cancel
Showing results for 
Search instead for 
Did you mean: 

Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'

Highlighted
Rising Star
Posts: 575
Thanks: 14
Registered: ‎05-04-2008

Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'

This is peculiar, and I'm not sure I can explain it well enough.

I came back to my PC after lunch to find I couldn't access the internet. Trying to access most sites forwarded me to the router home page.(Google gave me some kind of 'can't connect - security problem' message.)

[Router = Plusnet Hub One. Firmware version ends 8.263, last updated 19th Feb 2019]

After looking around a bit I tried disconnecting the internet session. I went to the Broadband settings page (not the advanced one) and tried to reconnect. The router claimed to connect (blue light and 'connected' message) but I had the same problem.

I tried it again and noticed that the username was listed as 'setup@plusdsl.net' rather than my own username. This time, when I connected, it worked and I now have normal access again.

I had a look at the router log. At 12:27 (when I was away from all my devices) there was the following:

12:27:52, 31 Jul. (6451541.870000) PPP LCP Send Termination Request [User request]

 

How could that have happened? It had been preceded by a lot of messages like this:

12:21:33, 31 Jul. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:47113-​>[151.101.18.133]:443 on ppp3)

 

Which, from the local IP address, seem to relate to my mobile phone.

Immediately preceding the 'user request' the sequence was as follows (read from the bottom).

12:27:52, 31 Jul. (6451541.450000) CWMP: session completed successfully
12:27:51, 31 Jul. (6451541.230000) CWMP: Set Parameter by TR069 Success
12:27:51, 31 Jul. (6451540.760000) CWMP: HTTP authentication success from https://dbtpnhdm.bt.mo
12:27:50, 31 Jul. (6451539.540000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username
12:27:50, 31 Jul. (6451539.540000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE'
12:27:49, 31 Jul. (6451539.120000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST
12:27:33, 31 Jul. IN: BLOCK [16] Remote administration (TCP [159.192.98.61]:51164-​>[146.200.38.221]:22 on ppp3)

 

Since I've got the internet connection back, I'm getting quite a few blocks of messages like this:

13:56:29, 31 Jul. IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.82.74.185]:443-​>[146.199.147.102]:58593 on ppp3)
13:56:13, 31 Jul. (6456843.130000) CWMP: session closed due to error: Could not resolve host
13:56:08, 31 Jul. (6456838.250000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username
13:56:08, 31 Jul. (6456838.240000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,6 CONNECTION REQUEST,4 VALUE CHANGE'

 

Have I been hacked?

Oh, and another thing- the 'Home Network' part of Advanced Settings is claiming my mobile phone is not connected, whereas it is indeed connected, to the correct SSID, and using WiFi normally. I'm going to try switching it off and on again.

 

3 REPLIES 3
Highlighted
Community Gaffer
Community Gaffer
Posts: 14,491
Thanks: 2,112
Fixes: 148
Registered: ‎04-04-2007

Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'

You've nothing to worry about as far as hacking is concerned.

I had a look at the router log. At 12:27 (when I was away from all my devices) there was the following:

12:27:52, 31 Jul.
(6451541.870000) PPP LCP Send Termination Request [User request]

 

This is an innocent message suggesting your router tore the Internet connection down. There's not enough info to establish why at preset. It could have been a blip/burst of interference that broke connectivity with the exchange for a short while.

It had been preceded by a lot of messages like this:

12:21:33, 31 Jul.
OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:47113-​>[151.101.18.133]:443 on ppp3)

 

Looks like an out of sequence TCP packet that got sent from your phone to a HTTPS website somewhere. Nothing really to worry about.

Immediately preceding the 'user request' the sequence was as follows (read from the bottom).

12:27:52, 31 Jul. (6451541.450000) CWMP: session completed successfully
12:27:51, 31 Jul. (6451541.230000) CWMP: Set Parameter by TR069 Success
12:27:51, 31 Jul. (6451540.760000) CWMP: HTTP authentication success from https://dbtpnhdm.bt.mo
12:27:50, 31 Jul. (6451539.540000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username
12:27:50, 31 Jul. (6451539.540000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE'
12:27:49, 31 Jul. (6451539.120000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST
12:27:33, 31 Jul. IN: BLOCK [16] Remote administration (TCP [159.192.98.61]:51164-​>[146.200.38.221]:22 on ppp3)

 


This is your router calling back to our hardware management platform. Something it does when a new Internet connection is established. Perfectly normal.

 

Since I've got the internet connection back, I'm getting quite a few blocks of messages like this:

13:56:29, 31 Jul.
IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.82.74.185]:443-​>[146.199.147.102]:58593 on ppp3)
13:56:13, 31 Jul.
(6456843.130000) CWMP: session closed due to error: Could not resolve host
13:56:08, 31 Jul.
(6456838.250000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username

 

 Now this looks odd. It suggests that your router has been deleted, or 'ceased' from our hardware management platform. When this happens, your broadband username is overwritten with the default 'setup@plusdsl.net' value and the web address your router uses to 'call home' is changed. This explains some of what you observed, however I've no idea why it happened (I can't see anything on your account that triggered it) Huh

Whatever it was happened at 1:42pm.

I'll see if I can establish what caused it, but in summary, I wouldn't worry too much about it. I'm sure there's a non-sinister explanation.

To properly reactivate your router on our hardware management platform (recommended for firmware updates etc.) you'll need to factory reset it by inserting something into the pinhole at the rear of the device until the status light flashes green.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Highlighted
Rising Star
Posts: 575
Thanks: 14
Registered: ‎05-04-2008

Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'

Thanks very much, Bob, for that reassurance. I'm still getting similar messages (too late to go into detail now).

I'm away for a couple of days from tomorrow morning so I'll shut down the router, and when I get back I'll perhaps try to reset it (if I'm still getting lots of odd messages, which seem to have started at around 10:30 on July 31st).

Highlighted
Rising Star
Posts: 575
Thanks: 14
Registered: ‎05-04-2008

Re: Have I been hacked? Internet down, remote connections, 'tcp reset attack suspected'

The factory reset seems to have done the trick, and TR069 messages are now reporting successful connections again.

The filter feature in the Hub One event log is useful - it allows you to concentrate on the type of event that's most relevant.

Thanks again, @bobpullen