
NBG6617 - many TLS sessions to AWS

Paran0id Posts: 6  Junior Member
edited October 2018 in Discussions
Is it normal for an NBG6617 router to have many (about 1 per second) TLS data transfer sessions to something in the AWS cloud?
I can understand it wanting to check firmware status, but this seems ridiculous and I'm wondering if it has been hacked.

Thanks,
Paran0id
#Router_Oct_2018

Comments

  • Hill Posts: 138  Warrior Member
    edited October 2018
    What is the firmware version of your NBG6617?

    Can you share how you checked this behavior?
    Is it possible to provide the steps and some screenshots?

    Can you provide the system information? (Telnet/SSH to the NBG6617 and type the "atsh" command to get it.)

  • Paran0id Posts: 6  Junior Member
    Well, it seems it has been totally hacked by a rather sophisticated actor. I captured the traffic and used Wireshark to analyze it.
    First it does a whole load of DNS to find e.root-servers.net, which doesn't exist (though root-server.net does), does the same for br-lan, also l.gtld-servers.net, and eventually finds a DNS service that tells it where addgadgets.com is.
    It does some HTTP with addgadgets.com.
    Then it does reams and reams of DNS with ICANN, which could possibly be botched DDNS.
    Eventually it settles down to do its once-per-second TLS with 54.165.139.227.
    In the meantime, it does a plaintext FTP check for new firmware with ftp2.zyxel.com, which is perfectly reasonable.

    What is NOT reasonable, is that once-per-second TLS data transfer.

    I've ditched this router, replaced it with another - and lo! The suspicious encrypted traffic vanishes.

    I bought this router a few weeks ago, flashed it with the latest firmware.

    You have been warned!
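    The observation in this post (a fixed once-per-second cadence to a single destination) is the classic signature of timer-driven traffic, and it can be checked mechanically rather than by eye. The following is an added example written for this thread, not code from the poster, from Wireshark or from Zyxel. It takes a list of connection records shaped like a Wireshark Conversations export or a NetFlow dump (start time, destination, port, protocol), groups them by destination and scores how evenly spaced the connections are. All flows, IP addresses (TEST-NET ranges) and timings are constructed. The thread itself shows why a hit is only a triage result: the 1 s and 30 s cadences discussed here were later attributed to the vendor's cloud keep-alive, so a flagged destination still has to be matched against vendor documentation or confirmed with the vendor before it is treated as a compromise.

```python
"""Spot periodic ("beacon-like") outbound connections in a list of flows.

Added example for this thread; not code from the original post, Wireshark
or Zyxel. Input records are (start_time_epoch, dst_ip, dst_port, proto),
which is what you get from Wireshark's Conversations view or a NetFlow
export. Everything in build_sample_flows() is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed input: a ~1 s cadence to one host plus irregular noise."""
    flows = []
    # Hypothetical once-per-second TLS connection: 30 hits on one host,
    # with 50 ms of jitter on every third connection.
    for i in range(30):
        t = 1000.0 + i + (0.05 if i % 3 == 0 else 0.0)
        flows.append((t, "203.0.113.10", 443, "tcp"))
    # Browsing-style traffic to another host: similar count, no fixed period.
    for t in (1000.3, 1001.1, 1007.9, 1008.2, 1011.2, 1019.6,
              1020.4, 1024.4, 1025.3, 1027.7, 1028.9, 1029.1):
        flows.append((t, "198.51.100.5", 80, "tcp"))
    # One FTP connection, like the firmware poll mentioned in the thread.
    flows.append((1003.7, "192.0.2.7", 21, "tcp"))
    return sorted(flows, key=lambda f: f[0])


def find_beacons(flows, min_count=10, max_jitter=0.2):
    """Return destinations that are contacted at a regular interval.

    jitter = population stddev of inter-arrival gaps / mean gap.
    A low value means the connections are evenly spaced, which is how a
    timer-driven client looks (a legitimate cloud keep-alive and a C2
    beacon are indistinguishable at this stage); human-driven traffic is
    bursty and scores high. min_count filters out one-off connections.
    """
    by_dst = defaultdict(list)
    for ts, dst, port, proto in flows:
        by_dst[(dst, port, proto)].append(ts)

    hits = []
    for (dst, port, proto), times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "dst": dst, "port": port, "proto": proto,
                "count": len(times),
                "interval": round(avg, 2),   # seconds between connections
                "jitter": round(jitter, 3),
            })
    # Most regular cadence first: that is the one to look at.
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(f"{hit['dst']}:{hit['port']}/{hit['proto']} "
              f"{hit['count']} connections every ~{hit['interval']} s "
              f"(jitter {hit['jitter']})")
```

    With real data, feed the records from your capture instead of build_sample_flows() and lower min_count for short captures. The jitter threshold is deliberately tight; a client that sleeps for a fixed period between connections lands well under 0.2 even on a congested link, while anything interactive lands far above it.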



  • Zyxel_Steven Posts: 247  Zyxel Moderator
    @Paran0id,
    In order to provide you with better assistance, we have contacted you via private message.
    Please kindly check your message box.
  • Paran0id Posts: 6  Junior Member
    @Zyxel_Steven: I PMed an offer of a PCAP capture and the entire compromised router filesystem on October 26, but have not heard back.
  • Paran0id Posts: 6  Junior Member
    Judging by the behaviour of the router, I believe it to be a version of the most recent VPNFilter.
  • Zyxel_Steven Posts: 247  Zyxel Moderator
    edited November 2018
    @Paran0id,
    Please check the private message so that we can provide you with better service.
  • Paran0id Posts: 6  Junior Member
    Zyxel_Steven - I have replied.
  • Paran0id Posts: 6  Junior Member
    Zyxel_Steven has kindly resolved what the issue is: AWS is used for https://mycloud.zyxel.com/ .

    Many thanks,

    Paran0id


  • Zyxel_Steven Posts: 247  Zyxel Moderator
    edited November 2018
    The behavior is:
    The NBG6617 supports the ZYXEL cloud feature (https://mycloud.zyxel.com/). We have to make sure that function works, so it connects to the server (that server is hosted on Amazon) every 30 seconds.
  • sitro Posts: 20  Junior Member
    Hello,
    I get the same connection to the address 54.165.139.227 (ec2-54-165-139-227.compute-1.amazonaws.com) with my NAS542.

    But I also have another disturbing host:
    I installed Darkstat and I see a connection with the host 193.253.155.25.
    Between my NAS542 and this host there is an upload to the host of 5,682,517,256 bytes.
    How can that be?

  • Edwardc Posts: 51  Warrior Member
    Hi sitro,

    Does your NAS542 use PPPoE?
    Can you share your network topology and detailed information about the Darkstat report?

    I checked the IP 193.253.155.25; it seems to belong to France Telecom (now Orange S.A.).
    https://en.wikipedia.org/wiki/Orange_S.A.

  • sitro Posts: 20  Junior Member
    edited May 2019
    Hi,
    No, the NAS doesn't use PPPoE.
    I rebooted the NAS, so I no longer have the stats about Orange; I got a new one, see below.
    Orange is my provider (FAI).
    The new one is something like this:

    193.253.155.253 (none) d4:60:e3:c8:1f:36 0 3,958,219,796 3,958,219,796 15 hrs, 23 mins, 46 sec :)

    in detail
    193.253.155.253
    Hostname: (none)
    MAC Address: d4:60:e3:c8:1f:36
    Last seen: 2019-05-02 20:29:27 UTC+0000 (15 hrs, 28 mins, 57 secs ago)

    In: 0
    Out: 3,958,219,796
    Total: 3,958,219,796
    TCP ports on this host
    The table is empty.

    TCP ports on remote hosts
    The table is empty.

    UDP ports on this host
    (1-1 of 1)
    Port  | Service | In | Out           | Total
    49152 |         | 0  | 3,958,219,796 | 3,958,219,796
    UDP ports on remote hosts
    (1-2 of 2)
    Port | Service | In            | Out | Total
    8200 |         | 3,672,393,780 | 0   | 3,672,393,780
    8202 |         | 285,826,016   | 0   | 285,826,016
    IP protocols
    (1-1 of 1)
    # Protocol | In | Out           | Total
    17         | 0  | 3,958,219,796 | 3,958,219,796

    (edit : delete previous table )
  • sitro Posts: 20  Junior Member
    Up after editing the previous message.
  • sitro Posts: 20  Junior Member
    Recently I changed my provider.

    Now I get network connection with : 81.253.237.117
    Last seen: 2020-05-09 09:47:17 UTC+0000 (2 hrs, 23 mins, 42 secs ago)

    In: 0
    Out: 185,073,997,412
    Total: 185,073,997,412
    UDP ports on this host (1-1 of 1)
    Port  | Service | In | Out             | Total
    49152 |         | 0  | 185,073,997,412 | 185,073,997,412

    UDP ports on remote hosts (1-2 of 2)
    Port | Service | In              | Out | Total
    8200 |         | 171,711,231,912 | 0   | 171,711,231,912
    8202 |         | 13,362,765,500  | 0   | 13,362,765,500

    No idea what it might be?
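    The two Darkstat pastes in this thread show the same shape: a single local UDP port with zero bytes in one direction and well over a gigabyte in the other, mirrored by two remote ports. That shape is worth flagging automatically, both because one-way bulk transfers are how exfiltration and unintended media streaming both look, and because the two tables on a Darkstat host page should reconcile (every byte is counted once against a local port and once against a remote port), which is a quick sanity check on the numbers before anyone draws conclusions. The following is an added example written for this thread, not code from the poster or from the Darkstat project. It parses the text exactly as pasted above (both the pipe-separated and the whitespace-aligned layout), flags one-directional rows above a size threshold and checks that the local and remote tables agree. The report strings are copied from the two posts above; the parsing logic and the thresholds are mine. Darkstat's In/Out columns are relative to the host whose page you are viewing, so confirm the real direction with a packet capture before calling anything an upload.

```python
"""Parse Darkstat-style per-host port tables and flag one-way bulk transfers.

Added example for this thread; not code from the poster or from Darkstat.
The two report strings are the Darkstat pastes from this thread. Parsing
tolerates both the pipe-separated and the whitespace-aligned layout.
"""
import re
from collections import namedtuple

PortRow = namedtuple("PortRow", "proto side port service bytes_in bytes_out total")

# Second paste in the thread (whitespace-aligned layout).
REPORT_2020 = """\
UDP ports on this host (1-1 of 1)
Port      Service              In               Out                     Total
49152                     0            185,073,997,412   185,073,997,412

UDP ports on remote hosts (1-2 of 2)
Port      Service              In                Out                    Total
8200                    171,711,231,912      0          171,711,231,912
8202                     13,362,765,500       0            13,362,765,500
"""

# First paste in the thread (pipe-separated layout, with empty TCP tables).
REPORT_2019 = """\
TCP ports on this host
The table is empty.
TCP ports on remote hosts
The table is empty.
UDP ports on this host
(1-1 of 1)
Port    |Service | In | Out                  |Total
49152 |             | 0  | 3,958,219,796 | 3,958,219,796
UDP ports on remote hosts
(1-2 of 2)
Port | Service | In                     | Out | Total
8200 |             | 3,672,393,780 | 0     | 3,672,393,780
8202 |             | 285,826,016    | 0     | 285,826,016
IP protocols
(1-1 of 1)
# Protocol | In | Out                   |Total
17             |0    | 3,958,219,796 | 3,958,219,796
"""

SECTION_RE = re.compile(r"^(TCP|UDP) ports on (this|remote) hosts?", re.I)
NUM_RE = re.compile(r"^\d[\d,]*$")


def parse_port_tables(text):
    """Return one PortRow per data row in the TCP/UDP port tables."""
    rows, proto, side = [], None, None
    for raw in text.splitlines():
        line = raw.replace("|", " ").strip()
        m = SECTION_RE.match(line)
        if m:
            proto, side = m.group(1).upper(), m.group(2).lower()
            continue
        if line.lower().startswith("ip protocols"):
            proto = None          # not a port table; stop parsing rows
            continue
        if proto is None or not line or line.startswith(("Port", "(", "#")):
            continue
        tokens = line.split()
        if len(tokens) == 5:      # service name present
            port, service, *nums = tokens
        elif len(tokens) == 4:    # service column blank, as in the pastes
            port, *nums = tokens
            service = ""
        else:
            continue              # "The table is empty." and similar
        if not (port.isdigit() and all(NUM_RE.match(n) for n in nums)):
            continue
        b_in, b_out, total = (int(n.replace(",", "")) for n in nums)
        rows.append(PortRow(proto, side, int(port), service, b_in, b_out, total))
    return rows


def flag_one_way(rows, min_bytes=1 << 30):
    """Rows moving at least min_bytes with nothing in the other direction."""
    flagged = []
    for r in rows:
        if r.total >= min_bytes and min(r.bytes_in, r.bytes_out) == 0:
            direction = "out" if r.bytes_out else "in"
            flagged.append((r.side, r.proto, r.port, direction, r.total))
    return flagged


def reconcile(rows):
    """Local-port and remote-port totals describe the same packets, so per
    protocol the two tables should sum to the same number of bytes."""
    sums = {}
    for r in rows:
        sums[(r.proto, r.side)] = sums.get((r.proto, r.side), 0) + r.total
    protos = {p for p, _ in sums}
    return all(sums.get((p, "this"), 0) == sums.get((p, "remote"), 0) for p in protos)


if __name__ == "__main__":
    for name, report in (("2019", REPORT_2019), ("2020", REPORT_2020)):
        rows = parse_port_tables(report)
        print(f"{name}: {len(rows)} rows, tables reconcile: {reconcile(rows)}")
        for side, proto, port, direction, total in flag_one_way(rows):
            print(f"  {side} {proto}/{port}: {total / 2**30:.1f} GiB one-way ({direction})")
```

    Both pastes reconcile exactly, so the volumes are real rather than a counter glitch. The script only says where to look (local UDP 49152 against remote UDP 8200 and 8202); identifying the service behind those ports takes a capture of the actual datagrams, which is the step the thread never reaches.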
  • KevinZE Posts: 22  Junior Member
    Is IP 81.253.237.117 the WAN IP of your modem?
    What is your topology? How do you connect your NAS in your network?