Welcome to the Vodafone Forum
I am a moderately satisfied customer of TV-Net-Voz with the HG8247H router.
I have configured DynamicDNS for my “router.my.domain.tld” using the “no-ip” template and customized “Nome de anfitrião” to 194.ext.ip.srv, which is the IP of a server to which I have full access. On that server I receive requests like
188.vdf.net.ip "GET /nic/update?hostname=router.my.domain.tld &myip=188.vdf.net.ip&offline=NO HTTP/1.0" 200 3 "-" "HW-FTTH"
where “188.vdf.net.ip” is my external IP and this is the expected behaviour.
However, starting on 4 November, requests like the following appear on average once a day:
18.104.22.168 "GET /hostname=router.my.domain.tld %26myip=188.vdf.net.ip%26offline=no HTTP/1.1" 200 26 "http://www.bing.com/search?q=amazon" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
This is very worrying because:
- 22.214.171.124 is a well-known scanner/abuser and
- I have never mentioned anywhere else the combination of “router.my.domain.tld”, “188.vdf.net.ip” and “194.ext.ip.srv” and
- I suspect somehow this information leaked from the HG8247H or the vodafone networks to some unknown, most likely malicious, third party.
I changed the name in DynamicDNS from “router” to something else, and a day later requests for the new name started to appear in the logs, which suggests that the information leak continues.
The CPU load reported by the HG8247H seems to be normal, and I haven’t noticed any other erratic behaviour except that the web interface is unusable in Firefox (it works in other browsers).
Is my HG8247H hacked? Has it been dragged into some kind of botnet and abused for some unwanted/illegal activity (spam, proxy, DDoS, mining)?
What other kind of information could be exposed?
Is there a sniffer in vodafone networks?
How to prevent future leaks of information?
(answers in Portuguese will be welcome)
Update: I was informed in a private message that my router was checked and no indications were found that its security was compromised.
I disabled and deleted the DynamicDNS configuration and the suspicious activity coming from 126.96.36.199 stopped. Later I created a new DynamicDNS configuration similar to the old one but using the “dyndns-static” template, which has similar behaviour; only the user agent is
“ez-update-3.0.11b7 arm-wap-linux-gnu [daemon] (by Angus Mackay)”.
Now the updates work correctly and no suspicious activity has been noticed so far.
I examined the available sources of “ez-update”, which seems to be used for all DynamicDNS templates, but haven’t found any code that could send the configuration to a third party.
So the problem is solved, but it remains unclear how the DDNS configuration in the “no-ip” template ended up in “Palo Alto Networks” and why it resulted in periodic security scans of my server.
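Added example, not code from the post or from the router firmware: a small Python check that separates genuine DDNS update requests (the /nic/update path, the router's own user agents HW-FTTH or ez-update, no Referer) from replayed copies like the second log line in the post, which carry a percent-encoded query, a search-engine Referer and a browser user agent. The log lines, hostnames and IPs in it are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape shown in the post (placeholder IPs and hostname).
SAMPLE_LOG = """\
10.0.0.1 "GET /nic/update?hostname=router.example.net&myip=10.0.0.1&offline=NO HTTP/1.0" 200 3 "-" "HW-FTTH"
203.0.113.7 "GET /hostname=router.example.net%26myip=10.0.0.1%26offline=no HTTP/1.1" 200 26 "http://www.bing.com/search?q=amazon" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.1 "GET /nic/update?hostname=router.example.net&myip=10.0.0.1&offline=NO HTTP/1.0" 200 3 "-" "ez-update-3.0.11b7 arm-wap-linux-gnu [daemon] (by Angus Mackay)"
"""

# Format used in the post: src "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# User agents the router's DDNS client presented in the post ("no-ip" and "dyndns-static" templates).
KNOWN_UPDATERS = ("HW-FTTH", "ez-update")

def classify(line):
    """None if the line carries no DDNS parameters, 'legit' for a genuine update, else a reason string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    decoded = unquote(path)          # a replayed copy hides the '&' separators as %26
    if "hostname=" not in decoded or "myip=" not in decoded:
        return None
    if path.startswith("/nic/update?") and m.group("ua").startswith(KNOWN_UPDATERS) and m.group("referer") == "-":
        return "legit"
    reasons = []
    if not path.startswith("/nic/update?"):
        reasons.append("unexpected path")
    if "%26" in path:
        reasons.append("percent-encoded separators (URL was copied, not generated by the updater)")
    if m.group("referer") != "-":
        reasons.append("has Referer")
    if not m.group("ua").startswith(KNOWN_UPDATERS):
        reasons.append("unknown user agent")
    return "suspicious: " + "; ".join(reasons)

def scan(log_text):
    """Return (source IP, verdict) for every line that carries DDNS update parameters."""
    results = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            results.append((LINE_RE.match(line).group("src"), verdict))
    return results
```

Running scan(SAMPLE_LOG) flags only the second constructed line; the verdict strings are what you would alert on or count per source IP.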