MKR1000 - Why does my board try and talk to bizarre addresses?

I have a MKR1000. It's all good, no issues with it for the small application that I'm playing with.

However, and I'm quite concerned here, it's making HTTP requests to Nigeria and South Africa.

This is not meant to be slanderous about those countries, but my app is configured to talk to ThingSpeak and nothing else.

The IP addresses that it's trying to speak to are:-

197.255.255.255.255 - Nigeria
196.255.255.255.255 - South Africa

Both these addresses are the broadcast address from the networks. So again, it's odd that my MKR is trying to send HTTP GETs in that direction, (all blocked on my firewall). And GETs from a broadcast address. It seems a little Bot-Net/Command and control-ish.

I'll set up some packet captures, to see the content of the packets.

All the software/firmware that I'm using has come direct from the official Arduino repositories.

Any ideas? Is anyone else seeing this?

cheers

You may want to post the code you are using.

Maybe also check that those requests are indeed coming from the MKR itself via your router logs etc.

I use thingspeak and traffic from my TS devices is pretty direct.

Many thanks for the advice.

It seems that the MKR1000 is scanning the broadcast addresses of the subnets for a period of time, then it increments the first octet of the IP address.

It is the only thing in the subnet. I’m a Network Security bod by trade, and can confirm that there is only one node in that subnet, the MKR1000; only its MAC address appears in the firewall ARP table (for that interface).
As well as that, the packet captures have all this detail in their headers when I look at the SYN packets heading out.

Currently it’s sending SYNs to 197.255.255.255, 198.255.255.255, 200.255.255.255.
Not too sure why it skipped 199.255.255.255.

I’m 100% sure that this has nothing to do with ThingSpeak.

I’m starting to suspect that the issue is in the underlying code, or it’s been exposed to something that has corrupted it. I’m guessing that there is malware in the wild for these?

As for the code that this device is running:-

#include <Wire.h>
#include <SPI.h>
#include <Adafruit_Sensor.h>
#include <Adafruit_BMP280.h>
#include <WiFi101.h>

#define BMP_SCK 13
#define BMP_MISO 12
#define BMP_MOSI 11
#define BMP_CS 10

// Hardware pin definitions
int UVOUT = A0;   // Output from the sensor
int REF_3V3 = A1; // 3.3V power on the Arduino board

// Used for BMP280
Adafruit_BMP280 bme; // I2C

int BMP280T1 = 0;
int BMP280P1 = 0;

// Latest UV readings, filled in by ReadUV() and sent by httpRequest()
int uvLevel = 0;
float outputVoltage = 0.0;
float uvIntensity = 0.0;

// Local Network Settings
char ssid[] = "OOO";
char pass[] = "********";

int status = WL_IDLE_STATUS;

// Initialize the Wifi client library
WiFiClient client;

// ThingSpeak Settings
char server[] = "api.thingspeak.com";
String writeAPIKey = "********************"; // Exeter Street

unsigned long lastConnectionTime = 0; // track the last connection time
const unsigned long postingInterval = 30L * 1000L; // post data every 30 seconds

// Forward declarations
void ReadUV();
void httpRequest();
int averageAnalogRead(int pinToRead);
float mapfloat(float x, float in_min, float in_max, float out_min, float out_max);

void setup() {

  Serial.begin(9600);
  Serial.println("BMP280 Villetta Sensor-01");
  Serial.println("v0.1 - 20160602");

  if (!bme.begin()) {
    Serial.println("Could not find a valid BMP280 sensor, check wiring!");
    while (1);
  }

  // Setup for UV sensor
  pinMode(UVOUT, INPUT);
  pinMode(REF_3V3, INPUT);

  // attempt to connect to Wifi network:
  while (status != WL_CONNECTED) {
    Serial.print("Attempting to connect to WPA SSID: ");
    Serial.println(ssid);
    // Connect to WPA/WPA2 network:
    status = WiFi.begin(ssid, pass);

    // wait 10 seconds for connection:
    delay(10000);
  }

  // you're connected now, so print out the data:
  Serial.println("You're connected to the network");
  // printCurrentNet();
  // printWifiData();
}

void loop() {
  // if interval time has passed since the last connection,
  // then connect again and send data

  if (millis() - lastConnectionTime > postingInterval) {
    // ReadSensors();
    ReadUV();
    httpRequest();
  }

}

void httpRequest() {
  Serial.println("Collecting Data to send");
  // read analog pin 0
  int sensorValue = analogRead(0);
  // read Wi-Fi signal strength (rssi)
  long rssi = WiFi.RSSI();
  // read temperature
  String BMP280T1 = String(bme.readTemperature());
  // read pressure
  String BMP280P1 = String(bme.readPressure() / 100.0F);
  // UV values (uvLevel, outputVoltage, uvIntensity) were read by ReadUV()
  // just before this call

  Serial.print("MP8511 output: ");
  Serial.print(uvLevel);

  Serial.print(" MP8511 voltage: ");
  Serial.print(outputVoltage);

  Serial.print(" UV Intensity (mW/cm^2): ");
  Serial.println(uvIntensity);

  // show the values to the serial port - more for debug than anything else
  Serial.println("Data to be sent to ThingSpeak:-");
  Serial.println(rssi);
  Serial.println(BMP280T1);
  Serial.println(BMP280P1);
  Serial.println(uvLevel);
  Serial.println(uvIntensity);

  Serial.println("Sending data to ThingSpeak");
  // create data string to send to ThingSpeak
  // String data = String("field1=" + String(rssi, DEC) + "&field2=" + String(rssi, DEC));
  String data = String("field1=") + String(rssi, DEC) + "&field2=" + BMP280T1 + "&field3=" + BMP280P1 + "&field4=" + String(uvLevel) + "&field5=" + String(uvIntensity);
  // close any connection before sending a new request
  client.stop();

  // POST data to ThingSpeak
  if (client.connect(server, 80)) {
    client.println("POST /update HTTP/1.1");
    client.println("Host: api.thingspeak.com");
    client.println("Connection: close");
    client.println("User-Agent: ArduinoWiFi/1.1");
    client.println("X-THINGSPEAKAPIKEY: " + writeAPIKey);
    client.println("Content-Type: application/x-www-form-urlencoded");
    client.print("Content-Length: ");
    client.print(data.length());
    client.print("\n\n");
    client.print(data);

    // note the last connection time
    lastConnectionTime = millis();
  }
}

/*
void ReadSensors() {

  Serial.println("Reading BMP280");
  Serial.print("Temperature = ");
  Serial.print(bme.readTemperature());
  // BMP280T1 = (bme.readTemperature());
  String BMP280T1 = String(bme.readTemperature());
  Serial.println(" *C");

  Serial.print("Pressure = ");
  Serial.print(bme.readPressure());
  String BMP280P1 = String(bme.readPressure());
  Serial.println(" Pa");

  Serial.println("BMP280 Values");
}
*/

void ReadUV()
{
  // Store the readings in the file-scope variables so httpRequest() can send them
  uvLevel = averageAnalogRead(UVOUT);
  int refLevel = averageAnalogRead(REF_3V3);

  // Use the 3.3V power pin as a reference to get a very accurate output value from sensor
  outputVoltage = 3.3 / refLevel * uvLevel;

  uvIntensity = mapfloat(outputVoltage, 0.99, 2.9, 0.0, 15.0);

  Serial.print("MP8511 output: ");
  Serial.print(uvLevel);

  Serial.print(" MP8511 voltage: ");
  Serial.print(outputVoltage);

  Serial.print(" UV Intensity (mW/cm^2): ");
  Serial.print(uvIntensity);

  Serial.println();

  delay(100);
}

// Average 8 consecutive analog readings from one pin
int averageAnalogRead(int pinToRead)
{
  byte numberOfReadings = 8;
  unsigned int runningValue = 0;

  for (int x = 0; x < numberOfReadings; x++) {
    runningValue += analogRead(pinToRead);
  }
  runningValue /= numberOfReadings;

  return (runningValue);
}

// Same as Arduino's map(), but for floating-point values
float mapfloat(float x, float in_min, float in_max, float out_min, float out_max)
{
  return (x - in_min) * (out_max - out_min) / (in_max - in_min) + out_min;
}

You may want to edit the code to use the code tags just above the first smiley.

I cannot see any of the addresses you mentioned in the code.

Personally I would suspect one of your computers or other devices as a tracert to thingspeak did not produce any of your results from here.

ARIN does not show the address range either, and they seem to hold the site on Amazon servers.

You might want to do a FULL security sweep on your hardware (not the MKR).
By full I mean malware, anti virus, et al. Also don't trust any security you currently have. Maybe use some of the reputable online ones such as ESET etc.
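
One way to run the check suggested in the thread (confirm from firewall logs which device sends the SYNs, and whether the destinations walk through x.255.255.255 addresses), as an added example that is not part of any post. The key=value log format, MAC addresses and IP addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a made-up key=value firewall log format.
# MACs and internal addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
2016-06-03T10:00:01 action=drop src_mac=02:00:00:00:00:01 src=192.168.50.10 dst=197.255.255.255 dport=80 flags=S
2016-06-03T10:00:04 action=drop src_mac=02:00:00:00:00:01 src=192.168.50.10 dst=197.255.255.255 dport=80 flags=S
2016-06-03T10:05:09 action=drop src_mac=02:00:00:00:00:01 src=192.168.50.10 dst=198.255.255.255 dport=80 flags=S
2016-06-03T10:10:12 action=drop src_mac=02:00:00:00:00:01 src=192.168.50.10 dst=200.255.255.255 dport=80 flags=S
2016-06-03T10:10:30 action=allow src_mac=02:00:00:00:00:02 src=192.168.60.20 dst=203.0.113.7 dport=443 flags=S
2016-06-03T10:10:31 action=allow src_mac=02:00:00:00:00:02 src=192.168.60.20 dst=203.0.113.7 dport=443 flags=SA
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def syn_destinations(log_text):
    """Map each source MAC to the ordered, de-duplicated destinations of its bare SYNs."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("flags") != "S":  # ignore SYN-ACKs and everything else
            continue
        try:
            dst = ipaddress.IPv4Address(rec["dst"])
        except (KeyError, ValueError):
            continue  # missing or malformed destination (e.g. five octets)
        mac = rec.get("src_mac", "unknown")
        if dst not in seen[mac]:
            seen[mac].append(dst)
    return dict(seen)

def classify(dsts):
    """Report whether every destination has the form N.255.255.255, and any N skipped."""
    octets = [d.packed for d in dsts]
    sweep = bool(octets) and all(o[1:] == b"\xff\xff\xff" for o in octets)
    firsts = [o[0] for o in octets]
    skipped = []
    if sweep:
        skipped = sorted(set(range(min(firsts), max(firsts) + 1)) - set(firsts))
    return {"sweep": sweep, "first_octets": firsts, "skipped": skipped}

def report(log_text):
    return {mac: classify(dsts) for mac, dsts in syn_destinations(log_text).items()}

if __name__ == "__main__":
    for mac, result in report(SAMPLE_LOG).items():
        print(mac, result)
```

Grouping by source MAC rather than source IP ties each SYN to one physical interface on the firewall segment, which is the attribution question the replies raise.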