|
|
My BT fiber connection dropped about 20 mins ago.
I thought oh it'll come back up on its own, it rarely goes down. I couldn't telnet into my HG612, which I thought was strange just for a PPP drop.
Ran a network scanner on my PC and every IP address including the one for my HG612 was being used by an unknown device?
I'm in the process of cleaning up a relative's virus-ridden laptop which I thought was clean, has something flooded my local LAN?
-
BT BroadbandInfinity 2
|
|
|
Sounds almost like the laptop you thought was clean is running a bot of some description
Not an uncommon payload alongside the usual virus mixtures these days
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Thought that.
It's the only device on my lan that I can think of that would cause it.
Looks like it's getting formatted then!
-
BT BroadbandInfinity 2
|
|
|
|
|
Just got home, same again, devices on every IP and PPP down.
-
BT BroadbandInfinity 2
|
|
|
If the case then the 'suspect' PC is off and not connected to LAN then consider this
https://www.theregister.co.uk/2016/12/08/talktalk_ro...
Other makes were also affected
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Switched back to my Home Hub5 and the PPP has remained up since last night as expected.
Thought the firewall on the HG612 was capable?
-
BT BroadbandInfinity 2
|
|
|
Thought the firewall on the HG612 was capable?
The HG612 is a modem. What router were you using with it?
|
|
|
All depends on how you've configured it, if using hg612 in router mode then a guide to some basic firewall changes is at http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Rout...
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Switched back to my Home Hub5 and the PPP has remained up since last night as expected.
Thought the firewall on the HG612 was capable?
The question you should really be asking is "why did the firewall on the router not do its job?" You should get the biggest hammer you can find and smash the culprit router into smithereens. Otherwise by continuing to use the same router you're not fixing anything and all that time spent formatting your hard disk(s) will be in vain. Even a £20 el-cheapo router from Argos will give you decent firewall protection.
Edited by deleted (Sat 29-Apr-17 11:47:58)
|
|
|
Firewalls are generally configured to block threats coming from the outside but if a compromised device is connected to the internal 'trusted' network, the firewall may very well be configured to allow all traffic from that device.
If a vulnerable router had port 23 TCP open for administration from the LAN (and many do by default), there would be no protection at all against a Mirai style trojan coming from an infected local device, which could then pwn the router.
|
|
|
|
A temporary fix for a mirai-infected router is to reboot the device, but as soon as the router has been rescanned by mirai it will be infected again.
|
|
|
Thought the firewall on the HG612 was capable?
The HG612 is a modem. What router were you using with it?
The 612 is a router that has a bridge mode. They arrive from Openreach in bridge but it's just a drop down to put them in router mode.
To be more exact they arrive with an interface in router mode, the external management VLAN Openreach use for telemetry and firmware updates, and the regular Internet interface in bridge.
|
|
|
The 612 is a router that has a bridge mode. They arrive from Openreach in bridge but it's just a drop down to put them in router mode.
... after you've disabled the firewall which is set to bar access from the WAN or the LAN
|
|
|
|
They have to be flashed with a custom firmware indeed before they can be managed by users, though that is trivial.
|
|
|
Line is still fine running on the Home Hub 5.
Is the HG612 actually infected? Is it written off? I want to get it back up and running as it's far more stable than the HH5.
-
BT BroadbandInfinity 2
|
|
|
Home Hub 5.
It's a modem yes, but it has a built in firewall.
-
BT BroadbandInfinity 2
|
|
|
|
If you've unlocked the hg612, put it back to locked state via a hardware reset and then see if it's still insecure - using a router if necessary. If it's ok in factory state, then you should try unlocking it again, it's possible the original flash wasn't done properly.
|
|
|
I've done a factory reset on it and I can now access it etc.
I'll be using it with the Home Hub, do I leave the firewall on, on the HG612?
Disable DHCP, QOS and NAT?
-
BT BroadbandInfinity 2
|
|
|
I've done a factory reset on it and I can now access it etc.
I'll be using it with the Home Hub, do I leave the firewall on, on the HG612?
Disable DHCP, QOS and NAT?
In that case you shouldn't need to change anything on the HG612 and ensure the firewall is switched on the Home Hub.
Edited by deleted (Sun 30-Apr-17 14:25:35)
|
|
|
Plugged the HG612 back in, in its default state and all has been fine until 20:41 when the internet dropped.
Looks like the HG612 rebooted? So I checked the Home Hub 5's log and saw this :-
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]
What's that PPP LCP termination request?
The HG612 has been a really solid modem with nearly 100 days uptime until recently.
-
BT BroadbandInfinity 2
Edited by wolvesmad (Mon 01-May-17 22:35:57)
|
|
|
|
The PPP LCP termination request is TR069 which plagues BT Internet.
Have you disabled CWMP and ptm1.301 on your HG612?
|
|
|
Hi Batboy, no I haven't, is that something that needs to be done in CLI?
Checking the logs on the HH5 it looks like either the HG612 or HH5 has asked to drop the VDSL link?
(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]
-
BT BroadbandInfinity 2
|
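To read the hub log excerpt in the post above in time order, the following added example (not from the thread or from BT) parses the two-line entry format and sorts by the uptime counter in parentheses, so it is explicit which entries were logged before and after the PPP termination request. The function names are hypothetical; the log text is the excerpt as posted.

```python
import re

# Hub event log excerpt as posted above (newest first; the first entry has
# no timestamp line because the paste starts mid-entry).
LOG = """\
(27890.540000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
20:41:36, 01 May.
(27887.730000) Ethernet is up
20:41:35, 01 May.
(27886.810000) Ethernet is down after 367 minutes uptime
20:41:35, 01 May.
(27886.800000) PPPoE is down after 366 minutes uptime [Waiting for Underlying Connection (WAN Ethernet - Up)]
20:41:33, 01 May.
(27883.990000) PPP LCP Send Termination Request [User request]
"""

STAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*\d{1,2} [A-Za-z]{3}\.$")
EVENT_RE = re.compile(r"^\((?P<uptime>\d+\.\d+)\)\s+(?P<msg>.+)$")

def parse_hub_log(text):
    """Return entries oldest-first as dicts: uptime (s), stamp (or None), msg."""
    entries, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if STAMP_RE.match(line):
            stamp = line              # a timestamp line precedes its event line
            continue
        m = EVENT_RE.match(line)
        if m:
            entries.append({"uptime": float(m["uptime"]),
                            "stamp": stamp, "msg": m["msg"]})
            stamp = None              # never reuse a stamp for the next event
    return sorted(entries, key=lambda e: e["uptime"])

def around(entries, trigger, window=30.0):
    """(offset in seconds, message) for entries within `window` of the trigger."""
    t0 = next(e["uptime"] for e in entries if trigger in e["msg"])
    return [(round(e["uptime"] - t0, 2), e["msg"])
            for e in entries if abs(e["uptime"] - t0) <= window]

if __name__ == "__main__":
    for offset, msg in around(parse_hub_log(LOG), "PPP LCP Send Termination"):
        print(f"{offset:+6.2f}s  {msg}")
```

In this excerpt the CWMP VALUE CHANGE transaction is logged about 6.5 seconds after the termination request, with the PPPoE and Ethernet state changes in between.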
|
|
Unless someone has found a backdoor to the HG612.
CWMP is remote access. So something is trying to access the system.
|
|
|
CWMP was disabled.
In WAN PTM 1.301 TR069 and TR069_INTERNET both had the WAN box ticked.
Disabled both now.
-
BT BroadbandInfinity 2
|
|
|
Wasn't there a worm that is / was attacking TR069 modem / routers?
-
BT BroadbandInfinity 2
|
|
|
Not sure hopefully someone will be along to confirm, but I would imagine it is a likely attack vector.
|
|
|
|
|
|
|
Interesting read so maybe an HG612 exploit is in the wild and just hasn't been reported on or discovered?
|
|
|
|
If so a quick fix is to change the default admin password. Is the firewall on the HG612 preventing access from the WAN?
|
|
|
The firewall on the HG612 is in its default state so you'd like to think so.
Something is asking it to reboot / drop its PPP though according to the log on the HG612.
When all this started the default admin password on the HG612 was changed, not the telnet one though.
-
BT BroadbandInfinity 2
|
|
|
|
My HG612 was supplied by BT so the default state of the firewall was named "BT" which prevented any access at all. I don't know which of the various firewall settings are default on yours.
The request to drop PPPoE is sent by BT's TR069 server. This is standard practice and plagues everyone on BT as I've already said. It is what led me to unlocking my HG612 in the first place to disable TR069 to stop it happening, as soon as Asbokid's unlocked firmware was available.
Did you use the Mega firmware suffixed by _webgui to unlock yours? That's the one I recommend as it has TR069 disabled by default.
|
|
|
It's the router that decides what to do with the connection. The HG612 acting as a modem acts on whatever the router is saying.
As you say the TR069 thing is what plagues a lot of BT devices, mainly the home hubs.
To the OP, I'd recommend you use a different compatible router. I use the ASUS RT-N66U. But I'm not sure of what connection you're on, and others can recommend other routers too.
From what I can tell you've done everything right as far as the HG612 is concerned, as long as you turned off the settings recommended earlier in the thread. Imho you need a better router to replace the HH.
Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
|
|
|
The PTM settings I have now removed. Bit reluctant to leave the HG612 running whilst at work today so will test and monitor it later.
I'm not sure if the HH5 still does its 14 day reboot when running in PPPOE but up until Friday the PPP connection had been up for over a month no issues.
Looking at the logs it does look as if the HH5 has asked the HG612 to drop the PPPOE.
Why it doesn't do this when running the DSL connection I don't understand.
-
BT BroadbandInfinity 2
|
|
|
|
Could attempts be linked to the regular HTTP authentication fails I see in my log?
00:49:39,29 Apr. HTTP authentication Fail from 123.151.42.xx
19:47:10,29 Apr. HTTP authentication Fail from 93.174.93.xxx
01:17:23,30 Apr. HTTP authentication Fail from 123.151.42.xx
12:59:57,30 Apr. HTTP authentication Fail from 185.40.4.xxx
00:06:08,01 May. HTTP authentication Fail from 93.174.93.xxx
02:51:00,01 May. HTTP authentication Fail from 123.151.42.xx
03:13:37,02 May. HTTP authentication Fail from 123.151.42.xx
03:35:31,02 May. HTTP authentication Fail from 93.174.93.xxx
16:09:13,02 May. HTTP authentication Fail from 139.162.87.xxx
I have also had a successful authentication that appears to be from BT asking the hub to reboot
CWMP:Reboot.
which it did, as is 'normal' every so often.
|
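The authentication failures listed in the post above can be grouped by source to see whether the same addresses keep coming back. This is an added example, not code from the thread: the function names are hypothetical, and the year 2017 is an assumption taken from the thread's edit stamps because the log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# The nine log lines posted above (last octet was already masked by the poster).
LOG = """\
00:49:39,29 Apr. HTTP authentication Fail from 123.151.42.xx
19:47:10,29 Apr. HTTP authentication Fail from 93.174.93.xxx
01:17:23,30 Apr. HTTP authentication Fail from 123.151.42.xx
12:59:57,30 Apr. HTTP authentication Fail from 185.40.4.xxx
00:06:08,01 May. HTTP authentication Fail from 93.174.93.xxx
02:51:00,01 May. HTTP authentication Fail from 123.151.42.xx
03:13:37,02 May. HTTP authentication Fail from 123.151.42.xx
03:35:31,02 May. HTTP authentication Fail from 93.174.93.xxx
16:09:13,02 May. HTTP authentication Fail from 139.162.87.xxx
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),\s*(?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3})\.\s+"
    r"HTTP authentication Fail from (?P<src>[0-9x.]+)$")

def parse_failures(text, year=2017):
    """Return sorted (timestamp, source) pairs; the year is assumed, not logged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not an auth-failure line is skipped
            ts = datetime.strptime(f"{m['day']} {m['mon']} {year} {m['time']}",
                                   "%d %b %Y %H:%M:%S")
            events.append((ts, m["src"]))
    return sorted(events)

def summarise(events):
    """Per masked source: failures, distinct days, shortest gap between tries (h)."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    rows = []
    for src, stamps in by_src.items():
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        rows.append({"source": src, "failures": len(stamps),
                     "distinct_days": len({t.date() for t in stamps}),
                     "min_gap_h": round(min(gaps), 1) if gaps else None})
    return sorted(rows, key=lambda r: (-r["failures"], r["source"]))

def recurring(rows, min_days=2):
    """Sources that fail authentication on several different days."""
    return [r["source"] for r in rows if r["distinct_days"] >= min_days]
```

On these lines two masked sources recur on three or four separate days with more than 24 hours between attempts, a spacing that a per-minute failure counter would not register.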
|
|
In the HG612 I changed the default password, removed TR069 and made sure CWMP was disabled.
Checking the logs etc the connection survived the night and no traces of PPP drops in the router logs.
Checked the HG612 and it has dropped at some point as the line rate has dropped from 61403 kbit/s / 20000 kbit/s to 59990 kbit/s which is strange as the line will usually sit at 62/63 for months.
Is there a log in the HG612 which will tell me when the PPP dropped and why?
The only thing I can think of is DLM as Monday night the HH5 rebooted 3 times.
-
BT BroadbandInfinity 2
|
|
|
|
As far as I'm aware, DLM will take action if you have too many Error Seconds or too many disconnections in 24 hours. I think banding is applied for too many disconnections.
The best way I know to monitor this is to run the modem monitor DSLStats 24*7 and upload to mydslwebstats which takes care of all the monitoring for you. You can run DSLStats on a Raspberry Pi if you don't have a 24*7 server available.
|
|
|
This is what I find hard to believe as the HG612 was saying 340 CRC errors, 170 HEC errors and very little errors on the upstream in 12 hours uptime.
G.INP is running on the line.
I've had a dig around online and now know how to view the logs on the HG612 so I'll monitor what time it is re-syncing now.
I haven't got a Raspberry Pi but do have an Android box running Android 6, not sure if it can be configured on that?
-
BT BroadbandInfinity 2
Edited by wolvesmad (Wed 03-May-17 11:31:11)
|
|
|
|
I don't think the stats reported by the HG612 web interface are correct, I think you have to get them from telnet
I don't think DSLStats runs on android.
|
|
|
I'll check via Telnet later after work.
What would you say are high error figures for nearly 24 hours uptime?
-
BT BroadbandInfinity 2
|
|
|
|
|
|
|
Only 11 ES in 24 hours.
Opened a line stats thread in Fiber Broadband as this isn't really a Home network query now.
Thanks for your help everyone.
-
BT BroadbandInfinity 2
|
|
|
|
I would reset the homehub 5, and remove the hg612 entirely. Does it still drop?
HH5 has a built in modem as I am sure you know, worth trialing out.
|
|
|
Unfortunately the HH5 reset 3 times during Monday night 'Open RG' and then twice last night. DLM has picked up on it and taken action.
Time for it to go in the bin I think.
Still got this strange device on my LAN, only my laptop appears to find it on Advanced IP scanner. It doesn't have a host name and when I do a remote shut down on it, my laptop shuts down!
When I ping it I get <1ms. It doesn't show up in the router's address table or my WAP.
No idea what it is.
-
BT BroadbandInfinity 2
Edited by wolvesmad (Thu 04-May-17 08:51:38)
|
|
|
|
Sounds like it's your laptop. Wifi connection perhaps?
|
|
|
Unfortunately the HH5 reset 3 times during Monday night 'Open RG' and then twice last night. DLM has picked up on it and taken action.
Time for it to go in the bin I think.
Still got this strange device on my LAN, only my laptop appears to find it on Advanced IP scanner. It doesn't have a host name and when I do a remote shut down on it, my laptop shuts down!
When I ping it I get <1ms. It doesn't show up in the router's address table or my WAP.
No idea what it is.
Mine always did this also - FYI my Smarthub only reboots every 14 days. The HH5A was rebooting multiple times a week sometimes.
|
|
|
Traced it to a Firestick I used to use that was still in the back of one of the TVs, panic over.
-
BT BroadbandInfinity 2
Edited by wolvesmad (Thu 04-May-17 18:51:39)
|
|
|
I know they are instructed to reboot every 14 days, which isn't really a problem but 2, 4 and 6am due to Open RG and then 4pm and 9pm in the same 24 hour period is silly really.
-
BT BroadbandInfinity 2
|
|
|
After 2 days of uptime the issue re-occurred last night.
HG612's DSL light was off when I woke up this morning. Couldn't telnet into it on 192.168.1.2, HH5 was responding as normal.
As you can see below, LAN was flooded. 192.168.1.2 (HG612) was still showing but couldn't ping or tracert it.
https://ibb.co/fxH4RQ
-
BT BroadbandInfinity 2
Edited by wolvesmad (Fri 05-May-17 08:26:34)
|