Rookie

LAN access from remote entries

Modem: Netgear N450 CG3000DV2

Firmware Version: V3.01.06


Hi folks,

I'm concerned about the "LAN access from remote" entries in the attached logs. I do not know how to configure the router to block this access. I'm not even sure what device is being accessed.


Remote Management is off.

I’ve disabled UPnP.

There are no port forwarding/port triggering rules.

I’ve disabled the bulk of the services that were enabled when I hard reset the modem. 

The admin password has been changed. 

Wireless is disabled. (I have a DLink access point handling the wireless traffic.)

Guest Network is disabled. 


Any suggestions are appreciated.


Thanks!

-Robin


Description                       Count  Last Occurrence           Target                  Source
[TCP- or UDP-based Port Scan ]    19     Mon Nov 14 04:49:19 2016  172.88.22x.xxx:15323    209.18.47.62:53
[TCP- or UDP-based Port Scan ]    3      Sun Nov 13 21:58:34 2016  172.88.22x.xxx:34631    209.18.47.62:53
[LAN access from remote ]         1      Sun Nov 13 20:01:35 2016  172.88.22x.xxx:161      185.128.40.162:60635
[TCP- or UDP-based Port Scan ]    1      Sun Nov 13 19:16:39 2016  172.88.22x.xxx:39298    209.18.47.62:53
[LAN access from remote ]         1      Sun Nov 13 17:57:46 2016  172.88.22x.xxx:161      12.28.6.226:59491
[TCP- or UDP-based Port Scan ]    7      Sun Nov 13 17:17:32 2016  172.88.22x.xxx:14943    209.18.47.62:53
[LAN access from remote ]         1      Sun Nov 13 15:22:36 2016  172.88.22x.xxx:161      94.23.203.208:58384
[TCP- or UDP-based Port Scan ]    4      Sun Nov 13 15:03:10 2016  172.88.22x.xxx:54700    209.18.47.62:53
[LAN access from remote ]         1      Sun Nov 13 13:03:49 2016  172.88.22x.xxx:161      212.80.185.174:80
[TCP- or UDP-based Port Scan ]    5      Sun Nov 13 10:11:40 2016  172.88.22x.xxx:33502    192.99.8.58:54890
[LAN access from remote ]         1      Sun Nov 13 07:48:57 2016  172.88.22x.xxx:161      185.35.62.81:60729
[TCP- or UDP-based Port Scan ]    4      Sun Nov 13 07:44:21 2016  172.88.22x.xxx:65185    209.18.47.62:53
[LAN access from remote ]         1      Sun Nov 13 06:33:13 2016  172.88.22x.xxx:161      184.105.139.67:1402
[TCP- or UDP-based Port Scan ]    3      Sun Nov 13 06:11:28 2016  172.88.22x.xxx:42295    209.18.47.62:53
[TCP- or UDP-based Port Scan ]    17     Sun Nov 13 03:15:38 2016  172.88.22x.xxx:53839    209.18.47.62:53
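A small triage script for a log like the one above, added here as an example (it is not code from this thread, from Netgear, or from TWC). It parses the posted rows from a constructed pipe-separated text copy, separates the "Port Scan" entries whose source is on an allowlist of ISP resolver addresses (an assumption taken from the reply below that names 209.18.47.61/62 as TWC's DNS) from the "LAN access from remote" entries, and groups the latter by the port reached so that repeated hits on one service from many distinct sources stand out. Port 161 is labelled SNMP from the standard IANA assignment; nothing else about the sources is inferred.

```python
"""Triage a Netgear CG3000DV2 security log like the table posted above.

Added example; not code from the thread, Netgear, or TWC.  The rows are
parsed from a constructed pipe-separated text copy of the posted table.
"""
import re
from collections import defaultdict

# Standard IANA service names for the target ports seen in such logs.
SERVICE_NAMES = {53: "DNS", 80: "HTTP", 161: "SNMP", 443: "HTTPS"}

# Assumption: addresses the thread attributes to the ISP's DNS resolvers.
# A real deployment would take this list from the ISP's published resolvers.
KNOWN_BENIGN_SOURCES = {"209.18.47.61", "209.18.47.62"}

# Constructed sample: a subset of the posted rows, one per line.
SAMPLE_LOG = """\
[TCP- or UDP-based Port Scan ] | 19 | Mon Nov 14 04:49:19 2016 | 172.88.22x.xxx:15323 | 209.18.47.62:53
[LAN access from remote ]      | 1  | Sun Nov 13 20:01:35 2016 | 172.88.22x.xxx:161   | 185.128.40.162:60635
[LAN access from remote ]      | 1  | Sun Nov 13 17:57:46 2016 | 172.88.22x.xxx:161   | 12.28.6.226:59491
[LAN access from remote ]      | 1  | Sun Nov 13 13:03:49 2016 | 172.88.22x.xxx:161   | 212.80.185.174:80
[TCP- or UDP-based Port Scan ] | 5  | Sun Nov 13 10:11:40 2016 | 172.88.22x.xxx:33502 | 192.99.8.58:54890
"""

ROW_RE = re.compile(
    r"^\[(?P<desc>[^\]]*?)\s*\]\s*\|\s*(?P<count>\d+)\s*\|\s*(?P<when>[^|]+?)\s*\|\s*"
    r"(?P<target>[^\s:]+):(?P<tport>\d+)\s*\|\s*(?P<source>[^\s:]+):(?P<sport>\d+)\s*$"
)


def parse_rows(text):
    """Parse log rows into dicts; refuse silently skipping malformed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log row: {line!r}")
        rows.append({
            "desc": m["desc"],
            "count": int(m["count"]),
            "when": m["when"],
            "target": m["target"],
            "target_port": int(m["tport"]),
            "source": m["source"],
            "source_port": int(m["sport"]),
        })
    return rows


def summarise(rows):
    """Group remote-access hits by the port reached; split scans by source."""
    remote_access = defaultdict(set)   # target port -> distinct source IPs
    benign_scan_hits = 0               # scan rows from allowlisted sources
    other_scan_sources = set()         # scan sources not on the allowlist
    for r in rows:
        if r["desc"] == "LAN access from remote":
            remote_access[r["target_port"]].add(r["source"])
        elif r["source"] in KNOWN_BENIGN_SOURCES:
            benign_scan_hits += r["count"]
        else:
            other_scan_sources.add(r["source"])
    return {
        "remote_access_by_port": dict(remote_access),
        "benign_scan_hits": benign_scan_hits,
        "other_scan_sources": other_scan_sources,
    }


def findings(summary):
    """Human-readable findings, ports with the most distinct sources first."""
    lines = []
    for port, sources in sorted(summary["remote_access_by_port"].items(),
                                key=lambda kv: -len(kv[1])):
        name = SERVICE_NAMES.get(port, "unknown service")
        lines.append(f"WAN port {port} ({name}) reached by {len(sources)} "
                     f"distinct remote source(s): {', '.join(sorted(sources))}")
    if summary["other_scan_sources"]:
        lines.append("Port-scan entries from sources not on the allowlist: "
                     + ", ".join(sorted(summary["other_scan_sources"])))
    return lines


if __name__ == "__main__":
    for line in findings(summarise(parse_rows(SAMPLE_LOG))):
        print(line)
```

Run against the full table, the script reports one cluster: port 161 reached by seven distinct sources, which is the pattern the rest of the thread discusses. The parser raises on any row it cannot match rather than skipping it, so a changed log format is noticed instead of producing an empty, reassuring report.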

Expert

Re: LAN access from remote entries

209.18.47.61/62 is TWC's DNS but it's interesting to see multiple ports...

You'll also see your antivirus with a connection

Run the source IPs through whois: http://www.speedguide.net

inetnum:        185.128.40.160 - 185.128.40.175
netname:        PA-GRUPO-20151124
country:        CH
admin-c:        FB14051-RIPE
tech-c:         FB14051-RIPE
status:         SUB-ALLOCATED PA
descr:          Person: antonio jose de maia santos
descr:          Contact Info: 00447700089071
descr:          Address: vilamiramar , cerro da maritenda , maritenda
descr:          Phone: 00447700089071
descr:          Abuse Email: ademaiasantos@gmail.com
descr:          Email: ademaiasantos@gmail.com
descr:          Abuse Email: ademaiasantos@gmail.com
descr:          City: boliqueime
descr:          State: Faro
descr:          Country: portugal
mnt-by:         pa-grupo-1-mnt
created:        2016-06-11T01:30:49Z
last-modified:  2016-06-11T22:05:49Z
source:         RIPE

person:         Ezequiel Pineda
address:        Punta Pacifica Torre Trump, 3905, att Alberto Yemail
address:        00000
address:        Panama City
address:        PANAMA
phone:          +50766671969
nic-hdl:        FB14051-RIPE
mnt-by:         pa-grupo-1-mnt
created:        2015-10-21T06:42:46Z
last-modified:  2016-08-03T03:52:11Z
source:         RIPE


route:          185.128.40.0/24
origin:         AS60392
mnt-by:         pa-grupo-1-mnt
created:        2016-06-22T04:37:07Z
last-modified:  2016-06-22T04:37:07Z
source:         RIPE


Newcomer

Re: LAN access from remote entries

Hi,

I am seeing the same type of remote accesses on my N450 modem too. These accesses appear to be exploiting a vulnerability in the N450 SNMP stack, as the accesses are all on port 161 (same as what your logs show). The remote IPs I'm seeing trace back to Russia, Sweden, and Israel. This looks very much like our modems are being commandeered for use in botnets.

Unfortunately there is no way for the owner to control the WAN-facing services, so this problem must be fixed by Netgear (firmware upgrade) and rolled out by TWC. This is very troubling because I assume the attackers are able to hack systems on the LAN side once on the modem. I recommend powering off your modem when not in use; it will at least inconvenience the remote hackers. A dedicated firewall and new WAP between the modem and your LAN devices will also help protect your personal systems, but won't stop the modem from being used in botnets or as a beachhead to hack away at your LAN. You can also report this issue in Netgear's forum so that they are aware of it and get to work on a fix (I did that too).

Rookie

Re: LAN access from remote entries

Same here. I'm getting SNMP connections from Russian Federation, Netherlands, China, Viet Nam. Something tells me that these aren't TWC contractors. :-P

If TWC is allowing SNMP access from outside of their network, they're going to have a bit of a zombie-router problem on their hands. I contacted a TWC tech about this and he told me to install McAfee Antivirus...

Expert

Re: LAN access from remote entries

This is a Netgear issue.

Complain to them and on their forums, or get a different manufacturer's router.

Rookie

Re: LAN access from remote entries

Thanks for the dismissive answer. I already have a ticket open with Netgear as well.

I don't doubt that the router is at the heart of the problem here, but I'm just saying that the ISP should bear some responsibility here since they push out firmware updates to devices that they have supposedly checked with their networks. I do not recall this being a problem until TWC sent the last firmware update to my device.

Proven Sharer

Re: LAN access from remote entries

@mattf1856 wrote:

    Thanks for the dismissive answer. I already have a ticket open with Netgear as well.

    I don't doubt that the router is at the heart of the problem here, but I'm just saying that the ISP should bear some responsibility here since they push out firmware updates to devices that they have supposedly checked with their networks. I do not recall this being a problem until TWC sent the last firmware update to my device.

TWC doesn't "check out" or send updates to a standalone router connected downstream of the modem's ethernet port, just to your modem itself. There is a well-known serious weakness in the Netgear family that is being exploited worldwide. You can look at this site to see how serious the problem is: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

Rookie

Re: LAN access from remote entries

I think that you are mistaken here; this device is NOT a downstream router. It is a modem/router combo unit that TWC has pushed firmware to in the past. My logs are showing port 161 connections to the ISP-assigned IP address of the modem, not to any internal addresses.

Proven Sharer

Re: LAN access from remote entries

Sorry, I misunderstood your CPE configuration.

First suggestion is to set the router to block all traffic on port 161. That said, it's not only possible but highly likely that the security flaw will TELL you that you were successful, but port 161 is really still left open for malware.

Go buy a different combo modem+router+WiFi, and the sooner the better. If your wallet can take the hit, buy a 16 x 4 model this time to be better equipped for network changes expected as part of the Spectrum realignment.

Rookie

Re: LAN access from remote entries

Thank you for the info.

I know that my current configuration is set to block port 161 traffic, but that's not actually happening according to multiple port scans in addition to my own logs. I have a scheduled call with a Netgear tech this weekend to try to figure this out. If I can't get them to acknowledge this as an issue that they need to patch, then I'll probably get a different modem.