Sunday, August 13, 2017

Jieming's Router Anomaly

Last night, while randomly watching my router's activities, I found out that it has an active connection to some IP address owned by Amazon and hosted in New York. While trying to do a curl request to the server's port 80, it returned a website, and when I opened it in a browser I was quite surprised because it is an ASUS router's web interface (ASUS RT-AC5300). The weird thing is that I was able to log in automatically without being prompted for a username and password. And also I am able to see everything, including the local devices connected to the router and administration settings. I tried changing something but it doesn't seem to persist the configuration change. So I took a look at the site's client scripts and it's kind of weird. By the look of the JavaScript code, the apply button will never work at all. It looks like it was deliberately done.

I tried digging deeper to see which of my processes are connecting to this server and it says It means some native Mac OS process, behind my back, is connecting to this server in New York for a reason I don't know.

I went back to the remote router's web interface and checked out the client list. There are 2 devices listed as connected to this router.

I tried to enable SSH on the router so that I could tunnel to the devices, with no success because the changes don't get persisted. I spent a few hours trying to learn more about this router and why it is publicly open. I set up a Wireshark listener to listen on the wire and look at the packets being sent to and received from this router, and I left it running overnight. Then I slept at 5:00 AM.

The morning after, the first thing I did was to check the Wireshark trace and I was disappointed not to find any entry. When I scanned my active connections again, it seemed that the IP address was no longer there in the list of active connections. But I was seeing new ones and again checked them in the browser. I was surprised that for another IP address, I was getting exactly the same web interface of an ASUS router. The IP address is also geo-located in New York and owned by Amazon.

When I checked the client list (the devices connected to the router), I got exactly the same devices with exactly the same MAC addresses. I realized this must be the same router. But the problem is that when I did a reverse DNS lookup and a trace of the 2 IP addresses, they do not agree. The DNS server is saying that those 2 IP addresses do not belong to the same server. The trace is also being routed differently between the 2 IP addresses. It got me scratching my head for a while.

I stopped for a while, brewed some coffee and spent a few minutes over a coffee recalling what I have done so far to investigate. I was running out of options so I went to Google. Guess what I searched for? I searched "Jieming-PC" hoping to find some guys also having the same problem with whoever this Jieming is. The first 2 results were from a domain "". So all this time, I was looking at a demo UI of ASUS routers. Whew! That explains why they look the same, with the same clients. That is just one problem solved because I still don't know why a Mac OS ( would connect to a demo UI of an ASUS router somewhere in New York.

I suspected that maybe because I was opening my router administration page, this page was trying to connect to that server. I investigated further by looking at the source code of the ASUS router admin page and finally I confirmed that the page is connecting to that remote IP address to check for firmware upgrades. I still had one little problem: why did the lsof command say that it was "" who was connecting to that IP and why not "Firefox" (I am using Firefox)? I did a little and found the exact Apple library responsible for the connection. It was Apple's WebKit which is obviously used by Firefox.
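The check the post describes with lsof (which process owns the connection to a suspicious remote IP, and which remote IPs are new since the last look) can be done over saved snapshots. The following is an added example, not code from the post; the two `lsof -i -nP` snapshots, the process name `helperd`, the PIDs and the 203.0.113.0/24 addresses are all constructed for illustration.

```python
import re

# Constructed sample of `lsof -i -nP` output; process names, PIDs and
# addresses are made up for this example (203.0.113.0/24 is documentation space).
SNAPSHOT_NIGHT = """\
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
firefox  4231  jim  45u IPv4 0x1a2b      0t0  TCP 192.168.1.20:52110->192.168.1.1:80 (ESTABLISHED)
helperd  4302  jim  12u IPv4 0x1a2c      0t0  TCP 192.168.1.20:52120->203.0.113.45:80 (ESTABLISHED)
helperd  4302  jim  13u IPv4 0x1a2d      0t0  TCP 192.168.1.20:52121->203.0.113.45:443 (ESTABLISHED)
sshd     1201  root  3u IPv4 0x1a2f      0t0  TCP *:22 (LISTEN)
"""
SNAPSHOT_MORNING = """\
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
firefox  4231  jim  45u IPv4 0x1a2b      0t0  TCP 192.168.1.20:52110->192.168.1.1:80 (ESTABLISHED)
helperd  4302  jim  14u IPv4 0x1a30      0t0  TCP 192.168.1.20:52130->203.0.113.99:443 (ESTABLISHED)
"""

# One lsof row: command, pid, user, fd, type, device, size, node, name [, (state)]
ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?"
)

def parse_lsof(text):
    """Return one dict per established TCP connection that has a remote endpoint."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group("state") != "ESTABLISHED" or "->" not in m.group("name"):
            continue  # header, listeners and UDP sockets are skipped
        local, remote = m.group("name").split("->", 1)
        rip, rport = remote.rsplit(":", 1)  # port follows the last colon, also for [v6]
        conns.append({"cmd": m.group("cmd"), "pid": int(m.group("pid")),
                      "local": local, "remote_ip": rip, "remote_port": int(rport)})
    return conns

def who_talks_to(text, ip):
    """(command, pid, remote port) for every established connection to ip."""
    return [(c["cmd"], c["pid"], c["remote_port"])
            for c in parse_lsof(text) if c["remote_ip"] == ip]

def new_remote_ips(old_text, new_text):
    """Remote IPs present in the new snapshot but absent from the old one."""
    old = {c["remote_ip"] for c in parse_lsof(old_text)}
    return {c["remote_ip"] for c in parse_lsof(new_text)} - old

if __name__ == "__main__":
    print(who_talks_to(SNAPSHOT_NIGHT, "203.0.113.45"))
    print(new_remote_ips(SNAPSHOT_NIGHT, SNAPSHOT_MORNING))
```

On a live system, feed the functions the output of `lsof -i -nP` captured at two points in time instead of the constructed strings.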

What Really Happened?

What really happened was that when I opened up my router administration page, the first thing it did was to check if there was a new version of firmware available. I updated the firmware. It connected to and downloaded and installed the firmware. The router rebooted. I had to re-open the router administration page. Again it checked for available firmware versions through Because of load-balancing it got forwarded to some other server (another IP address). This explains why it connected to 2 different IPs. It also turned out that the server used for firmware upgrades is the same server hosting the demo UI.

Whew!!! Now everything is solved. I can now sleep well knowing that my home network is safe and Jieming is not a Chinese hacker. One lesson I learned and that is I should stop being paranoid.

But anyways, it was a good exercise. I haven't done this kind of thing for a long time and now I feel like I'm Sherlock! :D :D
