Guy accessed remote administration port 4567 on my router. Thanks, Verizon!
whokebe1
Enthusiast - Level 2

Some dude has been running botnet attacks to gain access to my Westell 9100 BHR router and this past weekend he was successful:


Oct  9 20:01:39 2010    Inbound Traffic    Blocked - Default policy    TCP 74.125.227.33:80->71.170.238.87:49396 on eth1
Oct  9 20:03:50 2010    Inbound Traffic    Blocked - Default policy    TCP 173.192.226.198:80->71.170.238.87:49487 on eth1
Oct  9 20:04:34 2010    Outbound Traffic    Blocked - Default policy    UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct  9 20:04:36 2010    Inbound Traffic    Blocked - Default policy    TCP 65.60.38.194:80->71.170.238.87:49497 on eth1
Oct  9 20:04:37 2010    Outbound Traffic    Blocked - Default policy    UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct  9 20:06:45 2010    Inbound Traffic    Blocked - Default policy    TCP 74.125.227.49:80->71.170.238.87:49534 on eth1
Oct  9 20:07:01 2010    Inbound Traffic    Blocked - Default policy    TCP 78.141.177.62:443->71.170.238.87:49540 on eth1
Oct  9 20:16:35 2010    Inbound Traffic    Blocked - Packet invalid in connection    TCP 77.67.87.105:80->71.170.238.87:49683 on eth1
Oct  9 20:16:37 2010    Firewall Info    Rate Limit    1 messages of type [9] Packet invalid in connection suppressed in 1 second(s)

Oct  9 20:23:25 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60289->71.170.238.87:2439 on eth1
Oct  9 20:23:25 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60289->71.170.238.87:4567 on eth1

Oct  9 20:23:25 2010    Firewall Info    Rate Limit    17 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:23:25 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60289->71.170.238.87:4964 on eth1
Oct  9 20:23:27 2010    Firewall Info    Rate Limit    53 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:23:27 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60290->71.170.238.87:4728 on eth1
Oct  9 20:23:27 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60296->71.170.238.87:4567 on eth1
Oct  9 20:23:27 2010    Firewall Info    Rate Limit    59 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:23:27 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60289->71.170.238.87:2000 on eth1
Oct  9 20:23:28 2010    Firewall Info    Rate Limit    74 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:23:28 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60290->71.170.238.87:2749 on eth1
Oct  9 20:23:29 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60297->71.170.238.87:4567 on eth1
Oct  9 20:23:29 2010    Firewall Info    Rate Limit    74 messages of type [15] Default policy suppressed in 1 second(s)

I went ahead and reset whatever settings he changed, but how do I close this port to prevent this guy from gaining access to my router in the future?

1 Solution
vzanon
Enthusiast - Level 1
You can disable port 4567 and Verizon's remote access by performing the following. Please note, you might need to re-enable it if you ever need their technicians to diagnose a problem in the future.

1) Login to the web admin interface on your VZ router.
2) Select Advanced from the menu at the top (answer Yes to continue).
3) Select Local Administration from the list in the main panel.
4) Enable Primary Telnet on port 23 and hit Apply.
5) Telnet to your VZ router and use the same web admin interface login credentials.
6) Enter the following at the prompt once authenticated:

conf set cwmp/enabled 0
conf reconf 1

7) Close down the telnet connection.
8) Disable the Primary Telnet on port 23 by repeating steps 1-4, but deselecting the option in step 4.

Re-enabling is possible by repeating the above and changing the cwmp/enabled value to 1 in step 6.


14 Replies
Hubrisnxs
Legend

That is a Verizon administration port. How are you sure it wasn't Verizon?

It's a Verizon IP in Texas and they have a huge NOC in DFW.

whokebe1
Enthusiast - Level 2

I live in the DFW and {edited for privacy} is my home ip address.

The accepted inbound traffic is a proxy from the Czech Republic: http://www.ip-adress.com/whois/81.200.61.2

I have an adept stalker/hacker chasing after me who's been monitoring my gchats and internet activity for whatever reason. I would guess he has some extremely hidden spyware or hijacked the browser in a way that isn't being picked up by ZoneAlarm or Norton, as the router attacks only happened AFTER I started googling insecure network ports on my router (I'll reformat, I guess?)

From what I've been reading all he needed to get in was the router's ethernet MAC address and some administrator password that's supposedly available online. Is this correct?

whokebe1
Enthusiast - Level 2

Also, my router is a Westell 9100 BHR Ultra series, not Actiontec. Sorry.

and when the stalker had access to my router he changed this under the port forwarding settings:

Local Host: 255.255.255.255
Local Address: 255.255.255.255 (Unresolved)    Verizon FIOS Service    Any    Application - TCP Any -> 0    Disabled

Does that mean anything, or was he just trying to see what he could do?

And here are a few failed attempts so you guys get the point that it was a hacker attack:



Oct  9 20:25:25 2010    Inbound Traffic    Blocked - Remote administration    TCP 222.186.26.72:12200->71.170.238.87:8080 on eth1
Oct  9 20:19:03 2010    Inbound Traffic    Blocked - Remote administration    ICMP type 8 code 0 94.112.161.102->71.170.238.87 on eth1
Oct  9 20:19:47 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60289->71.170.238.87:22 on eth1
Oct  9 20:19:48 2010    Firewall Info    Rate Limit    9 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:19:49 2010    Firewall Info    Rate Limit    10 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:19:49 2010    Inbound Traffic    Blocked - Remote administration    TCP 81.200.61.23:60289->71.170.238.87:23 on eth1
Oct  9 20:19:50 2010    Firewall Info    Rate Limit    14 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:19:50 2010    Firewall Info    Rate Limit    5 messages of type [16] Remote administration suppressed in 1 second(s)

Oct  9 20:19:51 2010    Firewall Info    Rate Limit    18 messages of type [15] Default policy suppressed in 1 second(s)

Oct  9 20:19:51 2010    Inbound Traffic    Blocked - Default policy    TCP 81.200.61.23:60289->71.170.238.87:1540 on eth1

etc.

prisaz
Legend

I run more than one router. Verizon's 192.168.1.x subnet is considered the DMZ with my set top boxes only on that subnet. Cool to see my paranoia is valid.

Yes you are right. This is not Verizon.

Oct  9 20:23:29 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60297->71.170.238.87:4567 on eth1


Name: ip61-23.nettel.cz
IP Address: 81.200.61.23
Location: Unknown
Network: 81-RIPE

prisaz
Legend

I hate the Verizon routers. They give very little information in the log files. Now with the Rev 2 Version E it seems worse. What is a type 15 message?

It would be nice to know where this is being suppressed from. Just make all things work for CID and Remote DVR. The Actiontec routers suck!

Jul 23 12:12:21 2011    Firewall Info    Rate Limit    5 messages of type [15] Default policy suppressed in 1 second(s)

smith6612
Community Leader

The ActionTecs are physically good units. I've never seen an issue with them in regards to the hardware (minus reports of them failing from time to time, but that just happens). The software on the other hand, the Verizon-branded firmware, yeah, that sucks. I think at this point it might be a good idea for Verizon to talk to the guys behind the DD-WRT/OpenWRT projects, since their firmware runs rock solid on the ActionTec routers with no problem whatsoever.

As far as CWMP/Remote Access Agents go, I've always spoken out against them. This thread shows exactly why. Get someone on your tail and they'll find a way to break into a router. This makes it a lot easier. It's bad when I find ISPs giving away residential routers/gateways that have remote administration not defined anywhere in the router but can be reached simply by entering an IP address and port number into a web browser from any connection. You can really have all sorts of fun once you find something like that, especially if the Username and Password are simply a default User/Pass.

As for the OP: I would have someone (local computer geek who knows what they are doing, perhaps) take a very close look at your PC, first of all to make sure you aren't infected with malware or have keylogging software installed. A lot of machine compromises I find tend to take place using a hidden Administrator Account, usually created from malware install or from automated commands coming from say, a botnet. If any signs of compromise are found I would highly suggest a reformat and reinstall of Windows since you do not know what they might have gotten into. When setting up Windows, make sure you have created two user accounts. One account would be the Administrator Account with a password, the second being a Limited User Account also with a password which will be the account you will use. Fully patch the PC from Windows Update, including any and all service packs and new versions of software such as Internet Explorer using the Administrator Account. From there, install the programs you use and check each program for patches using the Administrator Account. Install Security Software (I suggest Avast! with Malwarebytes and/or SUPERAntiSpyware) and verify that at least the Windows Firewall is enabled for a basic stance. Use Firefox as your web browser, running it with the Ad-block Plus extension installed. Finally, using the Limited User account, copy any files you may have backed up back onto your PC.

To ensure that none of your IM/chat accounts have been compromised, I would also use a PC running a Linux LiveCD to change the passwords on those accounts, at a minimum. In addition, I would unplug the coaxial connection from the Verizon router temporarily, give it a factory reset, and then configure it with a different password. From there, I would make sure UPnP is disabled, a firewall rule is configured for port 4567 to drop inbound requests to that port, and your wireless is configured to use WPA2-PSK AES encryption. From there, switch off the FiOS router, connect the coaxial cable, and leave the router off for a few hours. Finally, turn it back on and you should have connectivity.

prisaz
Legend

Yea the Rev E and greater routers have a little more memory or better management for the NAT table. I myself like my Linux based IP-Cop 1.9 which is now running behind the Actiontec. Since my Rev D locked up last month and went South, I decided to put the new Rev. E back on the front lines for Remote DVR and CID if they get it working for me again. I too run Avast and Malwarebytes. CSR wanted remote access to my desktop, I said no IHA, and no I am behind double NAT. If someone is hammering my router, I like to be able to see who and for how long. The Actiontec logs are bogus in size and information. Now the hard drive logs on my IP-COP stay for 60 days or whatever, and log every connection. I can't see paying for the full version of Smoothwall. And I am not that much of a Linux Geek to roll my own. I did manage to get Dan's Guardian to run with the new Cop 1.9 which is a darn good proxy filter.

LawrenceC
Moderator Emeritus

As this thread is now over two years old, it will be locked in order to keep discussions current. If you have the same or a similar question/issue we invite you to start a new thread on the topic.

Anti-Phish1
Master - Level 1

@whokebe1 wrote:

From what I've been reading all he needed to get in was the router's ethernet MAC address and some administrator password that's supposedly available online. Is this correct?


No. What you are seeing is an attack from the WAN port on VZ's CPE management port.

There was a vulnerability published that allows attacking the router from the LAN side using a malicious browser script and the default "admin/password" or "admin/password1" credentials.

These two attack vectors are unrelated.

Anti-Phish1
Master - Level 1

@whokebe1 wrote:

Some dude has been running botnet attacks to gain access to my actiontec router and this past weekend he was successful:


You're being probed from a number of different addresses, which is not uncommon.

74.125.227.33

173.192.226.198

65.60.38.194

74.125.227.49

78.141.177.62

77.67.87.105

The above probes are simply discarded because you have no application listening on that port.

The probes from 81.200.61.23 (Czech Republic) to the VZ CPE management port (4567) are logged as accepted because there is an application listening on that port. The log message simply means the initial inbound TCP connect packet was passed on to the application rather than being dropped by the firewall. Port 4567 is protected by SSL encryption, so it is highly unlikely that the hacker was able to crack both the logon credentials and the SSL certificate.

There used to be ways to block port 4567, however VZ has disabled those methods.

Bottom line.  I wouldn't worry about it.

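
The two kinds of log entry Anti-Phish1 distinguishes above (blocked probes that hit no listener, versus connections the firewall hands to the listener on 4567) can be separated mechanically from the log format quoted in the original post. What follows is an added example, not code from any poster in this thread or from Verizon/Westell: a small Python parser for that log layout that flags every accepted inbound connection to the management port from a source not on an allowlist and summarises blocked probes as noise. The sample lines are constructed from addresses already quoted in the thread; the empty allowlist default is an assumption, since the thread names no Verizon management address range.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the router firewall log quoted in
# this thread; the addresses are the ones that appear in the posts above.
SAMPLE_LOG = """\
Oct  9 20:01:39 2010    Inbound Traffic    Blocked - Default policy    TCP 74.125.227.33:80->71.170.238.87:49396 on eth1
Oct  9 20:04:34 2010    Outbound Traffic    Blocked - Default policy    UDP 192.168.1.3:50018->65.55.158.118:3544 on eth1
Oct  9 20:16:37 2010    Firewall Info    Rate Limit    1 messages of type [9] Packet invalid in connection suppressed in 1 second(s)
Oct  9 20:19:03 2010    Inbound Traffic    Blocked - Remote administration    ICMP type 8 code 0 94.112.161.102->71.170.238.87 on eth1
Oct  9 20:23:25 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60289->71.170.238.87:4567 on eth1
Oct  9 20:23:27 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60296->71.170.238.87:4567 on eth1
Oct  9 20:23:29 2010    Inbound Traffic    Accepted Traffic - Remote administration    TCP 81.200.61.23:60297->71.170.238.87:4567 on eth1
"""

# Columns are separated by runs of at least three spaces; the day field
# ("Oct  9") only ever has two, so it survives the split intact.
FIELD_SEP = re.compile(r" {3,}")
CONN_RE = re.compile(r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+)->"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\w+)$")
ICMP_RE = re.compile(r"^ICMP type (?P<type>\d+) code (?P<code>\d+) "
                     r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) on (?P<iface>\w+)$")

CPE_MGMT_PORT = 4567   # the management port this thread is about


def parse_line(line):
    """Parse one log line into a dict; returns None for blank or unrecognised lines."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) != 4:
        return None
    ts, category, action, detail = parts
    event = {"ts": ts, "category": category, "action": action, "detail": detail,
             "proto": None, "src": None, "sport": None, "dst": None, "dport": None}
    m = CONN_RE.match(detail)
    if m:
        event.update(proto=m["proto"], src=m["src"], sport=int(m["sport"]),
                     dst=m["dst"], dport=int(m["dport"]))
    else:
        m = ICMP_RE.match(detail)
        if m:
            event.update(proto="ICMP", src=m["src"], dst=m["dst"])
    return event   # "Firewall Info / Rate Limit" lines keep only the text fields


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def accepted_admin_connections(events, port=CPE_MGMT_PORT, allowed_sources=()):
    """Inbound connections the firewall handed to the listener on `port`, minus
    sources you have decided to trust (an ISP-documented management range, for
    example; none is known from this thread, so the default allowlist is empty)."""
    return [(e["ts"], e["src"], e["sport"]) for e in events
            if e["category"] == "Inbound Traffic"
            and e["action"].startswith("Accepted")
            and e["dport"] == port
            and e["src"] not in allowed_sources]


def blocked_probe_counts(events):
    """Count blocked inbound events per source; these reached no listener and are noise."""
    return Counter(e["src"] for e in events
                   if e["category"] == "Inbound Traffic"
                   and e["action"].startswith("Blocked") and e["src"])


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, src, sport in accepted_admin_connections(evts):
        print(f"ALERT {ts}: {src}:{sport} reached the management port {CPE_MGMT_PORT}")
    for src, n in blocked_probe_counts(evts).most_common():
        print(f"noise {src}: {n} blocked probe(s)")
```

On the sample above the three 20:23 connections from 81.200.61.23 are reported as alerts while the blocked TCP and ICMP probes are only counted; pointing the parser at a saved copy of the router log instead of SAMPLE_LOG gives the same split for a real day's traffic.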
whokebe1
Enthusiast - Level 2

@Anti-Phish wrote:

Port 4567 is protected by SSL encryption, so it is highly unlikely that the hacker was able to crack the both the logon credentials and the SSL certificate.


So it must have taken him a while, I hope?

Here's a screenshot I uploaded of the changes made to my Port Forwarding page: http://img708.imageshack.us/f/55548062.png/

I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without resetting the router.

Anti-Phish1
Master - Level 1

@whokebe1 wrote:
I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without resetting the router.

That certainly doesn't look like anything I've seen VZ add.

I have seen VZ add a UDP from ANY address / ANY port to DVR port 63145, which effectively blocks port forwarding needed for third-party VOIP.

VZ recently encrypted the Actiontec config file.  However the config file for Westells remains unencrypted.

If you want to block access to the CPE Management port:

  • Save your current configuration to a file.
  • Open it with a text editor.
  • About 3/4 of the way down the file you will see the following lines:

(cwmp
    (enabled(1))

  • Change it to:

(cwmp
    (enabled(0))

That should block remote CPE access.

viafax999
Community Leader

@whokebe1 wrote:

So it must have taken him a while, I hope?

Here's a screenshot I uploaded of the changes made to my Port Forwarding page: http://img708.imageshack.us/f/55548062.png/

I'm pretty certain I didn't see that bottom entry the previous week. And if you'll notice, I can't undo it without resetting the router.


Interesting that you have no port forwarding entries for the STBs. I have many of them, looks like 8 for each STB now. I reset the router and they come back, as does the port 4567 forwarding. There have been several discussions on this in this forum in the past.

As you can see from the attachment I have the same forwarding that you do and I believe everybody else does. Maybe it's a Westell thing.

If it's a hacker it would seem to be rather pointless as there is nothing on the LAN segment addressed by the Westell router except the STBs and another router that has no port forwarding rules.