
hijacked speedtouch router??


4 replies to this topic

#1 mike in toronto

mike in toronto

    Member

  • New Member
  • 1 posts

Posted 13 December 2006 - 03:41 PM

Our Speedtouch router logs show 50,000 packets in and 50,000 packets out every 15 minutes on the DSL side.
All local computers are showing correctly on the router status screen. The activity is 24 hours/day, even when the PCs seem to be standing by.

Every computer in the place has been disconnected at some time, but the traffic is not affected. All the PCs test clean with Norton or McAfee, plus an IP traffic monitor indicates no unusual activity on the local network. The monitor was installed on all the PCs.

The fixed IP address was blacklisted last week by spamhaus, but seems to be OK since two days ago.

The CBL team reported

>>The IP 70.xx.xx.xx was detected most recently at:
>>2006:12:11 ~12:00 UTC+/- 15 minutes (approximately 6 hours, 45 minutes ago)
>>sending email in such a way as to strongly indicate that the IP itself
>>was operating an open http or socks proxy, or a trojan spam package.

The router is a new Speedtouch (provided by the ISP, Bell Canada) combination unit with 4 wired ports plus wireless (encrypted, and the log shows no connections except our own notebooks).

This has me baffled, suggestions welcomed!
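One way to make the symptom in this post measurable, as an added example that is not part of the thread: correlate the router's per-interval WAN packet counts with LAN-side activity and flag intervals where heavy, roughly symmetric WAN traffic continues while every LAN host is idle. The log format and the threshold values below are constructed for this example, not the Speedtouch's own.

```python
# Added example, not code from the thread. Flags intervals where the DSL side
# carries heavy, roughly symmetric traffic (in ~= out, typical of relay/proxy
# behaviour) while the LAN side is effectively idle, i.e. traffic that no local
# PC can account for. Log format and thresholds are constructed assumptions.
from dataclasses import dataclass

# Constructed sample log: one line per 15-minute interval.
# Format: "<time> wan_in=<n> wan_out=<n> lan_in=<n> lan_out=<n>"
SAMPLE_LOG = """\
00:00 wan_in=50213 wan_out=49877 lan_in=120 lan_out=98
00:15 wan_in=49990 wan_out=50102 lan_in=0 lan_out=0
00:30 wan_in=50044 wan_out=49950 lan_in=0 lan_out=0
00:45 wan_in=50120 wan_out=50011 lan_in=3 lan_out=2
"""

@dataclass
class Interval:
    time: str
    wan_in: int
    wan_out: int
    lan_in: int
    lan_out: int

def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    intervals = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        intervals.append(Interval(parts[0], int(fields["wan_in"]), int(fields["wan_out"]),
                                  int(fields["lan_in"]), int(fields["lan_out"])))
    return intervals

def unexplained_intervals(intervals, wan_threshold=10000, lan_idle=50, tolerance=0.1):
    """Return the times of intervals whose WAN traffic is heavy and symmetric
    while LAN traffic is below lan_idle packets (assumed thresholds)."""
    flagged = []
    for iv in intervals:
        wan_total = iv.wan_in + iv.wan_out
        symmetric = abs(iv.wan_in - iv.wan_out) <= tolerance * max(iv.wan_in, iv.wan_out, 1)
        lan_is_idle = (iv.lan_in + iv.lan_out) <= lan_idle
        if wan_total >= wan_threshold and symmetric and lan_is_idle:
            flagged.append(iv.time)
    return flagged

if __name__ == "__main__":
    print(unexplained_intervals(parse_log(SAMPLE_LOG)))  # ['00:15', '00:30', '00:45']
```

Intervals that come back flagged are the ones to compare against the router's own connection table; traffic that appears on the WAN counters but on no LAN port is generated by the router itself or by a host it is not showing.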

#2 alansnoog

alansnoog

    Member

  • New Member
  • 1 posts

Posted 16 April 2007 - 08:00 PM

Wireless?
If your router is in proximity with others outside your home, someone could very well be tapping into your wireless network (they might not even realize it). An option to further protect your network is to set up a MAC address filtering scheme, providing the router with the MAC addresses of all the computers you want to be allowed access.

Also change that router password, if not done so already.

#3 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Retired Staff
  • 7,070 posts

Posted 16 April 2007 - 11:13 PM

Hello alansnoog.
If you registered just to post that helpful advice I say thank you. If you registered just to SPAM that link in your sig I say gotcha. Your time would be much better spent refining the fine art of self-promotion at those forums that have a much higher tolerance for SPAM.
Hope is not a method.


Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators


#4 akline

akline

    The One And Only

  • Full Member
  • 8 posts

Posted 25 April 2007 - 07:01 PM

Have you changed the router's default access username and password from admin/password? Also, if you don't already, and I'm sure you do, use WEP or WPA encryption on the connection.

#5 PedroDaGr8

PedroDaGr8

    Inorganic Chemist

  • Full Member
  • 45 posts

Posted 04 November 2007 - 12:27 PM

> Have you changed the router's default access username and password from admin/password? Also, if you don't already, and I'm sure you do, use WEP or WPA encryption on the connection.

Umm... it appears that this particular router can in fact be hijacked from outside. I thought that I remembered a release a while back by some researchers saying they found a flaw in this router. So I googled around, and the second link that came up was:

http://www.gnucitize...the-bt-home-hub

> So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:
>
> * enable backdoor in order to control the router remotely
> * disable wireless completely (can only be re-enabled if the user is technically capable)
> * steal the WEP/WPA key
>
> Of course there are other attacks you could launch! We can hijack any action with full admin privileges or steal any info returned by a router's page. This means the evilness of the exploits is only limited by the attacker's imagination. Other examples of evil attacks include eavesdropping on VoIP conversations (change 'sip config primproxyaddr' statement in config file), stealing VoIP credentials, exposing internal hosts on the DMZ, changing the DNS settings for stealing online banking credentials, disabling auto updates (change 'cwmp.ini' section in config file), etc ...

While this is talking about the BT router (British Telecom), it is in fact a Thomson/Alcatel Speedtouch router.




Member of UNITE