Keep getting these threat notifications to a certain iPhone on my network, always to port 22222. Any idea on what or why this keeps happening?
Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
Edit: I’ve seen a reference to Hola VPN using port 22222. It forms a P2P network with other Hola clients, which may explain why you’re seeing data to weird destinations. How you approach the owner about VPN use on your network is your business.
Run a packet capture with WireShark or similar and pull out some destination IPs and packet contents. That’s a lot of strange IP ranges for “regular person” internet use. Also maybe ask if the phone owner has installed any apps which aren’t mainstream.
I have the Spamhaus Top 10 Worst Spam and Top 10 Worst Botnet countries (excluding USA) sinkholed at the firewall using pfBlocker / Suricata on pfSense as nothing on my network has any reason to connect to those destinations. Might be worth looking into GeoIP blocking on your router as well.
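Added example (mine, not code from either commenter above): the two suggestions above, pull the remote IPs out of what the IDS saw on port 22222 and check them against a sinkhole/blocklist, can be done against Suricata's `eve.json` alert output, which is what pfBlocker/Suricata on pfSense and the UniFi threat detection both write in JSON form. The sample alert lines, the local phone address `192.168.1.50`, the signature names and the blocklist CIDRs are all constructed for the example; point `parse_alerts` at your real log and `BLOCKLIST_CIDRS` at the feed you actually sinkhole.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample Suricata EVE alert lines (field names follow the real EVE
# schema; the addresses, ports and signature texts are made up for this example).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-01-01T02:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":51234,"dest_ip":"192.168.1.50","dest_port":22222,"proto":"TCP","alert":{"signature":"EXAMPLE Misc Attack inbound","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2023-01-01T02:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.168.1.50","dest_port":22222,"proto":"TCP","alert":{"signature":"EXAMPLE Misc Attack inbound","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2023-01-01T02:00:09.000000+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":51300,"dest_ip":"192.168.1.50","dest_port":22222,"proto":"TCP","alert":{"signature":"EXAMPLE Misc Attack inbound","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2023-01-01T02:01:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":22222,"dest_ip":"192.0.2.10","dest_port":22222,"proto":"UDP","alert":{"signature":"EXAMPLE P2P peer exchange outbound","category":"Potential Corporate Privacy Violation","severity":3}}',
    '{"timestamp":"2023-01-01T02:02:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":50000,"dest_ip":"192.0.2.99","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE unrelated alert","category":"Misc activity","severity":3}}',
    '{"timestamp":"2023-01-01T02:02:30.000000+0000","event_type":"flow","src_ip":"192.168.1.50","src_port":22222,"dest_ip":"192.0.2.10","dest_port":22222,"proto":"UDP"}',
    'not json at all',
]

# Constructed stand-in for a sinkholed feed (pfBlocker-style CIDR list).
BLOCKLIST_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]


def parse_alerts(lines):
    """Return only well-formed EVE records whose event_type is 'alert'."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json can contain partial lines during rotation
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def in_blocklist(ip, cidrs):
    """True if ip falls inside any CIDR of the sinkholed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage_port(lines, local_host, port, cidrs):
    """Summarize alerts touching local_host:port.

    Returns a dict with:
      remotes   - Counter of remote IP -> number of alerts
      inbound   - alerts where the remote side initiated toward local_host:port
      outbound  - alerts where local_host:port initiated toward the remote side
      blocked   - sorted remote IPs that fall in the sinkhole list
      signatures- Counter of signature text -> count
    Inbound hits on a LAN host mean the port is reachable from outside, i.e.
    a forward or UPnP mapping exists; outbound hits point at the app itself.
    """
    remotes, signatures = Counter(), Counter()
    inbound = outbound = 0
    for ev in parse_alerts(lines):
        if ev.get("dest_ip") == local_host and ev.get("dest_port") == port:
            remotes[ev["src_ip"]] += 1
            inbound += 1
        elif ev.get("src_ip") == local_host and ev.get("src_port") == port:
            remotes[ev["dest_ip"]] += 1
            outbound += 1
        else:
            continue
        signatures[ev["alert"]["signature"]] += 1
    blocked = sorted(ip for ip in remotes if in_blocklist(ip, cidrs))
    return {
        "remotes": remotes,
        "inbound": inbound,
        "outbound": outbound,
        "blocked": blocked,
        "signatures": signatures,
    }


if __name__ == "__main__":
    result = triage_port(SAMPLE_EVE_LINES, "192.168.1.50", 22222, BLOCKLIST_CIDRS)
    print(f"inbound={result['inbound']} outbound={result['outbound']}")
    for ip, n in result["remotes"].most_common():
        flag = "BLOCKLISTED" if ip in result["blocked"] else ""
        print(f"{ip:>16}  {n:3d}  {flag}")
    for sig, n in result["signatures"].most_common():
        print(f"  {n:3d}  {sig}")
```

The inbound/outbound split is the useful part: inbound alerts to a LAN phone mean something on the router is forwarding 22222 to it (a UPnP lease if you never created the rule), while outbound alerts from 22222 tell you which app on the phone is generating the traffic. Feed the blocklisted remotes back into the sinkhole and the rest into a Wireshark capture filter if you still need packet contents.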
With the amount of vulnerabilities Apple patched these last few years, I would make sure that the iPhone itself is up to date with iOS as well as the apps on the device.
You’ve got a port forward rule sending port 22222 to that device. Maybe UPnP if you didn’t set one explicitly.
Edit: it says Swedish TV maps to this port; could be someone is trying to watch television back home.
Well, that’s informative. “misc attack”
I’m getting the same warnings. It’s definitely UPnP related. The only new app on the phone is Subsurface (a dive log app). It does have a cloud sync function that I guess could be the issue.
I saw this hit my network last night. The origin IP was Taiwan, but same port (22222) trying to hit my iPhone’s IP.
Did you figure it out?
Here’s what speed guide says about the port: Port 22222 (tcp/udp) :: SpeedGuide
Another thing you could do is monitor the traffic with Wireshark and check the IP the iPhone is talking to.
Most likely not; the user only does average stuff on the device, like browsing Facebook, TikTok, etc.