Telkom D-LINK router security compromised

M@Yh3M (Member, joined Feb 19, 2015)
I have reason to believe that the security on the D-LINK DSL-2750U router range that Telkom supply their customers with has been compromised.
My router log files indicate scans, DDoS attacks and hack attempts from mainly Chinese-based IPs, but what is alarming is the number of Telkom ADSL users targeting my PC.
On closer investigation, questionable scripts were executed on these routers. I have identified five Telkom account users whose PCs have been compromised and who targeted me in one day alone. They are:

http://www.abuseipdb.com/report-history/105.227.197.27
http://www.abuseipdb.com/report-history/105.227.58.64
http://www.abuseipdb.com/report-history/105.227.124.231
http://www.abuseipdb.com/report-history/105.228.182.126

Wondering why your internet has been running so slow lately?
 
Example of compromised router log files:
Jul 18 00:00:03 user warn kernel: wl:loading /etc/wlan/bcm43225_map.bin
Jul 18 00:00:03 user warn kernel: s Controller 5.60.120.11.cpe4.406.8
Jul 18 00:00:03 user warn kernel: dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
Jul 18 00:00:03 user warn """""""""""""""""": really_probe: bound device 0000:02:00.0 to driver wl
Jul 18 00:00:03 user info kernel: Broadcom 802.1Q VLAN Interface, v0.1
Jul 18 00:00:08 user info kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jul 18 00:00:08 user warn kernel: Netfilter messages via NETLINK v0.30.
Jul 18 00:00:08 user warn kernel: nf_conntrack version 0.5.0 (1008 buckets, 4032 max)
Jul 18 00:00:10 user info kernel: xt_time: kernel timezone is -0000
Jul 18 00:00:11 user info kernel: device eth0 entered promiscuous mode
Jul 18 00:00:13 user info kernel: device eth1 entered promiscuous mode
Jul 18 00:00:14 user info kernel: device eth2 entered promiscuous mode
Jul 18 00:00:15 user info kernel: device eth3 entered promiscuous mode
Jul 18 00:00:17 user warn kernel: BcmAdsl_Initialize=0xC00D60F8, g_pFnNotifyCallback=0xC00FD824
Jul 18 00:00:17 user warn kernel: pSdramPHY=0xA3FFFFF8, 0x0 0x0
Jul 18 00:00:17 user warn kernel: *** PhySdramSize got adjusted: 0x7B004 => 0x90B98 ***
Jul 18 00:00:17 user warn kernel: AdslCoreSharedMemInit: shareMemAvailable=455744
Jul 18 00:00:17 user warn kernel: AdslCoreHwReset: pLocSbSta=825d0000 bkupThreshold=1600
Jul 18 00:00:17 user warn kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA3F716A8
Jul 18 00:00:17 user warn kernel: dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
Jul 18 00:00:19 user crit kernel: Line 0: xDSL G.994 training
Jul 18 00:00:19 user info kernel: message received before monitor task is initialized kerSysSendtoMonitorTask
Jul 18 00:00:20 user warn kernel: Broadcom Packet Flow Cache learning via BLOG disabled.
Jul 18 00:00:20 user warn kernel: Broadcom Packet Flow Cache unregistered with netdev chain
Jul 18 00:00:20 user warn kernel: Deleted Proc FS /procfs/fcache
Jul 18 00:00:20 user warn kernel: Active<0> = <0> - <0>
Jul 18 00:00:20 user warn kernel: Broadcom Packet Flow Cache Char Driver v2.1 Mar 18 2010 21:39:51 Unregistered<242>
Jul 18 00:00:20 user warn kernel: Destructed Broadcom Packet Flow Cache v2.1 Mar 18 2010 21:39:50
Jul 18 00:00:21 user info kernel: monitor task is initialized pid= 254
Jul 18 00:00:25 user warn kernel: wp2=00
Jul 18 00:00:26 user warn kernel: wp2=3c
Jul 18 00:00:27 user crit kernel: eth1 Link UP 100 mbps full duplex
Jul 18 00:00:27 user info kernel: br0: port 2(eth1) entering forwarding state
Jul 18 00:00:27 user crit kernel: eth2 Link UP 100 mbps full duplex
Jul 18 00:00:27 user info kernel: br0: port 3(eth2) entering forwarding state
Jul 18 00:00:28 user crit kernel: Line 0: ADSL G.992 started
Jul 18 00:00:29 user info kernel: wl0.1 (): not using net_device_ops yet
Jul 18 00:00:29 user info kernel: wl0.2 (): not using net_device_ops yet
Jul 18 00:00:29 user info kernel: wl0.3 (): not using net_device_ops yet
Jul 18 00:00:30 user info kernel: USB Serial support registered for 3G_USB_modem
Jul 18 00:00:30 user info kernel: usbcore: registered new interface driver 3g_modem
Jul 18 00:00:30 user info kernel: device wl0 entered promiscuous mode
Jul 18 00:00:31 user info kernel: br0: port 5(wl0) entering forwarding state
Jul 18 00:00:33 user crit kernel: eth0 Link UP 100 mbps full duplex
Jul 18 00:00:33 user info kernel: br0: port 1(eth0) entering forwarding state
Jul 18 00:00:33 user crit kernel: Line 0: ADSL G.992 channel analysis
Jul 18 00:00:34 user info kernel: dhcpd uses obsolete (PF_INET,SOCK_PACKET)
Jul 18 00:00:37 user crit kernel: Line 0: ADSL link down
Jul 18 00:00:37 user warn kernel: bcmxtmcfg: XTM Link Information, portid = 0, State = DOWN, Service Support = PTM
Jul 18 00:00:43 user crit kernel: Line 0: xDSL G.994 training
Jul 18 00:00:52 user crit kernel: Line 0: ADSL G.992 started
Jul 18 00:00:57 user crit kernel: Line 0: ADSL G.992 channel analysis
Jul 18 00:01:01 user crit kernel: Line 0: ADSL G.992 message exchange
Jul 18 00:01:02 user crit kernel: Line 0: ADSL link up, Bearer 0, us=507, ds=4096
Jul 18 00:01:02 user warn kernel: bcmxtmcfg: XTM Link Information, portid = 0, State = UP, Service Support = ATM
Jul 18 00:01:02 user warn kernel: bcmxtmrt: MAC address: 84 c9 b2 d9 6c e2
Jul 18 00:01:02 user warn kernel: [DoCreateDeviceReq.2367]: register_netdev
Jul 18 00:01:02 user warn kernel: [DoCreateDeviceReq.2369]: register_netdev done
Jul 18 00:01:02 user warn kernel: bcmxtmcfg: Connection UP, LinkActiveStatus=0x1, US=507000, DS=4096000
Jul 18 00:01:03 user warn kernel: BCMVLAN : atm0 mode was set to RG
Jul 18 00:01:03 user warn kernel: [ERROR vlan] bcmVlan_insertTagRule,1602: Invalid Number of Tags: 2 (max 2)
Jul 18 00:01:03 user warn kernel: [ERROR vlan] vlanIoctl ,530: Failed to Insert Tag Rule in atm0 (tags=2, dir=0)
Jul 18 00:01:03 user info kernel: device atm0.1 entered promiscuous mode
Jul 18 00:01:03 user info kernel: device atm0 entered promiscuous mode
Jul 18 00:01:03 user info kernel: br0: port 6(atm0.1) entering forwarding state
Jul 18 00:01:03 daemon notice syslog: pppd 2.4.1 started by admin, uid 0
Jul 18 00:01:03 daemon notice syslog: PPP: Start to connect ...
Jul 18 00:01:11 user crit kernel: eth2 Link DOWN.
Jul 18 00:01:11 user info kernel: br0: port 3(eth2) entering disabled state
Jul 18 00:01:13 user crit kernel: eth2 Link UP 100 mbps full duplex
Jul 18 00:01:13 user info kernel: br0: port 3(eth2) entering forwarding state
Jul 18 00:01:15 daemon crit syslog: PPP server detected.
Jul 18 00:01:15 daemon crit syslog: PPP session established.
Jul 18 00:01:16 user warn kernel: wp1=3c wp2=00
Jul 18 00:01:16 user warn kernel: e127wp1=00 wp2=3c
Jul 18 00:01:16 daemon crit syslog: PPP LCP UP.
Jul 18 00:01:16 daemon crit syslog: Received valid IP address from server. Connection UP.
Feb 16 07:27:32 user warn kernel: wp2=00
Feb 16 07:27:33 user warn kernel: wp1=00 wp2=3c
Feb 16 08:26:08 syslog info -- MARK --
Feb 16 09:26:08 syslog info -- MARK --
Feb 16 10:26:08 syslog info -- MARK --
Feb 16 11:26:08 syslog info -- MARK --
Feb 16 12:26:09 syslog info -- MARK --
Feb 16 13:26:08 syslog info -- MARK --
Feb 16 14:26:09 syslog info -- MARK --
Feb 16 15:26:08 syslog info -- MARK --
Feb 16 16:26:08 syslog info -- MARK --
Feb 16 17:26:09 syslog info -- MARK --
Feb 16 18:26:08 syslog info -- MARK --
Feb 16 19:26:08 syslog info -- MARK --
Feb 16 20:26:08 syslog info -- MARK --
Feb 16 21:26:08 syslog info -- MARK --
Feb 16 22:26:09 syslog info -- MARK --
Feb 16 23:26:08 syslog info -- MARK --
Feb 17 00:26:09 syslog info -- MARK --
Feb 17 01:26:08 syslog info -- MARK --
Feb 17 02:26:08 syslog info -- MARK --
Feb 17 03:26:08 syslog info -- MARK --
Feb 17 04:26:08 syslog info -- MARK --
Feb 17 05:17:45 user crit kernel: eth0 Link DOWN.
Feb 17 05:17:45 user info kernel: br0: port 1(eth0) entering disabled state
Feb 17 05:19:37 user crit kernel: eth0 Link UP 100 mbps full duplex
Feb 17 05:19:37 user info kernel: br0: port 1(eth0) entering forwarding state
Feb 17 05:26:09 syslog info -- MARK --
Feb 17 05:46:17 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 05:46:17 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 06:26:08 syslog info -- MARK --
Feb 17 07:26:09 syslog info -- MARK --
Feb 17 08:26:08 syslog info -- MARK --
Feb 17 09:26:09 syslog info -- MARK --
Feb 17 10:26:08 syslog info -- MARK --
Feb 17 11:26:09 syslog info -- MARK --
Feb 17 11:29:21 user info kernel: device bcmsw entered promiscuous mode
Feb 17 11:29:21 user info kernel: device br0 entered promiscuous mode
Feb 17 11:29:21 user info kernel: device wl0.1 entered promiscuous mode
Feb 17 11:29:21 user info kernel: device wl0.2 entered promiscuous mode
Feb 17 11:29:21 user info kernel: device wl0.3 entered promiscuous mode
Feb 17 12:26:08 syslog info -- MARK --
Feb 17 13:26:09 syslog info -- MARK --
Feb 17 14:26:08 syslog info -- MARK --
Feb 17 14:27:33 user crit kernel: eth1 Link DOWN.
Feb 17 14:27:33 user info kernel: br0: port 2(eth1) entering disabled state
Feb 17 14:27:46 user crit kernel: eth1 Link UP 100 mbps full duplex
Feb 17 14:27:46 user info kernel: br0: port 2(eth1) entering forwarding state
Feb 17 15:26:08 syslog info -- MARK --
Feb 17 16:26:09 syslog info -- MARK --
Feb 17 17:26:08 syslog info -- MARK --
Feb 17 17:59:31 user crit kernel: eth0 Link DOWN.
Feb 17 17:59:31 user info kernel: br0: port 1(eth0) entering disabled state
Feb 17 18:26:09 syslog info -- MARK --
Feb 17 19:26:08 syslog info -- MARK --
Feb 17 20:26:08 syslog info -- MARK --
Feb 17 20:33:59 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:33:59 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:02 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:02 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:04 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:04 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:10 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:10 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:13 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:13 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:15 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:15 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
 
Telkom Internet dynamically assigns IPs to different users, so one IP can be used by hundreds or thousands of users.
 
Notice the promiscuous mode running (listening in on ports) and the several failed FTP server login attempts?
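A small triage script for the kind of router log quoted above, added here as an example (it is not from the thread, Telkom or D-Link): it parses the BusyBox-style syslog lines, records when each interface entered promiscuous mode, and flags bursts of the 104051 FTP login failures. The sample lines are constructed in the same format; the note that bridge member ports go promiscuous at boot is general Linux bridging behaviour, which is why the later br0/wl0.x entries are the ones worth looking at.

```python
import re

# Constructed sample in the same syslog format as the router log quoted above (not the poster's log)
SAMPLE_LOG = """\
Jul 18 00:00:11 user info kernel: device eth0 entered promiscuous mode
Feb 17 11:29:21 user info kernel: device br0 entered promiscuous mode
Feb 17 11:29:21 user info kernel: device wl0.1 entered promiscuous mode
Feb 17 12:26:08 syslog info -- MARK --
Feb 17 20:33:59 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:33:59 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:02 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:04 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
Feb 17 20:34:10 daemon warn syslog: 104051 FTP Server Login UserName or Password Error
"""
# BusyBox-style syslog line: "Mon DD HH:MM:SS facility severity message"
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_line(line):
    """Return (stamp, seconds, facility, severity, message), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hms, fac, sev, msg = m.groups()
    h, mi, s = map(int, hms.split(":"))
    secs = (MONTHS.index(mon) * 31 + int(day)) * 86400 + h * 3600 + mi * 60 + s  # no year in syslog
    return (f"{mon} {day} {hms}", secs, fac, sev, msg)

def promiscuous_interfaces(log_text):
    """First timestamp at which the kernel reported each interface entering promiscuous mode."""
    # Bridge member ports (eth0-3, wl0, atm0.1) go promiscuous when br0 comes up at boot, which is
    # normal; interfaces doing so hours later, or br0 itself, are the entries worth a closer look.
    seen = {}
    for ev in map(parse_line, log_text.splitlines()):
        m = ev and re.search(r"device (\S+) entered promiscuous mode", ev[4])
        if m and m.group(1) not in seen:
            seen[m.group(1)] = ev[0]
    return seen

def ftp_failure_bursts(log_text, window=60, threshold=5):
    """(first_stamp, count) for each run of >= threshold FTP login failures (code 104051) in `window` s."""
    fails = [ev for ev in map(parse_line, log_text.splitlines())
             if ev and "104051 FTP Server Login" in ev[4]]
    groups = []
    for ev in fails:  # greedy grouping: a new run starts once an event is > window from the run's start
        if groups and ev[1] - groups[-1][0][1] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [(g[0][0], len(g)) for g in groups if len(g) >= threshold]
```

On the full log quoted above the FTP check would report the run of twelve failures starting at Feb 17 20:33:59, while the two failures at 05:46:17 stay below the threshold.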
 
ghostR, read the abuseipdb reports. I supplied the Telkom user accounts...
 
You need to change all three user account passwords:

Admin
Support
User

The Support user has a default password.

Read here:
http://mybroadband.co.za/news/security/78873-adsl-router-security-concern-in-sa.html

http://mybroadband.co.za/news/security/84811-slow-adsl-your-router-could-be-hacked.html
 
Thank you, I see it has been dealt with in the forums before. Scary.
 