

dstove

20 posts

Geek


#119318 28-May-2013 10:40

Hi All,
I have a WAG200G that is sending out about 500k+ of traffic without any apparent source. (I'm an IT Manager, so have a couple of clues.) I've shut down every device attached to the network, turned off Wifi and blocked outgoing traffic from my PC running PRTG SNMP monitoring, but it doesn't stop.
The LAN and Wifi ports don't have any matching traffic as you would expect. This has been going on for about 3 weeks. I noticed it when I went through last month's data faster than usual, and I've already used 80Gb after 10 days into this month!
I've reset the router, and it's running the latest firmware (updated a few months ago).
Below is what PRTG shows me on the interfaces (Port 1 is loopback, the other ports are disconnected)
Hope someone can help
Traffic

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #826853 28-May-2013 10:46

A couple of days ago someone had a similar problem and it was found that his router had DNS open to the world. Obviously someone was using that as a node in a DNS amplifier/smurf DDoS attack.

Is there a log or feature showing what ports/services are being used on each interface? 

Do you have ANY open ports in this router? Perhaps use a web service for a port scan and a web service for open DNS scan?




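An added example (not from the thread or any poster here) of the "open DNS" self-check freitasm suggests, done without a web service: it sends a single recursive A query to a host and reports whether the reply has Recursion Available set and carries answers, which is the signature of an open resolver. Run it from outside your own network against your own public IP; the probe name example.com and the placeholder address 192.0.2.1 are assumptions.

```python
import socket
import struct

# Example code, not from the Geekzone thread. Checks one host for open-resolver
# behaviour: a router that answers recursive queries from the WAN side can be
# used as a reflector in the amplification attacks discussed above.

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with the Recursion Desired (RD) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Pull out the header fields that decide the open-resolver question."""
    if len(data) < 12:
        return {"valid": False}
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "valid": rid == txid and bool(flags & 0x8000),  # QR=1: this is a response to our id
        "recursion_available": bool(flags & 0x0080),   # RA bit
        "rcode": flags & 0x000F,                       # 0 = NOERROR, 5 = REFUSED
        "answers": an,                                 # ANCOUNT
    }

def is_open_resolver(host: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """True only if host answers with RA set, NOERROR and at least one answer record."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (host, 53))
            data, _ = s.recvfrom(512)
        except (socket.timeout, OSError):
            return False  # no reply: port 53 is closed or filtered, which is what you want
    r = parse_response(data)
    return r["valid"] and r["recursion_available"] and r["rcode"] == 0 and r["answers"] > 0

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    print(target, "IS an open resolver" if is_open_resolver(target) else "did not resolve (closed, filtered or refused)")
```

A reply with RCODE 5 (REFUSED) means the router listens on 53 but declines recursion, which is far less useful to an attacker than a full answer, but still worth closing if nothing needs it.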




dstove

20 posts

Geek


  #826909 28-May-2013 12:13

Hi Mauricio,
Thanks for your quick response. I've done a lookup on www.mxtoolbox.com and DNS is blocked according to them, as are all the other nasties. Ports 25, 80, 110, 143, 443 are the only ones that were open and these are all handled by the server correctly (these are the first things I checked).
I would be interested in seeing how the other person's issue was resolved if you have a link to the thread? Perhaps there are similarities...
Thanks
Dominic.

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #826912 28-May-2013 12:16

This discussion about Tenda modem/routers.








raytaylor
4017 posts

Uber Geek

Trusted

  #827246 28-May-2013 18:53

Can you clarify why those other ports are open?
Are they just open, or are they opened for a reason - eg. port forwards to a server?

If they are not port forwards then it's possible someone is trying a brute force attack to get into the modem.
I have found this with TP-Links lately that have port 80 open to the web. The attacker logs in, changes the DNS settings so they can inject advertisements into websites etc.

Problem with the TP-Link one is that when they change the settings, their script or whatever seems to switch off the DHCP service on the LAN and not the WLAN interface, so it doesn't stay compromised for long.




Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here


dstove

20 posts

Geek


  #827311 28-May-2013 20:39

Hi Ray,
Thanks for your input.
The other ports are open because I run a business from home, including webserver, exchange server, etc. I've changed the router passwords to non-default, and disabled anything I'm not using. All the boxes are patched up and I run a fairly tight ship - I've been managing corporate web servers and firewalls for about 15 years at some fairly large NZ companies, so I'm reasonably clued up on this.
Don't get me wrong - I'm open to suggestions. I'm fairly confident that what I've got is fairly secure and I've been monitoring things like teenagers with downloads etc. (he was the first to get unplugged!), regular malware scanning, checking open relays on the mail server/mail server logs etc., but I've obviously got an issue that I can't solve. I'm just trying to
I've just swapped the modem out with a spare HG556a, and this has a lot of DoS checks built in, so hopefully this will pick up any issues, as well as give me a new IP address!

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #827407 28-May-2013 22:24

Are you sure your Exchange server is not an open SMTP relay, being used for people to send out spam? There are some open relay tests around as well to check that.

Is your webserver secure? Have you looked at the webserver log files to make sure there isn't anything there being downloaded that shouldn't be?




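An added example (not from the thread or any poster) of the log check freitasm asks for above: it totals bytes served per URL path and per client address from combined-format access logs and lists anything that moved more than a threshold, which is how an unexpectedly large download (the kind that would explain 80Gb in 10 days) shows up. The log lines are constructed for the example and use documentation addresses.

```python
import re
from collections import defaultdict

# Example code, not from the Geekzone thread. Parses Apache/nginx combined-format
# access logs and reports the paths and clients that account for the most bytes.

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one client browsing normally, another pulling a large file twice.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2013:10:01:02 +1200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [28/May/2013:10:01:05 +1200] "GET /images/logo.png HTTP/1.1" 200 20480
198.51.100.9 - - [28/May/2013:10:02:10 +1200] "GET /uploads/tmp/x.bin HTTP/1.1" 200 734003200
198.51.100.9 - - [28/May/2013:10:09:44 +1200] "GET /uploads/tmp/x.bin HTTP/1.1" 206 524288000
203.0.113.7 - - [28/May/2013:10:11:00 +1200] "POST /login HTTP/1.1" 302 -
"""

def summarize(log_text: str):
    """Return (bytes per path, bytes per client IP, count of lines that did not parse)."""
    by_path, by_ip, bad = defaultdict(int), defaultdict(int), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1          # unparseable lines are counted, not silently dropped
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])  # "-" means no body was sent
        by_path[m["path"]] += sent
        by_ip[m["ip"]] += sent
    return dict(by_path), dict(by_ip), bad

def top_talkers(counts: dict, threshold_mb: int = 100):
    """Entries that moved more than threshold_mb MiB, largest first."""
    limit = threshold_mb * 1024 * 1024
    return sorted(((k, v) for k, v in counts.items() if v > limit), key=lambda kv: -kv[1])

if __name__ == "__main__":
    by_path, by_ip, bad = summarize(SAMPLE_LOG)
    for path, total in top_talkers(by_path):
        print(f"{total / 2**20:10.1f} MiB  path   {path}")
    for ip, total in top_talkers(by_ip):
        print(f"{total / 2**20:10.1f} MiB  client {ip}")
    print(f"{bad} line(s) did not parse")
```

A path like /uploads/tmp/x.bin that nobody on the site put there, served mostly with 206 partial-content responses to one or a few addresses, is the classic sign of a web server being used as a file drop.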


dstove

20 posts

Geek


  #827416 28-May-2013 22:36

Hi Mauricio,
Yes - pretty sure it's not an open relay. I've tested it on www.mxtoolbox.com (great resource!) and it came back clean. I'm also running a greylisting server that picks up all SMTP traffic before it hits Exchange, so that should highlight any problems as well.
The webserver should be fine - I check the logs regularly.
In any case, since swapping the routers out, the excessive traffic has stopped (assuming I got the SNMP working correctly). I'm still wary though, as I always like to be able to pinpoint an issue.
Thanks to those that contributed, and I hope that this information is helpful to someone else who might have the same issue.
D.
