Kitz ADSL Broadband Information
Author Topic: Router hacking?  (Read 5632 times)

les

  • Just arrived
  • *
  • Posts: 6
Router hacking?
« on: July 11, 2009, 07:57:46 PM »

I would like to add my thanks to the producers of DMT - a most helpful tool.
Apart from assisting with getting better speed from my Speedtouch router, it helped to identify some facts about the device of which I was unaware.

There were two accounts with root privilege established, which were hidden, i.e. did not show in the HTTP interface.
I also discovered that there were persistent connections from two external sources. One could have been the ISP, but a most suspicious one was 88.242.49.210 which nslookup shows asdsl88.242-12754.ttnet.net.tr which seems to be some Eastern European crowd and certainly had no business with my account.

I was wondering if others had experienced similar "presences" on their machine?

The issue was finalised when I removed all users with the "flush" command and installed my own accounts.

Cheers,

Les.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33930
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Router hacking?
« Reply #1 on: July 11, 2009, 09:04:50 PM »

>> but a most suspicious one was 88.242.49.210

hmmm turkey - not good :(
I wonder if someone managed to get in whilst the settings were at default?  I take it that you have now changed the admin password?

>> I was wondering if others had experienced similar "presences" on their machine?

No.. the only ones I've ever seen are ISP ones.



Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

les

  • Just arrived
  • *
  • Posts: 6
Re: Router hacking?
« Reply #2 on: July 11, 2009, 09:42:12 PM »

>> but a most suspicious one was 88.242.49.210

>> hmmm turkey - not good :(
>> I wonder if someone managed to get in whilst the settings were at default?  I take it that you have now changed the admin password?

Yes it is very odd, since the device arrived from Demon with passwords properly set up. I have now removed ALL accounts using the "flush" command and set up accounts with myself as super-sod.




kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33930
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Router hacking?
« Reply #3 on: July 11, 2009, 10:18:19 PM »

Weird wonder how it got there then :/

>> set up accounts with myself as super-sod.

 :lol: :lol:

tnp

  • Member
  • **
  • Posts: 45
Re: Router hacking?
« Reply #4 on: July 12, 2009, 05:57:41 AM »

Having been bombarded with telnet attempts on MY router, I returned the favour and browsed it and promptly was presented with a recognisable login screen of a router I know, so I keyed in the default login name and password, and it worked.

I was on the point of erasing its configuration, when I realised that probably someone else had used it to mount the attack on me..so I contented myself with shutting it down. Hoping this might alert the owner to its accessibility.

A router that has an open admin port on the net might as well not be there at all security wise. Easy to get in. snoop the DHCP table. add some port forwarding rules..and you can guess the rest.

Secure your router!








kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33930
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Router hacking?
« Reply #5 on: July 12, 2009, 02:37:21 PM »

>> Having been bombarded with telnet attempts on MY router

I know what you mean.. I turned logging off on mine a fair while back as I was sick of seeing all the different types of attacks.  OK it was nice for a while to know that my router was keeping x y and zee at bay...  but it got to the point it was obscuring the logs that I did want to see.

>> when I realised that probably someone else had used it to mount the attack on me

very possibly :/

>> Secure your router!

Indeed - unfortunately there are still too many users who still have the default settings and passwords :(




jeffbb

  • Kitizen
  • ****
  • Posts: 2329
Re: Router hacking?
« Reply #6 on: July 12, 2009, 07:44:23 PM »

Hi

>> Indeed - unfortunately there are still too many users who still have the default settings and passwords

I have changed the admin password :), what other settings should I be looking to change? :-\

Regards Jeff
zen user

les

  • Just arrived
  • *
  • Posts: 6
Re: Router hacking?
« Reply #7 on: July 12, 2009, 08:26:45 PM »

Jeff, are you talking about speedtouch, or another brand?
On mine, I not only deleted all accounts and reset with new passwords, but I have been trying to tighten up the firewall - the menus for which seem to be a bit obscure.

I have allegedly blocked all telnet, ftp, etc, emanating from the internet but the logs seem to be a bit confused.

If someone tried to telnet in unsuccessfully, the log reports:

"User logged OUT on telnet 88.xxx.xxx.xxx"

If on the other hand I successfully log in locally via web interface, the log reports:

"User admin TRIED to login on HTTP 192.xxx.xxx.xxx"

So according to the syntax, an attempt (successful or not) under HTTP is logged as "tried to".
and failed telnet attempts are logged as "telnet logged out" even though they never logged in!

Who writes this stuff?

Confused of Wales.
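
Going by the two message forms quoted in the post above, the verb in the log says little about what happened, so the source address is the more useful field to sort on. An added example (not part of the original post and not Speedtouch code) that groups these events by whether they came from outside an assumed LAN subnet of 192.168.1.0/24; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed LAN subnet; change it to match the router's local network.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Matches the two message shapes quoted in the post. The user name is
# absent in the "logged OUT" form, so it is optional here.
EVENT = re.compile(
    r"User (?:(?P<user>\S+) )?(?P<verb>logged OUT|TRIED to login) "
    r"on (?P<service>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
User logged OUT on telnet 203.0.113.7
User logged OUT on telnet 203.0.113.7
User admin TRIED to login on HTTP 192.168.1.10
User logged OUT on telnet 198.51.100.23
User admin TRIED to login on HTTP 203.0.113.7
Firewall rule list reloaded
"""

def parse_events(text):
    """Return one dict per management-interface event found in text."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated log line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a valid address, e.g. an octet above 255
        events.append({"user": m["user"], "verb": m["verb"],
                       "service": m["service"].lower(),
                       "ip": ip, "from_wan": ip not in LAN})
    return events

def wan_summary(events):
    """Count events per (source, service) for addresses outside the LAN."""
    return Counter((str(e["ip"]), e["service"]) for e in events if e["from_wan"])

if __name__ == "__main__":
    for (ip, service), n in wan_summary(parse_events(SAMPLE_LOG)).most_common():
        print(f"{ip:15} {service:6} {n} event(s) from outside the LAN")
```

Any telnet or HTTP event attributed to an address outside the LAN means the management service is still reachable from the internet side, whatever verb the log uses.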

les

  • Just arrived
  • *
  • Posts: 6
Re: Router hacking?
« Reply #8 on: July 13, 2009, 02:31:52 PM »

>> Having been bombarded with telnet attempts on MY router, I returned the favour and browsed it and promptly was presented with a recognisable login screen of a router I know, so I keyed in the default login name and password, and it worked.
>>
>> I was on the point of erasing its configuration, when I realised that probably someone else had used it to mount the attack on me..so I contented myself with shutting it down. Hoping this might alert the owner to its accessibility.
>>
>> A router that has an open admin port on the net might as well not be there at all security wise. Easy to get in. snoop the DHCP table. add some port forwarding rules..and you can guess the rest.
>>
>> Secure your router!

I just discovered a quick and dirty way of preventing the log from being filled with attempted hacks. Leave 2 telnet sessions connected (but not logged in). Seems to work on the speedtouch and keeps the log clear.

Les.






jeffbb

  • Kitizen
  • ****
  • Posts: 2329
Re: Router hacking?
« Reply #9 on: July 13, 2009, 02:44:31 PM »

Hi

I am using Netgear DG834G V4.
I have done no changes to the default settings except to change the Password.
Regards Jeff



les

  • Just arrived
  • *
  • Posts: 6
Re: Router hacking?
« Reply #10 on: July 14, 2009, 11:04:17 AM »

Finally found out how to completely isolate the Speedtouch regarding Telnet & FTP from the wicked outside world. After adding a load of rules to the firewall via the HTTP interface which achieved nothing, I used the telnet CLI interface, - moved to service/system and issued these commands:

ifdelete name=TELNET group=wan
ifdelete name=FTP group=wan

saveall
 :P

Now a scan using https://www.grc.com/x/ne.dll?bh0bkyd2

shows no access from the internet to either Telnet or FTP, but I can still telnet via my local network. :)
Pity this was not clear from the "manual".

Les.

mr_chris

  • Kitizen
  • ****
  • Posts: 3774
Re: Router hacking?
« Reply #11 on: July 14, 2009, 11:19:29 AM »

Useful info les, thank you for posting. I reckon this should go on the main site actually, I'll make a note of it :)

This thread seems to have got a bit muddled, so I've split Toulouse's issue into another thread as it's a separate issue, keeps things nice and tidy then ;)
« Last Edit: July 14, 2009, 11:23:55 AM by mr_chris »
Chris