Hack attack on ST 510v4?

 
 
Pete Smith

 
      12-03-2003, 09:42 PM
Hi all.

Some very strange goings on with my 510v4 router.

I left it all on when I went out earlier, and left a password protected VNC
client running, to show my in-laws how cool computers can be (I know ;-)

When I got back, I realised I'd not opened up a port correctly, to let my
dad view a web page I'm doing for him.

I looked on the NAT page - I open up a port, redirect it to a single port
internally, and have port based virtual servers under Apache 2.

There were 2 entries that I didn't make!

Immediately crapped myself, assumed someone had broken in through the VNC,
shut it down, reset all my passwords, virus check was clear, and netstat
didn't show any odd ports listening that shouldn't be.

I then cleared the NAT entries, and started watching them like a hawk.

I've just checked again, and found these...

5 Temp 10.0.1.3:8163 unspecified:57364 udp NONE
6 Temp 10.0.1.3:9298 unspecified:20783 tcp NONE

These aren't the same rules as before, but broadly the same. One on TCP, one
on UDP.

netstat -a doesn't show up anything listening on those ports, but how the
hell have they just appeared?

I've actually _changed_ the router password at both (router & plus) ends,
and shut down all unnecessary ports. I've only got one open now.

Anyone any ideas what's going on here?

I've not re-booted the router yet BTW. (in the middle of a download it took
45 minutes to queue for at Fileplanet!)

Thanks,

Pete.

--
NOTE! Email address is spamtrapped. Any email will be bounced to you
Remove the news and underscore from my address to reply by mail
 
 
 
 
 
Alexander Mann

 
      12-03-2003, 10:08 PM
Pete Smith wrote:

> Hi all.
>
> Some very strange goings on with my 510v4 router.
>
> I left it all on when I went out earlier, and left a password protected VNC
> client running, to show my in-laws how cool computers can be (I know ;-)
>
> When I got back, I realised I'd not opened up a port correctly, to let my
> dad view a web page I'm doing for him.
>
> I looked on the NAT page - I open up a port, redirect it to a single port
> internally, and have port based virtual servers under Apache 2.
>
> There were 2 entries that I didn't make!
>
> Immediately crapped myself, assumed someone had broken in through the VNC,
> shut it down, reset all my passwords, virus check was clear, and netstat
> didn't show any odd ports listening that shouldn't be.
>
> I then cleared the NAT entries, and started watching them like a hawk.
>
> I've just checked again, and found these...
>
> 5 Temp 10.0.1.3:8163 unspecified:57364 udp NONE
> 6 Temp 10.0.1.3:9298 unspecified:20783 tcp NONE
>
> These aren't the same rules as before, but broadly the same. One on TCP, one
> on UDP.
>
> netstat -a doesn't show up anything listening on those ports, but how the
> hell have they just appeared?
>
> I've actually _changed_ the router password at both (router & plus) ends,
> and shut down all unnecessary ports. I've only got one open now.
>
> Anyone any ideas what's going on here?
>
> I've not re-booted the router yet BTW. (in the middle of a download it took
> 45 minutes to queue for at Fileplanet!)
>
> Thanks,
>
> Pete.
>


UPnP can add rules automatically, I think...

 
 
Pete Smith

 
      12-03-2003, 10:36 PM
In article <3fce6cdf$0$52882$(E-Mail Removed)>, (E-Mail Removed)
says...
> Pete Smith wrote:
>
> > Hi all.
> >
> > Some very strange goings on with my 510v4 router.


> > There were 2 entries that I didn't make!
> >


> > I've actually _changed_ the router password at both (router & plus) ends,
> > and shut down all unnecessary ports. I've only got one open now.
> >
> > Anyone any ideas what's going on here?
> >
> > I've not re-booted the router yet BTW. (in the middle of a download it took
> > 45 minutes to queue for at Fileplanet!)
> >


>
> UPnP can add rules automatically, I think...


I'm guessing that may be the case now.

I don't think I'm running anything that uses UPnP though. MSMessenger was
running in the background, despite being told not to.

Messenger 6.1 doesn't do anything, but I've just killed the MSMSGS.exe, and
removed the NAT entries, and re-run Windows Messenger, and the entries are
back (different ports though).

Looks like the panic's over, and I'll look into turning UPnP off. I don't
like things poking holes in my firewall without asking me!

It's not like MS stuff is renowned for its security ;-)

Pete.

--
NOTE! Email address is spamtrapped. Any email will be bounced to you
Remove the news and underscore from my address to reply by mail
 
 
Brian Morrison

 
      12-04-2003, 01:26 PM
On Wed, 03 Dec 2003 23:36:08 +0000, in article
<(E-Mail Removed)> Pete Smith
<(E-Mail Removed)> wrote:

> Looks like the panic's over, and I'll look into turning UPnP off. I don't
> like things poking holes in my firewall without asking me!
>
> It's not like MS stuff is renowned for its security ;-)


Can't understand why they have to play this sort of trick. Why not just
make it work on fixed ports and be done with it?

--

Brian Morrison

please observe reply-to address

 
 
Pete Smith

 
      12-04-2003, 02:10 PM
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> On Wed, 03 Dec 2003 23:36:08 +0000, in article
> <(E-Mail Removed)> Pete Smith
> <(E-Mail Removed)> wrote:
>
> > Looks like the panic's over, and I'll look into turning UPnP off. I don't
> > like things poking holes in my firewall without asking me!
> >
> > It's not like MS stuff is renowned for its security ;-)

>
> Can't understand why they have to play this sort of trick. Why not just
> make it work on fixed ports and be done with it?


I don't know. Each time it happened, Windows Messenger opened up _totally_
random ports on both ends of the connection, eg port 8192 on my PC
translated to 56888 on the outside.

The ports changed when I ran it a second time.

I suppose one thing is that it's chameleonic in some sense. If it constantly
changes the ports, an attacker won't know which port to attack next?

Pete.

--
NOTE! Email address is spamtrapped. Any email will be bounced to you
Remove the news and underscore from my address to reply by mail
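
An added example, not part of any post in this thread: a small Python audit that parses NAT listings in the layout Pete pasted, reports mappings that nobody configured by hand, and shows which mappings changed between two snapshots. The column meanings, the `Static` row, the allow-list and the second snapshot are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

class NatEntry(NamedTuple):
    index: int
    kind: str          # "Temp" in the thread; any other value is an assumption
    inside_ip: str
    inside_port: int
    outside_port: int
    proto: str

    def key(self):
        return (self.proto, self.outside_port, self.inside_ip, self.inside_port)

# Assumed column layout, inferred from the two pasted lines:
# index, type, inside ip:port, outside addr:port, protocol, state
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
    r"\s+\S+:(\d+)\s+(tcp|udp)\s+\S+\s*$", re.IGNORECASE)

def parse_nat_table(text):
    """Return a NatEntry for every line that matches the layout; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(NatEntry(int(m[1]), m[2], m[3], int(m[4]), int(m[5]), m[6].lower()))
    return out

def unexpected(entries, allowed):
    """Mappings that are not in the set of forwards configured by hand."""
    return [e for e in entries if e.key() not in allowed]

def churn(before, after):
    """(added, removed) mapping keys between two snapshots of the table."""
    b, a = {e.key() for e in before}, {e.key() for e in after}
    return sorted(a - b), sorted(b - a)

# Constructed sample: rows 5 and 6 are the lines from the thread; row 1 is a
# made-up hand-configured web forward. SNAPSHOT_2 is made up from the ports
# Pete mentions later (8192 inside, 56888 outside); its protocol is assumed.
SNAPSHOT_1 = """1 Static 10.0.1.3:80 unspecified:8080 tcp NONE
5 Temp 10.0.1.3:8163 unspecified:57364 udp NONE
6 Temp 10.0.1.3:9298 unspecified:20783 tcp NONE"""
SNAPSHOT_2 = """1 Static 10.0.1.3:80 unspecified:8080 tcp NONE
5 Temp 10.0.1.3:8192 unspecified:56888 udp NONE"""
ALLOWED = {("tcp", 8080, "10.0.1.3", 80)}

if __name__ == "__main__":
    for e in unexpected(parse_nat_table(SNAPSHOT_1), ALLOWED):
        print(f"unreviewed mapping: {e.proto}/{e.outside_port} -> {e.inside_ip}:{e.inside_port}")
```

Running the same comparison on a schedule turns "watching them like a hawk" into a record of exactly which inside host asked for each new mapping and when.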
 