
Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Cobalt19
Grafter
Posts: 32
Registered: ‎08-05-2013

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Thanks. All devices were off during the tests. The mystery deepens...
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Having just checked UPnP is enabled
Razer
Grafter
Posts: 1,398
Thanks: 8
Registered: ‎17-11-2012

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

If you're freaking out about results from GRC.com's Shields Up pages I can only presume you've read a bit on Steve Gibson's site regarding the issues. I guess you'll probably freak out some more when you read what he has to say about UPnP. Whilst much of what he says may be true generally, his site can be a bit alarmist - and I say that as quite the paranoid sort when it comes to security issues. In any event it is good to know about these things, but try not to freak out. There isn't a hacker waiting to break into your computer the moment you connect.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

You could of course look at the router log - mine shows this
Warning    May 8 17:05:51 IDS proto parser : tcp null port (1 of 28) : 4.79.142.206 81.174.168.118 0044 TCP 58218->0 [......] seq 1564800384 win 8192

Warning May 8 17:02:53 IDS proto parser : udp null port (1 of 1) : 192.168.1.64 192.168.1.255 0090 UDP 137->0

Warning May 8 17:00:34 IDS scan parser : tcp syn scan: 4.79.142.206 scanned at least 20 ports at 81.174.168.118. (1 of 1) : 4.79.142.206 81.174.168.118 0044 TCP 58134->24 [S.....] seq 3915130105 win 8192

Warning May 8 16:59:55 IDS proto parser : tcp null port (1 of 1) : 4.79.142.206 81.174.168.118 0044 TCP 58129->0 [......] seq 2345921030 win 8192
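A way to read log entries like the ones in the post above, as an added example that is not part of the original thread: it parses the four lines quoted there and groups events by source address. The `own_test_sources` parameter and the three origin labels are assumptions of this sketch; passing the address your own scan came from separates a self-initiated test from unsolicited traffic.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the post above (whitespace normalised).
SAMPLE_LOG = """\
Warning May 8 17:05:51 IDS proto parser : tcp null port (1 of 28) : 4.79.142.206 81.174.168.118 0044 TCP 58218->0 [......] seq 1564800384 win 8192
Warning May 8 17:02:53 IDS proto parser : udp null port (1 of 1) : 192.168.1.64 192.168.1.255 0090 UDP 137->0
Warning May 8 17:00:34 IDS scan parser : tcp syn scan: 4.79.142.206 scanned at least 20 ports at 81.174.168.118. (1 of 1) : 4.79.142.206 81.174.168.118 0044 TCP 58134->24 [S.....] seq 3915130105 win 8192
Warning May 8 16:59:55 IDS proto parser : tcp null port (1 of 1) : 4.79.142.206 81.174.168.118 0044 TCP 58129->0 [......] seq 2345921030 win 8192
"""

ENTRY = re.compile(
    r"^(?P<level>\w+)\s+(?P<time>\w{3}\s+\d+\s+[\d:]+)\s+IDS\s+(?P<parser>\w+)\s+parser\s*:\s*"
    r"(?P<event>.+?)\s*\(\d+ of \d+\)\s*:\s*"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+\d+\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sport>\d+)->(?P<dport>\d+)"
)

def parse(log_text):
    """Return one dict per IDS line that matches the format shown in the post."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["event"] = e["event"].split(":")[0]  # "tcp syn scan: 4.79..." -> "tcp syn scan"
            entries.append(e)
    return entries

def triage(entries, own_test_sources=()):
    """Group events by source; own_test_sources are addresses of scans you started yourself."""
    report = defaultdict(lambda: {"origin": None, "events": defaultdict(int)})
    for e in entries:
        src = e["src"]
        if src in own_test_sources:
            origin = "own-test"            # traffic you asked for
        elif ipaddress.ip_address(src).is_private:
            origin = "lan"                 # a device on your own network
        else:
            origin = "unsolicited-wan"     # internet source you did not invite
        report[src]["origin"] = origin
        report[src]["events"][e["event"]] += 1
    return report

if __name__ == "__main__":
    for src, info in triage(parse(SAMPLE_LOG), {"4.79.142.206"}).items():
        print(src, info["origin"], dict(info["events"]))
```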
Cobalt19
Grafter
Posts: 32
Registered: ‎08-05-2013

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Hi all.
@Razer - I am not freaking out but I get your point. I will be happy if all ports are stealthed and I can use VPN and everything works as it did when I had my previous router/ISP.
@Oldjim - I did look at my Router logs, but like yours you listed here - I have absolutely no idea what all that gobbledegook actually means so it's pointless me looking really!
What I don't get still is how one user on this thread (spraxyt) has got stealthed ports even though he doesn't even have the server-side firewall on and his router is on Standard Firewall...
The test result in the opening post differs from mine. My firmware is 8.4.4.J.
With the standard settings (including for UPnP) on my TG582n (ADSL), except ping response from WAN is enabled, all common ports show as 'stealth'. The Plusnet firewall is 'off'.
Can anyone explain how this can be - given I have two firewalls, and the server side is on 'High'???
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

If you want to use VPN you need to set the Plusnet Firewall to Low. Remember to drop your PPP session and reconnect to make the change active.
w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Just a thought: you're not running these tests while connected to the VPN by any chance?
If you are and you have 'Use default gateway on remote network' ticked in Advanced TCP/IP settings (or equivalent) then the scan will be showing the result for the VPN internet gateway rather than your own connection.
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

I tested my old faithful Netgear DG834PN router and got
Quote
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

That's with the Plusnet firewall set to Off and the router firewall set to defaults.  I don't do any VPN malarkey.
alan659882
Rising Star
Posts: 97
Thanks: 12
Fixes: 1
Registered: ‎04-02-2011

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Hmm, I just had a quick re-check with "Shields-Up" and all my ports are stealth-ed apart from 21 & 990 which I've deliberately forwarded to my FTP server. So the TG582n obviously can do it!
I have UPnP turned off and all other servers (FTP, NFS, "Media server" under "content sharing") on the router disabled.
krs360
Grafter
Posts: 94
Thanks: 2
Registered: ‎27-04-2013

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Quote from: Cobalt19
THE SITUATION
Just joined Plusnet three days ago and connected the supplied Router (Technicolor TG582n) and it set itself up fine and I get Broadband OK - this part is good.
Testing the router with the www.grc.com 'Shields Up!' security check service (as suggested on Plusnet's own website) using the 'All Common Ports' test, reveals many ports are visible as 'open' or 'closed' and not stealthed. Consequently my network is open to hacking and it is not good enough. I phoned Plusnet telephone customer service twice and spoke to friendly guys who informed me that they "do not support giving advice on stealthing this router". Not good!
Visible Ports are as follows....
Closed: Ports 21, 22, 137, 138, 443
Open: Ports 139, 445, 548
My previous router (and on a different ISP - the very excellent but expensive Eclipse Internet) stealthed everything and that is what I want again with this new router and Plusnet. My previous router is not ADSL2+ as I got it when Broadband in the UK became available 'back in the day' probably 2004 for me. I am not a computer technician - just your average user. The household uses internet for email, surfing, iPlayer, YouTube, Skype video calls, and the occasional online gaming (PS3). As I said earlier - all this has been working perfectly before using a stealthed router.
MY OBJECTIVE
To have my new router operating all internet functions whilst being completely stealthed.
MY QUESTIONS

  • Is it possible to stealth this Technicolor TG582n?
  • If so - where can I find the detailed settings?
  • If it is impossible to stealth this router then what do I do next?
See screen grab below...


Are you using a Mac or Apple product for sharing/streaming movies, etc. by any chance?
Some of those ports would not be open on a Windows-based PC without the necessary configuration, e.g. SSH and FTP ports.
If you are using Windows it probably wouldn't hurt to run netstat and check which ports your computer is listening for connections on (if you need more help with this, let me know). I would suggest disconnecting all other devices, wired and wireless, when you do this (disable if necessary).
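The netstat check suggested above, as an added example that is not part of the original post: it reads `netstat -an` output and splits the ports from the opening post's Shields Up result into those this computer is listening on and those it is not. The sample output is constructed, and the function names are assumptions of this sketch.

```python
# Ports the opening post's Shields Up result listed as open or closed (from the page).
REPORTED = {21, 22, 137, 138, 139, 443, 445, 548}

# Constructed sample of Windows `netstat -an` output; not from any poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.64:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.64:49712     203.0.113.10:443       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

def listening_tcp(netstat_text):
    """Return sorted (address, port) pairs for TCP sockets in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rpartition keeps IPv6 literals such as "[::]" intact
            addr, _, port = fields[1].rpartition(":")
            found.add((addr, int(port)))
    return sorted(found)

def explain(netstat_text, reported=REPORTED):
    """Split reported ports by whether this host listens on them beyond loopback."""
    local = {port for addr, port in listening_tcp(netstat_text)
             if addr not in ("127.0.0.1", "[::1]")}
    return {
        "listening_here": sorted(reported & local),
        "not_this_host": sorted(reported - local),
    }

if __name__ == "__main__":
    result = explain(SAMPLE_NETSTAT)
    print("This computer listens on:", result["listening_here"])
    print("Look at the router or other devices for:", result["not_this_host"])
```

Ports in the second list are not served by this computer, so the router's own services or another device on the network are the places to look next.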
mattturner
Grafter
Posts: 246
Thanks: 2
Registered: ‎25-06-2009

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Hi Cobalt,
I'm not sure why these ports aren't showing as dropping packets (stealth), all my tests here show that they should.
I can give you some commands to 'stealth' these ports, i.e. make the router drop all packets sent to them; however, I suspect that this will break something that's running on your internal network.
You can try anyway; as long as you don't run the :saveall command these settings will be lost after you reboot.
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=21
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=22
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=137
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=138
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=443
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=139
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=445
:expr add name=CobaltPortBlock type=serv proto=tcp dstport=548
:firewall rule add chain=forward_custom dstintf=wan serv=CobaltPortBlock action=drop
This new rule will tell your router to drop all packets arriving on those ports on the wan interface.
This could have unintended consequences so be prepared to do a factory reset if things go wrong!
Let me know what your ShieldsUp page shows after running these.
Cheers,
Matt
x47c
Grafter
Posts: 881
Thanks: 3
Registered: ‎14-08-2009

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Like poster 'Oldjim', my router's log also shows a deluge of attempted queries being dumped on my connection to see whether anything is potentially open - which the router/modem unit is blocking. It's day in day out, night and day.
There have been 15 warning entries just this afternoon of attempted intrusions/port scanning.
My router is totally stealthed including blocking ICMPing.
Sometimes I get allocated a dynamic IP address by Plusnet which is clearly not (yet) on the scammers' database and then I get a period of quiet - as far as the logs go - with nothing reported.
When I can be arsed I check the attacking IP addresses only to find that invariably they are in the Far East and Eastern Europe.
I've just checked the last two and they appear to be from registered IP locations of Santiago and Moscow.......
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Quote from: x47c

My router is totally stealthed including blocking ICMPing.

Have you checked TCP port 51005 on Gibson's ShieldsUp site?
To stealth this port, disable CWMP-S.
http://npr.me.uk/telnet.html#cwmp
Note:
Disabling CWMP-S may prevent the router from automatically detecting your PN username and password.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Quote from: x47c
Like poster 'Oldjim',

Oldjim's log was the log messages generated by the GRC shields up test!
penfold
Aspiring Pro
Posts: 2,280
Thanks: 25
Fixes: 5
Registered: ‎01-08-2007

Re: Plusnet's Technicolor TG582n Router is OPEN TO HACKERS! - help needed

Mine's an 'out of the box' tg585, and checking with Shields Up, UPnP and all ports are stealthed. Plusnet's firewall also on at low. Only changes made to router are the password, and some reserved IP addresses.