iPhone - iPad | NIGERIA IP ATTACK?

[K49 0]

Hi, I have noticed such multiple blockades from different IP addresses in my network protection registry. I was resetting the router and connecting to the network again and the attacks were still popping up. It wasn't until I started the computer that it disappeared. Can someone explain to me where this could come from? Has anyone tried to hack my computer? I will add that I didn't have any iPhone - iPad on the network.

[Marcos 5,090]

If you are not behind a router with NAT or a properly configured firewall, anyone on the Internet can attempt to attack on your machine. These attempts are subsequently blocked by EIS firewall.

[Nightowl 205]

7 hours ago, K49 said:

Hi, I have noticed such multiple blockades from different IP addresses in my network protection registry. I was resetting the router and connecting to the network again and the attacks were still popping up. It wasn't until I started the computer that it disappeared. Can someone explain to me where this could come from? Has anyone tried to hack my computer? I will add that I didn't have any iPhone - iPad on the network.

Your firewall/router should have a setting of :

Outgoing - ALLOW

Incoming - BLOCK/REJECT

Other than that you will have to keep blocking devices through your ESET and prevent them from trying to connect to your PC.

[K49 0]

Thanks for the answer. I use an LTE router, the firewall is turned on and from what I see it is not possible to enter from the outside. This is Huawei B525 and has NAT in the specification.

[Nightowl 205]

1 minute ago, K49 said:

Thanks for the answer. I use an LTE router, the firewall is turned on and from what I see it is not possible to enter from the outside. This is Huawei B525 and has NAT in the specification.

Try this test : https://www.grc.com/x/ne.dll?bh0bkyd2

Click proceed and then click all service posts , this website will test all common service ports against your router

If the iPhones were able to ping you or whatever they are trying against your PC then your firewall isn't protecting you I am afraid.

[K49 0]

I did this test and it looks fine. Is it possible that this attack is through some locally connected device. I will add that it happened to me on a freshly reinstalled windows system.

 

[Nightowl 205]

It seems your router is on REJECT mode which is why it's showing all as STEALTH which is good

but I wonder what is the remaining port that is still open and these iPhones are trying to connect to

Do you have a port in your ESET window? that is the connections are tried to this port

If it's through your local network then you should see some local IPs , but these coming at you aren't local , they are coming from nigeria

person:         Business Risk Management
address:        Golden Plaza Building, Falomo roundabout, ikoyi

I've tried 3 whois on 3 IPs they all come from Nigeria.

 

If one of your local devices was hacked and is attacking another local device in your network you would have seen the tries are coming from a local device IP and this Nigerian IPs you won't see them , because there would be a process in the iPhones that makes them do that attacks for them

As you are currently having which is BOTs are trying to do specific thing on your PC , maybe add you to the BOT network or whatever the reason was.

 

Edited April 15, 2020 by Nightowl

[Marcos 5,090]

Developers would like you to capture the network traffic with Wireshark when the communication with the above IP addresses occurs. Beforehand please temporarily disable network attack protection (IDS) as well as Botnet protection in the advanced setup.

When done, compress the log and upload it here.

[Nightowl 205]

31 minutes ago, Marcos said:

Developers would like you to capture the network traffic with Wireshark when the communication with the above IP addresses occurs. Beforehand please temporarily disable network attack protection (IDS) as well as Botnet protection in the advanced setup.

When done, compress the log and upload it here.

I believe that the router/firewall isn't closing all the inbound TCP ports. or somekind of an application is leaving a hole for them to come in.

@K49, Do you have any port whitelisted in your router ? or any portforward to your PC?

Do you have any iPhone in your internal network ? , shutting it down or cutting the internet from it can stop the attacks? or doesn't make any difference.

Edited April 15, 2020 by Nightowl

[K49 0]

Yes, I have an iPhone and iPad on the network, but I disconnected them from the network during these attacks. There is no firewall configuration in my LTE router, it is in the standard configuration from T-Mobile. And my computer is currently after a fresh installation of Windows - just now I did it again.

@Marcos I will try to intercept the transmissions in the next situation of this type, however I do not know when it will happen, because at the moment it stopped.

@Nocna sowa  I had a situation that a device with an external IP appeared in my local network, which after checking did not exist, and the device normally used SSDP using the svchost.exe process.

[Nightowl 205]

2 hours ago, K49 said:

Yes, I have an iPhone and iPad on the network, but I disconnected them from the network during these attacks. There is no firewall configuration in my LTE router, it is in the standard configuration from T-Mobile. And my computer is currently after a fresh installation of Windows - just now I did it again.

@Marcos I will try to intercept the transmissions in the next situation of this type, however I do not know when it will happen, because at the moment it stopped.

