
Router / VNC being hacked?

mxnerd

Diamond Member
Just found one machine constantly having VNC traffic from a remote PC with an unknown IP.

The problem is, I don't have any port open to the outside world, and I don't have any ports forwarded, so how in the world can the outsider reach the machine?

Router is TP-LINK DD-WRT, UPNP is off.

The VNC server port is 5900. The event log shows this 223.xx.xx.xx IP constantly trying to authenticate to my TightVNC server.

What gives? Why can outside traffic penetrate the router when no ports are open?

Scanned the machine, no malware was found.


Simple Wireshark capture showing outside traffic trying to reach VNC server at 192.168.1.10.

Closing and opening ports has nothing to do with the WAN (Internet) side.

When a port is not opened the Local Network is closed to this port.

There is a lot of pinging and noise going through the Internet to any connection, especially probing known standard ports (like VNC 5900).

If you want to increase security, do not use the standard port; change it to something higher up, like 60981.

Then when you need to connect from the outside you put the port in the address.

Like www.myvnc:60981



😎
 
If you have Dynamic IP with your ISP then change the MAC address in DD-WRT (Setup > MAC Address Clone) and reboot both the modem and router. That will give you a new IP address and the attack should cease. If the attack continues then it's originating from your machine.
 
I shut down the machine for the whole night and the attack disappears, for now.

I know that the internet is full of machines that are constantly looking for weaknesses in any routers/machines on the net.

What I don't understand is this:

The router is in NAT mode, no port forwarding to any LAN machines.

So if any machine on the internet runs a VNC viewer, specifying myrouterpublicip as the destination, wouldn't the packets stop at the router's WAN side?

Why would the VNC packets reach the LAN side switch and arrive at one of the machines?
 
Why would the VNC packets reach the LAN side switch and arrive at one of the machines?

If the attack originated from your machine the router will pass the response packets to the destination. That's just how NAT works. You don't need a port to be opened if your program requests return packets on a specific port. A firewall, though, can block those packets regardless of who initiates the exchange.
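To make the point above concrete (and the later question in this thread about how port forwarding decides which LAN host gets a packet), here is a toy model of what a NAT router with connection tracking does. It is an added example, not code from the thread or from DD-WRT (which implements the real thing with netfilter connection tracking and iptables MASQUERADE/DNAT rules). Every address, port and packet is constructed: 192.168.1.10 is the LAN host from the post, 203.0.113.5 is an assumed public address for the router, and 198.51.100.7 stands in for the remote 223.x.x.x address; both of those are documentation ranges, not real hosts.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."
LAN_HOST = "192.168.1.10"     # the VNC machine from the post
ROUTER_WAN = "203.0.113.5"    # assumed public IP of the router (documentation range)
PROBE_IP = "198.51.100.7"     # constructed stand-in for the remote 223.x address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # a bare SYN (syn and not ack) is the first packet of a TCP connection
    ack: bool = False


class NatRouter:
    """Source NAT with a state table, plus optional static port forwards."""

    def __init__(self, port_forwards=None):
        self.port_forwards = dict(port_forwards or {})  # wan_port -> (lan_ip, lan_port)
        self.inbound = {}    # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.outbound = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.next_wan_port = 40000

    def process(self, pkt):
        """Return ("forwarded", rewritten_packet) or ("dropped", reason)."""
        return self._from_lan(pkt) if pkt.src.startswith(LAN_PREFIX) else self._from_wan(pkt)

    def _from_lan(self, pkt):
        # A LAN host talking out: allocate (or reuse) a mapping and rewrite the
        # source so the remote side's replies come back to the public address.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self.outbound.get(key)
        if wan_port is None:
            wan_port = self.next_wan_port
            self.next_wan_port += 1
            self.outbound[key] = wan_port
            self.inbound[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return ("forwarded", Packet(ROUTER_WAN, wan_port, pkt.dst, pkt.dport, pkt.syn, pkt.ack))

    def _from_wan(self, pkt):
        # 1. Reply to a connection a LAN host opened: translate back and pass.
        entry = self.inbound.get((pkt.src, pkt.sport, pkt.dport))
        if entry is not None:
            return ("forwarded", Packet(pkt.src, pkt.sport, entry[0], entry[1], pkt.syn, pkt.ack))
        # 2. Explicit port forward: DNAT to the configured LAN host.
        if pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return ("forwarded", Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn, pkt.ack))
        # 3. Anything else is unsolicited: there is no LAN address to send it to.
        return ("dropped", "no state entry and no port-forward rule")


def scenario_unsolicited_probe():
    """Internet host probes TCP/5900 on the public IP; nothing is forwarded."""
    status, _ = NatRouter().process(Packet(PROBE_IP, 51234, ROUTER_WAN, 5900, syn=True))
    return status


def scenario_port_forward():
    """Same probe, but 5900 is forwarded to the LAN host: it gets through."""
    router = NatRouter(port_forwards={5900: (LAN_HOST, 5900)})
    status, pkt = router.process(Packet(PROBE_IP, 51234, ROUTER_WAN, 5900, syn=True))
    return status, pkt.dst, pkt.dport


def scenario_reverse_connection():
    """The LAN host connects out first; the remote side's packets then come
    back through NAT with no port forward at all (what the post above describes)."""
    router = NatRouter()
    router.process(Packet(LAN_HOST, 49152, PROBE_IP, 5500, syn=True))
    status, pkt = router.process(Packet(PROBE_IP, 5500, ROUTER_WAN, 40000, syn=True, ack=True))
    return status, pkt.dst, pkt.dport


def who_initiated(capture):
    """For each TCP flow in a capture, report which address sent the bare SYN.
    This is the check to run on the Wireshark capture: if the LAN host sent the
    SYN, the session was started from inside, not by the remote IP."""
    initiators = {}
    for p in capture:
        flow = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if p.syn and not p.ack:
            initiators[flow] = p.src
    return initiators


# Constructed capture: three packets of a handshake the LAN host opened.
SAMPLE_CAPTURE = [
    Packet(LAN_HOST, 49152, PROBE_IP, 5500, syn=True),
    Packet(PROBE_IP, 5500, LAN_HOST, 49152, syn=True, ack=True),
    Packet(LAN_HOST, 49152, PROBE_IP, 5500, ack=True),
]
```

The three scenarios are the three ways a packet from the internet can reach (or not reach) a LAN host: dropped when nothing matches, delivered by a static port-forward rule, or delivered because the LAN host opened the connection first. `who_initiated` is the question to ask of the capture in the first post: filter the trace to bare SYN packets and see which side sent them.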
 
AnonymouseUser you are right.

It looks like the machine is compromised.

I forgot that I had disabled the Windows firewall rules for TightVNC before shutting down. When I re-enabled the rules the attacks started again, from multiple external IPs.

I ran Microsoft Process Explorer, CurrPorts from NirSoft and Malwarebytes and still can't find the offending process. Guess I have to erase the machine and reinstall. Oh well.
 
That IP traces back to iconpln.net. An ISP in Indonesia. Some router firewalls have common ports opened by default.
 
That IP traces back to iconpln.net. An ISP in Indonesia. Some router firewalls have common ports opened by default.

Yep, I traced it back to Indonesia last night. The world is all connected. 😳



The only ports that can pass through this router are VPN traffic -> IPSec, PPTP & L2TP.
 
Doesn't UPnP allow your computer to automatically open ports in the router?

I don't think you'll see a port forwarding rule in your router either.

[edit]
Oh. I see that UPnP is off.
 

Can you elaborate on "Closing and opening ports has nothing to do with the WAN (Internet) side" & "When a port is not opened the Local Network is closed to this port"?
Closing and opening ports has nothing to do with the WAN (Internet) side.

When a port is not opened the Local Network is closed to this port.

There is a lot of pinging and noise going through the Internet to any connection, especially probing known standard ports (like VNC 5900).

If you want to increase security, do not use the standard port; change it to something higher up, like 60981.

Then when you need to connect from the outside you put the port in the address.

Like www.myvnc:60981



😎
Jack, can you elaborate on this? I know changing the port number makes it safer, but that's not the point I'm trying to figure out here.

My question is not only for VNC, but how port forwarding really works.

You said "Closing and opening ports has nothing to do with the WAN (Internet) side" & "When a port is not opened the Local Network is closed to this port."

So does that mean traffic from the internet (WAN side) will always arrive at the LAN side? But without port forwarding, how does traffic that originates from the internet know which LAN IP to go to?

I did a remote desktop test from WAN last night, to my surprise, it works! I don't have any port forwarding, but it reached internal LAN.

So does that mean the NAT router will forward all WAN traffic to the LAN, even without port forwarding and without specifying any LAN IP? If I have 2 machines A & B with Remote Desktop enabled, how does the external traffic know which IP it has to reach?

My test showed that the Remote Desktop client always goes to machine A. I rebooted the DD-WRT router, and the result is the same. Why is that? Both machines' RDP ports were 3389.

====

I shut down A yet kept B running and tried Remote Desktop again; this time it won't reach either A or B.
 
WAN side is like the traffic on street in front of our homes.

You look through the windows, you see it, and that's it. I.e., it is not under our control.

The street traffic will come in if you open the doors wide and invite them in.

http://portforward.com/help/portforwarding.htm

http://www.ezlan.net/vnc.html


😎

So even without port forwarding being configured, all ports are open on the WAN side? Even with DD-WRT's SPI firewall turned on?

Even if that's true, what I am asking is why my test succeeded with one machine and not the other. A is Server 2008, B is Server 2003. Both can be reached by Remote Desktop from the LAN side. But when I run Remote Desktop from the WAN side, specifying only the public IP, I automatically reach machine A and am greeted with the login dialog of machine A, never machine B. How did the router pick which machine to respond to?
 