
h.1.01 v2.00t insecure webpage and portscans (system log)

Anonymous
Not applicable

Hi, recently I have been having trouble understanding what is going on with my router. After trying to play PUBG on my PC via ethernet I was lagged out for half an hour; when I logged into the router to check the system logs I was met with these warnings...
Action GetConnectionTypeInfo execute by UPNP/TR064() Success.

Action GetNATRSIPStatus execute by UPNP/TR064() Success.

Since then I have been monitoring the log only to find more has been happening while I was asleep...

Detect UDP port scan attack, scan packet from 80.82.77.33.

Warning Detect UDP port scan attack, scan packet from 216.218.206.78.


(today's messages)...

04:39:16 11/04/2019 User Level Debug Action GetNATRSIPStatus execute by UPNP/TR064() Success.

04:39:16 11/04/2019 User Level Debug Action GetConnectionTypeInfo execute by UPNP/TR064() Success.


07:06:33 11/04/2019 User Level Notice CWMP:Cwmp post inform success.
07:06:33 11/04/2019 User Level Notice CWMP or STUN parameter be changed.
07:06:33 11/04/2019 User Level Notice User ACS(62.24.243.161) modify ManagementServer.PeriodicInformEnable; ManagementServer.PeriodicInformTime; ManagementServer.PeriodicInformInterval; .
07:06:33 11/04/2019 User Level Notice User ACS(62.24.243.161) modify ManagementServer.ConnectionRequestPassword; ManagementServer.ConnectionRequestUsername; .
07:06:33 11/04/2019 User Level Notice CWMP inform message: period report.
07:06:33 11/04/2019 User Level Notice CWMP inform message: event: 2 PERIODIC.


07:47:32 11/04/2019 Security Warning DROP FTP Request

08:34:15 11/04/2019 Security Warning ACCEPT UDP SAMBA Request

08:58:19 11/04/2019 Security Warning DROP TCP SAMBA Request

10:21:37 11/04/2019 Security Debug DROP HTTP Request

12:59:51 11/04/2019 Security Debug DROP ICMP Request

13:59:35 11/04/2019 Security Warning DROP UDP SAMBA Request

16:39:15 11/04/2019 User Level Debug Action GetNATRSIPStatus execute by UPNP/TR064() Success.

16:39:15 11/04/2019 User Level Debug Action GetConnectionTypeInfo execute by UPNP/TR064() Success.

16:34:31 11/04/2019 Security Warning ACCEPT UDP SAMBA Request.


My other issue is to do with logging on to the router using an unsecure webpage (see image).
How is this even safe to use if it doesn't use https and lacks certification?

TalkTalk customer service is rubbish as they were more concerned with the name of my network (SSID) and even tried blaming it on a virus on my PC. I SCAN WEEKLY and use CCleaner daily.

Anonymous
Not applicable

BTW, I was asleep until 15:00, so why is TalkTalk accessing my router? 62.24.243.161 is a TalkTalk IP.

07:06:33 11/04/2019 User Level Notice CWMP:Cwmp post inform success.
07:06:33 11/04/2019 User Level Notice CWMP or STUN parameter be changed.
07:06:33 11/04/2019 User Level Notice User ACS(62.24.243.161) modify ManagementServer.PeriodicInformEnable; ManagementServer.PeriodicInformTime; ManagementServer.PeriodicInformInterval; .
07:06:33 11/04/2019 User Level Notice User ACS(62.24.243.161) modify ManagementServer.ConnectionRequestPassword; ManagementServer.ConnectionRequestUsername; .
07:06:33 11/04/2019 User Level Notice CWMP inform message: period report.
07:06:33 11/04/2019 User Level Notice CWMP inform message: event: 2 PERIODIC.

Community Team

Hi Nine-Toes

The IP address is our DNS server. It is not unusual to see contact from external servers such as NNTP or DNS.

Any intrusion attempts in the log just show that the router is doing its job.

Thanks

Debbie

Anonymous
Not applicable

I have disabled remote access to avoid TalkTalk accessing my router without my knowledge or consent. But as for the intrusions you mention, these are not. You want to see a list of intrusions where the firewall is doing its job? Fine, here they are, totally different to what I posted yesterday....

15:14:17 12/04/2019 Security Warning Intrusion -> src=185.40.4.82 DST=89.243.74.181 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=43529 DFPROTO=TCP SPT=17211 DPT=4664 WINDOW
15:04:10 12/04/2019 Security Warning Intrusion -> src=71.6.146.186 DST=89.243.74.181 LEN=44 TOS=0x00 PREC=0x00 TTL=112 ID=48664 PROTO=TCP SPT=30991 DPT=10554 WINDOW
14:54:18 12/04/2019 Security Warning Intrusion -> src=185.216.140.6 DST=89.243.74.181 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=37906 DPT=41008 WINDO
This is just a fraction of that list; I receive one intrusion attempt every ten minutes or so.
What I posted yesterday was something entirely different.
Also, what is the reason for using an unsecure webpage to log in with? Nobody has answered me that.

At present I am tempted to take this to a small claims court, as to me it is a breach of my contract (no safe secure login, no explanations, accessing customer router because you can, no reason to access it unless I state there is a problem).

Anonymous
Not applicable

All is good, I have cancelled my contract and because TalkTalk breached the agreement I have no early cancellation fee.

Using http to log in to a router is bad practice and should stop asap. I will advise people to go elsewhere for their own security and never recommend TalkTalk.
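
Added example, not part of any post in this thread and not TalkTalk or router-vendor code: a small Python triage of the log format pasted above. It separates LAN-side UPnP/TR-064 actions, CWMP (TR-069) management events from the ACS, firewall ACCEPT/DROP decisions, intrusion entries and port-scan notices. The category names and the choice of which categories to flag for review are assumptions of this example; the sample lines are copied from the posts.

```python
import re
from collections import Counter

# Sample lines copied from the posts above (no new data).
SAMPLE = """\
Warning Detect UDP port scan attack, scan packet from 216.218.206.78.
04:39:16 11/04/2019 User Level Debug Action GetNATRSIPStatus execute by UPNP/TR064() Success.
07:06:33 11/04/2019 User Level Notice User ACS(62.24.243.161) modify ManagementServer.ConnectionRequestPassword; ManagementServer.ConnectionRequestUsername; .
07:47:32 11/04/2019 Security Warning DROP FTP Request
08:34:15 11/04/2019 Security Warning ACCEPT UDP SAMBA Request
15:04:10 12/04/2019 Security Warning Intrusion -> src=71.6.146.186 DST=89.243.74.181 LEN=44 TOS=0x00 PREC=0x00 TTL=112 ID=48664 PROTO=TCP SPT=30991 DPT=10554 WINDOW
"""

# Optional "time date facility level" header; some pasted lines lack it.
HEADER = re.compile(r"^(?:(\d\d:\d\d:\d\d) (\d\d/\d\d/\d{4}) "
                    r"(?:User Level|Security) (?:Debug|Notice|Warning) )?(.*)$")
# (category, pattern); first match wins. Category names are this example's own.
RULES = [
    ("acs-config-change", r"User ACS\((?P<src>[\d.]+)\) modify (?P<detail>.*)"),
    ("cwmp-session", r"CWMP"),
    ("upnp-tr064-action", r"Action (?P<detail>\w+) execute by UPNP/TR064"),
    ("fw-intrusion", r"Intrusion -> src=(?P<src>[\d.]+).*?DPT=(?P<detail>\d+)"),
    ("fw-accept", r"ACCEPT (?P<detail>.+?) Request"),
    ("fw-drop", r"DROP (?P<detail>.+?) Request"),
    ("port-scan", r"(?P<detail>\w+) port scan attack, scan packet from (?P<src>\d+(?:\.\d+){3})"),
]

def classify(line):
    if not line.strip():
        return None  # blank separator lines between log entries
    time, date, msg = HEADER.match(line.strip()).groups()
    for category, pattern in RULES:
        hit = re.search(pattern, msg)
        if hit:
            g = hit.groupdict()
            return {"time": time, "date": date, "category": category,
                    "src": g.get("src"), "detail": (g.get("detail") or "").strip(" ;.")}
    return {"time": time, "date": date, "category": "other", "src": None, "detail": msg}

def triage(text):
    events = [e for e in map(classify, text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    # Review list (this example's choice): traffic the firewall accepted and settings the ACS changed.
    review = [e for e in events if e["category"] in ("fw-accept", "acs-config-change")]
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts), [(e["category"], e["src"], e["detail"]) for e in review])
```

On the sample, the review list holds the ACS change to `ManagementServer.ConnectionRequestPassword` / `ConnectionRequestUsername` and the `ACCEPT UDP SAMBA` entry; the `DROP` lines are counted but not flagged.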