Some dude has been running botnet attacks to gain access to my Westell 9100 BHR router and this past weekend he was successful:
Oct 9 20:01:39 2010 Inbound Traffic Blocked - Default policy TCP 74.125.227.33:80->71.170.238.87:49396 on eth1
Oct 9 20:03:50 2010 Inbound Traffic Blocked - Default policy TCP 173.192.226.198:80->71.170.238.87:49487 on eth1
Oct 9 20:04:34 2010 Outbound Traffic Blocked - Default policy UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct 9 20:04:36 2010 Inbound Traffic Blocked - Default policy TCP 65.60.38.194:80->71.170.238.87:49497 on eth1
Oct 9 20:04:37 2010 Outbound Traffic Blocked - Default policy UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct 9 20:06:45 2010 Inbound Traffic Blocked - Default policy TCP 74.125.227.49:80->71.170.238.87:49534 on eth1
Oct 9 20:07:01 2010 Inbound Traffic Blocked - Default policy TCP 78.141.177.62:443->71.170.238.87:49540 on eth1
Oct 9 20:16:35 2010 Inbound Traffic Blocked - Packet invalid in connection TCP 77.67.87.105:80->71.170.238.87:49683 on eth1
Oct 9 20:16:37 2010 Firewall Info Rate Limit 1 messages of type [9] Packet invalid in connection suppressed in 1 second(s)
Oct 9 20:23:25 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:2439 on eth1
Oct 9 20:23:25 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60289->71.170.238.87:4567 on eth1
Oct 9 20:23:25 2010 Firewall Info Rate Limit 17 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:23:25 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:4964 on eth1
Oct 9 20:23:27 2010 Firewall Info Rate Limit 53 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:23:27 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60290->71.170.238.87:4728 on eth1
Oct 9 20:23:27 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60296->71.170.238.87:4567 on eth1
Oct 9 20:23:27 2010 Firewall Info Rate Limit 59 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:23:27 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:2000 on eth1
Oct 9 20:23:28 2010 Firewall Info Rate Limit 74 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:23:28 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60290->71.170.238.87:2749 on eth1
Oct 9 20:23:29 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60297->71.170.238.87:4567 on eth1
Oct 9 20:23:29 2010 Firewall Info Rate Limit 74 messages of type [15] Default policy suppressed in 1 second(s)
I went ahead and reset whatever settings he changed, but how do I close this port to prevent this guy from gaining access to my router in the future?
Correct answers
That is a Verizon administration port. How are you sure it wasn't Verizon?
It's a Verizon IP in Texas and they have a huge NOC in DFW.
I live in the DFW and {edited for privacy} is my home IP address.
The accepted inbound traffic is a proxy from the Czech Republic: http://www.ip-adress.com/whois/81.200.61.2
I have an adept stalker/hacker chasing after me who's been monitoring my Gchats and internet activity for whatever reason. I would guess he has some extremely hidden spyware or hijacked the browser in a way that isn't being picked up by ZoneAlarm or Norton, as the router attacks only happened AFTER I started googling insecure network ports on my router (I'll reformat, I guess?)
From what I've been reading, all he needed to get in was the router's Ethernet MAC address and some administrator password that's supposedly available online. Is this correct?
Also, my router is a Westell 9100 BHR Ultra series, not Actiontec. Sorry.
And when the stalker had access to my router he changed this under the port forwarding settings:
Local Host:
255.255.255.255
Local Address:
255.255.255.255 (Unresolved) Verizon FIOS Service Any Application - TCP Any -> 0 Disabled
Does that mean anything, or was he just trying to see what he could do?
And here are a few failed attempts so you guys get the point that it was a hacker attack:
Oct 9 20:25:25 2010 Inbound Traffic Blocked - Remote administration TCP 222.186.26.72:12200->71.170.238.87:8080 on eth1
Oct 9 20:19:03 2010 Inbound Traffic Blocked - Remote administration ICMP type 8 code 0 94.112.161.102->71.170.238.87 on eth1
Oct 9 20:19:47 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:22 on eth1
Oct 9 20:19:48 2010 Firewall Info Rate Limit 9 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:19:49 2010 Firewall Info Rate Limit 10 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:19:49 2010 Inbound Traffic Blocked - Remote administration TCP 81.200.61.23:60289->71.170.238.87:23 on eth1
Oct 9 20:19:50 2010 Firewall Info Rate Limit 14 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:19:50 2010 Firewall Info Rate Limit 5 messages of type [16] Remote administration suppressed in 1 second(s)
Oct 9 20:19:51 2010 Firewall Info Rate Limit 18 messages of type [15] Default policy suppressed in 1 second(s)
Oct 9 20:19:51 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:1540 on eth1
etc.
@whokebe1 wrote: Some dude has been running botnet attacks to gain access to my Actiontec router and this past weekend he was successful:
You're being probed from a number of different addresses, which is not uncommon.
74.125.227.33
173.192.226.198
65.60.38.194
74.125.227.49
78.141.177.62
77.67.87.105
The above probes are simply discarded because you have no application listening on that port.
The probes from 81.200.61.23 (Czech Republic) to the VZ CPE management port (4567) are logged as accepted because there is an application listening on that port. The log message simply means the initial inbound TCP connect packet was passed on to the application rather than being dropped by the firewall. Port 4567 is protected by SSL encryption, so it is highly unlikely that the hacker was able to crack both the logon credentials and the SSL certificate.
There used to be ways to block port 4567, however VZ has disabled those methods.
Bottom line. I wouldn't worry about it.
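To make the distinction drawn in the reply above mechanical (connections the firewall merely discarded versus the ones it passed to a listener on 4567), here is an added example, not code from this thread, from Verizon or from Westell: a small Python parser for the Westell 9100 firewall log format, run over constructed sample lines written in the same format as the poster's log. The scan threshold, the "reply-like" heuristic (a port 80/443 source hitting a high ephemeral port, which is what a straggling reply to the router's own outbound web session looks like) and the field names are assumptions of mine, not anything the router documents.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Westell 9100 firewall log lines quoted
# in the thread (same format, same addresses the poster published).
SAMPLE_LOG = """\
Oct 9 20:01:39 2010 Inbound Traffic Blocked - Default policy TCP 74.125.227.33:80->71.170.238.87:49396 on eth1
Oct 9 20:04:34 2010 Outbound Traffic Blocked - Default policy UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct 9 20:16:37 2010 Firewall Info Rate Limit 1 messages of type [9] Packet invalid in connection suppressed in 1 second(s)
Oct 9 20:19:03 2010 Inbound Traffic Blocked - Remote administration ICMP type 8 code 0 94.112.161.102->71.170.238.87 on eth1
Oct 9 20:19:47 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:22 on eth1
Oct 9 20:19:49 2010 Inbound Traffic Blocked - Remote administration TCP 81.200.61.23:60289->71.170.238.87:23 on eth1
Oct 9 20:23:25 2010 Inbound Traffic Blocked - Default policy TCP 81.200.61.23:60289->71.170.238.87:2439 on eth1
Oct 9 20:23:25 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60289->71.170.238.87:4567 on eth1
Oct 9 20:23:27 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60296->71.170.238.87:4567 on eth1
Oct 9 20:25:25 2010 Inbound Traffic Blocked - Remote administration TCP 222.186.26.72:12200->71.170.238.87:8080 on eth1
"""

# One regex for traffic events (TCP/UDP with ports, ICMP without), one for the
# rate-limiter notices that tell you how many events never reached the log.
TRAFFIC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<dir>Inbound|Outbound) Traffic (?P<action>Blocked|Accepted)(?: Traffic)? - "
    r"(?P<rule>.+?) (?P<proto>TCP|UDP|ICMP)(?: type \d+ code \d+)? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))? on (?P<iface>\w+)$"
)
RATE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Firewall Info Rate Limit "
    r"(?P<count>\d+) messages of type \[\d+\] (?P<rule>.+?) suppressed in \d+ second\(s\)$"
)

SCAN_THRESHOLD = 3       # assumed: this many distinct blocked ports from one source = scan
EPHEMERAL_START = 49152  # IANA dynamic port range; where a client's own connections live


def parse_line(line):
    """Return a dict for a traffic or rate-limit line, or None for anything else."""
    m = TRAFFIC_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "traffic"
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        return rec
    m = RATE_RE.match(line)
    if m:
        return {"kind": "ratelimit", "ts": m.group("ts"),
                "count": int(m.group("count")), "rule": m.group("rule")}
    return None


def summarize(text):
    accepted = Counter()              # src -> inbound connects handed to a listening service
    blocked_ports = defaultdict(set)  # src -> distinct destination ports it was refused on
    suppressed = Counter()            # rule -> events the rate limiter hid from the log
    reply_like = 0                    # blocked packets that look like late replies, not probes
    outbound_blocked = 0
    unparsed = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        if rec["kind"] == "ratelimit":
            suppressed[rec["rule"]] += rec["count"]
            continue
        if rec["dir"] == "Outbound":
            if rec["action"] == "Blocked":
                outbound_blocked += 1
            continue
        if rec["action"] == "Accepted":
            # The only inbound traffic that reached an application; this is
            # the list to look at when asking "who talked to port 4567?"
            accepted[rec["src"]] += 1
            continue
        # Blocked inbound. A web server's port 80/443 talking to a high
        # ephemeral port is the signature of a straggler from our own browsing.
        if rec["sport"] in (80, 443) and rec["dport"] is not None and rec["dport"] >= EPHEMERAL_START:
            reply_like += 1
        elif rec["dport"] is not None:
            blocked_ports[rec["src"]].add(rec["dport"])
    scan_suspects = {src: sorted(ports) for src, ports in blocked_ports.items()
                     if len(ports) >= SCAN_THRESHOLD}
    return {
        "accepted_inbound": dict(accepted),
        "scan_suspects": scan_suspects,
        "reply_like": reply_like,
        "outbound_blocked": outbound_blocked,
        "suppressed": dict(suppressed),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the sample the only source in `accepted_inbound` is 81.200.61.23, the same host that is flagged as a scan suspect for walking ports 22, 23 and 2439 beforehand; the `suppressed` counts remind you that the router's log shows a fraction of what was actually dropped, so a short burst in the log can stand for hundreds of packets.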
@whokebe1 wrote: From what I've been reading all he needed to get in was the router's ethernet MAC address and some administrator password that's supposedly available online. Is this correct?
No. What you are seeing is an attack from the WAN port on VZ's CPE management port.
There was a vulnerability published that allows attacking the router from the LAN side using a malicious browser script and the default "admin/password" or "admin/password1" credentials.
These two attack vectors are unrelated.
@Anti-Phish wrote: Port 4567 is protected by SSL encryption, so it is highly unlikely that the hacker was able to crack both the logon credentials and the SSL certificate.
So it must have taken him a while, I hope?
Here's a screenshot I uploaded of the changes made to my Port Forwarding page: http://img708.imageshack.us/f/55548062.png/
I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without resetting the router.
@whokebe1 wrote: I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without resetting the router.
That certainly doesn't look like anything I've seen VZ add.
I have seen VZ add a UDP rule from ANY address / ANY port to DVR port 63145, which effectively blocks port forwarding needed for third-party VoIP.
VZ recently encrypted the Actiontec config file. However, the config file for Westells remains unencrypted.
If you want to block access to the CPE Management port:
- Save your current configuration to a file.
- Open it with a text editor.
- About 3/4 of the way down the file you will see the following lines:
(cwmp
(enabled(1))
- Change it to:
(cwmp
(enabled(0))
That should block remote CPE access.
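As an added example (not part of the reply above, and not a Verizon or Westell tool), a Python script that applies that cwmp edit to a saved configuration without hand-editing, and refuses to write anything unless it finds exactly one (enabled(...)) directly under (cwmp. The sample config is constructed: apart from the (cwmp and (enabled(1)) lines the post mentions, the key names in it (upnp, acs_url, periodic_inform, ssh) are placeholders I assumed for illustration, and a real export is far longer. The point of the paren-aware scan is that (enabled(1)) appears under many other sections, and a plain search-and-replace would switch those off too.

```python
import re

# Constructed excerpt in the style of the exported Westell/OpenRG config
# (parenthesised key/value tree). The section names other than cwmp/enabled
# are assumed placeholders. Note the other "(enabled(1))" entries, including
# one nested deeper inside cwmp, that must NOT be touched.
SAMPLE_CONFIG = """\
(rg_conf
  (upnp
    (enabled(1))
  )
  (cwmp
    (enabled(1))
    (acs_url(https://acs.example.invalid/cwmp))
    (periodic_inform
      (enabled(1))
      (interval(86400))
    )
  )
  (ssh
    (enabled(1))
  )
)
"""


def find_block(text, name):
    """Return (start, end) offsets of the '(name ...)' block, end exclusive."""
    m = re.search(r"\(" + re.escape(name) + r"(?=[\s(])", text)
    if m is None:
        raise ValueError("no (%s ...) block found" % name)
    depth = 0
    for i in range(m.start(), len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return m.start(), i + 1
    raise ValueError("unbalanced parentheses inside (%s" % name)


def direct_children(block, key):
    """Offsets (within block) of the value in every '(key(value))' that is an
    immediate child of the block; deeper occurrences are ignored."""
    pat = re.compile(r"\(" + re.escape(key) + r"\(([^()]*)\)\)")
    spans = []
    depth = 0
    for i, ch in enumerate(block):
        if ch == "(":
            depth += 1
            if depth == 2:           # depth 1 is the block itself
                m = pat.match(block, i)
                if m:
                    spans.append((m.start(1), m.end(1)))
        elif ch == ")":
            depth -= 1
    return spans


def _cwmp_enabled_span(text):
    start, end = find_block(text, "cwmp")
    spans = direct_children(text[start:end], "enabled")
    if len(spans) != 1:
        raise ValueError("expected exactly one (enabled(...)) directly under (cwmp, found %d" % len(spans))
    a, b = spans[0]
    return start + a, start + b


def get_cwmp_enabled(text):
    a, b = _cwmp_enabled_span(text)
    return text[a:b]


def set_cwmp_enabled(text, value="0"):
    """Return a copy of the config with cwmp's own enabled flag set to value."""
    a, b = _cwmp_enabled_span(text)
    return text[:a] + value + text[b:]


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: cwmp_off.py saved_config.conf patched_config.conf")
    with open(sys.argv[1], encoding="utf-8", newline="") as f:
        original = f.read()
    patched = set_cwmp_enabled(original, "0")
    with open(sys.argv[2], "w", encoding="utf-8", newline="") as f:
        f.write(patched)
    print("cwmp enabled: %s -> %s" % (get_cwmp_enabled(original), get_cwmp_enabled(patched)))
```

Diff the output file against the saved one before uploading it to the router (it should differ in exactly one character), and export the config again after any provisioning reset to confirm the flag is still 0.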
@whokebe1 wrote: So it must have taken him a while, I hope?
Here's a screenshot I uploaded of the changes made to my Port Forwarding page: http://img708.imageshack.us/f/55548062.png/
I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without reseting the router.
Interesting that you have no port forwarding entries for the STBs. I have many of them, looks like 8 for each STB now. I reset the router and they come back, as does the port 4567 forwarding. There have been several discussions on this in this forum in the past.
As you can see from the attachment, I have the same forwarding that you do and I believe everybody else does. Maybe it's a Westell thing.
If it's a hacker it would seem to be rather pointless as there is nothing on the lan segment addressed by the westell router except the stbs and another router that has no port forwarding rules.
I run more than one router. Verizon's 192.168.1.x subnet is considered the DMZ with my set top boxes only on that subnet. Cool to see my paranoia is valid.
Yes you are right. This is not Verizon.
Oct 9 20:23:29 2010 Inbound Traffic Accepted Traffic - Remote administration TCP 81.200.61.23:60297->71.170.238.87:4567 on eth1
Name: ip61-23.nettel.cz
IP Address: 81.200.61.23
Location: Unknown
Network: 81-RIPE