Automated Router Login???
SteveP2
Contributor - Level 2

Hello all,

This morning at approximately 7:59 am came a flurry of system messages from my Actiontec router. It seems it was trying to do something but I am not sure what it is. Can someone please tell me what this snippet means:

Jan 17 07:59:34 AM,Daemon.Info,192.168.1.1,an 17 12:59:26 2012 Wireless_Broadband_Router RGFW-CONF: [68] Configuration change (Internal application has changed security settings)
Jan 17 07:59:34 AM,Daemon.Error,192.168.1.1,an 17 12:59:29 2012 Wireless_Broadband_Router ioctl_active_dev_names_set:91: Failed setting firewall on device ra0

Jan 17 07:59:55 AM,Daemon.Warning,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Bad login attempt

Jan 17 07:59:55 AM,Daemon.Info,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Web Server: 166.68.134.174 GET 96.239.54.88 /871d0b6e-1964-4c04-af86-97fe28bfb951 -> 401 Unauthorized

Jan 17 08:00:00 AM,Daemon.Info,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Web Server: 166.68.134.174 GET 96.239.54.88 /871d0b6e-1964-4c04-af86-97fe28bfb951 -> 200 OK

Jan 17 08:00:01 AM,Daemon.Info,192.168.1.1,an 17 12:59:58 2012 Wireless_Broadband_Router ACS ACK: event = 6 CONNECTION REQUEST

Jan 17 08:10:30 AM,Daemon.Info,192.168.1.1,an 17 13:10:26 2012 Wireless_Broadband_Router mt_conn_wizard_open:425: Conn Wizard: no need to open connection wizard for dev: ixp1.

Jan 17 08:10:30 AM,Daemon.Info,192.168.1.1,an 17 13:10:25 2012 Wireless_Broadband_Router RGFW-CONF: [68] Configuration change (Internal application has changed security settings)

Jan 17 08:10:30 AM,Daemon.Warning,192.168.1.1,an 17 13:10:26 2012 Wireless_Broadband_Router Failed to set device ixp1 netmask: Cannot assign requested address


I am particularly concerned about the third message, which indicates a bad login attempt, even though my router is not showing a hazard message on the main screen of the router. I was asleep at the time of this message, so it was not me logging in. I am a little confused as to the final message, which I believe speaks to the second ethernet port on the router. I do have an ethernet cable plugged into this, but it is turned off at this time. Why would the router try to set a subnet mask on a device turned off? Lastly, has anyone seen the first two messages before? Why would an internal application be changing my security settings, and how can I track down what is doing this? What is device ra0? I thought it might be the wireless portion of the router, but I thought the router's firewall is on by default for all connections?

Thanks,

Steve

0 Likes
Re: Automated Router Login???
dslr595148
Community Leader

While I know you have FIOS Internet, do you have FIOS TV OR their DVR??

0 Likes
Re: Automated Router Login???
SteveP2
Contributor - Level 2

I do have both Fios TV and the DVR option. I have a DVR in my living room and a HD STB in my bedroom.

0 Likes
Re: Automated Router Login???
dslr595148
Community Leader

Appears to be Verizon's back door.

Any fixes?

Unknown, but I believe this might help

http://www.dslreports.com/faq/16710

0 Likes
Re: Automated Router Login???
SteveP2
Contributor - Level 2

Hmm, I am not using my own router, but I agree that I need to get all my services cleaned up. I have a lot of screwy issues going on and a tech is coming on Sat. He is not leaving until we resolve all the outstanding issues.

Re: Automated Router Login???
smith6612
Community Leader

C:\Users\>nslookup 166.68.134.174
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    sw01.verizon.com
Address:  166.68.134.174

Tracing route to sw01.verizon.com [166.68.134.174]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.3.1
  2    10 ms     8 ms     9 ms  10.15.3.1
  3     9 ms     9 ms     9 ms  so-1-1-0-0.BUFF-CORE-RTR2.verizon-gni.net [130.81.13.77]
  4    19 ms    19 ms    20 ms  as4-0.NY5030-BB-RTR1.verizon-gni.net [130.81.20.106]
  5    91 ms    91 ms    23 ms  0.xe-6-1-1.XT1.NYC4.ALTER.NET [152.63.10.57]
  6    22 ms    21 ms    22 ms  0.so-7-0-0.XL1.NYC8.ALTER.NET [152.63.16.222]
  7    21 ms    21 ms    21 ms  POS6-0.GW1.NYC8.ALTER.NET [152.63.18.137]
  8    23 ms    22 ms    22 ms  verizoncore-gw.customer.alter.net [157.130.221.166]
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.

That would be Verizon pushing configuration changes to your router. They have a TR-069 Backdoor into the router. It's been exploited by others, which is why Verizon changed the default passwords on many routers. The failed login attempt was most likely due to the system trying a few sets of passwords Verizon might have set for a router. As long as the router isn't being logged into by something that isn't a Verizon server, it's fine.

0 Likes
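
The check described in the reply above (successful logins to the router's web server should only come from the provider's management server) can be run over the exported log. This is an added example, not part of the original thread: the function names and the trusted-address list are assumptions, and one log line is constructed to show an unexpected client.

```python
import re
from ipaddress import ip_address, ip_network

# Lines copied from the first post in this thread (syslog export format).
THREAD_LOG = """\
Jan 17 07:59:55 AM,Daemon.Warning,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Bad login attempt
Jan 17 07:59:55 AM,Daemon.Info,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Web Server: 166.68.134.174 GET 96.239.54.88 /871d0b6e-1964-4c04-af86-97fe28bfb951 -> 401 Unauthorized
Jan 17 08:00:00 AM,Daemon.Info,192.168.1.1,an 17 12:59:52 2012 Wireless_Broadband_Router Web Server: 166.68.134.174 GET 96.239.54.88 /871d0b6e-1964-4c04-af86-97fe28bfb951 -> 200 OK
Jan 17 08:00:01 AM,Daemon.Info,192.168.1.1,an 17 12:59:58 2012 Wireless_Broadband_Router ACS ACK: event = 6 CONNECTION REQUEST
"""
# Constructed line (not from the thread): same format, TEST-NET-3 client address.
CONSTRUCTED = "Jan 17 09:00:00 AM,Daemon.Info,192.168.1.1,an 17 14:00:00 2012 Wireless_Broadband_Router Web Server: 203.0.113.9 GET 96.239.54.88 /index.html -> 200 OK\n"

WEB_RE = re.compile(r"Web Server: (\S+) (\S+) (\S+) (\S+) -> (\d{3})")
ACS_MARK = "ACS ACK: event = 6 CONNECTION REQUEST"
# Assumption: the address the thread resolved to sw01.verizon.com is the only
# management server you accept; adjust to what your provider documents.
TRUSTED = (ip_network("166.68.134.174/32"),)

def parse_web_requests(text):
    """Return one dict per 'Web Server:' entry found in the log text."""
    fields = ("client", "method", "host", "path", "status")
    rows = [dict(zip(fields, m.groups())) for m in WEB_RE.finditer(text)]
    for row in rows:
        row["status"] = int(row["status"])
    return rows

def is_trusted(client, trusted):
    try:
        addr = ip_address(client)
    except ValueError:
        return False  # an unparseable client field is never trusted
    return any(addr in net for net in trusted)

def summarize(text, trusted=TRUSTED):
    """Correlate 401 -> 200 pairs and list successful clients outside `trusted`."""
    reqs = parse_web_requests(text)
    challenged, authed = set(), []
    for r in reqs:
        key = (r["client"], r["path"])
        if r["status"] == 401:
            challenged.add(key)      # server demanded credentials
        elif r["status"] == 200 and key in challenged:
            authed.append(key)       # same client, same path, now accepted
    ok_clients = {r["client"] for r in reqs if r["status"] == 200}
    return {
        "auth_after_challenge": authed,
        "bad_login_attempts": text.count("Bad login attempt"),
        "acs_connection_requests": text.count(ACS_MARK),
        "untrusted_successful_clients": sorted(
            c for c in ok_clients if not is_trusted(c, trusted)),
    }
```

A 401 followed by a 200 from the same client on the same path is consistent with an HTTP authentication challenge and an authenticated retry; any entry in `untrusted_successful_clients` is the case worth investigating.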
Re: Automated Router Login???
SteveP2
Contributor - Level 2

How do I know if I have a router that has changed pswds? I just recently got a refurb to replace my aged one, and I am seeing these messages.

0 Likes
Re: Automated Router Login???
smith6612
Community Leader

I'm pretty sure I saw mention of someone being able to find out what the password to the router would be via the CWMP Agent by using Telnet to access the router from within the network. That would be a pretty lengthy login to attempt to figure out. I don't know how the password is generated, but what I was thinking of in terms of changed password, would be the user-end or remote admin HTTP variant of modifying settings on the router. Rather than it being admin/admin to log in as it normally would be, it would be the serial number as the password.

Not sure if it makes a difference, but it's a guess at this point. Wish I had FiOS to be able to tell you with 100% certainty.

Re: Automated Router Login???
Anti-Phish1
Master - Level 1

@SteveP wrote:

How do I know if I have a router that has changed pswds. I just recently got a refurb to replace my aged one,


Any refurb router should have been reset to factory defaults before it was sent out. As such, you will be prompted to enter a user name and password the first time you log on to the router.

0 Likes