Hi SynoFans,
Excuse my ignorance, but I'm a first time poster and new to Synology tech. Not 100% sure where to post this, but thanks for any help in advance. Please move to another thread if not applicable.
RT2600AC / SRM 1.2.3-8017 Update 4
I installed ntop-ng (network monitoring) on a Linux box at home to play around with and discovered some of my IPs talking to an unknown IP address. My IP space is 192.168.x.x and the offending IP was 10.254.2.1. After scanning the IP address with nmap, ports 80 (Apache httpd), 443, and 8080 (reported as http-proxy) as well as SIP ports were open. The OS was reported as Google Android 4.1.1. No MAC address was reported back. Scanning my internal SRM GW interface, the results were similar but lacked all the detail, certs, etc.
I ran a traceroute to 10.254.2.1 and got weird results. Why would the traceroutes go 13 hops one day to IPs in (reported) DC / San Jose, CA, then a single hop the next day, then back again? The IPs are 98.124.174.77 (ae1-300.cr0-pao1.ip4.gtt.net) and 154.24.30.33 (be3573.agr21.sjc01.atlas.cogentco.com). Neither of these IPs is known to me, nor do they map back to Synology.
A Wireshark dump revealed certificate handshakes, but I'm no networking whiz and am having issues figuring out what's going on.
So, it appears that someone popped my router and was possibly rerouting traffic through it.
So, my question is: has anyone else experienced this? Am I scanning a part of SRM that is proxying traffic and tracing connections back to systems and supporting services, or have I been popped?
I am not running any external access (no SSH, etc.) at all, so I'm scratching my head as to how they got in. Password is 50+ chars, complex. Any suggestions welcome.
Thanks.
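The two checks the post is effectively doing by hand (flow records from ntopng that show LAN hosts talking to a private address outside the local subnet, and a traceroute to that private address that passes through public routers) can be scripted. The block below is an added example, not code from the original post or from Synology; it assumes a local prefix of 192.168.1.0/24 and uses constructed flow records and hop lists (the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses). Its premise is that RFC 1918 destinations are not routable on the public Internet, so a path to one that traverses non-RFC 1918 hops is worth a closer look; the script only flags, it does not decide whether anything is compromised.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges. Used instead of ipaddress.is_private(), which also
# treats the documentation ranges (e.g. 203.0.113.0/24) as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (src, dst, dst_port); not taken from the post.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.1", 53),      # LAN host -> gateway DNS, expected
    ("192.168.1.10", "10.254.2.1", 443),      # LAN host -> private, non-local dst
    ("192.168.1.22", "10.254.2.1", 8080),
    ("192.168.1.22", "198.51.100.7", 443),    # constructed public destination
    ("192.168.1.10", "10.254.2.1", 5060),     # SIP
]


def classify(addr, local_prefix):
    """Bucket an address relative to the LAN: local, rfc1918-nonlocal, external."""
    ip = ipaddress.ip_address(addr)
    if ip in local_prefix:
        return "local"
    if any(ip in net for net in RFC1918):
        return "rfc1918-nonlocal"
    return "external"


def triage_flows(flows, local_prefix):
    """Summarise every non-local destination: its class, talking sources, ports.

    Returns {dst: {"class": str, "sources": set, "ports": set}} so a reviewer
    can see at a glance which private-but-foreign addresses the LAN talks to.
    """
    local = ipaddress.ip_network(local_prefix)
    by_dst = defaultdict(lambda: {"class": None, "sources": set(), "ports": set()})
    for src, dst, dport in flows:
        cls = classify(dst, local)
        if cls == "local":
            continue
        entry = by_dst[dst]
        entry["class"] = cls
        entry["sources"].add(src)
        entry["ports"].add(dport)
    return dict(by_dst)


def suspicious_hops(dst, hops):
    """Return hops on the path to an RFC 1918 destination that are not RFC 1918.

    Timed-out hops ('*') are skipped. If dst itself is not RFC 1918 there is
    no expectation about the path, so nothing is flagged.
    """
    dst_ip = ipaddress.ip_address(dst)
    if not any(dst_ip in net for net in RFC1918):
        return []
    flagged = []
    for hop in hops:
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            continue  # '*' or other non-address output from traceroute
        if not any(hop_ip in net for net in RFC1918):
            flagged.append(hop)
    return flagged


if __name__ == "__main__":
    for dst, info in sorted(triage_flows(SAMPLE_FLOWS, "192.168.1.0/24").items()):
        print(f"{dst:16} {info['class']:18} sources={sorted(info['sources'])} "
              f"ports={sorted(info['ports'])}")
    # Constructed hop list: a gateway, two public transit hops, then the target.
    path = ["192.168.1.1", "*", "198.51.100.1", "203.0.113.9", "10.254.2.1"]
    print("non-RFC1918 hops to 10.254.2.1:", suspicious_hops("10.254.2.1", path))
```

Feed `triage_flows` real ntopng flow exports (one tuple per flow) and `suspicious_hops` the hop list from each day's traceroute; a destination that shows up as `rfc1918-nonlocal` on several ports from several sources, combined with a path that changes between "all private" and "through public transit", is the pattern the post describes and the point at which to pull the router's routing table and NAT rules rather than keep guessing from the LAN side.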