What's new

Was my router owned?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

no I did not use the default password. I used a randomly generated 8 symbol password. One that I thought was secure. anyway changing the password to a new one did in deed put a bandage on. And ssh is no longer exposed to the wan. But there are still attempts.
Code:
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally


You've confirmed that your password was something other than the default password, but you haven't answered Colin's question: "Did you have "Web Access from WAN" enabled?"
https://www.snbforums.com/threads/was-my-router-owned.37860/#post-311497

It's quite important we know: if the answer's yes, people will be relieved, and if no, there will be concern.
 
You've confirmed that your password was something other than the default password, but you haven't answered Colin's question: "Did you have "Web Access from WAN" enabled?"
https://www.snbforums.com/threads/was-my-router-owned.37860/#post-311497

It's quite important we know: if the answer's yes, people will be relieved, and if no, there will be concern.

Oh sorry yes web access via wan was open and I read in the other thread that that was most likely the weakness.
 
Thanks for confirming that access from WAN was enabled. That reinforces the current theory that they get in via a flaw in the web server.
And ssh is no longer exposed to the wan. But there are still attempts.
Code:
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally
This attack sets up second SSH server, so that's probably still running. It's interesting (sort of) that the other devices in the botnet are still trying to connect to you using your previous password.

P.S. What firmware version are you running? There were some security fixes in the recent versions. It would be useful to know whether they mitigate against this attack.
 
Until shortly I was running an ancient firmware because I did not realize the update was not happening, because I did not do the intermediate CFE upgrade. Then I directly patched to 380.65 but without a factory reset. My laziness serves me right...
 
Until shortly I was running an ancient firmware because I did not realize the update was not happening, because I did not do the intermediate CFE upgrade. Then I directly patched to 380.65 but without a factory reset. My laziness serves me right...
Then it's a timely reminder to the rest of us against complacency.
 
Change default username and use puttygen to generate public key. I think it's can solve the problem. Or just disable wan access to ssh.
 
yeah I did all those things
Factory reset -> re-flash -> reset again -> closed previous vulnerabilities
 
I need to have my ssh port exposed, but I changed the default port and use pubkey authentication. Attempts are much less frequent, and never succeeds (I keep tabs on attempts).

Edit: Sorry I just noticed @Heighast59 already mentioned this
 
I need to have my ssh port exposed, but I changed the default port and use pubkey authentication. Attempts are much less frequent, and never succeeds (I keep tabs on attempts).

Edit: Sorry I just noticed @Heighast59 already mentioned this

Have you tried moving the ssh port from 22 to an obscure, uncommon port number? Of course, it won't stop someone prepared to spend 30 mins or so scanning all your ports, but it would beat someone looking only for a target of opportunity on port 22.

I used to have my ssh port open (on an obscure port) until I was talked out of doing so:
https://www.snbforums.com/threads/w...can-login-my-router-easily.36564/#post-298721
 
Very cool. I do the same thing too, except I have disabled password authentication completely. I too scan syslog (have a script monitor it) and have it add to my custom blocklist. In addition I have the SSHBFP in iptables (enabled from web GUI)
 
Have you tried moving the ssh port from 22 to an obscure, uncommon port number? Of course, it won't stop someone prepared to spend 30 mins or so scanning all your ports, but it would beat someone looking only for a target of opportunity on port 22.
Yes, it's not default, and password authentication is disabled. Ports scans are very routine.
I used to have my ssh port open (on an obscure port) until I was talked out of doing so
To each his own :) I need to keep mine open for tunneling in from outside.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top