Technical Discussion
  >> Home Networking, Internet Connection Sharing, etc.


Standard User wolvesmad
(fountain of knowledge) Fri 28-Apr-17 19:13:31

Hacked?
My BT fiber connection dropped about 20 mins ago.

I thought, oh, it'll come back up on its own; it rarely goes down. I couldn't telnet into my HG612, which I thought was strange just for a PPP drop.

Ran a network scanner on my PC and every IP address including the one for my HG612 was being used by an unknown device?

I'm in the process of cleaning up a relative's virus-ridden laptop which I thought was clean. Has something flooded my local LAN?

-

BT BroadbandInfinity 2
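The "every IP address is in use by an unknown device" symptom above is what an ARP table looks like when one MAC address answers for many IPs. The script below is an added example, not code from the thread or from any of the posters: it parses the table a scanner or the OS keeps (constructed sample lines in the shape of Windows `arp -a` and Linux `ip neigh`; the MAC addresses are made up, 192.168.1.2 is the HG612 address from the thread) and reports any MAC claiming more addresses than a normal host would. It is a check you can run on the PC that saw the flood before reaching for a format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Windows `arp -a` output. The MAC
# addresses are made up; 192.168.1.2 is the HG612's address from the thread.
SAMPLE_ARP_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-b1-c1-00-00-01     dynamic
  192.168.1.2           02-00-00-00-00-aa     dynamic
  192.168.1.3           02-00-00-00-00-aa     dynamic
  192.168.1.4           02-00-00-00-00-aa     dynamic
  192.168.1.5           02-00-00-00-00-aa     dynamic
  192.168.1.20          d8-3a-dd-00-00-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample in the shape of Linux `ip neigh` output, to show the
# same parser copes with colon-separated MACs.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr a4:b1:c1:00:00:01 REACHABLE
192.168.1.2 dev eth0 lladdr 02:00:00:00:00:aa STALE
192.168.1.3 dev eth0 lladdr 02:00:00:00:00:aa STALE
192.168.1.20 dev eth0 lladdr d8:3a:dd:00:00:02 REACHABLE
"""

# One IPv4 address followed later on the line by a MAC in either - or : form.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I
)


def _is_unicast(mac: str) -> bool:
    """Drop broadcast and multicast entries: the I/G bit is the low bit of
    the first octet, and ff:ff:ff:ff:ff:ff is the broadcast address."""
    first = int(mac.split(":")[0], 16)
    return (first & 1) == 0


def claims_by_mac(arp_text: str) -> dict:
    """Map each unicast MAC in an ARP/neighbour table to the sorted list of
    IPv4 addresses it answered for."""
    claims = defaultdict(set)
    for line in arp_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # interface banner, column header, or blank line
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if _is_unicast(mac):
            claims[mac].add(ip)
    return {
        mac: sorted(ips, key=lambda a: tuple(int(o) for o in a.split(".")))
        for mac, ips in claims.items()
    }


def suspicious_macs(arp_text: str, threshold: int = 3) -> dict:
    """Return only the MACs that answered for `threshold` or more addresses.
    A normal host answers for one (maybe two); one MAC behind many IPs is
    the 'every address is in use' symptom and deserves a look, although a
    router doing proxy ARP will produce the same picture legitimately."""
    return {mac: ips for mac, ips in claims_by_mac(arp_text).items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    for mac, ips in suspicious_macs(SAMPLE_ARP_WINDOWS).items():
        print(f"{mac} answered for {len(ips)} addresses: {', '.join(ips)}")
```

Feed it the real output of `arp -a` (after the scanner has populated the table) and the MAC it names is the physical device to go and find; the OUI prefix of that MAC usually tells you the manufacturer, which is how a forgotten Firestick or a laptop's second adapter gets identified.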
Administrator MrSaffron
(staff) Fri 28-Apr-17 19:15:44

Re: Hacked? [re: wolvesmad]
Sounds almost like the laptop you thought was clean is running a bot of some description.

Not an uncommon payload alongside the usual virus mixtures these days

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User wolvesmad
(fountain of knowledge) Fri 28-Apr-17 19:33:44

Re: Hacked? [re: MrSaffron]
Thought that.

It's the only device on my LAN that I can think of that would cause it.

Looks like it's getting formatted then!

-

BT BroadbandInfinity 2



Standard User wolvesmad
(fountain of knowledge) Sat 29-Apr-17 00:51:28

Re: Hacked? [re: wolvesmad]
Just got home, same again, devices on every IP and PPP down.

-

BT BroadbandInfinity 2
Administrator MrSaffron
(staff) Sat 29-Apr-17 09:15:45

Re: Hacked? [re: wolvesmad]
If that's the case, and the 'suspect' PC is off and not connected to the LAN, then consider this:

https://www.theregister.co.uk/2016/12/08/talktalk_ro...

Other makes were also affected.

Standard User wolvesmad
(fountain of knowledge) Sat 29-Apr-17 10:20:43

Re: Hacked? [re: MrSaffron]
Switched back to my Home Hub5 and the PPP has remained up since last night as expected.

Thought the firewall on the HG612 was capable?

-

BT BroadbandInfinity 2
Standard User BatBoy
(sensei) Sat 29-Apr-17 10:39:06

Re: Hacked? [re: wolvesmad]
In reply to a post by wolvesmad:
Thought the firewall on the HG612 was capable?
The HG612 is a modem. What router were you using with it?
Administrator MrSaffron
(staff) Sat 29-Apr-17 10:40:35

Re: Hacked? [re: wolvesmad]
It all depends on how you've configured it. If using the HG612 in router mode, then a guide to some basic firewall changes is at http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Rout...

Standard User baby_frogmella
(fountain of knowledge) Sat 29-Apr-17 11:41:04

Re: Hacked? [re: wolvesmad]
In reply to a post by wolvesmad:
Switched back to my Home Hub5 and the PPP has remained up since last night as expected.

Thought the firewall on the HG612 was capable?


The question you should really be asking is "why did the firewall on the router not do its job?" You should get the biggest hammer you can find and smash the culprit router into smithereens. Otherwise by continuing to use the same router you're not fixing anything and all that time spent formatting your hard disk(s) will be in vain. Even a £20 el-cheapo router from Argos will give you decent firewall protection.

--------------------------------------------------------------------
Waiting for FluidOne FTTPoD 330/30 mbps installation
1) Order placed
2) Survey done
3) Test rodding of ducts
4) Fibre laid
5) Jointing work - due 15/05/17

Edited by baby_frogmella (Sat 29-Apr-17 11:47:58)

Standard User caffn8me
(eat-sleep-adslguide) Sat 29-Apr-17 14:39:16

Re: Hacked? [re: baby_frogmella]
Firewalls are generally configured to block threats coming from the outside but if a compromised device is connected to the internal 'trusted' network, the firewall may very well be configured to allow all traffic from that device.

If a vulnerable router had port 23 TCP open for administration from the LAN (and many do by default), there would be no protection at all against a Mirai style trojan coming from an infected local device, which could then pwn the router.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User BatBoy
(sensei) Sat 29-Apr-17 16:03:09

Re: Hacked? [re: caffn8me]
A temporary fix for a Mirai-infected router is to reboot the device, but as soon as the router has been rescanned by Mirai it will be infected again.
Standard User Ignitionnet
(knowledge is power) Sat 29-Apr-17 16:48:32

Re: Hacked? [re: BatBoy]
In reply to a post by BatBoy:
In reply to a post by wolvesmad:
Thought the firewall on the HG612 was capable?
The HG612 is a modem. What router were you using with it?


The 612 is a router that has a bridge mode. They arrive from Openreach in bridge but it's just a drop down to put them in router mode.

To be more exact they arrive with an interface in router mode, the external management VLAN Openreach use for telemetry and firmware updates, and the regular Internet interface in bridge.
Standard User BatBoy
(sensei) Sat 29-Apr-17 17:13:35

Re: Hacked? [re: Ignitionnet]
In reply to a post by Ignitionnet:
The 612 is a router that has a bridge mode. They arrive from Openreach in bridge but it's just a drop down to put them in router mode.
... after you've disabled the firewall, which is set to bar access from the WAN or the LAN.
Standard User Ignitionnet
(knowledge is power) Sat 29-Apr-17 23:36:41

Re: Hacked? [re: BatBoy]
They have to be flashed with a custom firmware indeed before they can be managed by users, though that is trivial.
Standard User wolvesmad
(fountain of knowledge) Sun 30-Apr-17 12:23:24

Re: Hacked? [re: BatBoy]
Line is still fine running on the Home Hub 5.

Is the HG612 actually infected? Is it written off? I want to get it back up and running as it's far more stable than the HH5.

-

BT BroadbandInfinity 2
Standard User wolvesmad
(fountain of knowledge) Sun 30-Apr-17 12:28:19

Re: Hacked? [re: BatBoy]
Home Hub 5.

It's a modem, yes, but it has a built-in firewall.

-

BT BroadbandInfinity 2
Standard User baby_frogmella
(fountain of knowledge) Sun 30-Apr-17 13:07:31

Re: Hacked? [re: wolvesmad]
If you've unlocked the HG612, put it back to the locked state via a hardware reset and then see if it's still insecure, using a router if necessary. If it's OK in factory state, then you should try unlocking it again; it's possible the original flash wasn't done properly.

--------------------------------------------------------------------
Waiting for FluidOne FTTPoD 330/30 mbps installation
1) Order placed
2) Survey done
3) Test rodding of ducts
4) Fibre laid
5) Jointing work - due 15/05/17
Standard User wolvesmad
(fountain of knowledge) Sun 30-Apr-17 14:10:08

Re: Hacked? [re: baby_frogmella]
I've done a factory reset on it and I can now access it etc.

I'll be using it with the Home Hub. Do I leave the firewall on on the HG612?

Disable DHCP, QOS and NAT?

-

BT BroadbandInfinity 2
Standard User baby_frogmella
(fountain of knowledge) Sun 30-Apr-17 14:24:58

Re: Hacked? [re: wolvesmad]
In reply to a post by wolvesmad:
I've done a factory reset on it and I can now access it etc.

I'll be using it with the Home Hub, do I leave the firewall on, on the HG612?

Disable DHCP, QOS and NAT?


In that case you shouldn't need to change anything on the HG612; just ensure the firewall is switched on on the Home Hub.

--------------------------------------------------------------------
Waiting for FluidOne FTTPoD 330/30 mbps installation
1) Order placed
2) Survey done
3) Test rodding of ducts
4) Fibre laid
5) Jointing work - due 15/05/17

Edited by baby_frogmella (Sun 30-Apr-17 14:25:35)

Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 21:51:58

Re: Hacked? [re: baby_frogmella]
Plugged the HG612 back in, in its default state, and all has been fine until 20:41 when the internet dropped.

Looks like the HG612 rebooted? So I checked the Home Hub 5's log and saw this:

20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet -​ Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]

What's that PPP LCP termination request?

The HG612 has been a really solid modem with nearly 100 days uptime until recently.

-

BT BroadbandInfinity 2

Edited by wolvesmad (Mon 01-May-17 22:35:57)

Standard User BatBoy
(sensei) Mon 01-May-17 22:17:15

Re: Hacked? [re: wolvesmad]
The PPP LCP termination request is TR069 which plagues BT Internet.

Have you disabled CWMP and ptm1.301 on your HG612?
Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 22:35:19

Re: Hacked? [re: BatBoy]
Hi BatBoy, no I haven't. Is that something that needs to be done in the CLI?

Checking the logs on the HH5 it looks like either the HG612 or HH5 has asked to drop the VDSL link?


(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet -​ Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]

-

BT BroadbandInfinity 2
Standard User Banger
(eat-sleep-adslguide) Mon 01-May-17 23:22:47

Re: Hacked? [re: wolvesmad]
Unless someone has found a backdoor to the HG612.

CWMP is remote access. So something is trying to access the system.

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766
Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 23:42:20

Re: Hacked? [re: BatBoy]
CWMP was disabled.

In WAN PTM 1.301 TR069 and TR069_INTERNET both had the WAN box ticked.

Disabled both now.

-

BT BroadbandInfinity 2
Standard User wolvesmad
(fountain of knowledge) Mon 01-May-17 23:43:22

Re: Hacked? [re: Banger]
Wasn't there a worm that is / was attacking TR069 modems / routers?

-

BT BroadbandInfinity 2
Standard User Banger
(eat-sleep-adslguide) Tue 02-May-17 00:04:08

Re: Hacked? [re: wolvesmad]
Not sure; hopefully someone will be along to confirm, but I would imagine it is a likely attack vector.

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766
Standard User wolvesmad
(fountain of knowledge) Tue 02-May-17 00:13:54

Re: Hacked? [re: Banger]
https://www.theregister.co.uk/2016/11/28/router_flaw...

-

BT BroadbandInfinity 2
Standard User Banger
(eat-sleep-adslguide) Tue 02-May-17 01:00:05

Re: Hacked? [re: wolvesmad]
Interesting read, so maybe an HG612 exploit is in the wild and just hasn't been reported on or discovered?

Tim
www.uno.net.uk & freenetname
Asus DSL-N55U and TP-Link WD9970 on 80 Meg LLU Fibre
http://www.thinkbroadband.com/speedtest/results.html...

Current Sync: 68696/18766
Standard User BatBoy
(sensei) Tue 02-May-17 01:11:12

Re: Hacked? [re: Banger]
If so, a quick fix is to change the default admin password. Is the firewall on the HG612 preventing access from the WAN?
Standard User wolvesmad
(fountain of knowledge) Tue 02-May-17 08:59:32

Re: Hacked? [re: BatBoy]
The firewall on the HG612 is in its default state, so you'd like to think so.

Something is asking it to reboot / drop its PPP though, according to the log on the HG612.

When all this started the default admin password on the HG612 was changed, not the telnet one though.

-

BT BroadbandInfinity 2
Standard User BatBoy
(sensei) Tue 02-May-17 10:47:39

Re: Hacked? [re: wolvesmad]
My HG612 was supplied by BT so the default state of the firewall was named "BT" which prevented any access at all. I don't know which of the various firewall settings are default on yours.

The request to drop PPPoE is sent by BT's TR069 server. This is standard practice and plagues everyone on BT as I've already said. It is what led me to unlocking my HG612 in the first place to disable TR069 to stop it happening, as soon as Asbokid's unlocked firmware was available.

Did you use the Mega firmware suffixed by _webgui to unlock yours? That's the one I recommend as it has TR069 disabled by default.
Standard User bowdon
(committed) Tue 02-May-17 11:07:30

Re: Hacked? [re: BatBoy]
It's the router that decides what to do with the connection. The HG612 acting as a modem acts on whatever the router is saying.

As you say the TR069 thing is what plagues a lot of BT devices, mainly the home hubs.

To the OP, I'd recommend you use a different compatible router. I use the ASUS RT-N66U. But I'm not sure what connection you're on, and others can recommend other routers too.

From what I can tell you've done everything right as far as the HG612 is concerned, as long as you turned off the settings recommended earlier in the thread. Imho you need a better router to replace the HH.

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User wolvesmad
(fountain of knowledge) Tue 02-May-17 11:44:03

Re: Hacked? [re: bowdon]
The PTM settings I have now removed. Bit reluctant to leave the HG612 running whilst at work today, so will test and monitor it later.

I'm not sure if the HH5 still does its 14 day reboot when running in PPPOE but up until Friday the PPP connection had been up for over a month no issues.

Looking at the logs it does look as if the HH5 has asked the HG612 to drop the PPPOE.

Why it doesn't do this when running the DSL connection I don't understand.

-

BT BroadbandInfinity 2
Standard User kitcat
(experienced) Tue 02-May-17 20:23:58

Re: Hacked? [re: wolvesmad]
Could attempts be linked to the regular HTTP authentication fails I see in my log?

00:49:39,29 Apr. HTTP authentication Fail from 123.151.42.xx
19:47:10,29 Apr. HTTP authentication Fail from 93.174.93.xxx
01:17:23,30 Apr. HTTP authentication Fail from 123.151.42.xx
12:59:57,30 Apr. HTTP authentication Fail from 185.40.4.xxx
00:06:08,01 May. HTTP authentication Fail from 93.174.93.xxx
02:51:00,01 May. HTTP authentication Fail from 123.151.42.xx
03:13:37,02 May. HTTP authentication Fail from 123.151.42.xx
03:35:31,02 May. HTTP authentication Fail from 93.174.93.xxx
16:09:13,02 May. HTTP authentication Fail from 139.162.87.xxx

I have also had a successful authentication that appears to be from BT asking the hub to reboot:

CWMP:Reboot.

which it did, as is 'normal' every so often.
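Two things in the hub logs quoted in this thread are worth pulling out automatically: repeated "HTTP authentication Fail" entries from the same source, and whether a "PPP LCP Send Termination Request" has CWMP (TR-069) activity logged next to it, which is the management-server-initiated drop BatBoy describes, as opposed to a drop caused by the line or the modem. The script below is an added example, not code from the thread or from BT: it parses the two line shapes the Home Hub 5 log uses (a timestamp on one line followed by an "(uptime) message" line, or a single-line "HH:MM:SS,DD Mon. message" entry). The sample log is constructed from the lines posted above; the source addresses are the masked ones kitcat posted, and the year is assumed to be 2017 because the hub log omits it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample built from the two line shapes quoted in this thread:
# a timestamp line followed by an "(uptime) message" line, and a single-line
# "HH:MM:SS,DD Mon. message" entry. The source addresses are the masked ones
# kitcat posted; the year is assumed to be 2017, as the hub log omits it.
SAMPLE_HH5_LOG = """\
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:39, 01 May.
(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
00:49:39,29 Apr. HTTP authentication Fail from 123.151.42.xx
19:47:10,29 Apr. HTTP authentication Fail from 93.174.93.xxx
01:17:23,30 Apr. HTTP authentication Fail from 123.151.42.xx
12:59:57,30 Apr. HTTP authentication Fail from 185.40.4.xxx
02:51:00,01 May. HTTP authentication Fail from 123.151.42.xx
03:35:31,02 May. HTTP authentication Fail from 93.174.93.xxx
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s*(\d{2} [A-Za-z]{3})\.\s*(.*)$")
UPTIME_RE = re.compile(r"^\(\d+\.\d+\)\s*(.*)$")
AUTH_FAIL_RE = re.compile(r"HTTP authentication Fail from (\S+)")


def parse_hh5_log(text: str, year: int = 2017) -> list:
    """Return (datetime, message) pairs in time order, joining a bare
    timestamp line with the "(uptime) message" line that follows it."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(2)} {m.group(1)}", "%Y %d %b %H:%M:%S")
            msg = m.group(3).strip()
            if msg:
                events.append((ts, msg))
                pending = None
            else:
                pending = ts  # message arrives on the next "(uptime) ..." line
            continue
        m = UPTIME_RE.match(line)
        if m and pending is not None:
            events.append((pending, m.group(1).strip()))
            pending = None
    events.sort(key=lambda e: e[0])
    return events


def auth_failures_by_source(events: list, min_count: int = 2) -> dict:
    """Count failed HTTP logins per source address and keep repeat offenders."""
    counts = Counter()
    for _, msg in events:
        m = AUTH_FAIL_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= min_count}


def ppp_drops_with_cwmp_nearby(events: list, window_seconds: int = 60) -> list:
    """For each PPP LCP termination request, list the CWMP (TR-069) messages
    logged within `window_seconds` of it. A drop with CWMP activity beside it
    matches the management-initiated pattern described in the thread; a drop
    with nothing nearby points at the line or the modem instead."""
    cwmp = [(ts, msg) for ts, msg in events if msg.startswith("CWMP")]
    hits = []
    for ts, msg in events:
        if "PPP LCP Send Termination Request" in msg:
            nearby = [c for c in cwmp if abs((c[0] - ts).total_seconds()) <= window_seconds]
            hits.append({"when": ts, "reason": msg, "cwmp_nearby": nearby})
    return hits


if __name__ == "__main__":
    evs = parse_hh5_log(SAMPLE_HH5_LOG)
    print("repeat login failures:", auth_failures_by_source(evs))
    for hit in ppp_drops_with_cwmp_nearby(evs):
        print(hit["when"], hit["reason"], "->", len(hit["cwmp_nearby"]), "CWMP event(s) nearby")
```

Paste the hub's event log into `SAMPLE_HH5_LOG` (or read it from a file) and the two reports separate the internet-side password guessing, which the firewall's WAN block should already be stopping from reaching the admin page, from the management-triggered PPP drops that the TR069/CWMP settings discussed above control.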
Standard User wolvesmad
(fountain of knowledge) Wed 03-May-17 08:49:25

Re: Hacked? [re: kitcat]
In the HG612 I changed the default password, removed TR069 and made sure CWMP was disabled.

Checking the logs etc., the connection survived the night and there are no traces of PPP drops in the router logs.

Checked the HG612 and it has dropped at some point, as the line rate has dropped from 61403 kbit/s / 20000 kbit/s to 59990 kbit/s, which is strange as the line will usually sit at 62/63 for months.

Is there a log in the HG612 which will tell me when the PPP dropped and why?

The only thing I can think of is DLM as Monday night the HH5 rebooted 3 times.

-

BT BroadbandInfinity 2
Standard User BatBoy
(sensei) Wed 03-May-17 11:09:45

Re: Hacked? [re: wolvesmad]
As far as I'm aware, DLM will take action if you have too many Error Seconds or too many disconnections in 24 hours. I think banding is applied for too many disconnections.

The best way I know to monitor this is to run the modem monitor DSLStats 24*7 and upload to mydslwebstats which takes care of all the monitoring for you. You can run DSLStats on a Raspberry Pi if you don't have a 24*7 server available.
Standard User wolvesmad
(fountain of knowledge) Wed 03-May-17 11:29:36

Re: Hacked? [re: BatBoy]
This is what I find hard to believe, as the HG612 was saying 340 CRC errors, 170 HEC errors and very few errors on the upstream in 12 hours uptime.

G.INP is running on the line.

I've had a dig around online and now know how to view the logs on the HG612, so I'll monitor what time it is re-syncing now.

I haven't got a Raspberry Pi but do have an Android box running Android 6; not sure if it can be configured on that?

-

BT BroadbandInfinity 2

Edited by wolvesmad (Wed 03-May-17 11:31:11)

Standard User BatBoy
(sensei) Wed 03-May-17 12:37:22

Re: Hacked? [re: wolvesmad]
I don't think the stats reported by the HG612 web interface are correct; I think you have to get them via telnet.

I don't think DSLStats runs on android.
Standard User wolvesmad
(fountain of knowledge) Wed 03-May-17 13:05:48

Re: Hacked? [re: BatBoy]
I'll check via Telnet later after work.

What would you say are high error figures for nearly 24 hours uptime?

-

BT BroadbandInfinity 2
Standard User BatBoy
(sensei) Wed 03-May-17 15:01:18

Re: Hacked? [re: wolvesmad]
Kitz has a DLM calculator: http://www.kitz.co.uk/adsl/DLM_calculator.php

And detailed info: http://www.kitz.co.uk/adsl/DLM.htm
Standard User wolvesmad
(fountain of knowledge) Wed 03-May-17 19:57:34

Re: Hacked? [re: BatBoy]
Only 11 ES in 24 hours.

Opened a line stats thread in Fibre Broadband, as this isn't really a home network query now.

Thanks for your help everyone.

-

BT BroadbandInfinity 2
Standard User ukhardy07
(knowledge is power) Thu 04-May-17 01:43:53

Re: Hacked? [re: wolvesmad]
I would reset the Home Hub 5 and remove the HG612 entirely. Does it still drop?

The HH5 has a built-in modem, as I am sure you know; worth trialling.
Standard User wolvesmad
(fountain of knowledge) Thu 04-May-17 08:48:58

Re: Hacked? [re: ukhardy07]
Unfortunately the HH5 reset 3 times during Monday night 'Open RG' and then twice last night. DLM has picked up on it and taken action.

Time for it to go in the bin I think.


Still got this strange device on my LAN; only my laptop appears to find it on Advanced IP Scanner. It doesn't have a host name, and when I do a remote shutdown on it, my laptop shuts down!

When I ping it I get <1ms. It doesn't show up in the router's address table or my WAP.

No idea what it is.

-

BT BroadbandInfinity 2

Edited by wolvesmad (Thu 04-May-17 08:51:38)

Standard User BatBoy
(sensei) Thu 04-May-17 09:56:17

Re: Hacked? [re: wolvesmad]
Sounds like it's your laptop. Wi-Fi connection perhaps?
Standard User ukhardy07
(knowledge is power) Thu 04-May-17 15:14:01

Re: Hacked? [re: wolvesmad]
In reply to a post by wolvesmad:
Unfortunately the HH5 reset 3 times during Monday night 'Open RG' and then twice last night. DLM has picked up on it and taken action.

Time for it to go in the bin I think.


Still got this strange device on my LAN, only my laptop appears to find it on Advanced IP scanner. It doesn't have a host name and when I do a remote shut down on it, my laptop shuts down!

When I ping it I get <1ms. It doesn't show up in the routers address table or my WAP.

No idea what it is.
Mine always did this also. FYI, my Smarthub only reboots every 14 days; the HH5A was rebooting multiple times a week sometimes.
Standard User wolvesmad
(fountain of knowledge) Thu 04-May-17 15:53:49

Re: Hacked? [re: BatBoy]
Traced it to a Firestick I used to use that was still in the back of one of the TVs. Panic over.

-

BT BroadbandInfinity 2

Edited by wolvesmad (Thu 04-May-17 18:51:39)

Standard User wolvesmad
(fountain of knowledge) Thu 04-May-17 15:55:14

Re: Hacked? [re: ukhardy07]
I know they are instructed to reboot every 14 days, which isn't really a problem, but 2, 4 and 6am due to Open RG and then 4pm and 9pm in the same 24 hour period is silly really.

-

BT BroadbandInfinity 2
Standard User wolvesmad
(fountain of knowledge) Fri 05-May-17 08:25:38

Re: Hacked? [re: wolvesmad]
After 2 days of uptime the issue re-occurred last night.

The HG612's DSL light was off when I woke up this morning. Couldn't telnet into it on 192.168.1.2; the HH5 was responding as normal.

As you can see below, the LAN was flooded. 192.168.1.2 (HG612) was still showing but I couldn't ping or tracert it.

https://ibb.co/fxH4RQ

-

BT BroadbandInfinity 2

Edited by wolvesmad (Fri 05-May-17 08:26:34)
