Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




539 posts

Ultimate Geek


# 208483 13-Feb-2017 22:59
Send private message

Whilst changing some wifi settings on my 7490 I noticed 5 entries this evening:

 

Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password).

 

IP geo lookup shows the connection is from the Seychelles.

 

Googling the IP address shows that it is has been banned for allegedly being the source of hacking in from the last few years.

 

I have a static ip address and have had one for a few years. Any point in asking for a new static ip address.

 

I spoke to a 2degrees rep but she didn't really know what I was going on about. She did confirm that 2degrees weren't behind the access attempts via the Seychelles.

 

Any suggestions as to what I should/can do or is this merely run of the mill random attacks?


Filter this topic showing only the reply marked as answer Create new topic
3416 posts

Uber Geek


  # 1719761 13-Feb-2017 23:28
One person supports this post
Send private message

I think the term is.. were all being brute forced.

 

 You get the idea but I have pages of it.

 

 

      13.02.17 23:14:29 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 23:00:25 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 22:46:21 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 21:21:59 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 21:07:55 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password).       13.02.17 20:39:47 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 20:25:43 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 20:11:39 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 19:57:34 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password).                                                                                                                   

 

 

 

 

Guess thats why the rename the default admin name. They need to nullroute that IP


3416 posts

Uber Geek


  # 1719762 13-Feb-2017 23:35
One person supports this post
Send private message

Infact. lets turn off HTTPs/internet from the services section for a while.


 
 
 
 




539 posts

Ultimate Geek


  # 1719764 13-Feb-2017 23:38
Send private message

Thanks that makes me feel "better". Not seen this activity in many years of Snap and 2D patronage, mind you I only scan the logs when there is a problem, which is rare.

 

 

Oblivian:

 

I think the term is.. were all being brute forced.

 

 You get the idea but I have pages of it.

 

 

      13.02.17 23:14:29 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 23:00:25 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 22:46:21 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 21:21:59 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 21:07:55 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password).       13.02.17 20:39:47 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 20:25:43 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 20:11:39 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password). 13.02.17 19:57:34 Login of user admin to the FRITZ!Box user interface from the IP address 80.82.64.127 failed (incorrect password).                                                                                                                   

 

 

 

 

 

 


3416 posts

Uber Geek


  # 1719765 13-Feb-2017 23:40
Send private message

You mean like... http://www.geekzone.co.nz/forums.asp?forumid=85&topicid=208479

 

I noticed from early january the external hits from India, Vietnam, Poland, Russia.. all increased


Mr Snotty
8921 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1719766 13-Feb-2017 23:40
One person supports this post
Send private message

I'd strongly recommend turning off any external access to your routers services. It only takes a single exploit then they've got control over your whole network.




3416 posts

Uber Geek


  # 1719767 13-Feb-2017 23:43
Send private message

michaelmurfy: I'd strongly recommend turning off any external access to your routers services. It only takes a single exploit then they've got control over your whole network.

 

 

 

It would appear its how they manage the configurations and updates with CPS. They put a snapadmin user on with remote access afterall. And have seen it update before by them.


Mr Snotty
8921 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1719774 14-Feb-2017 00:49
Send private message

Oblivian:

 

michaelmurfy: I'd strongly recommend turning off any external access to your routers services. It only takes a single exploit then they've got control over your whole network.

 

It would appear its how they manage the configurations and updates with CPS. They put a snapadmin user on with remote access afterall. And have seen it update before by them.

 

Crap that is bad. Opened to the world and not whitelisted to their own management network is a terribly bad security practice no matter how secure they think the Fritz!Box is. Any open ports on an embedded system is a terrible idea. I would say it could well be Mirai attempting to brute force.





 
 
 
 


1537 posts

Uber Geek

Trusted
2degrees

  # 1720123 14-Feb-2017 16:53
Send private message

Hi All,

 

This sounds a lot like the old exploit in the fritzbox firmware that has been patched for some time, it's almost as if the exploit remained after firmware updates, and is just now having access attempted (and failing as a result of the changes from the patching). Can those affected please message me with your broadband usernames, CWMP numbers from the bottom of the modems and current firmware version, and I'll check it out for you.

 

michaelmurfy:

 

Oblivian:

 

michaelmurfy: I'd strongly recommend turning off any external access to your routers services. It only takes a single exploit then they've got control over your whole network.

 

It would appear its how they manage the configurations and updates with CPS. They put a snapadmin user on with remote access afterall. And have seen it update before by them.

 

Crap that is bad. Opened to the world and not whitelisted to their own management network is a terribly bad security practice no matter how secure they think the Fritz!Box is. Any open ports on an embedded system is a terrible idea. I would say it could well be Mirai attempting to brute force.

