Rustdesk worries

I've spent quite a bit of time with tcpdump and wireshark (tshark on FreeBSD) looking at the traffic related to the rustdesk-server and its Windows clients. Today I noticed some interesting things.

My setup: latest quarterly version of rustdesk-server. Latest Windows versions of the rustdesk clients. Rustdesk-server running in a jail. FreeBSD 14.3p2.

My intention: self-hosting the rustdesk-server.

When the rustdesk-server is first started it sends a DNS query for the A and AAAA records of 'api.rustdesk.com'. Those queries return 49.12.46.241 and 2a01:4f8:c012:2e59::1. When each rustdesk client is activated it sends a SYN packet to 49.12.46.241.443 and 49.12.46.241.80 for reasons unknown but I think pretty obviously to capture the IP address on this end.

Thereafter, even when the rustdesk server and clients are not active, incoming email server connection attempts are made every 35 seconds around the clock from 196.251.92.51.

I've blocked all the IP addresses above from all inbound and outbound connection attempts and the rustdesk-server and clients still work on the local LAN (haven't been able to get it to work in self-hosting mode outside the LAN).

Comments?
 
Any evidence that those are related?
I'd guess those connection attempts to port 25/smtp (or what exactly are you referring to by "email server connection"?) are just common noise...
 
It is possible that they aren't related so my evidence may be poor. But there is something about the port 25 probing from that specific IP that isn't normal. The connection attempt at the mail server level doesn't actually try to send any mail. It simply connects to the mail server and sends an empty command.

What puzzled me is that the "common noise" port 25 connection attempts look like they are coming from real smtp servers and go through the connection dance, are IDed as trash and dumped. But this single IP address does not try to do the dance and is the most persistent in trying to connect. When the initial SYN is dropped on my end, it tries 'retransmission' 3-4 times right away, then pauses and starts the process over again. That is unusual and didn't start until I began playing around with rustdesk-server.

It makes me suspicious about the ultimate intentions of the rustdesk devs.
 
It is possible that they aren't related so my evidence may be poor. But there is something about the port 25 probing from that specific IP that isn't normal. The connection attempt at the mail server level doesn't actually try to send any mail. It simply connects to the mail server and sends an empty command.
Easily tested: simply stop / disable rustdesk for a day or two, and see if the port 25 attempts disappear.
 
All instances of rustdesk-server and clients have been stopped now for 15 hours and the port 25 probes by 196.251.92.51 continue with the same intensity.
 
...because it is normal background noise. Scanning for running mailservers is pretty much 'normal' nowadays. E.g. a random snippet from the spamd log of one of my mailservers:
Code:
Sep 15 14:24:12 mail spamd[68506]: 66.228.53.78: connected (1/0)
Sep 15 14:24:23 mail spamd[68506]: 66.228.53.78: disconnected after 11 seconds.
Sep 15 14:24:23 mail spamd[68506]: 66.228.53.78: connected (1/0)
Sep 15 14:24:31 mail spamd[68506]: 66.228.53.78: disconnected after 8 seconds.
Sep 15 14:38:35 mail spamd[68506]: 119.40.84.186: connected (1/0)
Sep 15 14:38:39 mail spamd[68506]: 119.40.84.186: disconnected after 4 seconds.
Sep 15 14:42:20 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 14:42:24 mail spamd[68506]: 178.16.53.46: disconnected after 4 seconds.
Sep 15 14:58:00 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 14:58:03 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 15:03:17 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 15:03:20 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 15:14:18 mail spamd[68506]: 147.185.132.3: connected (1/0)
Sep 15 15:14:25 mail spamd[68506]: 147.185.132.3: disconnected after 7 seconds.
Sep 15 15:16:00 mail spamd[68506]: 147.185.132.3: connected (1/0)
Sep 15 15:16:02 mail spamd[68506]: 147.185.132.3: disconnected after 2 seconds.
Sep 15 15:22:03 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 15:22:06 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 15:28:42 mail spamd[68506]: 34.203.10.185: connected (1/0)
Sep 15 15:28:45 mail spamd[68506]: 34.203.10.185: disconnected after 3 seconds.
Sep 15 15:32:22 mail spamd[68506]: 185.196.10.175: connected (1/0)
Sep 15 15:32:26 mail spamd[68506]: 185.196.10.175: disconnected after 4 seconds.
Sep 15 15:38:50 mail spamd[68506]: 119.40.84.186: connected (1/0)
Sep 15 15:38:53 mail spamd[68506]: 119.40.84.186: disconnected after 3 seconds.
Sep 15 15:41:59 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 15:42:02 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 15:50:37 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 15:50:40 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 15:51:11 mail spamd[68506]: 167.94.145.96: connected (1/0)
Sep 15 15:51:18 mail spamd[68506]: 167.94.145.96: disconnected after 7 seconds.
Sep 15 15:51:19 mail spamd[68506]: 167.94.145.96: connected (1/0)
Sep 15 15:51:23 mail spamd[68506]: 167.94.145.96: disconnected after 4 seconds.
Sep 15 16:04:37 mail spamd[68506]: 178.16.53.46: connected (1/0)
Sep 15 16:04:40 mail spamd[68506]: 178.16.53.46: disconnected after 3 seconds.
Sep 15 16:27:06 mail spamd[68506]: 172.234.162.56: connected (1/0)
Sep 15 16:27:08 mail spamd[68506]: 172.234.162.56: disconnected after 2 seconds

Those are bots that only probe for a valid (or any) mailserver banner, then disconnect. This is most likely to collect/verify lists of running mailservers which can then be fed to other bots/botnets.

I just add those IPs to a temporary PF blocklist after 3 attempts. If you don't run anything on port 25 just ignore it - as said: it's normal background noise nowadays.
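The "blocklist after 3 attempts" rule above, as an added example that is not from the thread or from spamd itself: it parses spamd(8) "connected" syslog lines, counts attempts per source address, and builds the pfctl(8) table-add command for the repeat offenders. The table name "spamd-repeat" and the sample log lines (TEST-NET addresses) are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, List

# Matches the "connected" lines spamd(8) writes to syslog, e.g.
#   Sep 15 14:24:12 mail spamd[68506]: 192.0.2.10: connected (1/0)
# "disconnected" lines and anything else are deliberately not matched.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ spamd\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): connected \("
)


def count_connects(lines: Iterable[str]) -> Counter:
    """Count 'connected' events per source address; other lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def repeat_offenders(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` connection attempts, sorted."""
    return sorted(ip for ip, n in count_connects(lines).items() if n >= threshold)


def pfctl_add_command(table: str, ips: List[str]) -> List[str]:
    """argv for adding addresses to a PF table (pfctl -t <table> -T add ...)."""
    return ["pfctl", "-t", table, "-T", "add", *ips]


# Constructed sample lines in spamd's log format (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Sep 15 14:24:12 mail spamd[68506]: 192.0.2.10: connected (1/0)
Sep 15 14:24:23 mail spamd[68506]: 192.0.2.10: disconnected after 11 seconds.
Sep 15 14:24:23 mail spamd[68506]: 192.0.2.10: connected (1/0)
Sep 15 14:24:31 mail spamd[68506]: 192.0.2.10: disconnected after 8 seconds.
Sep 15 14:38:35 mail spamd[68506]: 198.51.100.7: connected (1/0)
Sep 15 14:38:39 mail spamd[68506]: 198.51.100.7: disconnected after 4 seconds.
Sep 15 14:42:20 mail spamd[68506]: 192.0.2.10: connected (1/0)
Sep 15 14:42:24 mail spamd[68506]: 192.0.2.10: disconnected after 4 seconds.
""".splitlines()

if __name__ == "__main__":
    # Prints the command you would run; the table must be declared in pf.conf first.
    print(" ".join(pfctl_add_command("spamd-repeat", repeat_offenders(SAMPLE_LOG))))
```

The table entries can be aged out later with `pfctl -t spamd-repeat -T expire <seconds>`, which is what makes the blocklist temporary.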
 
That would be reassuring if I saw different IP addresses pummeling my port 25. I issued this command:

tcpdump -n -e -ttt -i pflog0 port 25

And what I got for a solid hour, repeating 4x every 30 seconds was this. No other IPs.

Code:
00:00:00.000000 rule 2/0(match): block in on igb0: 196.251.92.51.58290 > 10.145.120.61.25: Flags [S], seq 3140717274, win 29200, options [mss 1460,sackOK,TS val 352339672 ecr 0,nop,wscale 7], length 0

It seems to me that if it was bots probing port 25 I should see lots of different IP addresses such as you show in your code snippet. Wouldn't you agree?

FWIW, I've sent an 'abuse' email to the email shown in the 'whois' info.
 
It seems to me that if it was bots probing port 25 I should see lots of different IP addresses such as you show in your code snippet. Wouldn't you agree?
No, there's often that one idiot bot script that got stuck and doesn't move on for several days... E.g. 178.16.53.46 is returning a few times in that snippet.

FWIW, I've sent an 'abuse' email to the email shown in the 'whois' info.
This usually isn't worth the time. 90% of those bots originate from AS/ISPs/hosters that don't care and/or are known for hosting malware.

Again: if you don't run anything on port 25 just ignore it. If you actually run an MTA consider running mail/spamd to make those idiots at least waste valuable time and resources and (considerably) slow them down.
 
Look up the IP addresses with whois(1).

sends a SYN packet to 49.12.46.241.443 and 49.12.46.241.80
IP address is registered to Hetzner (popular cloud/hosting provider in Germany).

incoming email server connection attempts are made every 35 seconds around the clock from 196.251.92.51.
This address is registered to Zhongguanchun (technology district in Beijing) operating from the Seychelles. Dodgy. As others have noted, probably a bot.
 
Well thanks to everyone. Several things I hadn't been able to pin down and I'd long been avoiding spamd for no particular reason. Running opensmtpd here; very, very low traffic.

Mostly I'll have to just consider this one of the costs of doing business (personal business :).
 