RobnH
Nov 24, 2016, Aspirant
N450 CG3000dv2 "LAN access from remote" log entries
Modem: Netgear N450 CG3000DV2
Firmware Version: V3.01.06
ISP: Time Warner
Hi folks, I’m concerned about the “LAN access from remote” entries in the attached logs. I do not know how to configu...
johnnyBrandom
Dec 04, 2016, Aspirant
Hi Robn,
Yes - I'm having this issue too (and I replied to your post over at the TWC forum). So it looks like the combination of an N450 modem and Time Warner Cable is inviting remote attacks on our systems. I'm repeating myself from that TWC post here:
I am seeing the same type of remote accesses on my N450 modem too. These accesses appear to be exploiting a vulnerability in the N450 SNMP stack as the accesses are all on port 161 (same as what your logs show). The remote IPs I'm seeing trace back to Russia, Sweden, and Israel. This looks very much like our modems are being commandeered for use in botnets.
Unfortunately there is no way for the owner to control the WAN-facing services, so this problem must be fixed by Netgear (firmware upgrade) and rolled out by TWC. This is very troubling because I assume the attackers are able to hack systems on the LAN side once on the modem. I recommend powering off your modem when not in use - it will at least inconvenience the remote hackers. A dedicated firewall and new WAP between the modem and your LAN devices will also help protect your personal systems but won't stop the modem from being used in botnets or as a beachhead to hack away at your LAN.
I think that it is possible that TWC isn't sufficiently locking down remote SNMP access on their subnets. It's also very likely that the N450 is running an old version of SNMP - there are known vulnerabilities in older SNMP versions.
Here's a link back to your TWC post for other TWC customers to reply to if they see similar on their modems:
http://forums.timewarnercable.com/t5/Home-Networking/LAN-access-from-remote-entries/td-p/119340
Thanks.
- mattf1856, Jan 03, 2017, Tutor
I'm in the same situation with TWC.
Would setting up a port 161 forward to an unused internal IP prevent this access?
- RobnH, Jan 04, 2017, Aspirant
Port forwarding was suggested on another forum. I set it up. It looks like the port forwarding activity should show up in the logs, but I have not seen it. I am continuing to see the "LAN access from remote" entries. Please let me know if you have better luck.
Thanks
- mattf1856, Jan 04, 2017, Tutor
I set it up and got mixed results in my logs after testing.
The probe from Speedguide.net's SG Security Scan targeted the external IP and reported the port as open.
The probe from ShieldsUP on grc.com was forwarded to the unused IP and reported no response.
What's different between these two services?
- johnnyBrandom, Jan 05, 2017, Aspirant
Sorry to hear you're in the same boat Mattf. Thanks for the tip, I think I will try forwarding 161 too - hopefully this weekend. Before I do that, I have some other tests I want to run. I will post back when I have some results.
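
An added example, not part of any post in this thread: a small script for tallying "LAN access from remote" log entries by destination port and by remote source on port 161, so a change such as the port forward discussed above can be compared before and after. The log line layout, the sample lines, and all addresses (documentation ranges) are constructed assumptions; adjust the pattern to match your own modem's log export.

```python
import re
from collections import Counter

# Constructed sample lines. The layout is an assumption modelled on
# "[LAN access from remote]" entries; it is not copied from the thread's logs.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:51234 to 192.168.0.1:161, Saturday, Dec 03, 2016 02:14:09
[LAN access from remote] from 203.0.113.7:51240 to 192.168.0.1:161, Saturday, Dec 03, 2016 02:14:11
[LAN access from remote] from 198.51.100.22:40112 to 192.168.0.1:161, Saturday, Dec 03, 2016 05:40:57
[DHCP IP: 192.168.0.5] to MAC address 00:00:5e:00:53:01, Saturday, Dec 03, 2016 06:01:00
[LAN access from remote] from 192.0.2.90:33321 to 192.168.0.10:8080, Sunday, Dec 04, 2016 11:22:33
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)

def parse_remote_access(text):
    """Return one dict per 'LAN access from remote' line; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def summarize(events, watch_port=161):
    """Count entries per destination port, and per remote source on watch_port."""
    by_port = Counter(ev["dport"] for ev in events)
    sources = Counter(ev["src"] for ev in events if ev["dport"] == watch_port)
    return by_port, sources

if __name__ == "__main__":
    by_port, snmp_sources = summarize(parse_remote_access(SAMPLE_LOG))
    for port, n in by_port.most_common():
        print(f"dst port {port}: {n} entries")
    for src, n in snmp_sources.most_common():
        print(f"port 161 from {src}: {n} entries")
```
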