Telkom D-Link modems causing Internet connection problems

That's only half of the story! It seems hackers got access to the Telkom D-Link routers and changed the DNS servers:
http://mybroadband.co.za/vb/showthr...2750-U-router-with-slow-to-no-internet-access

The default password for the support account is 'support' OR 'TelkomDlink12345'.

PS: Is TelkomZA the official Telkom rep on the forum?

My father's was compromised the weekend of the birthday bash - Afrihost had some story on this that went largely unnoticed, so this is a little more widespread, the news is a little old as well.
 
What in the actual [redacted]?

When I reported on this in *May*, D-Link told me the Support account is disabled by default: http://mybroadband.co.za/news/security/78873-adsl-router-security-concern-in-sa.html

This right after ISPs were starting to report a dramatic increase in DNS amplification attacks.

If it is due to the spate of hacks we saw earlier this year that folks' ADSL isn't working properly then D-Link (and perhaps to a degree the ISPs that sold these routers and knew about the security hole and didn't do anything about it) should really get the ICT numbskull of the year award.
 
That's only half of the story! It seems hackers got access to the Telkom D-Link routers and changed the DNS servers:
http://mybroadband.co.za/vb/showthr...2750-U-router-with-slow-to-no-internet-access

The default password for the support account is 'support' OR 'TelkomDlink12345'.
Fckin incompetent. Shipping devices with passwords like that is just plain reckless.

I just changed mine (it was support / support).

Also disabled the TR-069.

Does anybody know what the pass is for the "user" account? If they configured one account like retards then I definitely want to check the other one too.

Seeing a lot of this too:
kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=2.135.28.142 DST=196.210.220.63 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=60262 DF PROTO=TCP SPT=1127 DPT=64517 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
I'm not familiar with DLink logs... anybody know what's going on there?
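On the "Intrusion" line quoted in the post above: everything from `IN=` onward is in the Linux netfilter LOG format, and the sketch below (an added example, not part of any post in this thread) parses such lines and reports what each packet was. The second and third sample lines, the `MGMT_PORTS` set and the function names are constructed for illustration; reading a `ppp` interface as the WAN side is an assumption.

```python
# Added example: decode router firewall lines in Linux netfilter LOG format.
# Line 1 is the line quoted in the thread; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=2.135.28.142 DST=196.210.220.63 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=60262 DF PROTO=TCP SPT=1127 DPT=64517 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=192.0.2.10 DST=196.210.220.63 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=192.0.2.11 DST=196.210.220.63 LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=33000 LEN=58
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Assumption: ports commonly used for router management (FTP, SSH, Telnet,
# HTTP, HTTPS, TR-069 connection requests); adjust for the device.
MGMT_PORTS = {21, 22, 23, 80, 443, 7547}


def parse_line(line):
    """Return (fields, flags) for a netfilter LOG line, or None if it is not one."""
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)  # UDP lines repeat LEN; keep the IP length
        else:
            flags.add(tok)  # bare tokens: DF, SYN, ACK, ...
    return fields, flags


def describe(line):
    """Summarise what one logged packet was, from the router's point of view."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    f, flags = parsed
    dport = int(f["DPT"]) if "DPT" in f else None  # ICMP lines carry no ports
    return {
        "src": f.get("SRC"),
        "proto": f.get("PROTO"),
        "dport": dport,
        "from_wan": f.get("IN", "").startswith("ppp"),  # assumption: PPP link is the WAN
        "forwarded": f.get("OUT", "") != "",  # OUT is set only for packets being forwarded
        "new_tcp_connection": (flags & TCP_FLAGS) == {"SYN"},  # bare SYN, no ACK
        "mgmt_port": dport in MGMT_PORTS,
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(describe(entry))
```

For the quoted line this yields a bare SYN (a new TCP connection attempt) from 2.135.28.142 arriving on the PPP interface for port 64517, which is not in `MGMT_PORTS`.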
 
Does anybody know what the pass is for the "user" account? If they configured one account like retards then I definitely want to check the other one too.
Make that 2 accounts configured by retards.

The password for the account "user" is *drumroll* "user".
 
Hmmm, changed my passwords (All three - Can only remember the admin password), and DNS settings (using Google's open dns) on day 1. Also, I changed the remote access port (Directed port 80 to an Ubuntu VM), and disabled TR-069.
 
Most routers come out with standard passwords and this info can be found on the internet on the various Home pages.
 
Opening web interface to WAN was the bigger snafu.
 
While you are changing it go into maintenance/access controls/services and disable all the remote access controls as well.
 
The fact that Telkom distributes any D-Link product just shows you with how much contempt it regards its customers. D-Link is rubbish, through and through.
 
Can't remember how many of these I have replaced for clients, as well as securing their routers correctly.
It really is bad!
 
Most routers come out with standard passwords and this info can be found on the internet on the various Home pages.

Yes, but when your ISP provides one that is open to WAN connections while leaving default user password combinations, that borders on criminal negligence. Normal kit by default can only be accessed from the internal network to avoid being hacked from outside in the above manner.

Can we get more info on the issue - Is the problem D-Link provided factory default equipment that has WAN control access by default or was this a custom firmware+config implementation by the ISPs providing the kit? This is pretty serious, I wonder how many people have had banking and personal details stolen due to this - this might lead to some pretty big lawsuits.
 
I have a D-Link2500U modem that I bought a few years ago. It's not a Telkom modem.
Why does everyone say it's a *** modem? I haven't had any issues with it. In fact the reason I bought it was that it came highly recommended on this forum.
 
I have a D-Link2500U modem that I bought a few years ago. It's not a Telkom modem.
Why does everyone say it's a *** modem? I haven't had any issues with it. In fact the reason I bought it was that it came highly recommended on this forum.

If it comes flashed by your ISP to allow WAN connections into your management console using default user/pass it is not ideal. The hardware seems to be fine, I have also had a couple of those and had no issues - but then I use them as a pure modem only - bridge mode, so they do very little work and this attack vector wouldn't work.
 
I also get a lot of those intrusions. Not sure what it is?
 
I also get a lot of those intrusions. Not sure what it is?

Go into the web management console and turn off admin rights from the WAN link. That deals with this specific problem - it's not full security, but it gets you back to normal.
 