

Curiosity

7 posts

Wannabe Geek


#120906 18-Jun-2013 00:04

For my ADSL connection, I'm using the Orcon-provided NetComm NB-14. Single ethernet port, no wi-fi.

Out of curiosity, I decided to look up my current usage. Over the last couple of months, I've used about 50 GB. This is just within my 30 GB/month limit, so that's fine. The catch is that for all but a handful of those days, there hasn't been anything connected to the modem!

I'm in a long, drawn out, house move, so a couple of months ago I packed up all my computer stuff, and have just been directly plugging my laptop in to the modem on the odd few days I'm there. So there's been no wi-fi router, in fact not even anything with an ethernet port (besides the modem), running in the house. Being the lazy guy I am, I just left the modem turned on and plugged in to the phone jack with nothing connected to the ethernet port.

However, over those couple of months there's been about 40 GB of usage clocked up during days when there's been nothing plugged in to the modem. It's varied between 10 MB a day all the way up to 3.5 GB a day. There was a definite peak from the 10th of May until the end of May, where it was averaging a couple of gig a day. On a per-day basis, it's a very consistent download:upload ratio of somewhere between 4.7:1 and 5.0:1, averaging 4.82:1.

I've had a look through the web UI, and there's no port forwards or anything else set up. Also, I would expect a 1:1 ratio of downloads and uploads if someone had hacked my modem and set it to relay traffic. If it was bot-net-ized and pumping out spam I'd expect to see a lot more upload traffic than download traffic.

Has anyone seen anything like this? I've got the modem completely unplugged now as it was getting very close to blowing my data cap this month. From a forensics point of view, does anyone know how to pull the full firmware from the modem? It's currently running "NetComm_NZ(LEM_86)_A01_(21230_3112140)" according to the status page (matching the label on the bottom of the modem), so if I can get the full firmware off my modem and the original firmware I might be able to identify what's been done to it.

freitasm
BDFL - Memuneh
79278 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #838452 18-Jun-2013 01:52

Perhaps the router configuration allows DNS to be accessed from outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.








Zeon
3916 posts

Uber Geek

Trusted

  #838466 18-Jun-2013 07:09

PM your public IP and we can run a port scan






flygirlnz
33 posts

Geek


  #838686 18-Jun-2013 13:28

freitasm: Perhaps the router configuration allows DNS to be accessed from outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.


I have tried to look for the router's own firewall, but cannot find it. 



Ragnor
8220 posts

Uber Geek

Trusted

  #839922 19-Jun-2013 22:25

Most likely it's exposing DNS on the WAN and botnets are using it in DNS amplification attacks; otherwise, less likely but possible, it could be compromised by malware too.

Most of the malware targeting consumer modems can't alter the "saved" config or firmware, only the "running" config, injecting their own scripts to run.

Use the hardware reset button and make sure it's running the latest firmware update from NetComm.

MadEngineer
4278 posts

Uber Geek

Trusted

  #841729 22-Jun-2013 21:19

Most likely this is due to an accounts issue




You're not on Atlantis anymore, Duncan Idaho.

Sounddude
I fix stuff!
1928 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #841739 22-Jun-2013 21:38

MadEngineer: Most likely this is due to an accounts issue


How do you figure that?

freitasm
BDFL - Memuneh
79278 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #841772 22-Jun-2013 22:21




openmedia
3328 posts

Uber Geek

Trusted

  #841889 23-Jun-2013 10:26

Had a similar issue about a year ago. Bad firewall rule meant I was getting lots of DNS traffic on my WAN port.




Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


johnr
19282 posts

Uber Geek
Inactive user


  #841891 23-Jun-2013 10:39

MadEngineer: Most likely this is due to an accounts issue


Huh?

Curiosity

7 posts

Wannabe Geek


  #841902 23-Jun-2013 11:12

Quick update:
* Forgot to mention in the first post, but GRC ShieldsUp showed no reply from any of the first ~1K or common ports (might be listening on a higher one - didn't have time to do a full 64K scan). Flicking off the firewall changed this to RSTs, and poking a port shows up as expected.
* Not DNS amplification - as mentioned in the first post, it's receiving ~5x what it's sending. ThinkBroadband shows no resolver also.
* Firewall is enabled on the modem.
* I had the modem off for the past week (hence no earlier reply). After plugging it in again, it averaged 3 MB/hr downloads Thursday night/Friday morning, but absolutely nothing last night. I was using it later on Friday and most of Saturday, so can't say what it was doing there.
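
The open-resolver test this thread keeps coming back to (does the modem answer DNS on its WAN side?), as an added example that is not part of any poster's message: it builds one recursive query, classifies the reply, and reports the reply-to-query size ratio. The function names, the `example.com` query name and the two sample replies are constructed for illustration; `probe()` is meant to be run from an outside host against your own WAN address.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (default type A) with the RD (recursion desired) bit set."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def assess_reply(query, reply):
    """Classify what came back from the WAN address for `query` (None = timeout)."""
    if reply is None:
        return ("filtered", 0.0)            # nothing answered on UDP 53
    if len(reply) < 12:
        return ("malformed", 0.0)
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return ("malformed", 0.0)           # not a response to our query
    factor = round(len(reply) / len(query), 2)   # bytes sent back per byte received
    rcode, recursion_available = flags & 0x000F, bool(flags & 0x0080)
    if rcode == 0 and recursion_available and ancount > 0:
        return ("open-resolver", factor)    # will resolve for anyone on the internet
    if rcode == 5:
        return ("refused", factor)          # listening, but declines outside clients
    return ("answers-no-recursion", factor)

def probe(wan_ip, name="example.com", timeout=3.0):
    """Send one query to your own WAN address and classify the result."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (wan_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except OSError:                     # timeout or ICMP unreachable
            reply = None
    return assess_reply(query, reply)

# Constructed sample replies (not captured traffic) so the logic runs offline.
QUERY = build_query("example.com")
_question = QUERY[12:]
_answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _question + _answer
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    for label, reply in [("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("silent", None)]:
        print(label, assess_reply(QUERY, reply))
```

A device acting as a reflector sends more bytes than it receives on port 53, so an "open-resolver" verdict would show up on the ISP meter as upload-heavy usage.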

MadEngineer
4278 posts

Uber Geek

Trusted

  #841916 23-Jun-2013 12:25

johnr:
MadEngineer: Most likely this is due to an accounts issue


Huh?

a metering issue.

Edit: in light of there being two of these threads with the same router I'm thinking otherwise. Still sounds like an accounting (usage) issue is exacerbating the problem.




You're not on Atlantis anymore, Duncan Idaho.
