Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'
31-07-2019 3:17 PM
This is peculiar, and I'm not sure I can explain it well enough.
I came back to my PC after lunch to find I couldn't access the internet. Trying to access most sites forwarded me to the router home page. (Google gave me some kind of 'can't connect - security problem' message.)
[Router = Plusnet Hub One. Firmware version ends 8.263, last updated 19th Feb 2019]
After looking around a bit I tried disconnecting the internet session. I went to the Broadband settings page (not the advanced one) and tried to reconnect. The router claimed to connect (blue light and 'connected' message) but I had the same problem.
I tried it again and noticed that the username was listed as 'setup@plusdsl.net' rather than my own username. This time, when I connected, it worked and I now have normal access again.
I had a look at the router log. At 12:27 (when I was away from all my devices) there was the following:
12:27:52, 31 Jul. | (6451541.870000) PPP LCP Send Termination Request [User request] |
How could that have happened? It had been preceded by a lot of messages like this:
12:21:33, 31 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:47113->[151.101.18.133]:443 on ppp3) |
Which, from the local IP address, seem to relate to my mobile phone.
Immediately preceding the 'user request' the sequence was as follows (read from the bottom).
12:27:52, 31 Jul. | (6451541.450000) CWMP: session completed successfully |
12:27:51, 31 Jul. | (6451541.230000) CWMP: Set Parameter by TR069 Success |
12:27:51, 31 Jul. | (6451540.760000) CWMP: HTTP authentication success from https://dbtpnhdm.bt.mo |
12:27:50, 31 Jul. | (6451539.540000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username |
12:27:50, 31 Jul. | (6451539.540000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE' |
12:27:49, 31 Jul. | (6451539.120000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST |
12:27:33, 31 Jul. | IN: BLOCK [16] Remote administration (TCP [159.192.98.61]:51164->[146.200.38.221]:22 on ppp3) |
Since I've got the internet connection back, I'm getting quite a few blocks of messages like this:
13:56:29, 31 Jul. | IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.82.74.185]:443->[146.199.147.102]:58593 on ppp3) |
13:56:13, 31 Jul. | (6456843.130000) CWMP: session closed due to error: Could not resolve host |
13:56:08, 31 Jul. | (6456838.250000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username |
13:56:08, 31 Jul. | (6456838.240000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,6 CONNECTION REQUEST,4 VALUE CHANGE' |
Have I been hacked?
Oh, and another thing - the 'Home Network' part of Advanced Settings is claiming my mobile phone is not connected, whereas it is indeed connected, to the correct SSID, and using WiFi normally. I'm going to try switching it off and on again.
Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'
31-07-2019 5:03 PM - edited 31-07-2019 5:03 PM
You've nothing to worry about as far as hacking is concerned.
I had a look at the router log. At 12:27 (when I was away from all my devices) there was the following:
12:27:52, 31 Jul. | (6451541.870000) PPP LCP Send Termination Request [User request] |
This is an innocent message suggesting your router tore the Internet connection down. There's not enough info to establish why at present. It could have been a blip/burst of interference that broke connectivity with the exchange for a short while.
It had been preceded by a lot of messages like this:
12:21:33, 31 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:47113->[151.101.18.133]:443 on ppp3) |
Looks like an out of sequence TCP packet that got sent from your phone to a HTTPS website somewhere. Nothing really to worry about.
Immediately preceding the 'user request' the sequence was as follows (read from the bottom).
12:27:52, 31 Jul. | (6451541.450000) CWMP: session completed successfully |
12:27:51, 31 Jul. | (6451541.230000) CWMP: Set Parameter by TR069 Success |
12:27:51, 31 Jul. | (6451540.760000) CWMP: HTTP authentication success from https://dbtpnhdm.bt.mo |
12:27:50, 31 Jul. | (6451539.540000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username |
12:27:50, 31 Jul. | (6451539.540000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE' |
12:27:49, 31 Jul. | (6451539.120000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST |
12:27:33, 31 Jul. | IN: BLOCK [16] Remote administration (TCP [159.192.98.61]:51164->[146.200.38.221]:22 on ppp3) |
This is your router calling back to our hardware management platform. Something it does when a new Internet connection is established. Perfectly normal.
Since I've got the internet connection back, I'm getting quite a few blocks of messages like this:
13:56:29, 31 Jul. | IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.82.74.185]:443->[146.199.147.102]:58593 on ppp3) |
13:56:13, 31 Jul. | (6456843.130000) CWMP: session closed due to error: Could not resolve host |
13:56:08, 31 Jul. | (6456838.250000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username |
Now this looks odd. It suggests that your router has been deleted, or 'ceased', from our hardware management platform. When this happens, your broadband username is overwritten with the default 'setup@plusdsl.net' value and the web address your router uses to 'call home' is changed. This explains some of what you observed; however, I've no idea why it happened (I can't see anything on your account that triggered it).
Whatever it was happened at 1:42pm.
I'll see if I can establish what caused it, but in summary, I wouldn't worry too much about it. I'm sure there's a non-sinister explanation.
To properly reactivate your router on our hardware management platform (recommended for firmware updates etc.) you'll need to factory reset it by inserting something into the pinhole at the rear of the device until the status light flashes green.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
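A small triage script for Hub One event-log lines like the ones quoted in this thread, added here as an example and not code from the thread or from Plusnet. It assumes the ACS host seen while the router was healthy (dbtpnhdm.bt.mo) is the expected one, counts the firewall BLOCK entries (dropped packets, not signs of compromise) and flags the TR-069 symptoms Bob describes: a changed ACS URL, a BOOTSTRAP re-provisioning event and a failed call-home.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Hub One log quoted in the thread,
# newest first as the Hub One displays them.
SAMPLE_LOG = """\
13:56:13, 31 Jul. | (6456843.130000) CWMP: session closed due to error: Could not resolve host |
13:56:08, 31 Jul. | (6456838.250000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username |
13:56:08, 31 Jul. | (6456838.240000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,6 CONNECTION REQUEST,4 VALUE CHANGE' |
12:27:52, 31 Jul. | (6451541.870000) PPP LCP Send Termination Request [User request] |
12:27:51, 31 Jul. | (6451541.230000) CWMP: Set Parameter by TR069 Success |
12:27:50, 31 Jul. | (6451539.540000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username |
12:27:33, 31 Jul. | IN: BLOCK [16] Remote administration (TCP [159.192.98.61]:51164->[146.200.38.221]:22 on ppp3) |
12:21:33, 31 Jul. | OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:47113->[151.101.18.133]:443 on ppp3) |
"""

# Hub One event-log line: "HH:MM:SS, DD Mon. | [(uptime)] message |"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d), (\d+ \w+)\. \| (?:\([\d.]+\) )?(.*?) \|$")
BLOCK_RE = re.compile(r"^(IN|OUT): BLOCK \[\d+\] (.*?) \(")
ACS_URL_RE = re.compile(r"CWMP: Server URL: (\S+?);")

# Assumption: the ACS host the router used while it was healthy (taken from the thread).
EXPECTED_ACS_HOSTS = {"dbtpnhdm.bt.mo"}

def parse_line(line):
    """Return (time, message) for a Hub One log entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(3)) if m else None

def triage(log_text, expected_acs_hosts=EXPECTED_ACS_HOSTS):
    """Count firewall blocks and flag TR-069 (CWMP) activity that deviates from normal."""
    blocks, findings = Counter(), []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        time, msg = parsed
        if b := BLOCK_RE.match(msg):
            # BLOCK means the firewall dropped the packet; tally by direction and reason.
            blocks[f"{b.group(1)} {b.group(2)}"] += 1
        elif u := ACS_URL_RE.match(msg):
            host = u.group(1).split("//", 1)[-1]
            if host not in expected_acs_hosts:
                findings.append(f"{time} ACS URL changed to {host}: router probably removed ('ceased') from the ISP management platform; expect the default username and a factory reset to re-provision")
        elif "'0 BOOTSTRAP" in msg:
            findings.append(f"{time} CWMP BOOTSTRAP event: router is re-provisioning from scratch")
        elif "CWMP: session closed due to error" in msg:
            findings.append(f"{time} call-home failed: {msg.split('error: ', 1)[1]}")
    return {"blocks": dict(blocks), "findings": findings}
```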
Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'
01-08-2019 12:38 AM
Thanks very much, Bob, for that reassurance. I'm still getting similar messages (too late to go into detail now).
I'm away for a couple of days from tomorrow morning so I'll shut down the router, and when I get back I'll perhaps try to reset it (if I'm still getting lots of odd messages, which seem to have started at around 10:30 on July 31st).
Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'
05-08-2019 9:40 AM
The factory reset seems to have done the trick, and TR069 messages are now reporting successful connections again.
The filter feature in the Hub One event log is useful - it allows you to concentrate on the type of event that's most relevant.
Thanks again, @bobpullen