showing you is that these attacks are being stopped, which is good. They're more of academic interest rather than something you can do anything about.

If you want to make something on your home network available to the internet at large, such as a file server, Windows Remote Desktop or CCTV camera, the router logs serve to remind you that attackers are trying to compromise your network and they will find your open ports which they can then directly target with carefully crafted attacks.

Anyone running a service on their home network which is available to the outside world should take extra precautions to ensure it is protected. This includes things like using software to detect and prevent intrusions, logging access attempts and reviewing the logs, using strong password protection and multifactor authentication, and ensuring that the server software or device firmware is fully up to date with recommended security settings.

Above all, you've disabled UPnP, so let the logs reassure you that things aren't getting through.

Sarah


Edited by caffn8me (Fri 27-Nov-20 10:28:58)

Standard User longedge (experienced) Fri 27-Nov-20 11:22:56

Re: Zyxel Security Log Attack? [re: caffn8me]

As an aside, I've been amazed in the past when I've read reports of how quickly 'honeypots' got compromised, but that's going back to the late '90s, early '00s. I wonder if the default security of current routers has been largely successful in keeping intruders out?

plusnet FTTC

Standard User jabuzzard (committed) Fri 27-Nov-20 11:26:28

Re: Zyxel Security Log Attack? [re: caffn8me]

In reply to a post by caffn8me:
[SNIP]

Anyone running a service on their home network which is available to the outside world should take extra precautions to ensure it is protected. This includes things like using software to detect and prevent intrusions, logging access attempts and reviewing the logs, using strong password protection and multifactor authentication, and ensuring that the server software or device firmware is fully up to date with recommended security settings.


The last one of that list is by far the most important. Every device on your network needs to be patched in a timely manner. Further, unfortunately, the manufacturers of most consumer grade routers are appallingly bad at supplying any updates and, if they do, generally for a couple of years at most. Which is why I steer clear of them and pay the premium for kit from vendors like Ubiquiti, Mikrotik and Draytek that provide security updates for many years after product launch.

Another important trick is to have your firewall/router/server rate limit connection attempts, especially if the connection is unsuccessful. Apart from anything else it can free up a surprising amount of bandwidth on your connection.
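An added example, not from the thread, of the per-source throttling described above, in the form a log-watcher on a server would apply rather than a router's packet filter (a packet filter can only count attempts; a server also knows whether each one failed): every source address gets a sliding window of recent attempts, failed attempts cost more than successful ones, and a source that overspends its budget is dropped for a cooling-off period. The event list, thresholds and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Per-source rate limiting of connection attempts, as a small simulation.

Added example (not from the thread or any vendor product). Events, thresholds
and addresses are constructed; addresses use RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque

# Constructed events: (seconds since start, source address, outcome of the attempt)
EVENTS = [
    (0, "203.0.113.7", "fail"), (2, "203.0.113.7", "fail"), (4, "203.0.113.7", "fail"),
    (5, "203.0.113.7", "fail"), (6, "203.0.113.7", "fail"), (70, "203.0.113.7", "fail"),
    (200, "203.0.113.7", "ok"),
    (1, "198.51.100.9", "ok"), (30, "198.51.100.9", "ok"), (61, "198.51.100.9", "ok"),
]


class SourceLimiter:
    """Sliding-window budget per source address; failed attempts cost more than good ones."""

    def __init__(self, window_s=60, budget=8, fail_cost=2, ok_cost=1, block_s=120):
        self.window_s, self.budget, self.block_s = window_s, budget, block_s
        self.cost = {"fail": fail_cost, "ok": ok_cost}
        self.recent = defaultdict(deque)   # src -> deque of (time, cost) inside the window
        self.blocked_until = {}            # src -> time at which the block lifts

    def check(self, t, src, outcome):
        """Return 'drop' or 'allow' for an attempt at time t from src with the given outcome."""
        if self.blocked_until.get(src, -1) > t:
            return "drop"                  # still in the cooling-off period
        dq = self.recent[src]
        while dq and dq[0][0] <= t - self.window_s:
            dq.popleft()                   # forget attempts that fell out of the window
        dq.append((t, self.cost[outcome]))
        if sum(cost for _, cost in dq) > self.budget:
            self.blocked_until[src] = t + self.block_s
            dq.clear()                     # start afresh once the block lifts
            return "drop"
        return "allow"


def run(events, limiter):
    """Feed events to the limiter in time order; return (t, src, decision) triples."""
    return [(t, src, limiter.check(t, src, outcome)) for t, src, outcome in sorted(events)]


if __name__ == "__main__":
    for t, src, decision in run(EVENTS, SourceLimiter()):
        print(f"t={t:4d} {src:14} {decision}")
```

With the defaults, five failures from 203.0.113.7 in six seconds exceed the budget of 8 points, so the fifth and the later attempt at t=70 are dropped and the source is only heard again once the 120-second block has lifted, while the slow, successful attempts from 198.51.100.9 are never touched. The same budget-per-source idea is what a firewall's connection-rate rule implements, with every attempt costing the same because the firewall does not see the outcome.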

Standard User ian72 (eat-sleep-adslguide) Fri 27-Nov-20 11:37:10

Re: Zyxel Security Log Attack? [re: jabuzzard]

The vast majority of known compromises of home networks/kit is leaving default passwords on Internet-facing devices. Things like cameras, smart door bells, connected toys, etc. are almost always compromised due to poor password security - either because bad passwords are baked in or because they have a default that doesn't get changed.

There are few compromises that I have seen reported where a 3rd party has actually actively hacked a home network using more advanced techniques - and mostly little benefit to them doing so.

EDIT : Just to add the other most likely way of being "hacked" is by visiting dodgy links that install malware on the device - passwords and users following dodgy links are by far the most likely way a home user will be compromised.

Edited by ian72 (Fri 27-Nov-20 11:41:35)

Standard User camieabz (sensei) Fri 27-Nov-20 11:37:49

Re: Zyxel Security Log Attack? [re: jabuzzard]

In reply to a post by jabuzzard:
Another important trick is to have your firewall/router/server rate limit connection attempts, especially if the connection is unsuccessful. Apart from anything else it can free up a surprising amount of bandwidth on your connection.


Also disable guest access, limit number of wifi users to a realistic limit and so on. All sensible little tweaks that can't hurt.

Standard User caffn8me (eat-sleep-adslguide) Fri 27-Nov-20 17:09:42

Re: Zyxel Security Log Attack? [re: jabuzzard]

In reply to a post by jabuzzard:
Further, unfortunately, the manufacturers of most consumer grade routers are appallingly bad at supplying any updates and, if they do, generally for a couple of years at most.
The Home Router Security Report 2020 [pdf] makes interesting reading.

Sarah


Standard User jchamier (eat-sleep-adslguide) Fri 27-Nov-20 19:48:34

Re: Zyxel Security Log Attack? [re: caffn8me]

In reply to a post by caffn8me:
The Home Router Security Report 2020 [pdf] makes interesting reading.
Thank you, it certainly does!

21 years of broadband connectivity since 1999 trial - Live BQM