cancel
Showing results for 
Search instead for 
Did you mean: 

A question to plusnet about their configuratoon

Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

A question to plusnet about their configuratoon

Hi

 

What is PluNet's TR-069 configuration?

 

Tags (3)
11 REPLIES 11
Highlighted
Plusnet Staff
Plusnet Staff
Posts: 2,225
Thanks: 395
Fixes: 122
Registered: ‎22-08-2015

Re: A question to plusnet about their configuratoon

Hello there,

TR069 is an industry standard remote management system for end user devices. In our case, we use it to link Plusnet routers to their associated accounts.

It allows for the easy setup of routers to get online initially and should the PPP session ever drop it will usually reconnect automatically because of this system. I believe that we can also push firmware updates when required.

This is my personal Community Forum account to help out around these parts while I'm at home. If I'm posting from the 1st March 2020, this means I'm off-duty with no access to internal systems.
If this post resolved your issue, please click the 'This fixed my problem' button
Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

Re: A question to plusnet about their configuratoon

Hi,

I presume TR-069 uses port 7547.

When using the IoT scanner from BullGuard, the said port was open to the external Internet.

I've managed to close said port with port forwarding (7547 in all four columns) but wondering how to stealth said port.  I want to ensure that your TR-069 enabled device does not leave any exposed ports

I'm using the 2704n.  Firmware 7.275.2_F2704N_Plusnet which hides remote management.

Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

Re: A question to plusnet about their configuratoon

Never mind.  I've solved the problem by reverting back to my old router that has the option to disable remote management.

Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

Re: A question to plusnet about their configuratoon

As reported widely in the media within the last two days the newly discovered  Mirai worm is bringing routers down offline utilising the TR069  industry standard remote management system.

 

Can PlusNet confirm whether or not their router is susceptible to this attack?

Highlighted
All Star
Posts: 1,976
Thanks: 224
Fixes: 23
Registered: ‎02-08-2007

Re: A question to plusnet about their configuratoon

Highlighted
Grafter
Posts: 57
Thanks: 5
Registered: ‎17-10-2016

Re: A question to plusnet about their configuratoon


@Pk9 wrote:

As reported widely in the media within the last two days the newly discovered  Mirai worm is bringing routers down offline utilising the TR069  industry standard remote management system.

 

Can PlusNet confirm whether or not their router is susceptible to this attack?


This is a very good question that should be addressed quickly.

Highlighted
Grafter
Posts: 188
Registered: ‎13-11-2007

Re: A question to plusnet about their configuratoon

Is there an easy way to check if your router has been attacked?

Highlighted
Community Veteran
Posts: 38,460
Thanks: 1,033
Fixes: 62
Registered: ‎15-06-2007

Re: A question to plusnet about their configuratoon


@Pk9 wrote:

As reported widely in the media within the last two days the newly discovered  Mirai worm is bringing routers down offline utilising the TR069  industry standard remote management system.

 

Can PlusNet confirm whether or not their router is susceptible to this attack?


As I understand it the attack is via misconfigured Tr-064 not directly via TR-069 and the Plusnet router isn't one of those susceptible

In any case the Plusnet routers have a unique login password - unlike many where it is standard

Highlighted
Community Veteran
Posts: 38,460
Thanks: 1,033
Fixes: 62
Registered: ‎15-06-2007

Re: A question to plusnet about their configuratoon

I have just read this http://forum.kitz.co.uk/index.php/topic,19002.msg338425.html#msg338425 which explains how it happened

The issue was with the TR-064 stack not properly checking which interface HTTP requests came from.  TR-064 is only supposed to accept LAN side requests.  The bug allowed TR-064 requests to be injected into TR-069 (WAN) HTTP requests.  The device then assumed that the request was coming come the LAN HTTP server.  In summary, these requests had the ability to open [http] port 80 on the firewall,  thereby exposing the web administration GUI to the WAN side.

Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

Re: A question to plusnet about their configuratoon

@Anoush is it true that both telnet and ssh is disabled on the Sagemcom 2704n router?

And TR-064 is not running on the internet facing WAN side? on port 7547.

Highlighted
Dabbler
Posts: 19
Thanks: 3
Fixes: 1
Registered: ‎08-11-2016

Re: A question to plusnet about their configuratoon

So is the router correctly configured with the Tr-064 server not listening on the same port of Tr-069 port 7547?

Can PluNet's confirm this?

Or is it just a case of the router password being the saving grace?