@Nocna sowa  I had a situation that a device with an external IP appeared in my local network, which after checking did not exist, and the device normally used SSDP using the svchost.exe process.

I believe it's better if you try to go with a better LTE router that has a firewall capabilities but as far as I see with your test your router is rejecting all of these tries , but still remains lot of ports

But the iphone tries is interesting, maybe because it's an LTE connection? , there are other iPhones on the network with you

Or you can buy a router and connect it as DHCP mode to LTE Router and then connect to the internet through your second router and make sure that it has a firewall or if you have an old router with dust over it , maybe you can flash OPENWRT for it and can be back a good router/firewall

In firewall it should be like this

Outgoing - Allow

Incoming - Block or Drop - depending what you want

 

Edited April 15, 2020 by Nightowl

[itman 1,668]

Huawei routers and overall all products associated with the company have numerous security issues and vulnerabilities. Their routers have been banned from sale in a number of countries: https://www.theverge.com/2019/4/30/18523701/huawei-vodafone-italy-security-backdoors-vulnerabilities-routers-core-network-wide-area-local . Since 2007, there are 536 recorded vulnerabilities with their products: https://www.cvedetails.com/vendor/5979/Huawei.html .

[itman 1,668]

My recommendation in regards to Huawei routers is if you must use one; e.g. ISP requires it, is to do the following. Purchase a secure router w/firewall, NAT, and statefull inspection features to handle your local network traffic. Then connect the Huawei router to the purchased router setting the Huawei to bridge mode to the purchased router.

Edited April 15, 2020 by itman

[itman 1,668]

9 hours ago, K49 said:

Yes, I have an iPhone and iPad on the network, but I disconnected them from the network during these attacks.

This has absolutely noting to do with network traffic originating from the router. There are connections for these obviously previously created on the router. Otherwise, no Internet traffic could be routed to them. Assume one or both of these connection setups within the router have been hacked in some fashion allowing the hacker to direct his inbound traffic through them.

As far as the GRC Shield Up test goes and to begin, it only tests ports 0 - 1055 by default. It also only tests unsolicited incoming traffic on those ports. If the router has been internally hacked or has an unpatched/unknown firmware vulnerability, this test is worthless for all practical purposes.

[K49 0]

Hi. Thanks for the answers. The problem stopped and it was related to connecting to the magent link via a torrent network.

However, I am interested in the situation when in my field of blocked addresses, there are still various messages and even from some common websites that I visit. Is this a normal phenomenon?

In each, both the port and the protocol are unknown.

[itman 1,668]

1 hour ago, K49 said:

However, I am interested in the situation when in my field of blocked addresses, there are still various messages and even from some common websites that I visit. Is this a normal phenomenon?

With that many blocked outbound DNS connections, I am surprised you can connect to anything on the Internet. In your Eset firewall settings under Advanced -> Zones, what is present within Trusted zone?

Also have you modified any of Eset's default rules in regards to DNS; i.e. outbound port 53?

 

 

[K49 0]

@itman, thank you for your response. ESET is in standard settings. I only changed the DNS network card to 1.1.1.1

 

[itman 1,668]

4 hours ago, K49 said:

@itman, thank you for your response. ESET is in standard settings. I only changed the DNS network card to 1.1.1.1

This is most likely the problem in regards to the DNS issue.

You should never enter any data into any Zone  settings other than on an exception basis for the Trusted zone when needed, or for any manually created Zones. In regards to data within Eset's DNS Zone, Eset populates that with IP based data generated by network DHCP initialization processing performed at system startup time. DHCP queries first IPv4 and IPv6 DNS server settings present in the IPv4 and IPv6 like settings for your network adapter. If none exist there, DHCP processing will use previously ISP initialized DNS settings from your router; assuming you are using an ISP provided router.

Remove the CloudFlare DNS server settings you manually created in Eset's DNS Zone. Next, properly initialize DNS server settings for Win 10 using one of methods shown in this article: https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10 . Once that is done, reboot your PC for DHCP initialization to complete. At this point, your DNS issues should be resolved.

For future reference, you can't verify that your network settings are properly configured by opening a command prompt window and entering:

ipconfig /all

Shown under DNS server settings should be your ClouldFlare DNS server IPv4 and IPv6, if so configured, IP addresses. Note: most routers contain a built-in DNS server using for example, IP address 192.168.1.254. When no third party DNS servers are configured on the network adapter, this DNS server IP address will be shown on the ipconfig display instead of the actual IPS DNS server addresses configured on the router.

For reference, below are Cloudflare's DNS server IPv4/6 addresses:

• 1.1.1.1 - Primary
• 1.0.0.1 - Alternate
• 2606:4700:4700::1111 - Primary
• 2606:4700:4700::1001 - Alternate

 

Edited April 21, 2020 by itman