Standard User BatBoy
(sensei) Mon 01-May-17 22:17:15

Re: Hacked?


[re: wolvesmad] [link to this post]
 
The PPP LCP termination request is TR069 which plagues BT Internet.

Have you disabled CWMP and ptm1.301 on your HG612?
Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 22:35:19

Re: Hacked?


[re: BatBoy] [link to this post]
 
Hi Batboy, no I haven't. Is that something that needs to be done in CLI?

Checking the logs on the HH5 it looks like either the HG612 or HH5 has asked to drop the VDSL link?


(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]

-

BT BroadbandInfinity 2
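
An added example, not part of any post in this thread: a small Python parser for the Home Hub 5 log lines quoted above that orders events by the uptime counter and, for each PPPoE drop, reports the LCP termination request that preceded it and any CWMP transaction within a few seconds. The mapping from event code to the side that starts the session follows the TR-069 Inform event codes; that other codes are logged in the same "event code N NAME" form, and the 10-second window, are assumptions.

```python
import re
# Log lines copied from the post above (newest first, as pasted).
HH5_LOG = """\
(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]
"""

ENTRY = re.compile(r"^\((\d+\.\d+)\)\s+(.*)$")
LCP = re.compile(r"PPP LCP (\w+) Termination Request \[(.*?)\]")
CWMP = re.compile(r"CWMP: Initializing transaction for event code (\d+) (.+)")
# TR-069 Inform event codes and which side triggers the session (assumed log format).
CWMP_TRIGGER = {"1": "CPE (boot)", "2": "CPE (periodic inform)",
                "4": "CPE (parameter value changed)", "6": "ACS (connection request)"}

def parse(log_text):
    """Return (uptime_seconds, message) pairs, oldest first."""
    hits = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    # Wall-clock lines do not match and are skipped; the uptime counter orders events.
    return sorted((float(m.group(1)), m.group(2)) for m in hits if m)

def explain_drops(log_text, window=10.0):
    """For each PPPoE drop, collect the preceding LCP request and nearby CWMP sessions."""
    entries = parse(log_text)
    reports = []
    for t in [t for t, m in entries if m.startswith("PPPoE is down")]:
        report = {"down_at": t, "lcp": None, "cwmp_before": [], "cwmp_after": []}
        for t2, msg in entries:
            lcp, cwmp = LCP.search(msg), CWMP.search(msg)
            if lcp and t - window <= t2 <= t:
                report["lcp"] = {"direction": lcp.group(1), "reason": lcp.group(2), "at": t2}
            elif cwmp and abs(t2 - t) <= window:
                key = "cwmp_before" if t2 < t else "cwmp_after"
                report[key].append({"event": cwmp.group(2).strip(), "at": t2,
                                    "trigger": CWMP_TRIGGER.get(cwmp.group(1), "unknown")})
        reports.append(report)
    return reports

if __name__ == "__main__":
    for r in explain_drops(HH5_LOG):
        print(r)
```

On the quoted lines this reports a "Send" termination request with reason "User request" 2.81 seconds before the drop, and one CWMP transaction after it whose event code, 4 VALUE CHANGE, is the one a device sends itself when a monitored parameter changes. A code 6 CONNECTION REQUEST shortly before a drop is the entry that would show the management server opening the session.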
Standard User Banger
(eat-sleep-adslguide) Mon 01-May-17 23:22:47

Re: Hacked?


[re: wolvesmad] [link to this post]
 
Unless someone has found a backdoor to the HG612.

CWMP is remote access. So something is trying to access the system.

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766


Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 23:42:20

Re: Hacked?


[re: BatBoy] [link to this post]
 
CWMP was disabled.

In WAN PTM 1.301 TR069 and TR069_INTERNET both had the WAN box ticked.

Disabled both now.

-

BT BroadbandInfinity 2
Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 23:43:22

Re: Hacked?


[re: Banger] [link to this post]
 
Wasn't there a worm that is / was attacking TR069 modem / routers?

-

BT BroadbandInfinity 2
Standard User Banger
(eat-sleep-adslguide) Tue 02-May-17 00:04:08

Re: Hacked?


[re: wolvesmad] [link to this post]
 
Not sure, hopefully someone will be along to confirm, but I would imagine it is a likely attack vector.

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766
Standard User wolvesmad
(fountain of knowledge) Tue 02-May-17 00:13:54

Re: Hacked?


[re: Banger] [link to this post]
 
https://www.theregister.co.uk/2016/11/28/router_flaw...

-

BT BroadbandInfinity 2
Standard User Banger
(eat-sleep-adslguide) Tue 02-May-17 01:00:05

Re: Hacked?


[re: wolvesmad] [link to this post]
 
Interesting read, so maybe an HG612 exploit is in the wild and just hasn't been reported on or discovered?

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766
Standard User BatBoy
(sensei) Tue 02-May-17 01:11:12

Re: Hacked?


[re: Banger] [link to this post]
 
If so, a quick fix is to change the default admin password. Is the firewall on the HG612 preventing access from the WAN?
Standard User wolvesmad
(fountain of knowledge) Tue 02-May-17 08:59:32

Re: Hacked?


[re: BatBoy] [link to this post]
 
The firewall on the HG612 is in its default state so you'd like to think so.

Something is asking it to reboot / drop its PPP though, according to the log on the HG612.

When all this started the default admin password on the HG612 was changed, not the telnet one though.

-

BT BroadbandInfinity 2