Information leak from HG8247H

New User

I am a moderately satisfied customer of TV-Net-Voz with the router HG8247H.

I have configured DynamicDNS for my “router.my.domain.tld” using the template “no-ip” and customized “Nome de anfitrião” (host name) to 194.ext.ip.srv, which is the IP of a server to which I have full access. On that server I receive requests like

188.vdf.net.ip "GET /nic/update?hostname=router.my.domain.tld &myip=188.vdf.net.ip&offline=NO HTTP/1.0" 200 3 "-" "HW-FTTH"

where “188.vdf.net.ip” is my external IP and this is the expected behaviour.

However, starting on 4 November, requests like the following appear on average once a day:

70.42.131.170 "GET /hostname=router.my.domain.tld %26myip=188.vdf.net.ip%26offline=no HTTP/1.1" 200 26 "http://www.bing.com/search?q=amazon" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"

This is very worrying because:

- 70.42.131.170 is a well known scanner/abuser and

- I have never mentioned anywhere else the combination of “router.my.domain.tld”, “188.vdf.net.ip” and “194.ext.ip.srv” and

- I suspect somehow this information leaked from the HG8247H or the vodafone networks to some unknown, most likely malicious, third party.

I changed the name in DynamicDNS from “router” to something else and a day later the requests for the new name started to appear in the logs which suggests that the information leak continues.

The CPU load reported by the HG8247H seems to be normal, and I haven’t noticed any other erratic behaviour except that the web interface is unusable in Firefox (it works in other browsers).

Is my HG8247H hacked? Has it been dragged into some kind of botnet and abused for some unwanted/illegal activity (spam, proxy, DDoS, mining)?

What kind of information could be also exposed?

Is there a sniffer in vodafone networks?

How to prevent future leaks of information?

 

(answers in Portuguese shall be welcome)

3 REPLIES
Moderator
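The two log lines in the post differ in a way that can be checked mechanically: in the legitimate update the client IP equals the `myip` parameter and the user agent is the router's, while in the suspicious copy the query string has been folded into the path with `&` re-encoded as `%26`, a browser user agent and a search-engine Referer are present, and the request comes from an address that is not the one claimed in `myip`. The following is an added example, not code from the post or from the router's firmware: a small Python detector that parses Apache combined-format log lines and flags such replayed copies of the DDNS update URL. The endpoint path `/nic/update`, the trusted user agents (taken from the post), and the sample lines (constructed, with RFC 5737 documentation addresses in place of the real ones) are assumptions.

```python
"""Classify web-server log lines as legitimate DDNS updates or replayed copies.

Added example, not code from the forum post. The log format, the hostnames
and the IP addresses below are constructed for illustration (addresses are
taken from RFC 5737 documentation ranges).
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Assumed update endpoint and the user agents the router is known to send
# ("HW-FTTH" for the no-ip template, ez-update for dyndns-static, per the post).
EXPECTED_PATH = "/nic/update"
TRUSTED_AGENTS = ("HW-FTTH", "ez-update")

# Apache "combined" log format. The request target is matched lazily so that a
# literal space inside it (as in the mangled request) does not break parsing.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the two kinds of request in the post.
SAMPLE_LOG = """\
198.51.100.20 - - [04/Nov/2015:03:12:01 +0000] "GET /nic/update?hostname=router.my.domain.tld&myip=198.51.100.20&offline=NO HTTP/1.0" 200 3 "-" "HW-FTTH"
203.0.113.10 - - [05/Nov/2015:14:07:44 +0000] "GET /hostname=router.my.domain.tld %26myip=198.51.100.20%26offline=no HTTP/1.1" 200 26 "http://www.bing.com/search?q=amazon" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
198.51.100.20 - - [06/Nov/2015:03:12:02 +0000] "GET /nic/update?hostname=router.my.domain.tld&myip=198.51.100.20&offline=NO HTTP/1.0" 200 3 "-" "ez-update-3.0.11b7 arm-wap-linux-gnu [daemon] (by Angus Mackay)"
"""


@dataclass
class Verdict:
    client: str
    kind: str      # "ddns-update" or "replayed-ddns-url"
    params: dict   # hostname/myip/offline recovered from the request target
    reasons: list  # why the line was not accepted as a plain update


def ddns_params(target: str) -> dict:
    """Recover the update parameters from a well-formed or a mangled request.

    In the mangled copy the query string has been folded into the path and
    '&' arrives as '%26', so percent-decode first and split on '&' or
    whitespace instead of relying on a '?' being present.
    """
    decoded = unquote(target)
    query = decoded.split("?", 1)[1] if "?" in decoded else decoded.lstrip("/")
    params = {}
    for part in re.split(r"[&\s]+", query):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = value
    return params


def classify(entry: dict) -> Verdict:
    """Flag anything that is not the router itself reporting its own address."""
    target = entry["target"]
    params = ddns_params(target)
    reasons = []
    if urlsplit(target).path != EXPECTED_PATH:
        reasons.append("request path is not the update endpoint")
    if "%26" in target:
        reasons.append("query separators arrived percent-encoded: URL was copied and re-encoded")
    if not entry["ua"].startswith(TRUSTED_AGENTS):
        reasons.append(f"unexpected user agent {entry['ua']!r}")
    if entry["referer"] not in ("", "-"):
        reasons.append(f"update carries a Referer ({entry['referer']})")
    myip = params.get("myip")
    if myip and myip != entry["client"]:
        reasons.append(f"myip={myip} but the request came from {entry['client']}")
    kind = "ddns-update" if not reasons else "replayed-ddns-url"
    return Verdict(entry["client"], kind, params, reasons)


def analyse(log_text: str) -> list:
    """Parse and classify every line; lines that do not match the format are skipped."""
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            verdicts.append(classify(m.groupdict()))
    return verdicts


if __name__ == "__main__":
    for v in analyse(SAMPLE_LOG):
        print(v.client, v.kind, v.params.get("hostname"))
        for r in v.reasons:
            print("   -", r)
```

The decisive signal is the last check: a genuine update always originates from the address it announces in `myip`, so a mismatch means the URL was obtained from somewhere other than the router's own connection. The `params` field of a flagged verdict also shows exactly which fields of the update were exposed (here the hostname and the external IP; no credentials, since the no-ip protocol carries them in an `Authorization` header rather than in the URL, which is why none appear in the access log). To run this on real logs, replace `SAMPLE_LOG` with the file contents and adjust `EXPECTED_PATH` and `TRUSTED_AGENTS` to match the template in use.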

Hello @y1b

The situation you describe is under analysis. We will give feedback as soon as possible.

Thank you

BrunoC_Vodafone

Moderator

Hello @y1b

We have sent you a private message; please check your inbox here on the forum.

Thank you

BrunoC_Vodafone

New User

Update: I was informed in a private message that my router was checked and no indications were found that its security had been compromised.

I have disabled and deleted the DynamicDNS configuration, and the suspicious activity coming from 70.42.131.170 stopped. Later I created a new DynamicDNS configuration similar to the old one but using the template “dyndns-static”, which has similar behaviour; only the user agent is

“ez-update-3.0.11b7 arm-wap-linux-gnu [daemon] (by Angus Mackay)”.

Now the updates work correctly and no suspicious activity is noticed so far.

I examined the available sources of “ez-update”, which seems to be used for all DynamicDNS templates, but haven’t found any code that could send the configuration to a third party.

So the problem is solved, but it remains unclear how the DDNS configuration in the “no-ip” template ended up at “Palo Alto Networks” and why it resulted in periodic security scans of my server.
