Geekzone: technology news, blogs, forums
Curiosity (Wannabe Geek, 7 posts)
#120906 18-Jun-2013 00:04

For my ADSL connection, I'm using the Orcon-provided NetComm NB-14. Single ethernet port, no wi-fi.

Out of curiosity, I decided to look up my current usage. Over the last couple of months, I've used about 50 GB. This is just within my 30 GB/month limit, so that's fine. The catch is that for all but a handful of those days, there hasn't been anything connected to the modem!

I'm in a long, drawn-out house move, so a couple of months ago I packed up all my computer stuff, and have just been directly plugging my laptop into the modem on the odd few days I'm there. So there's been no wi-fi router, in fact not even anything with an ethernet port (besides the modem), running in the house. Being the lazy guy I am, I just left the modem turned on and plugged into the phone jack with nothing connected to the ethernet port.

However, over those couple of months there's been about 40 GB of usage clocked up during days when there's been nothing plugged in to the modem. It's varied between 10 MB a day all the way up to 3.5 GB a day. There was a definite peak from the 10th of May until the end of May, where it was averaging a couple of gig a day. On a per-day basis, it's a very consistent download:upload ratio of somewhere between 4.7:1 and 5.0:1, averaging 4.82:1.

I've had a look through the web UI, and there are no port forwards or anything else set up. Also, I would expect a 1:1 ratio of downloads and uploads if someone had hacked my modem and set it to relay traffic. If it was bot-net-ized and pumping out spam I'd expect to see a lot more upload traffic than download traffic.

Has anyone seen anything like this? I've got the modem completely unplugged now as it was getting very close to blowing my data cap this month. From a forensics point of view, does anyone know how to pull the full firmware from the modem? It's currently running "NetComm_NZ(LEM_86)_A01_(21230_3112140)" according to the status page (matching the label on the bottom of the modem), so if I can get the full firmware off my modem and the original firmware I might be able to identify what's been done to it.
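As an added illustration of the reasoning in this post (example code, not the poster's own data or anything from the modem), the snippet below applies the download:upload heuristics above to constructed per-day WAN counters: roughly symmetric traffic would fit a relay, upload-heavy traffic would fit a spam bot or an open DNS resolver being used as an amplification reflector (small queries in, large responses out), and the download-heavy shape reported here fits neither.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class DayUsage:
    date: str
    down_mb: float
    up_mb: float


# Constructed sample: shaped like the post's description (about 5:1 down:up,
# from ~10 MB up to a few GB per day), NOT the poster's real counters.
SAMPLE_DAYS = [
    DayUsage("2013-05-10", 2400.0, 500.0),
    DayUsage("2013-05-11", 3500.0, 720.0),
    DayUsage("2013-05-12", 10.0, 2.1),
    DayUsage("2013-05-13", 1900.0, 395.0),
]


def ratio(day: DayUsage) -> float:
    """Download:upload ratio for one day; infinite if nothing was uploaded."""
    return day.down_mb / day.up_mb if day.up_mb else float("inf")


def classify(day: DayUsage, tol: float = 0.25) -> str:
    """Map a day's traffic shape onto the hypotheses raised in the thread.

    relay-like:     down and up roughly equal (forwarded/relayed traffic)
    outbound-heavy: uploads dominate (spam bot, DNS amplification reflector)
    inbound-heavy:  downloads dominate (the shape the poster actually saw)
    """
    r = ratio(day)
    if abs(r - 1.0) <= tol:
        return "relay-like"
    return "outbound-heavy" if r < 1.0 else "inbound-heavy"


def summarise(days: list) -> dict:
    """Totals plus the min/max/mean ratio and the set of shapes observed."""
    ratios = [ratio(d) for d in days]
    return {
        "total_down_mb": sum(d.down_mb for d in days),
        "total_up_mb": sum(d.up_mb for d in days),
        "min_ratio": min(ratios),
        "max_ratio": max(ratios),
        "mean_ratio": mean(ratios),
        "classes": {classify(d) for d in days},
    }
```

A consistent inbound-heavy shape across idle days, as in this post, is the thing to explain; a reflector or spam bot would push the ratio the other way.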

freitasm (Administrator, Uber Geek, 80646 posts)
#838452 18-Jun-2013 01:52

Perhaps the router configuration allows DNS to be accessed from outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.


Zeon (Uber Geek, 3926 posts)
#838466 18-Jun-2013 07:09

PM your public IP and we can run a port scan

flygirlnz (Geek, 33 posts)
#838686 18-Jun-2013 13:28

freitasm: Perhaps the router configuration allows DNS to be accessed from outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.


I have tried to look for the router's own firewall, but cannot find it.

Ragnor (Uber Geek, 8279 posts)
#839922 19-Jun-2013 22:25

Most likely it's exposing DNS on the WAN and botnets are using it in DNS amplification attacks; otherwise, less likely but possible, it could be compromised by malware too.

Most of the malware targeting consumer modems can't alter the "saved" config or firmware, only the "running" config, injecting their own scripts to run.

Use the hardware reset button and make sure it's running the latest firmware update from Netcomm.

MadEngineer (Uber Geek, 4591 posts)
#841729 22-Jun-2013 21:19

Most likely this is due to an accounts issue


Sounddude (Uber Geek, 1935 posts)
#841739 22-Jun-2013 21:38

MadEngineer: Most likely this is due to an accounts issue


How do you figure that?

openmedia (Uber Geek, 3449 posts)
#841889 23-Jun-2013 10:26

Had a similar issue about a year ago. Bad firewall rule meant I was getting lots of DNS traffic on my WAN port.


johnr (Uber Geek, 19282 posts)
#841891 23-Jun-2013 10:39

MadEngineer: Most likely this is due to an accounts issue


Huh?

Curiosity (Wannabe Geek, 7 posts)
#841902 23-Jun-2013 11:12

Quick update:
* Forgot to mention in the first post, but GRC ShieldsUp showed no reply from any of the first ~1K or common ports (might be listening on a higher one - didn't have time to do a full 64K scan). Flicking off the firewall changed this to RSTs, and poking a port shows up as expected.
* Not DNS amplification - as mentioned in the first post, it's receiving ~5x what it's sending. ThinkBroadband shows no resolver either.
* Firewall is enabled on the modem.
* I had the modem off for the past week (hence no earlier reply). After plugging it in again, it averaged 3 MB/hr downloads Thursday night/Friday morning, but absolutely nothing last night. I was using it later on Friday and most of Saturday, so can't say what it was doing there.

MadEngineer (Uber Geek, 4591 posts)
#841916 23-Jun-2013 12:25

johnr:
MadEngineer: Most likely this is due to an accounts issue

Huh?

A metering issue.

Edit: in light of there being two of these threads with the same router I'm thinking otherwise. Still sounds like an accounting (usage) issue is exacerbating the problem.
