Hello,

I am experiencing way more mobile data traffic on my RUT 550 router than expected. I have about 60 RPi devices connected to it. It looks like the traffic increased from about 10K a day to about 5 GB in just one week. I thought it had something to do with problems or failure in the router or the mobile SIM card / net provider.

Using RUT tcpdebug and Wireshark to analyse it, I see a high frequency of connections to the following addresses. Can anyone tell me if this is normal, caused by standard services (time sync or something...), or have I perhaps been hacked? I don't understand why I should connect to so many addresses in China, Russia and Japan. I am located in Iceland, and my remote IP address should be the only one connecting remotely. I don't understand all those connections. My password is strong; I did not have remote SSH open until after I saw this. My remote HTTP has always been open. Any info or help would be appreciated. I was just thinking of blocklisting these, but first I am seeking more information. I only have remote access to the router.

ip.dst == 101.207.148.137

ip.dst == 101.200.125.235

ip.dst == 101.254.100.83

ip.dst == 102.164.61.126

ip.dst == 103.41.213.70

ip.dst == 103.96.75.55

ip.dst == 104.248.199.34

ip.dst == 109.173.66.193

ip.dst == 112.120.29.171

ip.dst == 115.210.128.73

ip.dst == 115.210.128.73

ip.dst == 118.42.18.46

ip.dst == 119.156.81.36

ip.dst == 119.156.81.36

ip.dst == 120.196.115.131

ip.dst == 120.25.242.86

ip.dst == 121.199.5.141

ip.dst == 124.64.223.46

ip.dst == 128.199.163.55

ip.dst == 129.213.154.0

ip.dst == 130.208.87.149  // veðurstofan (the Met Office)

ip.dst == 130.208.87.152

ip.dst == 130.255.81.9

ip.dst == 141.147.162.9

ip.dst == 183.195.121.197

ip.dst == 185.156.73.120

ip.dst == 34.92.176.182

Thanks in advance,
Ragnar

2 Answers

0 votes
Hello,

Looks like you have been hacked. From nslookup or whois, a lot of the ip.dst addresses are in China, but your description isn't enough to say which side is the originator of the TCP connection.

Best course of action: blacklist all those parasites.

Regards,
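The open question in this answer, which side opened each connection, can be answered from the capture itself: the bare SYN (SYN set, ACK clear) is sent by whoever initiates the connection. The following is an added example, not code from the thread or from Teltonika. It works on pre-parsed packet records; a constructed sample is embedded so it runs offline, and ROUTER_IP is an assumed address for the RUT as it appears in the capture. The equivalent Wireshark display filter for "connections the router opened" is `tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == <router address>`.

```python
"""Decide who opened each TCP connection in a capture and sum bytes per
remote address.

Added example; not from the original thread or from Teltonika. The
packet rows are constructed. In practice you would produce them from the
tcpdebug pcap, e.g.:
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport \
         -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e frame.len
"""
from collections import defaultdict

ROUTER_IP = "10.0.0.1"  # assumption: the router's address as seen in the capture

# Constructed sample: (src, dst, sport, dport, syn, ack, frame_len)
SAMPLE_PACKETS = [
    # Router polls the Met Office server; the router sends the bare SYN,
    # so the router is the originator.
    ("10.0.0.1", "130.208.87.149", 40001, 80, True, False, 74),
    ("130.208.87.149", "10.0.0.1", 80, 40001, True, True, 74),
    ("10.0.0.1", "130.208.87.149", 40001, 80, False, True, 66),
    ("130.208.87.149", "10.0.0.1", 80, 40001, False, True, 1500),
    # A remote host sends the bare SYN to the router's web port:
    # the remote side is the originator.
    ("101.207.148.137", "10.0.0.1", 51234, 80, True, False, 74),
    ("10.0.0.1", "101.207.148.137", 80, 51234, True, True, 74),
    ("101.207.148.137", "10.0.0.1", 51234, 80, False, True, 600),
    ("10.0.0.1", "101.207.148.137", 80, 51234, False, True, 1500),
    ("10.0.0.1", "101.207.148.137", 80, 51234, False, True, 1500),
    # Bare SYN from the router with no reply: still router-originated.
    ("10.0.0.1", "120.25.242.86", 40002, 443, True, False, 74),
]


def classify_flows(packets, router_ip=ROUTER_IP):
    """Return {(remote_ip, remote_port, router_port): {"originator", "bytes"}}.

    originator is "router", "remote", or None when the capture never saw
    the bare SYN (connection already open when the capture started).
    """
    flows = {}
    for src, dst, sport, dport, syn, ack, length in packets:
        if src == router_ip:
            key, sender = (dst, dport, sport), "router"
        elif dst == router_ip:
            key, sender = (src, sport, dport), "remote"
        else:
            continue  # not a router flow
        rec = flows.setdefault(key, {"originator": None, "bytes": 0})
        rec["bytes"] += length
        if syn and not ack:  # bare SYN identifies who opened the connection
            rec["originator"] = sender
    return flows


def bytes_by_remote(flows):
    """Total bytes per remote address, both directions."""
    totals = defaultdict(int)
    for (remote, _, _), rec in flows.items():
        totals[remote] += rec["bytes"]
    return dict(totals)


def remote_originated(flows):
    """Remote addresses that opened at least one connection to the router."""
    return sorted({r for (r, _, _), rec in flows.items()
                   if rec["originator"] == "remote"})


if __name__ == "__main__":
    flows = classify_flows(SAMPLE_PACKETS)
    for key, rec in flows.items():
        print(key, rec)
    print("bytes by remote:", bytes_by_remote(flows))
    print("remote-originated:", remote_originated(flows))
```

One caveat when reading the result: tcpdebug captured on the WAN interface sees the 60 RPi devices NATed behind the router's own address, so "router-originated" there means "router or something on its LAN"; a capture on the LAN bridge separates the two.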
0 votes
Hello,
I have experienced the same on two RUT955s over the last 12-15 months, running older firmware (3.5 and 5.03).
These units have been on the 4G network and suddenly started using several GB per day.

Either there is some brute force / exploit that keeps connecting and uses all the data, or it has been hacked and some scripts installed.
I did find something weird under the startup script:
"
/sbin/keepaliver
/usr/sbin/ifconfig.conf
exit 0
"

The modem was running the old 3.5 firmware. Not sure if that was something that belonged there then or if it was a script added by someone. I had already upgraded the firmware so couldn't find the ifconfig.conf under that path.
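A quick way to triage startup-script entries like the two quoted above is to check, without executing anything, that every command line names an absolute path to something that exists and is executable, and to flag executables with data-file names such as `*.conf`. The script below is an added example, not from the thread or from Teltonika; it audits a copy of the startup script (`/etc/rc.local` on RUT/OpenWrt) and uses a constructed sample plus a scratch directory so that every status is exercised offline.

```bash
#!/bin/sh
# Audit the commands listed in a startup script without running them.
# Added example, not from the original post. Prints one line per command:
# STATUS<TAB>path, where STATUS is OK, MISSING, NOT_EXEC, RELATIVE or
# SUSPICIOUS (an executable named like a config file, a heuristic only).
audit_startup() {
    script="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|'exit'*) continue ;;      # blank, comment, final exit
        esac
        cmd="${line%% *}"                    # first word of the line
        case "$cmd" in
            /*) ;;
            *) printf 'RELATIVE\t%s\n' "$cmd"; continue ;;
        esac
        if [ ! -e "$cmd" ]; then
            printf 'MISSING\t%s\n' "$cmd"
        elif [ ! -x "$cmd" ]; then
            printf 'NOT_EXEC\t%s\n' "$cmd"
        else
            case "$cmd" in
                *.conf|*.txt|*.cfg) printf 'SUSPICIOUS\t%s\n' "$cmd" ;;
                *) printf 'OK\t%s\n' "$cmd" ;;
            esac
        fi
    done < "$script"
}

# Constructed sample: the two entries quoted in the answer, plus a scratch
# directory holding an executable *.conf and a normal helper so the
# SUSPICIOUS and OK branches are exercised on any machine.
TMP=$(mktemp -d)
mkdir -p "$TMP/bin"
printf '#!/bin/sh\n' > "$TMP/bin/ifconfig.conf"
printf '#!/bin/sh\n' > "$TMP/bin/helper"
chmod +x "$TMP/bin/ifconfig.conf" "$TMP/bin/helper"
SAMPLE="$TMP/rc.local"
cat > "$SAMPLE" <<EOF
# Put your custom commands here that should be executed once
/sbin/keepaliver
/usr/sbin/ifconfig.conf
$TMP/bin/ifconfig.conf
$TMP/bin/helper
exit 0
EOF

audit_startup "$SAMPLE"
```

Run it against a copy pulled off the router (`scp root@router:/etc/rc.local .`) rather than on the router itself when the box is suspect; a MISSING result after a firmware upgrade, as in this answer, only tells you the file is gone now, not whether it was legitimate before.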