Skip to main content

Jieming's Router Anomaly

Last night, while randomly watching my router's activities, I found out that it has an active connection to some IP address owned by Amazon and hosted in New York. While trying to do curl request to the server's port 80, it returned a website and when I opened it in browser I was quite surprised because it is a ASUS router's web interface (ASUS RT-AC5300). So I figured that IP address is a router. The weird thing is that I was able to login automatically without being prompted with username and password. And also I am able to see everything, including the local devices connected to the router and administration settings. I tried changing something but it doesn't seem to persist the configuration change. So I took a look at the site's client scripts and it's kind of weird. By the look of the Javascript code, the apply button will never work at all. It looks like it was deliberately done.

I tried looking deeper and see which of  my processes  are connecting to this server and it say's com.apple. It means some native Mac OS process, behind my back, is connecting to this server in New York for a reason I don't know.


I went back to the router's web interface, checkout the client list. There are 2 connected devices to this router listed.


I tried to enable SSH on the router so that I could tunnel to the devices with no success because the changes doesn't get persisted. I spent few hours trying to know more about this router and why is it publicly opened. I setup a Wireshark listener to listen to the wire and look at the packets being sent and received to this router and I left it running overnight. Then I slept at 5:00 AM.

The morning after, the first thing I did was to check the Wireshark trace and was disappointed to not find any entry. When I scanned my active connections again, it seemed that the IP address is no longer there in the list of active connections. But I am seeing new ones and again check them in browser. I was suprised that for another IP address, I was getting exactly the same web interface of an ASUS router. The IP address is also geo-located in New York and owned by Amazon.


When I check the client list (the devices connected to the router), I got exactly the same devices with exactly the same MAC addresses. I realized this must be the same router. But the problem is that when I did a reverse DNS and a trace of the 2 IP addresses, they do not agree. The DNS server is saying that those 2 IP addresses does not belong to the same server. The trace is also being routed differently between the 2 IP addresses. It got me scratching my head for a while.

I stopped for a while, brewed some coffee and spent few minutes over a coffee recalling what i have done so far to investigate. I am running out of options so I went to google. Guess what I searched for? I searched "Jieming-PC" hoping to find some guys also having the same problem with whoever this Jieming is. The first 2 results was from a domain "demoui.asus.com". So all this time, I was looking at a demo UI of ASUS routers. Whew! That explains why they look the same, with the same clients. That is just one problem solved because I still don't know why a Mac OS (com.apple) would connect to a demo UI of an ASUS Router somewhere in New York.

I suspected that maybe because I am opening the my Router administration page and that this page is trying to connect to that server. I investigated further by looking at the source code of the ASUS router admin page and finally I confirmed that the page is connecting to that remote IP address to check for Firmware upgrade. I still have one little problem why did the lsof command say that it was "com.apple" who is connecting to that IP and why not "Firefox" (I am using firefox) ?  I did a little and found the exact apple library responsible for the connection. It was apple's WebKit which is obviously used by Firefox.



What Really Happened?

What really happened was that when I opened up my router administration page, the first thing it did was to check if there are new version of Firmware available. I updated the firmware. It connected to www.asus.com and downloaded and installed the firmware. The router rebooted. I had to re-open the router administration page. Again it checked for available firmware versions through www.asus.com. Because of load-balancing it got forwarded to some another server (another IP address). This explains why it connected to 2 different IPs. It also turned out that the server used for firmware upgrades are the same server hosting the Demo UI.

Whew!!! Now everything is solved. I can now sleep well knowing that my home network is safe and Jieming is not a Chinese hacker. One lesson I learned and that is I should stop being paranoid.

But anyways, it was a good exercise. I haven't done this kind of things for a long time and now I felt like I'm Sherlock! :D :D

Comments

Popular

DIY Airsoft Chrono [PC-based]

Chrono or Chronograph, the term used by Airsofter and Paintball players to refer to the device that measures the muzzle velocity of firearms. This is also called MVMD, short for Muzzle Velocity Measuring Device by the British Army. Muzzle Velocity is the velocity of the bullet as it exits the barrel of the firearm.

A year ago I was an active Airsofter in Iligan who's more interested in modifying and improvising AEGs (Automatic Electric Gun) rather than playing airsoft. I have made my AEG susceptible to high current burns by using locally available MOSFETs. I have improved velocity by replacing cylinder gaskets and spring. I have increased the rounds per minute by altering the armature windings of the drive motor. And most of all, I have made my own cheap alternative PC-based Chrono.

I have posted an artivle before that details the development of my chrono but unfortunately the online forum was hacked/deleted by webmaster of proboards.com due to some violation in the contents. So, …

Disable PrintScreen on C# without Keyboard Hooks

Yes, there is a simple solution to prevent grabbing information on your C# application screen with the keyboard's printscreen key without using keyboard hooks or calling COM interops. The solution makes use of Windows Forms Message Filter to trap keyboard events on your application window.

To trap keyboard events with Windows Message Filter, you need to implement the IMessageFilter interface and override the member PreFilterMessage(ref Message WM) method. This is the method called whenever a Form receives a keyboard or mouse event. You may want to read more about IMessageFilter.

The problem is that even though you have trapped the PrintScreen keypress event, the captured image will still persist to the clipboard. Therefore the simplest solution is to clear up the clipboard right after the PrintScreen is pressed on the keyboard.

This is how the overridden method will look like this:

publicbool PreFilterMessage(refMessage WM)
{
Keys kCode = (Keys)…

DIY Mic Shock Mount

For the past couple of weeks I was looking for a cheap microphone shock mount and the cheapest I saw that was available in my country was around US$160 so I decided to build a cheap one. I only spent less than $6 and a 2 hours of my not very precious time.Before I left office today, bought materials and tools to for my DIY shock mount which are a piece of 4”-diameter PVC pipe coupling ($0.50), a set of hair ties($0.40), set of stove bolts ($0.50), a set of coping saw frame and blades ($2.5).First, I decided to cut the PVC coupling so it would look like Rode SM3 shock mount’s frame.Then I used the section of the PVC coupling that was removed to be a attachment brace to the original mic holders base and bolted it to the base of the frame. I had to heat that part so could bend it to a desired angle.And then cut slots on the edges for the rubber suspensions (hair ties). Right after positioning the suspensions, i found a problem. The rubber bands slip every time i attempted to position the…