How did they hack my modem?

donn_edwards (Well-Known Member; joined Aug 17, 2005; Cresta, Johannesburg)
For the past few days someone has been using up my bandwidth. I have a 3GB ADSL account with MWeb and a Planet ADE-3100 modem.

I was horrified to find that if I switched the modem off, unplugged all network cables, leaving just the phone line and the power cord connected, and then switched it back on, within a minute or so the TX and RX lights would go crazy, as though I had just started a major download. :eek:

The last time I checked a modem doesn't download stuff on its own. I guess the people who configured the modem "forgot" to change the default admin and user passwords, so it was just a matter of time for it to be reconfigured.

So what did the hacker do to redirect the bandwidth? i.e. what modem settings were changed? Needless to say the modem passwords are fixed, and the password on my mweb account is different, but is this enough? Is my modem still vulnerable?
 
It sounds more likely that you have spyware or a virus on your computer. Or is the computer not connected to the modem via a network cable (or wireless) when this happens?
 
The computer was not connected to the modem at all. The only thing connected to the modem was the phone line, and the power cable. NOTHING else.
 
This can happen if you happen to get the IP address of someone who was recently using p2p software like edonkey.

You will be getting requests from the peers who haven’t realized the other guy is gone, this can go on for quite some time, and can be quite bad depending on what p2p protocol was being used.
 
I am waiting for my ADSL usage stats to update, but we're talking about sending over 100MB and receiving about the same.

Surely these requests would stop once I disconnected and reconnected, because the IP number would change. And I'm sure the IP number did change. What port does edonkey use? Limewire/Gnutella uses 6346, but it is blocked on the modem. Does the modem reply with a "closed" signal, or does it just ignore the request completely?

Also, it doesn't explain why the traffic would stop once I changed the modem and Mweb passwords.

I used the port scanner at GRC.com and it shows most ports closed, including all common ports. Only 22 and 80 were being forwarded to the firewall PC.

"Curiouser and curiouser" ...
 
How do you send 100MB from your router? :_)

I'm confident your firmware on there would have to be uploaded 400x+, or what else do you store on your router?
 
Clipse said:
How do you send 100MB from your router? :_)

I'm confident your firmware on there would have to be uploaded 400x+, or what else do you store on your router?

I don't store anything on my router, as far as I know. I wasn't aware you could store stuff on it.

Tuesday's bandwidth usage was, in part: 46MB sent, 172MB received. Not bad since I was at work the whole day.

Today's bandwidth, between midnight and 2pm today: 70.6MB sent, 482MB received. That's a total of 778MB in 36 hours.

What puzzles me is why it would receive 6 times more than it sent. If it was being used as a proxy server, the amounts should be the same.

Here's another interesting one: for the 15 minutes the firewall was switched off and the modem was the only thing connected, it sent 0.92MB and received 9.89MB. That works out at 40MB/hour download. It just doesn't make any sense.
 
Have you changed your password with your ISP? It is more likely that your user details have been stolen.
 
I mentioned this in a previous thread a while back (data usage not belonging to you, but perhaps due to port scans, Slammer worm etc). Should be interesting when the pay-per-GB charging model comes into play... say it after me, "it wasn't me" :-)

I see 3 possibilities

1) you got the ip address of a recent p2p user (as mentioned above)
2) you got the ip address of a recent online gamer (perhaps hosted a server, and people have saved the server ip and are trying to connect)
3) the net is a busy place these last few days, loads of scans going on http://www.microsoft.com/security/incident/zotob.mspx

*If* someone has your actual modem/router passwords, what could they do? Look at the inbuilt config pages? ~480MB? Doubt it. They would have to be online, and already using ADSL, to do that amount of traffic.
 
Werner, I think you're right, even though I'd love to know what kind of repeated request can generate 400+ MB.

Initially I thought "they" had turned my modem into an open proxy, and I had visions of becoming the next Sentech for a few days. But then the send and receive traffic would be about the same. So I think port scanning or invalid requests are more likely.

The next obvious question would be how to reconfigure the router so that ports are set to "stealth" and not "closed", i.e. no response whatsoever to requests on closed ports. I'd also like to be able to prevent ping replies, but how?
 
arf9999 said:
Have you changed your password with your ISP? It is more likely that your user details have been stolen.

If my details were stolen then someone else would be downloading stuff using another modem, and the logon times would overlap in my usage report. There is no overlap. I checked very carefully. Also, it wouldn't explain why my modem lights were going crazy.

I did change the password, and the abuse seemed to stop. But that may only be because I reconnected with a different IP address. Weird. :confused:
 
It happened again! Today I connected using IP 165.165.155.26 and the modem went crazy the whole day. I noticed it at 10am and immediately called M-Web.

Their ADSL guys suggested I speak to their abuse department. They finally logged a support call to SAIX at 3.51pm after I EVENTUALLY got to speak to a real support person at M-Web at around 2pm. After all they were in a meeting at 10am and even when they were finished they had other calls to attend to. :(

In the meantime I discovered that there are some firmware upgrades for my modem, which I have downloaded (that was fun because it must have a real email address for the "anonymous" FTP) and installed.

Of course once I had completed the install my IP address changed to 165.165.142.123 and the problem has gone away (for now). I pity the poor sucker who got 165.165.155.26 because he's going to have to donate 195MB of bandwidth to a faulty router (unless it was mine).

Today my router received 177MB and sent 16.4MB, of which 99% was unsolicited, and happened when the router was not connected to anything other than the power supply and the phone line.

:confused:
 
Don, have you changed your router's default admin password? If not, change that and see what happens.

There's a lot of generic router user/pass combinations that can be easily collected with minor brute force attempts, and some scripts I've seen do all this in a few milliseconds upon discovering an open host.
 
Clipse said:
Don, have you changed your router's default admin password? If not, change that and see what happens.

It was my first suspicion. I have changed it, and the user password, and disabled the command line mode and just about everything else. I have even re-loaded (and upgraded) the firmware.

I wrote to Steve Gibson, of SpinRite fame, asking him about the 6:1 ratio of data. He writes:

>>>

The thing that occurs to me is that since last week, as you know, we've had a whole collection of new Internet worms out propagating. Infected machines actively scan for others. I haven't researched the specific scanning IP generation logic, but many of the newer worms scan preferentially in the same IP neighborhood as where they are located. So if a number of other ADSL users with unprotected Windows 2000 machines have been affected you might be seeing scanning traffic from many locally infected machines.

The inbound packets could be larger -- TCP SYN packets to open a connection or larger payload-carrying UDP packets -- and your router is replying with a small ICMP "port unavailable" packet ... so that could account for the fact that you're seeing a difference in total send and receive data.

From what you've said, the only thing you can do to avoid being billed is to keep your connection down unless you're actively using it.

What a pain!! ;(

<<<

FWIW my current theory is that it may have been a SYN Flood attack that the crappy software on the router didn't deal with in the correct way.

Does anyone know who the Planet distributors are in SA?
 
Now that my modem router actually has a firewall, I have noted the following log entries:

>>>
08/24/2005 05:54:29> Firewall:Winnuke detected,from 165.165.85.119 to 165.165.153.189
08/24/2005 07:26:40> Firewall:SYN Flood detected,from 4.79.142.206 to 165.165.153.189
08/24/2005 07:27:33> Firewall:SYN Flood detected,from 4.79.142.206 to 165.165.153.189
<<<

The characteristic traffic has gone, but until I reconnect as 165.165.155.26 who can be sure?
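The log lines above have a fixed shape (timestamp, event type, source, destination), so they can be parsed and counted per source to see which hosts keep coming back. The following script is an added example, not part of the thread or of the Planet firmware; it uses the three lines quoted above plus one constructed line with the documentation address 192.0.2.10, and the `repeat_threshold` parameter is an assumed knob, not a modem setting.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the ADE-3100 firewall log lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})> "
    r"Firewall:(?P<event>.+?) detected,from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$"
)

# Three lines quoted from the thread plus one constructed line
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = """\
08/24/2005 05:54:29> Firewall:Winnuke detected,from 165.165.85.119 to 165.165.153.189
08/24/2005 07:26:40> Firewall:SYN Flood detected,from 4.79.142.206 to 165.165.153.189
08/24/2005 07:27:33> Firewall:SYN Flood detected,from 4.79.142.206 to 165.165.153.189
08/24/2005 07:28:10> Firewall:SYN Flood detected,from 192.0.2.10 to 165.165.153.189
"""


def parse_line(line):
    """Return a dict with ts/event/src/dst, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    return rec


def summarise(log_text, repeat_threshold=2):
    """Count events per (source, event type) and list sources seen at least
    repeat_threshold times; also track first/last sighting per key so the
    duration of a burst can be read off."""
    counts = Counter()
    first_seen, last_seen = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a firewall event line
        key = (rec["src"], rec["event"])
        counts[key] += 1
        first_seen.setdefault(key, rec["ts"])
        last_seen[key] = rec["ts"]
    repeaters = sorted(src for (src, _ev), n in counts.items() if n >= repeat_threshold)
    return counts, repeaters, first_seen, last_seen


if __name__ == "__main__":
    counts, repeaters, first, last = summarise(SAMPLE_LOG)
    for (src, ev), n in counts.most_common():
        span = (last[(src, ev)] - first[(src, ev)]).total_seconds()
        print(f"{src:16} {ev:10} x{n}  over {span:.0f}s")
    print("repeat sources:", repeaters)
```

A source that appears repeatedly over a short span is what you would hand to the ISP's abuse desk, together with the timestamps, rather than a bare byte count.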
 
simons said:
Planet is distributed by Eurobyte 011-234-0142

I phoned them and spoke to Murray, the product manager for Planet modems. He'd never heard of this problem before, but promised to investigate further.

I strongly recommend that everyone with a Planet ADE-3100 modem visit the planet web site (when it works!) and download the following files from

ftp://ftp1.planet.com.tw/ADSL/ADE-3100

FW-ADE3100_41029B.zip
ADE3100_Firewall Patch.zip
EM-ADE3100.pdf

Unfortunately you can't just log in anonymously. You have to give an email address. Also, the manual is older than the firewall patch, so you're on your own there.

Here are the default passwords:

User Level: User Name: user Password: password
Administration Level: User Name: admin Password: epicrouter
FTP login: User Name: admin Password: epicrouter
Telnet: Password: epicrouter

Make sure you change them before you reconnect to the web!!!!
 
With their "highly encrypted"/difficult to guess usernames and passwords I'm not surprised their modems get hacked...
 
I have just spent 30 minutes on the phone to Telkom Internet trying to get to the bottom of this. It turns out that my modem wasn't hacked but attacked by a user with a virus on both of his machines, each of them using a different IP address.

It has taken several days to get Telkom Internet to get off their couches and do something about it. I originally contacted M-Web abuse last Tuesday. They still say they are "working" on it. :mad: Like I believe them.

Then on Monday I phoned 0800DSLDSL and tried to report it as a fault. They said SAIX must deal with it. So I spoke to Willie, who eventually tracked down the IP numbers as belonging to a Telkom Internet user, and he then emailed [email protected] because you can't get hold of them on the phone.

No kidding! I tried calling their 08600 08700 number, which doesn't work. Oh the bitter irony! So I called their 0800 500 200 number, toll free. I asked for their technical support department, and was told that there was no one answering their abuse extension. So I said I would like to speak to the general manager and would be happy to hold because I was calling their toll free number. They put him on and he said he would investigate and call back. I said I would hold.

Eventually I spoke to a real technician from abuse, who said he had just spoken to the user and "they weren't aware they had a problem". Not a bad response time, don't you think? :(

It turns out the only way you can report a problem to them is via email, and they get hundreds of emails and they just plod through them with no prioritisation at all, and they don't take calls. I guess you have to throw your toys to get anything done about it.
 