 

 

Our CPE management is restricted to our management range only, and is only enabled on-request from our systems through TR-069 with our unique tokens. If the device has a snapadmin credential in it, this will be a very old config that has likely not successfully been migrated on to our managed system.

 

Thanks,

 

Ralph ^JOB


3416 posts

Uber Geek


  # 1720203 14-Feb-2017 21:23
Send private message

2degreesCare:

 

Hi All,

 

This sounds a lot like the old exploit in the fritzbox firmware that has been patched for some time, it's almost as if the exploit remained after firmware updates, and is just now having access attempted (and failing as a result of the changes from the patching). Can those affected please message me with your broadband usernames, CWMP numbers from the bottom of the modems and current firmware version, and I'll check it out for you.

 

michaelmurfy:

 

Oblivian:

 

michaelmurfy: I'd strongly recommend turning off any external access to your routers services. It only takes a single exploit then they've got control over your whole network.

 

It would appear its how they manage the configurations and updates with CPS. They put a snapadmin user on with remote access afterall. And have seen it update before by them.

 

Crap that is bad. Opened to the world and not whitelisted to their own management network is a terribly bad security practice no matter how secure they think the Fritz!Box is. Any open ports on an embedded system is a terrible idea. I would say it could well be Mirai attempting to brute force.

 

 

Our CPE management is restricted to our management range only, and is only enabled on-request from our systems through TR-069 with our unique tokens. If the device has a snapadmin credential in it, this will be a very old config that has likely not successfully been migrated on to our managed system.

 

Thanks,

 

Ralph ^JOB

 

 

 

 

Interesting. I'm still on a 7340 BTW. However thought it was managed fine as it's had FW updates applied that aren't public? I had to get it added at some point as it was missed.

 

FRITZ!OS 06.10-29288 BETA 

 

Or should I still be sending you deets (and probably turning remote access back on? :) )


1537 posts

Uber Geek

Trusted
2degrees

  # 1721131 16-Feb-2017 11:54
Send private message

Hi Oblivion,

 

If you are on a 7340, they are at the end of their support life through the manufacturer,t he firmware you have indicated there is the latest version, with that beta built to remedy past security issues and a couple of fixes of NZ use.

 

Can you please message the details, and we'll check this out further for you. It's likely the box just needs a reset, but we'd like to check it out first :)

 

Cheers,

 

Ralph ^JOB


32 posts

Geek


  # 1745961 22-Mar-2017 17:14
Send private message

Hi Ralph

 

My FritzBox 7490 shows over 70 failed wireless logins.

 

I am assuming these are from nearby networks just chancing their hand??

 

Is there any way of clearing this list other than the tedium of one at a time?? -

 


32 posts

Geek


  # 1745966 22-Mar-2017 17:23
Send private message

Duuh

 

Upgraded to Fritzbox OS and it cleared to list for me :-)


Filter this topic showing only the reply marked as answer Create new topic



Switch your broadband provider now - compare prices


Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Chorus to launch Hyperfibre service
Posted 18-Nov-2019 15:00


Microsoft launches first Experience Center worldwide for Asia Pacific in Singapore
Posted 13-Nov-2019 13:08


Disney+ comes to LG Smart TVs
Posted 13-Nov-2019 12:55


Spark launches new wireless broadband "Unplan Metro"
Posted 11-Nov-2019 08:19


Malwarebytes overhauls flagship product with new UI, faster engine and lighter footprint
Posted 6-Nov-2019 11:48


CarbonClick launches into Digital Marketplaces
Posted 6-Nov-2019 11:42


Kordia offers Microsoft Azure Peering Service
Posted 6-Nov-2019 11:41


Spark 5G live on Auckland Harbour for Emirates Team New Zealand
Posted 4-Nov-2019 17:30


BNZ and Vodafone partner to boost NZ Tech for SME
Posted 31-Oct-2019 17:14


Nokia 7.2 available in New Zealand
Posted 31-Oct-2019 16:24


2talk launches Microsoft Teams Direct Routing product
Posted 29-Oct-2019 10:35


New Breast Cancer Foundation app puts power in Kiwi women's hands
Posted 25-Oct-2019 16:13


OPPO Reno2 Series lands, alongside hybrid noise-cancelling Wireless Headphones
Posted 24-Oct-2019 15:32


Waikato Data Scientists awarded $13 million from the Government
Posted 24-Oct-2019 15:27


D-Link launches Wave 2 Unified Access Points
Posted 24-Oct-2019 15:07



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.