November 20, 20169 yr Was having issue with plex not playing so gone into //tower/ and saw the following message in FCP Possible Hack Attempt on Nov 16 On Nov 16 there were 30 invalid login attempts. This could either be yourself attempting to login to your server (SSH / Telnet) with the wrong user or password, or you could be actively be the victim of hack attacks. A common cause of this would be placing your server within your router's DMZ, or improperly forwarding ports. This is a major issue and needs to be addressed IMMEDIATELY NOTE: Because this check is done against the logged entries in the syslog, the only way to clear it is to either increase the number of allowed invalid logins per day (if determined that it is not a hack attempt) or to reset your server. It is not recommended under any circumstance to ignore this error I know for a fact I havent been trying to access my machine using telnet/ssh and only ports open are for plex on my router. Currently running 6.2.4. I have attached diagnostics. Should I be worried? tower-diagnostics-20161120-1558.zip
November 20, 20169 yr The invalid logins are coming from your local subnet at 192.168.1.218. What device has that IP? Is in your DHCP pool? If it is not one of your devices, it may be someone nearby connecting to your wireless AP.
November 20, 20169 yr Author I have just noticed the same, 192.168.1.218 seems to be assigned my new phone looking at the router logs Samsung-Galaxy-S7 192.168.1.218 MAC REMOVED 0:13:37 So panic over I suppose but I didnt try access unraid as far as I can remember and dont have any telnet tools installed...
November 20, 20169 yr I do not know about your level of knowledge about this, but fastest way to find out what device is on that ip is to login to your router and to check it there. Even if the device is disconected now, it will display the device name it had while it was connected. That is, if your router does not miss on common functions, and the ip address has not been used for another device in between. The high number of 218 in the end suggests (on some routers) that this is a requested/static ip as normaly routers give out ip addresses up to about 200 themselves and let the upper end free for static ips. My router for instance gives out the addresses 20-200 automatically, yet this may differ. Most likely scenarios are, some of your devices tried to connect with wrong authentication. There might be some automatism involved to this. Someone else is inside your local network, either using one of your devices, or has a real device conected to your network. In both cases you want to know what device has that address. As to your update: It is quite possible that someone knows the ip of your phone, and tried to get that ip from your router, then if you conect your phone again, the router will update the entry of that adress back to your phone.
November 22, 20169 yr Your phone may be hacked. That is definitely not acceptable behavior from a phone. Do you have any network utilities or monitoring tools installed on the phone?
November 22, 20169 yr With which login information did the device on the IP try to log in? This could be huge, i have never heard about a malware that uses a smartphone to log in to random linux servers on the local network. This is very scary and should definitely be investigated. Please unplug your sim and don't connect to any WLAN network. I am sure there are people here with experience with Android who can help you find out what the malware is doing and maybe even where it came from. When do DHCP addresses expire on your DHCP server (probably router)? It could be possible that another device used this IP before your Samsung Galaxy smartphone.
November 23, 20169 yr Just a random thought. No curious teenagers in thr household? Trying to think about other possible ways this could have occurred? Sent from my LG-H815 using Tapatalk
Archived
This topic is now archived and is closed to further replies.