Geekzone: technology news, blogs, forums


dstove

20 posts

Geek
+1 received by user: 1


#119318 28-May-2013 10:40

Hi All,
I have a WAG200G that is sending out about 500k+ of traffic without any apparent source. (I'm an IT Manager, so have a couple of clues.) I've shut down every device attached to the network, turned off Wifi and blocked outgoing traffic from my PC running PRTG SNMP monitoring, but it doesn't stop.
The LAN and Wifi ports don't have any matching traffic as you would expect. This has been going on for about 3 weeks. I noticed it when I went through last months data faster than usual and I've already used 80Gb after 10 days in to this month!
I've reset the router, and it's running the latest firmware (updated a few months ago).
Below is what PRTG shows me on the interfaces (Port 1 is loopback, the other ports are disconnected)
Hope someone can help
[Image: PRTG interface traffic graph ("Traffic")]
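The observation above (WAN egress with no matching LAN or Wifi ingress) can be checked directly from the same SNMP interface counters PRTG reads. The following is an added example, not the poster's monitoring setup: it takes two snapshots of IF-MIB ifInOctets/ifOutOctets per interface (constructed sample values, 60 s apart, with a 32-bit counter wrap on the WAN input), computes per-interface rates, and reports how much WAN egress nothing behind the router accounts for.

```python
# Added example (not from the thread): compute per-interface rates from two
# SNMP IF-MIB counter snapshots and report WAN egress that no LAN/WLAN
# ingress accounts for, i.e. traffic the router itself is originating.
WRAP32 = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit counters and wrap


def counter_delta(old: int, new: int, wrap: int = WRAP32) -> int:
    """Bytes between two readings, tolerating a single counter wraparound."""
    return new - old if new >= old else new + wrap - old


def rates_kbps(before: dict, after: dict, seconds: float) -> dict:
    """Map interface -> (in_kbps, out_kbps) from two {name: (in, out)} snapshots."""
    rates = {}
    for name, (in_old, out_old) in before.items():
        in_new, out_new = after[name]
        to_kbps = lambda delta: delta * 8 / 1000 / seconds
        rates[name] = (to_kbps(counter_delta(in_old, in_new)),
                       to_kbps(counter_delta(out_old, out_new)))
    return rates


def unexplained_wan_egress(rates: dict, wan: str = "wan") -> float:
    """kbps leaving the WAN port minus kbps entering every other port.
    A large positive value means the router is sending traffic that nothing
    on the LAN side handed to it (or that the LAN counters never saw)."""
    wan_out = rates[wan][1]
    lan_in = sum(r[0] for name, r in rates.items() if name != wan)
    return max(wan_out - lan_in, 0.0)


# Constructed sample, 60 s apart: WAN out grows 3,750,000 bytes (500 kbps),
# WAN in wraps past 2^32, LAN1 sees a trickle inbound, WLAN is idle.
SNAP_T0 = {"wan": (4294960000, 1000000), "lan1": (5000, 9000), "wlan": (7000, 2000)}
SNAP_T1 = {"wan": (6000, 4750000), "lan1": (5750, 9200), "wlan": (7000, 2000)}

if __name__ == "__main__":
    r = rates_kbps(SNAP_T0, SNAP_T1, 60)
    for name, (i, o) in r.items():
        print(f"{name:5} in {i:8.2f} kbps  out {o:8.2f} kbps")
    print(f"unexplained WAN egress: {unexplained_wan_egress(r):.2f} kbps")
```

Feed it real snapshots (e.g. two `snmpwalk` passes over ifInOctets/ifOutOctets a minute apart) and the gap between WAN out and LAN/WLAN in is the traffic to hunt for.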

freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41068

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #826853 28-May-2013 10:46
Send private message

A couple of days ago someone had a similar problem and it was found that his router had DNS open to the world. Obviously someone was using that as a node in a DNS amplifier/smurf DDoS attack.

Is there a log or feature showing what ports/services are being used on each interface? 

Do you have ANY open ports in this router? Perhaps use a web service for a port scan and a web service for open DNS scan?




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
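The "open DNS scan" suggested above boils down to one recursive query sent to the router's public address from outside. Here is an added example of that check, not a tool from this thread or from mxtoolbox: it builds a query with the RD bit set, then classifies the reply purely from the header (RA bit, RCODE, answer count). The IP in the usage line is a placeholder; run it from a host outside your own network against your own WAN address, where a sane home router should come back "refused", "no-recursion" or "no-answer".

```python
# Added example (not from the thread): a minimal "open resolver" self-check.
# Run it from OUTSIDE your own network against your router's public IP
# (placeholder below). "open" means it resolved an external name for an
# external client, which is exactly what amplification abuse relies on.
import secrets
import socket
import struct


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query for `name` with RD (recursion desired) set and a random id."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(query: bytes, resp: bytes) -> str:
    """Judge a resolver from its response header alone."""
    if len(resp) < 12 or resp[:2] != query[:2]:
        return "mismatch"  # wrong transaction id: not an answer to our query
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)  # RA bit: server offers recursion
    if rcode == 5:
        return "refused"  # REFUSED: recursion policy blocked us, good
    if ra and rcode == 0 and ancount > 0:
        return "open"
    return "no-recursion"


def probe(server_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query and classify the reply ('no-answer' on timeout)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-answer"  # firewalled or not listening: also fine
    return classify_response(query, resp)


if __name__ == "__main__":
    print(probe("203.0.113.10"))  # placeholder: replace with your WAN address
```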

 




dstove

20 posts

Geek
+1 received by user: 1


  #826909 28-May-2013 12:13

Hi Mauricio,
Thanks for your quick response. I've done a lookup on www.mxtoolbox.com and DNS is blocked according to them, as are all the other nasties. Ports 25, 80, 110, 143, 443 are the only ones that were open and these are all handled by the server correctly (these are the first things I checked).
I would be interested in seeing how the other person's issue was resolved if you have a link to the thread? Perhaps there are similarities...
Thanks
Dominic.

freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41068

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #826912 28-May-2013 12:16

This discussion about Tenda modem/routers.






raytaylor
4076 posts

Uber Geek
+1 received by user: 1296

Trusted

  #827246 28-May-2013 18:53

Can you clarify why those other ports are open?
Are they just open, or are they opened for a reason - eg. port forwards to a server?

If they are not port forwards then it's possible someone is trying a brute force attack to get into the modem.
I have found this with TP-Links lately that have port 80 open to the web. The attacker logs in, changes the DNS settings so they can inject advertisements into websites etc.

Problem with the TP-Link one is that when they change the settings, their script or whatever seems to switch off the DHCP service on the LAN and not the WLAN interface so it doesn't stay compromised for long.




Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here


dstove

20 posts

Geek
+1 received by user: 1


  #827311 28-May-2013 20:39

Hi Ray,
Thanks for your input.
The other ports are open because I run a business from home, including webserver, exchange server, etc. I've changed the router passwords to non-default, and disabled anything I'm not using. All the boxes are patched up and I run a fairly tight ship - I've been managing corporate web servers and firewalls for about 15 years at some fairly large NZ companies, so I'm reasonably clued up on this.
Don't get me wrong - I'm open to suggestions. I'm fairly confident that what I've got is fairly secure and I've been monitoring things like teenagers with downloads etc. (he was the first to get unplugged!), regular malware scanning, checking open relays on the mail server/mail server logs etc., but I've obviously got an issue that I can't solve. I'm just trying to
I've just swapped the modem out with a spare HG556a, and this has a lot of DOS checks built in, so hopefully this will pick up any issues, as well as give me a new IP address!

freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41068

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #827407 28-May-2013 22:24

Are you sure your Exchange server is not an open SMTP relay, being used for people to send out spam? There are some open relay tests around as well to check that.

Is your webserver secure? Have you looked at the webserver log files to make sure there isn't anything there being downloaded that shouldn't be?

dstove

20 posts

Geek
+1 received by user: 1


  #827416 28-May-2013 22:36

Hi Mauricio,
Yes - pretty sure it's not an open relay. I've tested it on www.mxtoolbox.com (great resource!) and it came back clean. I'm also running a greylisting server that picks up all smtp traffic before it hits Exchange, so that should highlight any problems as well.
The webserver should be fine - I check the logs regularly.
In any case, since swapping the routers out, the excessive traffic has stopped (assuming I got the SNMP working correctly). I'm still wary though, as I always like to be able to pinpoint an issue.
Thanks to those that contributed, and I hope that this information is helpful to someone else who might have the same issue.
D.
