Client connect - What is this?

John - AI4FR · December 2019

About 30 minutes after SSDR 317 was up and running I had an odd experience. See picture below. This IP address attempted to connect to SSDR about 30 or 40 times. I do not recognize it but a net search revealed it is from BlueOcean LLC from India. Any ideas?

Flex 6700
SSDR 317
Windows 7
4 instance of wsjt
4 instances of jtalert
Flex control
HF Auto software
DDUTIL

Image httpsd2r1vs3d9006apcloudfrontnets3_images1819393RackMultipart20191231-2985-afb9tl-Hacker_inlinejpg1577804404

David · December 2019

I recommend you change your SmartLink password.

Erika - KØDD · December 2019

Well yeah John, people out there smurfing the net are looking for ports to hack their way into. In this case looks like a station from India on that internet provider made an attempt to play radio. They need a user name and password though, and your radio must not necessarily be OPEN... OR IS IT? Erika DD

John - AI4FR · December 2019

Thanks David and Erika. I've never really used Smartlink and doubt that I could remember my password. As far as I know the radio is not open. Is there such a setting in SSDR or Smartlink? Time for me to pull out the manual.

David · December 2019

It has been a while since I have mine set to auto-reconnect. I think if you disconnect from the radio (from menu line: Setting - Chose Radio - SmartLink Setup) you will find an option to change the password and other account options.

Erika - KØDD · December 2019

My smartlink setup which I am not currently using uses my "GOOGLIE" Username and password... I am just local with this one anyway,

Not that a VU2 ham is a bad guy or anything but trying to hack a radio IS being a bad guy. IT's so EZ to download various versions of the SSDR software right off the website, and ANYBODY could connect... It's just that they can't get past the Username ETC... FUNNY, apparently neither can you?

John - AI4FR · December 2019

Thanks David and I was just playing with that. I have unregistered the radio from smartlink. I'll leave it this way for a while or until I need it.

Erika - KØDD · December 2019

It's nice to know the next time you're in India John, you'll be able to use your radio... That is after resetting things. giggle

Max · December 2019

Same happened to me 2hrs ago but different ip

John - AI4FR · December 2019

LOL, very true Erika!! Gosh is it ever good to know that it works in India. As far as we know the hacker is following this post.

Yes, I still have the vette. It sits in the garage which is right next to the shack. I've wanted one since before I was of age to drive. Many decades later, with an empty nest, we saved our pennies and finally got one. Thanks for asking.

I created a page about it here:
http://ai4fr.com/main/page_1965_corvette_1965_corvette.html

KC7ES · December 2019

Just turned up SSDR and seeing this IP trying to connect, over and over :45.56.126.141
Looks like the SIP bots we get at our broadcast plant before the devices permitted blacklisting. Any chance Flex needs to get involved. This only just started today (12/31/19) for me.

Ha Gei · December 2019

John,
If you never used smartlink, i wonder why there would be any port open from outside to inside of your network at all. You should have that checked , this would offend a security flaw. Our flex opens his ports when switched on through the router via UPNP . Then , well if there is an occasional portscan against your public IP, SSDR will see this as a connection attempt and hopefully just not understand what the guy wants.
As far as i understood the smartlink IP channel is only build up between SSDR and the Flex Box when the credentials are correct.

John - AI4FR · December 2019

Thanks Erika, I did log out of SmartLink and was able to log back in on the third try due to guessing at what password I used. I do not log in with Google or Facebook. For now I will run it unregistered since I do not use SmartLink.

John - AI4FR · December 2019

Ha Gei thanks for your thoughts. I had it turned on the help others and or to test it but never turned it off.

It appears that several Flex users are seeing this IP attack today. Scary.

Tim Blank · December 2019

Same thing happened to me also, I am beginning to thing the flex licensing server dB was hacked? How else could such a large number of people see this same behavior?

Erika - KØDD · December 2019

Just flippen wonderful... If so maybe they'll put that on a list of things to fix some day?

K5CG · December 2019

This kind of thing is going to happen when your network becomes more complex and you don't reinforce your front door. Consumer grade Internet routers are not adequate.

Chris DL5NAM · December 2019

... and if you use your Google or Facebook account login for other software login = open your door for the world and invite them to come !

