cancel
Showing results for 
Search instead for 
Did you mean: 

Have i been hacked by hackers or big B?

SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Have i been hacked by hackers or big B?

Hi a few weeks ago when logging on to the router control it opened a different page not the normal start page
the firmware was the same old number but it seemed to have different options and a new admin had been added
username was “Diagnostics” and the privileges were intercept
then today my internet went off for about 15 mins or so but the router status said i had internet
i looked at the log and was shocked to see things like “Info  Mar 14 14:55:39 FIREWALL event (1 of 46): created rules” amd “Info  Mar 14 14:55:39 FIREWALL event (1 of 16): deleted rules”
there were many port scans just before the internet went off too
when the internet came on the log showed “Info  Mar 14 15:07:13 CONFIGURATION saved by TR69” the wan management protocol
and found this
“Security risks
The compromise of an ISP ACS server or the link between an ACS and CPE by unauthorized entities, including hackers and (domestic and foreign) government agencies, can give access to an entire ISP's subscriber base's routers (with TR-069 enabled). All the above-mentioned information and actions would be available to the potential attackers, including MAC addresses of all clients connected to the router, covert redirection of all DNS queries to a rogue DNS server, and even a surreptitious firmware update which may contain a backdoor to enable covert access from potentially anywhere in the world.”

In 20 years of using the internet ive never seen this before, so am i being hacked by hackers or other darker people and maybe my firmware “updated” ?
it also shows 192.168.1.67 that's not even a pc
I know what TR69 is, its to help people like my old sister  Wink
but this setup is not new
and why the port scans just before my internet went off and why TR69 just as it came back on? Mmmmm  Lips are sealed
the router is a Technicolor TG582n FTTC modified to use a fibre
part of the log (see pics for more info)

Warning  Mar 14 14:56:00 PPP link up (Internet) [172.20.241.131]  
Info  Mar 14 14:56:00 PPP CHAP Receive success (Internet)
Info  Mar 14 14:55:53 PPP CHAP Receive challenge from rhost acc-aln4.kl (Internet)
Info  Mar 14 14:55:39 FIREWALL event (1 of 29): modified rules
Info  Mar 14 14:55:39 FIREWALL event (1 of 46): created rules
Info  Mar 14 14:55:39 FIREWALL event (1 of 16): deleted rules
Warning  Mar 14 14:55:39 PPP link down (Internet) [212.159.86.3]  
Warning  Mar 14 14:35:24 IDS scan parser : udp port scan: 192.168.1.67 scanned at least 20 ports at 23.246.36.156. (1 of 1) : 192.168.1.67 23.246.36.156 30 10 UDP 52260->33456
Info  Mar 14 14:18:19 SNTP Synchronised to server: 212.159.13.50
Warning  Mar 14 14:13:43 IDS scan parser : udp port scan: 192.168.1.67 scanned at least 20 ports at 198.38.109.161. (1 of 1) : 192.168.1.67 198.38.109.161 30 10 UDP 50957->33456
Info  Mar 14 13:18:19 SNTP Synchronised to server: 212.159.6.10
Info  Mar 14 12:18:19 SNTP Synchronised again to server: 212.159.6.9
Warning  Mar 14 11:30:13 IDS scan parser : udp port scan: 145.102.244.2 scanned at least 20 ports at 212.159.86.3. (1 of 2) : 145.102.244.2 212.159.86.3 56 55 UDP 11428->60731
Info  Mar 14 11:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 10:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 09:18:19 SNTP Synchronised again to server: 212.159.6.9
Info  Mar 14 08:18:18 SNTP Synchronised again to server: 212.159.6.9
Error  Mar 14 07:58:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 94.23.247.7 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 14 07:18:18 SNTP Synchronised again to server: 212.159.6.9
Warning  Mar 14 06:44:15 IDS proto parser : tcp null port (1 of 1) : 103.235.242.51 212.159.86.3 40 33 TCP 0->4728 [S.A...] seq 1989870279 ack 1355564719 win 512
Info  Mar 14 06:18:18 SNTP Synchronised to server: 212.159.6.9
Info  Mar 14 05:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 05:04:33 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 154.54.38.57 Dst ip: 212.159.86.3 Type: Time Exceeded Code: Time to Live exceeded in Transit
Info  Mar 14 04:18:18 SNTP Synchronised to server: 212.159.6.10
Info  Mar 14 03:18:18 SNTP Synchronised to server: 212.159.6.9
Info  Mar 14 02:18:18 SNTP Synchronised again to server: 212.159.6.10
Info  Mar 14 01:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 01:02:39 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 164.132.181.160 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 14 00:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 14 00:02:12 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 87.98.243.201 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable
Info  Mar 13 23:18:18 SNTP Synchronised again to server: 212.159.6.10
Error  Mar 13 23:17:09 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 149.202.92.163 Dst ip: 212.159.86.3 Type: Destination Unreachable Code: Port Unreacheable

and more new ones

Info  Mar 14 15:18:18 FIREWALL event (1 of 4): modified rules
Info  Mar 14 15:18:18 FIREWALL event (1 of 4): created rules
Info  Mar 14 15:18:18 FIREWALL event (1 of 4): deleted rules
Warning  Mar 14 15:18:18 PPP link down (Internet) [212.159.86.3]  

