• September 20, 2020, 08:03:04 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Illicit LAN Machine SSH Connect from Gateway - DSR-250 A2 3.14_WW  (Read 484 times)

distantlightning

  • Level 1 Member
  • *
  • Posts: 1

I am having a strange issue where I have a LAN SSH Connection being repeatedly made at regular (intelligent) intervals. This is originating from my DSR-250. The SSH Server Log looks like this:

<event seq="479" time="2020-06-09 05:05:42.402922 -0400" app="BvSshServer 8.43" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
    <session id="1233" service="SSH" remoteAddress="192.168.0.1:40078"/>
    <parameters addressRule="AnyIP" listenAddress="192.168.0.xxx:xxxxx"/>
    <sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
  </event>

  <event seq="480" time="2020-06-09 05:05:42.406472 -0400" app="BvSshServer 8.43" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
    <session id="1233" service="SSH" remoteAddress="192.168.0.1:40078"/>
    <parameters disconnectReason="EofReceived" socketBytesReceived="0" socketBytesSent="188" payloadBytesReceived="0" payloadBytesSent="43" channelBytesReceived="0" channelBytesSent="0"/>
    <sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
    <help message="The client has disconnected the session by sending EOF."/>
  </event>

I have spent some hours troubleshooting this problem.  There are SSH ports expressed to the outside world which route via router services to specific LAN machines/ports. Every so often a bot someplace (external IP) will find one of these and start hammering away until I discover and block it (I get a notice of every attempted connection) These are pretty easy to control.  But, then, one of my machines started getting the the above SSH Connections from my DSR-250 Gateway. I also blocked this on that machine. But, it keeps hammering away, getting connection refused. It's smart. Each connection is from a different random port - 192.168.0.1:xxxxx. It was trying every six minutes. After a few hours of being blocked, it went to trying every Five minutes, then every two hours. It's only trying one machine, so far, though I pre-emptively blocked the connection on them all now.

I found that remote admin was enabled. I really don't know how, as I thought it was blocked. But, it is now. The password is pretty cryptic and long. But, it's possible for someone to guess it, I suppose. I looked at all of the installed drivers, etc. I looked at the routing table, VLAN, VPNs, etc. Everything looks good. I tried firewalling everything incoming to see if it stopped. It didn't. I restarted the router and after a few minutes the connection attempts resumed.

One other thing that is strange is that there are outgoing packets (11 of them) showing on my WAN2 on the bottom of the control panel. The routed doesn't have a WAN2 and everything to do with this is disabled. WAN2 is displayed as down in the chart, with no activity.

This is a pretty strange issue. The possible idea is that a bot is persistently installed itself on my router. But, if so, it's done so in a very sneaky way. I have not heard of or seen any security bulletins remotely close to this. But, if this problem exists it's a pretty serious issue. I wonder if someone could have installed a corrupt language pack. But, I am unsure if that could possibly install malware. There are no unusual drivers installed. The three default functional drivers have all been updated.

Does anyone have any ideas?
Logged