Chinese hacking?


#1

Hi, not sure if this is a fixable security issue, but I only allow remote connections when I need it and have been getting this multiple times a day for the last 3 days from the same IP.

ISP is China Unicom Beijing Province Network

https://www.abuseipdb.com/whois/221.218.106.98


#2

Hi,
Someone has your external IP, scanned for open ports on the router, found 8100 open and is now trying to connect. There is nothing we can do about that. The important thing is to have a strong username and password so they give up. Depending on the router, it is sometimes possible to only allow connections from certain IP numbers, but that works for static IPs. Usually, they scan for lower port numbers. Yes, it is an interesting warning.


#3

Hi,
thanks for the quick reply.
That is what I was wondering. My home connection is dynamic, so I have rebooted the router to change IP and will wait and see if it happens again.

I am not sure if I can limit what IP can connect, so I will need to investigate that.

By username/password I presume you mean credentials to log into the router settings?


#4

If you have a dynamic IP I assume you use a DDNS service like dyndns.com or equivalent. How the hackers connect your DDNS to the IP number, or if they just scan for IP numbers, I don't know. Often they use PING and test if they get a response from a router, and if they get this response they start to scan for open ports.
Since you have a dynamic IP it is difficult to block a specific IP. Check in your router if you can make sure that the router does not respond to a PING request.

Yes, I mean the credentials, and the problem as I see it is NCS. They have the IP and the port, so they can start to scan usernames and passwords to get into NCS.

The router is probably not an issue as long as you have it set so that login to the router can only be done from the LAN.

The program you have that blocked this was interesting. I have to check that one out. What is it?


#5

The router I have was free from my ISP when I signed up, but I have disabled any kind of remote connections in the router settings and it does not respond to any outside requests, so I think maybe it is just random IP scanning.

All my passwords consist of 12-20 random upper/lowercase letters and numbers to minimize the risk of them being hacked.

The program is ESET Smart Security. I have used ESET products since the late 90s and never had an infection or successful hack.


#6

That's all we can do to protect ourselves, I think. Your passwords are way better than mine and probably saved you this time.
I'll check eset.com.
Thanks,
Henrik


#7

Henrik is correct. It's very common to have connection attempts to your machine, but unless you have a monitoring protection app you'd never see the notifications. I use MalwareBytes, and I'll go through periods when I get similar attempts, sometimes for weeks. Eventually they stop. I've noticed that at least with Spectrum (formerly brighthouse), I'll have the same IP for what seems like forever, even through router reboots. I suspect when you're a nearly "stationary target", so to speak, anyone attempting to find open ports to connect to will keep trying for a while. There are always people looking for things like cameras with remote access capability or FTP applications open to anonymous logins. Just having a router protects you a great deal, and avoids any CPU load from your PC needing to screen a lot of traffic. Set up an FTP server with logging sometime, and then look at your logs after a week. You'd think people believed you had the keys to Fort Knox. :)


#8

Hi,

In relation to this, I think NCS security could be improved. For persons that know what they are doing, this isn't a big issue. But some people (with lower IT knowledge) must sometimes be protected against themselves :) .

2 suggestions that I think should be included:

Since a lot of NCS installs are publicly exposed (on the default port), they could be a haven for brute force attacks. If you then don't have any of the above, you'll end up quickly on insecam.org ;).


#9

Hi Mitch,
Yes, I agree with you. From the beginning it was mainly used on the LAN, but now, as you say, many expose it to "the dark side" :) so security could be improved. We have had some of this discussion internally, so it is in the pipeline. Thanks for your suggestion; we have also had a discussion on how to disable the name admin from the WAN side. I will forward this to @Steve.
Thanks,
Henrik


#10

So I have disabled DDNS (no-ip.com) and port forwarding, and rebooted the router several times to change IP, yet I am still getting several attacks a day, from different IP addresses but always the same Chinese ISP.

I used both https://www.grc.com/x/ne.dll?bh0bkyd2 and https://campaigns.f-secure.com/router-checker/
both of which say everything is fine, and a complete virus scan is also clean.

I use Google (4.4.8.8 and 8.8.8.8) for primary/secondary DNS.


#11

Hi,
There is not much more to do. Do you really get a new IP? You can contact that ISP and tell them what is going on and/or contact your own ISP and ask for help.
-Henrik


#12

What is your issue? I also have many such attempts on many servers.

But a few things to know:

If there is no server listening on a specific TCP/UDP port you don't see connection attempts, and believe me, hackers try to connect to a wide range of TCP/UDP ports when they do their scans, so when your ESET warns you about this TCP port connection attempt, your router may have received tons of attempts on other ports you didn't see.

If you access a server protected by a strong login/password AND the server that answers on this port has no security flaw, then you risk nothing (except maybe some DDoS).

If you really want security, then do not expose any server/port with a NAT but create a VPN that will be the only way to access your local network.

Regards.


#13

Hi Henrik,

My IP is a dynamic IP and does change every time I reboot the router.
I checked after each reboot to make sure it changed, but I did discover after my last post that port forwarding had not saved when I disabled the setting. I am unsure why it never saved, but after I realized it was still forwarding the port I disabled it again, rebooted the router and checked to make sure it was disabled.

The attacks have stopped getting to my laptop now, as I have not had the warning since. I have now turned logging on in the router, and if it continues I will contact my ISP. Thank you for your help anyway.
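Several posts above suggest turning on router or firewall logging and reading the logs: post #7 recommends looking at a week of logs, post #12 points out that a single warning from the desktop security product hides the many other ports a scanner will have tried at the router, and post #13 enables logging on the router. The following script is an added example, not code from this thread or from any router vendor; it parses a constructed, netfilter-style drop log (the line format and the sample addresses are assumptions, taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) and summarises, per source address, how many inbound attempts were dropped and how many distinct destination ports were tried, so a repeated hit on one forwarded port (like the 8100 case in this thread) can be told apart from a broad port scan.

```python
import re
from collections import defaultdict

# Constructed sample of router/firewall log lines in a netfilter-like
# syslog format (an assumption; real router log formats vary).
SAMPLE_LOG = """\
Mar 03 01:12:07 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54211 DPT=8100
Mar 03 01:12:09 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54212 DPT=8100
Mar 03 01:12:11 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54213 DPT=8100
Mar 03 01:15:40 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54300 DPT=22
Mar 03 01:15:41 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54301 DPT=23
Mar 03 01:15:42 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=54302 DPT=445
Mar 03 02:02:13 router kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=5353
Mar 03 02:30:00 router kernel: ACCEPT IN=eth0 SRC=198.51.100.22 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
"""

# Timestamp, host, process, verdict, then the key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "action": m.group("action"),
            "src": m.group("src"),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")),
        })
    return events


def summarize(events, min_attempts=3, scan_ports=3):
    """Group dropped inbound attempts by source IP.

    A source is reported once it reaches min_attempts dropped packets. It is
    flagged as a port scan when it touched at least scan_ports distinct
    destination ports; otherwise it is a repeated attempt against one service
    (the single-port case seen in this thread). ACCEPTed traffic is ignored.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for e in events:
        if e["action"] != "DROP":
            continue
        per_src[e["src"]]["attempts"] += 1
        per_src[e["src"]]["ports"].add(e["dpt"])

    report = {}
    for src, info in per_src.items():
        if info["attempts"] < min_attempts:
            continue
        ports = sorted(info["ports"])
        report[src] = {
            "attempts": info["attempts"],
            "ports": ports,
            "scan": len(ports) >= scan_ports,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(parse_log(SAMPLE_LOG)).items():
        kind = "port scan" if info["scan"] else "repeated single-service attempts"
        print(f"{src}: {info['attempts']} dropped, ports {info['ports']} -> {kind}")
```

The summary is what you would hand to your own ISP or to the abuse contact of the source network (as post #11 suggests): source address, count and ports over a time window. For a real router, adjust LINE_RE to that device's log format; the grouping logic does not depend on it.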


#14

Works well. Thanks @Henrik and @Steve!