Chris

Erika - KØDD · December 2019

I would never have UPNP setup... I'd get the correct port numbers from FLEX and manually set them up. When I had UPNP turned on every hacker in on the planet walked right in my front door. I needed to find out from the defaults on my router what loopholes existed.

I LOCKED it down tight. I also changed the time server. It was using the European Netgear default one and all of Europe was monitoring!!!!! Wowsers...

I then set ONLY MAC address filtering and DHCP has reservations and only those and no new ones can connect.

That keep the front door locked down, but if they find individual ports... Well that could be another thing.

My attacks went from 25 different IPs to maybe one a week or so.

Close your doors and lock them. also close the ability to log in to your router remotely. This is why I didn't use the router from the Provider and bought my own.

Erika DD

Erika - KØDD · December 2019

Oh Chris, all of my googlie accounts have 15 character randomly generated passwords. each one is a different ONE... I'd never have anything important on less than 15 characters and they're weird ones... I can barely type them twice when I have to !

Chris DL5NAM · December 2019

Erika, i believe you but you count to the 0.1% they do it right . Most used password of the is ?

PASSWORD

Erika - KØDD · December 2019

and their USER NAME is USERNAME... Dummies Yeah I found a site on the net with a random password generator and had the thing **** out 80 of them for me. I only mark the pages with a used when i actually use them and there's no X-reference. I usually add an additional character to some too. HOWEVER if somebody got into my file cabinet and pulled my master password list out... YOUWSERS... Even my husband doesn't know ehere that thing is at at and if he did probably couldn't type one in correct. HAHAHAHA. Yes I have all his passwords and got rid of his 5 and 6 character ones, hahahaha. I hate computers... sigh

Wayne Schonfeld · December 2019

I have seen this message when my network was unstable. I think if you check the IP address , it will be the IP address of the device you were using for smart SDR-like your PC. I have seen this occur when part of your network is hard wired and some wireless. The network sometimes fails to "talk" with itself and generates this on Smart SDR. I doubt it's a hacker.

I am no "elmer" but have been using by 6700 for over 5 years and have seen this in the past on many ocassions.

John - AI4FR · December 2019

On this end everything is hardwired. Radio to router and computer to router. Been running this way for about 2 years now and today was the first time I have ever seen this issue.

Erika - KØDD · December 2019

me 2 time to look at the router logs

Erika - KØDD · December 2019

Only thing I've been seeing is accessing from various ports to the ECHOLINK port...

[LAN access from remote] from 185.156.73.52:57710 to 192.168.1.11:5200, Tuesday, Dec 31,2019 06:08:56

That's happening about once a week and NOT when I get on with the YLRL ladies.

I'm getting an occasional IP Spoof here also.. Somebody is trying to get in with a "DOT 5" IP address. HAHAHAHA yeah buddy I only accept MAC addresses.

This 185 guy is a a KNOWN and reported hacker. Nice.

Ha Gei · January 2020

Her, UPNP is the best solution :

My Router will ONLY let the Flex and 2 other machines from inside use UPNP at all and never ever expose UPNP to the outside. I trust the handbook and the proposals of AVM who make my fritzbox router.

I have not seen the attack here myself, but was online just a while last day. I will monitor this today.

What scares me : Why does no one from flex comment here at all ??

K5CG · January 2020

"Why does no one from flex comment here at all ??"

Because it's not a problem with the radio.

Bill -VA3WTB · January 2020

Flex employees could chime in to explain what we are seeing here.
It is nothing new, I have seen this for a long time time. I was under the impression that DAX and CAT both have an IP address. When my radio starts I always see 3 IP addresses pop up. I thought I am seeing DAX IP CAT IP and the radio IP. I may be wrong about this.

John - AI4FR · January 2020

Bill what you are seeing is normal. We all see that. We are also familiar with the IP addresses. What happened here is a NEW IP address attempting to connect over and over again, 30 or 40 times for nearly a minute.

Bill -VA3WTB · January 2020

John, it sounds like your very concerned, perhaps you should start a help desk ticket to find out what it is.

Client connect - What is this?

Answers

Leave a Comment

Categories