Info  Mar 14 15:07:13 CONFIGURATION saved by TR69

28 REPLIES
Community Veteran
Posts: 5,187
Thanks: 486
Fixes: 21
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

Those logs look similar to anybody else's logs from the 582n. Apparently Plusnet did update the firmware for a lot of the 582n routers recently (causing the DNS issue).
Some of the port scan entries are reporting one of your devices, internal IP address 192.168.1.67, accessing or trying to access IP addresses associated with netflix. The port scan, or merely lots of connection attempts that look a bit like a port scan, is outbound.
The short outage today looks like you failed to connect to Plusnet, and might have been re-directed to a BTWholesale page, if you were using the automatically assigned DNS servers. If you had configured some other DNS servers manually, you probably wouldn't have seen the BTWholesale error page.
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Oh thanks my pulse is dropping a little  Shocked
The thing is why the firewall rule changes and why did TR69 show up?
fw number 10.2.5.2 fo

yes your right on the Netflix
the router in hard set to use the two plusnet DNS's but on the PC's and TVhdd box the DNS's are set to a outside DNS provider
is there a way to get the full log? maybe using telnet if I turn it on the PC? the logs are small and when there is lots of activity info gets moved out quickly

Thanks again Karl
adie:quote
Community Veteran
Posts: 5,187
Thanks: 486
Fixes: 21
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

I think the telnet command syslog msgbuf show hist=enabled gives a bit more output.
It's also possible to reduce the SNTP update frequency, so that it doesn't clutter up the log so much, e.g. for every 12 hours (entered in minutes):
sntp config poll=720
saveall
Community Veteran
Posts: 1,841
Thanks: 103
Fixes: 6
Registered: ‎21-01-2013

Re: Have i been hacked by hackers or big B?

I agree with ejs, those log entries don't look unusual for a technicolor router.
If you're concerned about the ISP and possible others (v unlikely IMO) having access to your router, you can prevent this by disabling CWMP.
Telnet commands to do this can be found here: http://npr.me.uk/telnet.html#cwmp
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

kk thx
for what its worth ive turned off tr69 from the isp page
ive been thinking about a better router for a time now for better control so might get one
why would the firewall remove rules?
thx
mav:quote
mcintoshuk
Rising Star
Posts: 66
Fixes: 1
Registered: ‎17-10-2012

Re: Have i been hacked by hackers or big B?

The firmware update push to 10.2.5.2.FO changed a few things, like adding the "diagnostics" user, making it the default user and changing the landing page for the router's web GUI. The firewall rule creation and deletion seems to be a fairly normal part of the router boot process - I haven't looked in detail but it wouldn't surprise me if it's ensuring that the various bits of the router can talk to each other during the start up. At the end of the boot your own saved rules get loaded anyway, which is what matters.
Community Veteran
Posts: 1,841
Thanks: 103
Fixes: 6
Registered: ‎21-01-2013

Re: Have i been hacked by hackers or big B?

You'll be hard pressed to find a router with better control, but you do need to use telnet to get the control.
Easy to find a router with better wifi.  Undecided
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: SE

[Moderator's note by Mike (Mav):  Full quote of preceding post removed, as per Forum Rule]

Hold on mod what rule what did I doHuhHuhShocked
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: mcintoshuk
The firmware update push to 10.2.5.2.FO changed a few things, like adding the "diagnostics" user, making it the default user and changing the landing page for the router's web GUI. The firewall rule creation and deletion seems to be a fairly normal part of the router boot process - I haven't looked in detail but it wouldn't surprise me if it's ensuring that the various bits of the router can talk to each other during the start up. At the end of the boot your own saved rules get loaded anyway, which is what matters.

Thanks for the info
I thought I had 10.2.5.2.FO do you know when it came out?
Community Veteran
Posts: 5,187
Thanks: 486
Fixes: 21
Registered: ‎10-06-2010

Re: Have i been hacked by hackers or big B?

The 10.2.5.2 FO firmware was first made available at the end of 2013, I don't think anyone has said why the remote upgrades were done much more recently.
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Have i been hacked by hackers or big B?

Quote from: SE
Hold on mod what rule what did I doHuhHuhShocked

From the Forum Rule link given:
Quotes are a useful way of showing which post/partial post you are replying to.
You should not quote a full post unless; (i)It’s not the post immediately prior to your reply or (ii)Your post is the first on a new page
You should always think before using quotes as they can make a thread difficult to follow.
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Quote from: pwatson
Quote from: SE
Hold on mod what rule what did I doHuhHuhShocked

From the Forum Rule link given:

Lots of rules given and read
didn't think it was a problem
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Have i been hacked by hackers or big B?

Yet you've quoted unnecessarily again though  Embarrassed
SE
Rising Star
Posts: 72
Thanks: 1
Fixes: 1
Registered: ‎19-08-2013

Re: Have i been hacked by hackers or big B?

Oh shoot sorry  Smiley
that how we've don't it since the days of 14k and BB's
but I will try and remember next time early stage dementia permitting  Sad
I looked at the logs again and saw 192.168.1.67 scanned at least 20 ports
I have never had this before a few days ago, its only a old TV Box that plays iplayer and NF
Is that any better?