Topic: Internet access

d323bkpuser

Internet access
« on: December 04, 2012, 11:44:32 AM »

Hi all,
does anyone know why DNS-323 (firmware 1.10) is trying to connect to the following addresses:
205.171.76.135:8245
61.67.210.241:8245
168.158.8.115:80

I use this box for backup only and don't have any service enabled (no UPnP, no iTunes, no DHCP, no LLTD and not even NTP). I see no reason to connect outside my local network but it still does. I disabled internet access in my router (DIR-655) and it reports the following:
Internet access port filter dropped packet from 192.168.0.X:2261[DN:S3:23:AD:DR] to 168.158.8.115:80 (protocol 6)
Internet access port filter dropped packet from 192.168.0.X:2364[DN:S3:23:AD:DR] to 61.67.210.241:8245 (protocol 6)
Internet access port filter dropped packet from 192.168.0.X:2078[DN:S3:23:AD:DR] to 205.171.76.135:8245 (protocol 6)

Thanks,
d323bkpuser

FurryNutz

Re: Internet access
« Reply #1 on: December 04, 2012, 11:57:37 AM »

Domain Tools is reporting that the 1st IP address belongs to DLink, the 2nd address belongs to some Taiwan Taipei Koos Broadband Telecom Co. Ltd in Taiwan and the 3rd belongs to Sprint.

Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

d323bkpuser

Re: Internet access
« Reply #2 on: December 04, 2012, 12:03:32 PM »

None of them makes sense. DLink on port 8245? At first I thought NTP was to blame, but that's on port 123 and, as I said, it is disabled. Why would it try to connect to all these addresses / ports?

FurryNutz

Re: Internet access
« Reply #3 on: December 04, 2012, 12:39:36 PM »

Not sure if there are any services on the DNS that need this or not. I would contact DLink support by phone, level 2 and higher, and inquire about this.

Have you tried blocking these addresses on your host router and what are the results, if any?

Let us know what they say.

d323bkpuser

Re: Internet access
« Reply #4 on: December 04, 2012, 12:52:41 PM »

Yes, I blocked all access to outside from DNS-323 MAC address. I posted what DIR-655 reports in my initial post. Here they are again:

Code:
[INFO] Tue Dec 04 13:29:18 2012 Dropped packet from 192.168.0.X to 168.158.8.115 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:29:18 2012 Internet access port filter dropped packet from 192.168.0.X:2261[DN:S3:23:AD:DR] to 168.158.8.115:80 (protocol 6)
....
[INFO] Tue Dec 04 13:28:14 2012 Dropped packet from 192.168.0.X to 61.67.210.241 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:28:14 2012 Internet access port filter dropped packet from 192.168.0.X:2364 [DN:S3:23:AD:DR] to 61.67.210.241:8245 (protocol 6)
....
[INFO] Tue Dec 04 13:28:14 2012 Dropped packet from 192.168.0.X to 205.171.76.135 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:28:14 2012 Internet access port filter dropped packet from 192.168.0.X:2078 [DN:S3:23:AD:DR] to 205.171.76.135:8245 (protocol 6)

While running for a few hours, the messages showed up only when I rebooted the DNS-323. It looks like it is trying to connect only at startup.
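Added example, not part of the posts above: one way to turn the router's filter log into a per-device summary of blocked destinations, and to check whether the drops cluster in one short window, as the reboot observation suggests. The line layout is inferred from the quoted samples only; the function name and the 120-second burst threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the post above (source IP and MAC were already masked
# by the poster). The line layout is inferred from these samples only.
SAMPLE_LOG = """\
[INFO] Tue Dec 04 13:29:18 2012 Dropped packet from 192.168.0.X to 168.158.8.115 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:29:18 2012 Internet access port filter dropped packet from 192.168.0.X:2261[DN:S3:23:AD:DR] to 168.158.8.115:80 (protocol 6)
[INFO] Tue Dec 04 13:28:14 2012 Dropped packet from 192.168.0.X to 61.67.210.241 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:28:14 2012 Internet access port filter dropped packet from 192.168.0.X:2364 [DN:S3:23:AD:DR] to 61.67.210.241:8245 (protocol 6)
[INFO] Tue Dec 04 13:28:14 2012 Dropped packet from 192.168.0.X to 205.171.76.135 (IP protocol 6) as unable to create new session
[INFO] Tue Dec 04 13:28:14 2012 Internet access port filter dropped packet from 192.168.0.X:2078 [DN:S3:23:AD:DR] to 205.171.76.135:8245 (protocol 6)
"""

FILTER_RE = re.compile(
    r"\[INFO\] (?P<ts>\w{3} \w{3} \d{2} [\d:]{8} \d{4}) "
    r"Internet access port filter dropped packet from "
    r"(?P<src>\S+?):(?P<sport>\d+)\s*\[(?P<mac>[^\]]+)\] to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \(protocol (?P<proto>\d+)\)"
)

def summarize(log_text, burst_seconds=120):
    """Per device (MAC): blocked destinations with counts, and whether all
    drops fall inside one short window (consistent with boot-time traffic)."""
    seen = {}
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue  # "unable to create new session" lines carry no port
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        dev = seen.setdefault(m["mac"], {"dests": Counter(), "times": []})
        dev["dests"][(m["dst"], int(m["dport"]), int(m["proto"]))] += 1
        dev["times"].append(ts)
    report = {}
    for mac, dev in seen.items():
        span = (max(dev["times"]) - min(dev["times"])).total_seconds()
        report[mac] = {
            "destinations": sorted(dev["dests"].items()),
            "span_seconds": span,
            "single_burst": span <= burst_seconds,
        }
    return report

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
```

On the quoted lines, all three blocked TCP destinations fall within 64 seconds of each other, which fits traffic generated once at boot rather than a periodic beacon.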

d323bkpuser

Re: Internet access
« Reply #5 on: December 05, 2012, 10:19:51 AM »

Hi,
after I waited for a while to get hold of tech support, I gave up and did some investigation on my own. It looks like the "getexip" module tries to connect to all these sites. I have very basic Linux knowledge so I can't tell you a lot. PS yields these results after reboot:
Code:
 1453 root       664 S    getexip
 1454 root       784 S    sh -c wget http://checkip.dyndns.com:8245/ -T 3 -q -O /tmp/wgetpage.txt
 1458 root       716 S    wget http://checkip.dyndns.com:8245/ -T 3 -q -O /tmp/wgetpage.txt
and later
Code:
....
 1486 root      8856 S    /web/webs
 1507 root       700 S    check_daemon
 1524 root       796 S    crond
 1527 root       496 S    atd
 1576 root      5096 S    smbd -D
 1633 root       664 S    getexip
 1636 root       784 S    sh -c wget http://www.swlink.net/~styma/REMOTE_ADDR.shtml -T 3 -q -O /tmp/wgetpage.txt
 1637 root       720 S    wget http://www.swlink.net/~styma/REMOTE_ADDR.shtml -T 3 -q -O /tmp/wgetpage.txt
....
Well, as I said, Linux knowledge = 0, but I looked into getexip with a text editor and these commands are hardcoded in there @ offset E9C.
The first URL returns the public IP address, but the second one is just dead.
Looking at the second URL, I wonder if the box was hacked or if it is just bad DLink code.
I wonder if someone else can confirm that their box behaves the same; that way I can have a bit of peace of mind.

Cheers

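Added example, not part of the post above: a repeatable version of the "open it in a text editor" check, which lists every URL embedded in a binary together with its byte offset, host and port so the result can be compared with firewall logs. The function names are assumptions, and the sample bytes are a constructed stand-in built around the two command strings from the ps output, not the real getexip binary.

```python
import re
from urllib.parse import urlsplit

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")   # similar to `strings -n 6`
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def embedded_urls(blob):
    """Return [(offset, host, port, containing_string)] for every URL found
    inside printable-ASCII runs of a binary image."""
    hits = []
    for run in PRINTABLE_RUN.finditer(blob):
        text = run.group().decode("ascii")
        for u in URL_RE.finditer(text):
            parts = urlsplit(u.group())
            # No explicit port means the scheme default applies.
            port = parts.port or (443 if parts.scheme == "https" else 80)
            hits.append((run.start() + u.start(), parts.hostname, port, text))
    return hits

def scan_file(path):
    """Run the same scan over a file copied off the device."""
    with open(path, "rb") as fh:
        return embedded_urls(fh.read())

# Constructed stand-in for a firmware binary: filler bytes around the two
# command strings shown in the ps output above. Offsets here are not the
# offsets in the real file.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 28
    + b"wget http://checkip.dyndns.com:8245/ -T 3 -q -O /tmp/wgetpage.txt\x00"
    + b"\x01\x02\x03"
    + b"wget http://www.swlink.net/~styma/REMOTE_ADDR.shtml -T 3 -q -O /tmp/wgetpage.txt\x00"
)

if __name__ == "__main__":
    for offset, host, port, context in embedded_urls(SAMPLE_BLOB):
        print(f"0x{offset:X}  {host}:{port}  <- {context!r}")
```

The ports recovered from the two strings (8245 and 80) are the same destination ports that appear in the router's dropped-packet log earlier in the thread.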

dosborne

Re: Internet access
« Reply #6 on: December 06, 2012, 04:59:51 PM »

Sounds like GetExIp is simply a utility that looks up the external IP address by connecting to a "known" server and gets the IP address returned.
3 x DNS-323 with 2 x 2TB WD Drives each for a total of 12 TB Storage and Backup. Running DLink Firmware v1.08 and Fonz Fun Plug (FFP) v0.5 for improved software support.

d323bkpuser

Re: Internet access
« Reply #7 on: December 06, 2012, 05:39:47 PM »

More so.
1) Why would the DNS like to know the external IP address? Unless it uses dyndns, which in my case is disabled, or wants to open ports behind my back on a UPnP router.
2) Why would it be hardcoded with a "well unknown" website (http://www.swlink.net/~styma/REMOTE_ADDR.shtml) which looks more like an old-days personal page URL of a guy named S. Tyma???
3) Is the GetExIp utility the creation of DLink or is it a public contribution (sort of open source)?

Anyhow, to be on the safe side I will keep the router blocking all outgoing requests from dns. It works well for me so far and if I don't reboot it I don't even notice its attempts to connect.

Thanks.

ivan

Re: Internet access
« Reply #8 on: December 07, 2012, 02:44:09 AM »

Does your unit have Fun_Plug installed? If so, can you just delete the offending utility, which might solve your problems?

d323bkpuser

Re: Internet access
« Reply #9 on: December 16, 2012, 10:35:30 AM »

Hi Ivan,
I do have telnet access on the unit. As I previously said, I'm not very knowledgeable about Linux, but I did a find / -name getexip and found the "utility" in 2 places:
a) /sys/crfs/sbin/getexip
b) /usr/sbin/getexip
I did a rm but the first one cannot be deleted - "rm: cannot remove '/sys/crfs/sbin/getexip': Read-only file system". Not quite sure what it means, but after rebooting the unit the "utility" is back in both locations and there is no change in behavior.