Is someone hacking my Tablo via Port 80?

Just some background first… About two weeks ago I was notified by the Google security folks that a login to my Google account was blocked since it was suspicious. It was suggested that we change passwords which was done. The IP address of the “culprit” was provided to me via Google security and was traced to a location in Fayetteville NC which is about 75miles South of me.

I was going over some Router Logs from my Netgear R8300 router and I see the usual guide update to the Table about every 10-12 hours. The Tablo’s iP is dedicated to:

That"usual" guide transaction looks like this…
LAN access from remote] from to, Tuesday, Sep 12,2017 12:08:33
[LAN access from remote] from to, Tuesday, Sep 12,2017 12:08:33

There were many attempts by the following IP to Port 80 on the Table from the same “spurious” IP that Google warned me about:
LAN access from remote] from to, Monday, Sep 11,2017 09:45:47
[LAN access from remote] from to, Monday, Sep 11,2017 09:45:47
[LAN access from remote] from to, Monday, Sep 11,2017 09:45:45
[LAN access from remote] from to, Monday, Sep 11,2017 09:45:45

I am not a software guy (it probably shows…) but was a hardware designer for telecom stuff prior to my retirement.
Any help/ suggestions / would be helpful.

The fact that the source port keeps changing indicates that the originator was probably trying repeatedly (although with a sample of only 4 entries in 2 seconds, that could simply be part of a page load.

The source IP address from your logs is associated with a CenturyLink owned ISP’s DHCP pool. So, unless you are allowing your friends to access your Tablo remotely, it was probably some scripted attack looking for vulnerabilities.

This does, however, lead me to a question. Why are you forwarding Port 80 through your firewall to your Tablo? I didn’t think the Tablo remote web interface operated on port 80. (someone correct me if I’m wrong).

You might want to review your home router/firewall set-up and see if you have port forwarding enabled. I’m not sure, but I thought the Tablo didn’t use UPnP (device requests your router forward ports to it) unless you enabled remote access. Am I wrong?

Ports 80 and 8887 are the ones that need forwarding to the Tablo. Note that those are the local ports on the Tablo. The external ports on the router that get forwarded to those ports will be very different.

Looks like someone was scanning for vulnerabilities and happened to hit the ports that were forwarded to the Tablo.

Thank you! for your replies. Remote Access was enabled when these logs were recorded. Remote Access now disabled. Remote Access was setup by Tablo. We never shared the Tablo (knowingly) with anyone. The transactions started with Port 8887 and then 22 seconds worth of the Port 80 stuff this time.
As I went deeper in the logs, it turns out that this has happened a couple of times before - same IP?
Not sure if I need to worry about this or not.?
Again Thank You! very much.
Looks like someone tried to gain access to our network? Not sure where to go with this…

More likely someone was running an automated tool and noticed that you had your tablo exposed. He/she/it probably poked around as much as he/she/it could and left.

You’ve disabled remote access on your tablo. That should have told your router to stop forwarding the ports (if UPnP worked right). Keep and eye on the router logs and see if it still happens. If it does, consider opening a ticket with the Tablo support folks to get them to see if anything weird happened on your Tablo. Otherwise, don’t worry.

If you want to be extra paranoid, check with your ISP. They probably provide you with graphs of your Internet usage. Look at the graph and see if there is any unusual bursts (especially outbound) that don’t make sense. Not making sense would be when you aren’t home or when you are asleep.

If you’ve got kids (especially teens), the graphs probably won’t be much help. Teens with computer access can have very odd usage profiles compared to what adults expect.

P.S. @FlyingDiver FlyingDiver, below, is right. You probably don’t need to worry. I just provided some things you could do if you want to investigate deeper.

Nothing you can really do about it if you want to enable Remote Access. Hackers are out there that probe every port on every active IP address they can find. But they’re looking for specific vulnerabilities and I don’t know of any in the Tablo.

Worth noting that once Tablo Connect is enabled, we do poke the ports every so often (determined by lease time, router reboots, etc) to make sure the rules haven’t broken.

I’m pretty sure that’s not one of your addresses in the log snippet.

Go here it’s gibson research run a scan of your fire wall. If you show any ports you will need to make the necessary adjustments. They have help online at this site.

Thank you. Went to Gibson, ran the tool and no vulnerabilities found. Thanks for the input. Will be checking router logs more frequently for sure. Interestingly, once we disabled remote access, both iPads no longer connected to the Tablo. Had to delete the app and reload it on each one to get it to work. I thought (dangerous) that we were connected locally thru my WiFi router and not “remote accessed” or whatever. Not sure how I can determine that connectivity. All is up and running for now on both iPads.