
Have i been hacked by hackers or big B?

SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Have i been hacked by hackers or big B?

Hi, a few weeks ago when logging on to the router control it opened a different page, not the normal start page.
The firmware was the same old number but it seemed to have different options and a new admin had been added;
the username was "Diagnostics" and the privileges were intercept.
Then today my internet went off for about 15 mins or so but the router status said I had internet.
I looked at the log and was shocked to see things like "Info  Mar 14 14:55:39 FIREWALL event (1 of 46): created rules" and "Info  Mar 14 14:55:39 FIREWALL event (1 of 16): deleted rules".
There were many port scans just before the internet went off too.
When the internet came on the log showed "Info  Mar 14 15:07:13 CONFIGURATION saved by TR69", the WAN management protocol,
and I found this:
"Security risks
The compromise of an ISP ACS server or the link between an ACS and CPE by unauthorized entities, including hackers and (domestic and foreign) government agencies, can give access to an entire ISP's subscriber base's routers (with TR-069 enabled). All the above-mentioned information and actions would be available to the potential attackers, including MAC addresses of all clients connected to the router, covert redirection of all DNS queries to a rogue DNS server, and even a surreptitious firmware update which may contain a backdoor to enable covert access from potentially anywhere in the world."

In 20 years of using the internet I've never seen this before, so am I being hacked by hackers or other darker people, and maybe my firmware "updated"?
It also shows 192.168.1.67, and that's not even a PC.
I know what TR69 is, it's to help people like my old sister.
But this setup is not new,
and why the port scans just before my internet went off and why TR69 just as it came back on? Mmmmm
The router is a Technicolor TG582n FTTC modified to use a fibre.
Part of the log (see pics for more info):

Warning  Mar 14 14:56:00 PPP link up (Internet) [172.20.241.131]  
Info  Mar 14 14:56:00 PPP CHAP Receive success (Internet)
Info  Mar 14 14:55:53 PPP CHAP Receive challenge from rhost acc-aln4.kl (Internet)
Info  Mar 14 14:55:39 FIREWALL event (1 of 29): modified rules
Info  Mar 14 14:55:39 FIREWALL event (1 of 46): created rules
Info  Mar 14 14:55:39 FIREWALL event (1 of 16): deleted rules
Warning  Mar 14 14:55:39 PPP link down (Internet) [212.159.86.3]  
Warning  Mar 14 14:35:24 IDS scan parser : udp port scan: 192.168.1.67 scanned at least 20 ports at 23.246.36.156. (1 of 1) : 192.168.1.67 23.246.36.156 30 10 UDP 52260->33456
Info  Mar 14 14:18:19 SNTP Synchronised to server: 212.159.13.50
Warning  Mar 14 14:13:43 IDS scan parser : udp port scan: 192.168.1.67 scanned at least 20 ports at 198.38.109.161. (1 of 1) : 192.168.1.67 198.38.109.161 30 10 UDP 50957->33456
Info  Mar 14 13:18:19 SNTP Synchronised to server: 212.159.6.10
Info  Mar 14 12:18:19 SNTP Synchronised again to server: 212.159.6.9
Warning  Mar 14 11:30:13 IDS scan parser : udp port scan: 145.102.244.2 scanned at least 20 ports at 212.159.86.3. (1 of 2) : 145.102.244.2 212.159.86.3 56 55 UDP 11428->60731
Info  Mar 14 11:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 10:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 09:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 08:18:18 SNTP Synchronised again to server: 212.159.6.9
Error  Mar 14 07:58:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 94.23.247.7 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 14 07:18:18 SNTP Synchronised again to server: 212.159.6.9
Warning  Mar 14 06:44:15 IDS proto parser : tcp null port (1 of 1) : 103.235.242.51 212.159.86.3 40 33 TCP 0->4728 [S.A...] seq 1989870279 ack 1355564719 win 512
Info  Mar 14 06:18:18 SNTP Synchronised to server: 212.159.6.9
Info  Mar 14 05:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 05:04:33 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 154.54.38.57 Dst ip: 212.159.86.3 Type: Time Exceeded Code: Time to Live exceeded in Transit
Info  Mar 14 04:18:18 SNTP Synchronised to server: 212.159.6.10
Info  Mar 14 03:18:18 SNTP Synchronised to server: 212.159.6.9
Info  Mar 14 02:18:18 SNTP Synchronised again to server: 212.159.6.10
Info  Mar 14 01:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 01:02:39 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 164.132.181.160 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 14 00:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 00:02:12 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 87.98.243.201 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 13 23:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 13 23:17:09 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 149.202.92.163 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable

and more new ones

Info  Mar 14 15:18:18 FIREWALL event (1 of 4): modified rules
Info  Mar 14 15:18:18 FIREWALL event (1 of 4): created rules
Info  Mar 14 15:18:18 FIREWALL event (1 of 4): deleted rules
Warning  Mar 14 15:18:18 PPP link down (Internet) [212.159.86.3]  

Info  Mar 14 15:07:13 CONFIGURATION saved by TR69

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

Those logs look similar to anybody else's logs from the 582n. Apparently Plusnet did update the firmware for a lot of the 582n routers recently (causing the DNS issue).
Some of the port scan entries are reporting one of your devices, internal IP address 192.168.1.67, accessing or trying to access IP addresses associated with netflix. The port scan, or merely lots of connection attempts that look a bit like a port scan, is outbound.
The short outage today looks like you failed to connect to Plusnet, and might have been re-directed to a BTWholesale page, if you were using the automatically assigned DNS servers. If you had configured some other DNS servers manually, you probably wouldn't have seen the BTWholesale error page.
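Added example, not code from the thread or from Plusnet: a small Python triage script for the TG582n log format quoted above. It sorts "IDS scan parser" entries by direction the way ejs does by hand (an RFC 1918 source means one of your own LAN devices generated the traffic) and flags "CONFIGURATION saved by TR69" lines so remote-management events stand out. The sample lines are constructed from the thread's own log.

```python
import ipaddress
import re

# Constructed sample in the Technicolor TG582n syslog format shown in the thread.
SAMPLE_LOG = """\
Warning  Mar 14 14:35:24 IDS scan parser : udp port scan: 192.168.1.67 scanned at least 20 ports at 23.246.36.156. (1 of 1) : 192.168.1.67 23.246.36.156 30 10 UDP 52260->33456
Warning  Mar 14 11:30:13 IDS scan parser : udp port scan: 145.102.244.2 scanned at least 20 ports at 212.159.86.3. (1 of 2) : 145.102.244.2 212.159.86.3 56 55 UDP 11428->60731
Info  Mar 14 15:07:13 CONFIGURATION saved by TR69
Info  Mar 14 14:55:39 FIREWALL event (1 of 46): created rules
"""

TS = r"(?P<sev>\w+)\s+(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
SCAN_RE = re.compile(
    TS + r"IDS scan parser : (?P<proto>\w+) port scan: (?P<src>[\d.]+) "
    r"scanned at least (?P<n>\d+) ports at (?P<dst>[\d.]+)\."
)
TR69_RE = re.compile(TS + r"CONFIGURATION saved by TR69$")


def classify_scan(src, dst):
    """Direction of an IDS scan entry based on which side is a private (LAN) address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_private and not d.is_private:
        return "outbound"      # your own device talking out, e.g. a TV box to Netflix
    if not s.is_private:
        return "inbound"       # something on the internet probing your WAN address
    return "lan-internal"


def triage(log_text):
    """Return (timestamp, finding) tuples for the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            direction = classify_scan(m["src"], m["dst"])
            findings.append((m["ts"], f"{direction} {m['proto']} scan {m['src']} -> {m['dst']} ({m['n']}+ ports)"))
            continue
        m = TR69_RE.match(line)
        if m:
            findings.append((m["ts"], "config saved by TR69 (ISP remote management via CWMP)"))
    return findings


if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG):
        print(ts, finding)
```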
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Oh thanks, my pulse is dropping a little.
The thing is, why the firewall rule changes and why did TR69 show up?
FW number 10.2.5.2 FO

Yes, you're right on the Netflix.
The router is hard set to use the two Plusnet DNSs but on the PCs and TV HDD box the DNSs are set to an outside DNS provider.
Is there a way to get the full log? Maybe using telnet if I turn it on on the PC? The logs are small and when there is lots of activity info gets moved out quickly.

Thanks again, Karl
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

I think the telnet command syslog msgbuf show hist=enabled gives a bit more output.
It's also possible to reduce the SNTP update frequency, so that it doesn't clutter up the log so much, e.g. for every 12 hours (entered in minutes):
sntp config poll=720
saveall
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Have i been hacked by hackers or big B?

I agree with ejs, those log entries don't look unusual for a technicolor router.
If you're concerned about the ISP and possible others (v unlikely IMO) having access to your router, you can prevent this by disabling CWMP.
Telnet commands to do this can be found here: http://npr.me.uk/telnet.html#cwmp
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

kk thx
For what it's worth I've turned off TR69 from the ISP page.
I've been thinking about a better router for a time now for better control, so might get one.
Why would the firewall remove rules?
thx
mcintoshuk
Rising Star
Posts: 75
Thanks: 1
Fixes: 1
Registered: ‎17-10-2012

Re: Have i been hacked by hackers or big B?

The firmware update push to 10.2.5.2.FO changed a few things, like adding the "diagnostics" user, making it the default user and changing the landing page for the router's web GUI. The firewall rule creation and deletion seems to be a fairly normal part of the router boot process - I haven't looked in detail but it wouldn't surprise me if it's ensuring that the various bits of the router can talk to each other during the start up. At the end of the boot your own saved rules get loaded anyway, which is what matters.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Have i been hacked by hackers or big B?

You'll be hard pressed to find a router with better control, but you do need to use telnet to get the control.
Easy to find a router with better wifi.
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: SE

[Moderator's note by Mike (Mav):  Full quote of preceding post removed, as per Forum Rule]

Hold on mod, what rule, what did I do???????
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: mcintoshuk
The firmware update push to 10.2.5.2.FO changed a few things, like adding the "diagnostics" user, making it the default user and changing the landing page for the router's web GUI. The firewall rule creation and deletion seems to be a fairly normal part of the router boot process - I haven't looked in detail but it wouldn't surprise me if it's ensuring that the various bits of the router can talk to each other during the start up. At the end of the boot your own saved rules get loaded anyway, which is what matters.

Thanks for the info
I thought I had 10.2.5.2.FO. Do you know when it came out?
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

The 10.2.5.2 FO firmware was first made available at the end of 2013; I don't think anyone has said why the remote upgrades were done much more recently.
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Have i been hacked by hackers or big B?

Quote from: SE
Hold on mod, what rule, what did I do???????

From the Forum Rule link given:
Quotes are a useful way of showing which post/partial post you are replying to.
You should not quote a full post unless: (i) it's not the post immediately prior to your reply, or (ii) your post is the first on a new page.
You should always think before using quotes as they can make a thread difficult to follow.
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: pwatson
Quote from: SE
Hold on mod, what rule, what did I do???????

From the Forum Rule link given:

Lots of rules given and read;
I didn't think it was a problem.
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Have i been hacked by hackers or big B?

Yet you've quoted unnecessarily again though.
SE
Rising Star
Posts: 76
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Oh shoot, sorry.
That's how we've done it since the days of 14k and BBs,
but I will try and remember next time, early stage dementia permitting.
I looked at the logs again and saw 192.168.1.67 scanned at least 20 ports.
I have never had this before a few days ago; it's only an old TV box that plays iPlayer and NF.
Is that any better?