

dstove

20 posts

Geek


#119318 28-May-2013 10:40

Hi All,
I have a WAG200G that is sending out about 500k+ of traffic without any apparent source. (I'm an IT Manager, so have a couple of clues.) I've shut down every device attached to the network, turned off Wifi and blocked outgoing traffic from my PC running PRTG SNMP monitoring, but it doesn't stop.
The LAN and Wifi ports don't have any matching traffic as you would expect. This has been going on for about 3 weeks. I noticed it when I went through last months data faster than usual and I've already used 80Gb after 10 days in to this month!
I've reset the router, and it's running the latest firmware (updated a few months ago).
Below is what PRTG shows me on the interfaces (Port 1 is loopback, the other ports are disconnected)
Hope someone can help
[PRTG interface traffic graph: Traffic]
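The accounting the original poster is doing by eye in PRTG (WAN traffic that no LAN or Wifi port accounts for) can be done from the same SNMP counters. The script below is an added example, not code from the thread or from PRTG: it takes two polls of IF-MIB ifInOctets/ifOutOctets per interface, handles the 32-bit counter wrap that otherwise hides traffic, and reports how much of the WAN traffic is not matched by traffic on the LAN-side ports. Interface names and all counter values are constructed.

```python
"""Added example (not from the thread): account for router WAN traffic
against LAN/WLAN interface counters, the way an SNMP poller would.

Assumptions: counters are IF-MIB ifInOctets/ifOutOctets (Counter32, wrapping
at 2**32); interface names and all sample values below are constructed."""
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32


@dataclass(frozen=True)
class Sample:
    """One SNMP poll of an interface: cumulative bytes in and out."""
    in_octets: int
    out_octets: int


def counter_delta(prev, cur, modulus=COUNTER32_MODULUS):
    """Bytes moved between two polls of a wrapping SNMP counter.

    A Counter32 on a busy link wraps in minutes; a naive cur - prev would
    then go negative and hide traffic, so the wrap is added back.
    """
    if cur >= prev:
        return cur - prev
    return (modulus - prev) + cur


def interface_bytes(prev, cur):
    """(bytes received, bytes sent) by one interface between two polls."""
    return (counter_delta(prev.in_octets, cur.in_octets),
            counter_delta(prev.out_octets, cur.out_octets))


def audit_wan(polls, wan="wan", lan_side=("lan", "wlan"),
              interval_s=300, tolerance=0.10):
    """Check that WAN traffic is explained by LAN-side traffic.

    polls maps interface name -> (previous Sample, current Sample).
    Bytes the router sends out the WAN port should have arrived on a
    LAN-side port (and vice versa), give or take protocol overhead, which
    `tolerance` allows for. A large remainder means the router itself is
    originating or relaying the traffic.
    """
    wan_in, wan_out = interface_bytes(*polls[wan])
    lan_in = sum(interface_bytes(*polls[n])[0] for n in lan_side)
    lan_out = sum(interface_bytes(*polls[n])[1] for n in lan_side)
    unexplained_out = max(0, wan_out - lan_in)  # upload no LAN host sent
    unexplained_in = max(0, wan_in - lan_out)   # download no LAN host got
    frac_out = unexplained_out / wan_out if wan_out else 0.0
    frac_in = unexplained_in / wan_in if wan_in else 0.0
    return {
        "wan_out_bytes": wan_out,
        "wan_in_bytes": wan_in,
        "wan_out_kbit_s": wan_out * 8 / interval_s / 1000,
        "unexplained_out_bytes": unexplained_out,
        "unexplained_in_bytes": unexplained_in,
        "suspicious": frac_out > tolerance or frac_in > tolerance,
    }


# Constructed 5-minute poll pair. The WAN out counter wraps between polls;
# the LAN/WLAN ports are nearly idle, as the original poster describes.
CONSTRUCTED_POLLS = {
    "wan":  (Sample(in_octets=12_000_000, out_octets=4_294_000_000),
             Sample(in_octets=12_040_000, out_octets=5_000_000)),
    "lan":  (Sample(in_octets=100_000, out_octets=150_000),
             Sample(in_octets=150_000, out_octets=190_000)),
    "wlan": (Sample(in_octets=2_000, out_octets=3_000),
             Sample(in_octets=2_000, out_octets=3_000)),
}

if __name__ == "__main__":
    for key, value in audit_wan(CONSTRUCTED_POLLS).items():
        print(f"{key}: {value}")
```

On the constructed data nearly all of the WAN upload is unexplained, which is the pattern the poster describes; on a healthy router the two remainders sit within the overhead tolerance.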

freitasm
BDFL - Memuneh
68871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #826853 28-May-2013 10:46

A couple of days ago someone had a similar problem and it was found that his router had DNS open to the world. Obviously someone was using that as a node in a DNS amplifier/smurf DDoS attack.

Is there a log or feature showing what ports/services are being used on each interface? 

Do you have ANY open ports in this router? Perhaps use a web service for a port scan and a web service for open DNS scan?
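The "open DNS scan" suggested above checks one thing: whether the router's public address answers recursive queries for names it is not authoritative for, which is what makes it usable as an amplifier. The script below is an added example, not code from the thread, for running that check against your own WAN IP from outside your network. It builds a plain RFC 1035 UDP query with the RD bit set and judges the reply by its header flags; the constructed responses at the bottom stand in for a resolver's reply so the logic can be exercised offline.

```python
"""Added example (not from the thread): check whether a router's public
address answers recursive DNS queries, i.e. is an open resolver.

Assumptions: plain DNS over UDP/53 per RFC 1035; the constructed responses
below stand in for what a real resolver would return."""
import secrets
import socket
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Query with RD (recursion desired) set, one question, qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte DNS header; the flag bits decide the verdict."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # message is a response
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def is_open_resolver_response(response, txid):
    """True when the server answered our recursive query for a name it is
    not authoritative for: matching id, RA set, NOERROR, >= 1 answer.
    A REFUSED reply (rcode 5) means recursion was correctly denied."""
    h = parse_header(response)
    return (h["id"] == txid and h["qr"] and h["ra"]
            and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0)


def probe(host, name="example.com", port=53, timeout=3.0):
    """Send one recursive query to host and classify the reply (does I/O)."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return False   # no reply: UDP/53 is not reachable from outside
    return is_open_resolver_response(data, txid)


def constructed_response(txid, rcode, answer_ip=None, ra=True,
                         name="example.com"):
    """Build the reply a resolver would send, for offline testing.
    answer_ip=None gives an empty reply (e.g. REFUSED, no recursion)."""
    ancount = 1 if answer_ip else 0
    flags = 0x8100 | (0x0080 if ra else 0) | rcode   # QR + RD [+ RA]
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        # c00c = compression pointer to the question name; A, IN, TTL 300
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += socket.inet_aton(answer_ip)
    return msg


if __name__ == "__main__":
    txid = 0x1234
    open_reply = constructed_response(txid, RCODE_NOERROR, "192.0.2.1")
    refused_reply = constructed_response(txid, RCODE_REFUSED, ra=False)
    print("open resolver:", is_open_resolver_response(open_reply, txid))
    print("refused:", is_open_resolver_response(refused_reply, txid))
    # Against a live router: probe("YOUR.WAN.IP.HERE") from outside the LAN.
```

A timeout and a REFUSED reply are both the result you want from your own WAN address; only a NOERROR answer with RA set means the router is resolving for anyone who asks.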



dstove

20 posts

Geek


  #826909 28-May-2013 12:13

Hi Mauricio,
Thanks for your quick response. I've done a lookup on www.mxtoolbox.com and DNS is blocked according to them, as are all the other nasties. Ports 25, 80, 110, 143, 443 are the only ones that were open and these are all handled by the server correctly (these are the first things I checked).
I would be interested in seeing how the other person's issue was resolved if you have a link to the thread? Perhaps there are similarities...
Thanks
Dominic.



freitasm
BDFL - Memuneh
68871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #826912 28-May-2013 12:16

This discussion about Tenda modem/routers.



raytaylor
3468 posts

Uber Geek

Trusted

  #827246 28-May-2013 18:53

Can you clarify why those other ports are open?
Are they just open, or are they opened for a reason - eg. port forwards to a server?

If they are not port forwards then it's possible someone is trying a brute force attack to get into the modem.
I have found this with TP-Links lately that have port 80 open to the web. The attacker logs in, changes the DNS settings so they can inject advertisements into websites etc.

The problem with the TP-Link one is that when they change the settings, their script or whatever seems to switch off the DHCP service on the LAN and not the WLAN interface, so it doesn't stay compromised for long.

dstove

20 posts

Geek


  #827311 28-May-2013 20:39

Hi Ray,
Thanks for your input.
The other ports are open because I run a business from home, including webserver, exchange server, etc. I've changed the router passwords to non-default, and disabled anything I'm not using. All the boxes are patched up and I run a fairly tight ship - I've been managing corporate web servers and firewalls for about 15 years at some fairly large NZ companies, so I'm reasonably clued up on this.
Don't get me wrong - I'm open to suggestions. I'm fairly confident that what I've got is fairly secure, and I've been monitoring things like teenagers with downloads etc. (he was the first to get unplugged!), regular malware scanning, checking open relays on the mail server/mail server logs etc., but I've obviously got an issue that I can't solve. I'm just trying to
I've just swapped the modem out with a spare HG556a, and this has a lot of DoS checks built in, so hopefully this will pick up any issues, as well as give me a new IP address!

freitasm
BDFL - Memuneh
68871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #827407 28-May-2013 22:24

Are you sure your Exchange server is not an open SMTP relay, being used for people to send out spam? There are some open relay tests around as well to check that.

Is your webserver secure? Have you looked at the webserver log files to make sure there isn't anything there being downloaded that shouldn't be?



dstove

20 posts

Geek


  #827416 28-May-2013 22:36

Hi Mauricio,
Yes - pretty sure it's not an open relay. I've tested it on www.mxtoolbox.com (great resource!) and it came back clean. I'm also running a greylisting server that picks up all smtp traffic before it hits Exchange, so that should highlight any problems as well.
The webserver should be fine - I check the logs regularly.
In any case, since swapping the routers out, the excessive traffic has stopped (assuming I got the SNMP working correctly). I'm still wary though, as I always like to be able to pinpoint an issue.
Thanks to those that contributed, and I hope that this information is helpful to someone else who might have the same issue.
D.
