
Re: N450 CG3000dv2 "LAN access from remote" log entries

RobnH
Aspirant

N450 CG3000dv2 "LAN access from remote" log entries

Modem: Netgear N450 CG3000DV2

Firmware Version: V3.01.06

ISP: Time Warner

 

Hi folks,

I’m concerned about the “LAN access from remote” entries in the attached logs.  I do not know how to configure the router to block this access. I’m not even sure what device is being accessed.  

 

Remote Management is off.

I’ve disabled UPnP.

There are no port forwarding/port triggering rules.

I’ve disabled the bulk of the services that were enabled when I hard reset the modem. 

The admin password has been changed. 

Wireless is disabled. (I have a DLink access point handling the wireless traffic.)

Guest Network is disabled. 

No torrents are being run.

 

Any suggestions are appreciated.

 

Thanks!

-Robin

 

 

| Description | Count | Last Occurrence | Target | Source |
|---|---|---|---|---|
| [TCP- or UDP-based Port Scan ] | 2 | Thu Nov 24 06:35:56 2016 | 172.xxx.xxx.xxx:59763 | 209.18.47.62:53 |
| [TCP- or UDP-based Port Scan ] | 24 | Thu Nov 24 06:30:13 2016 | 172.xxx.xxx.xxx:62922 | 209.18.47.61:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 21:52:08 2016 | 172.xxx.xxx.xxx:161 | 12.35.230.2:63433 |
| [TCP- or UDP-based Port Scan ] | 3 | Wed Nov 23 21:37:31 2016 | 172.xxx.xxx.xxx:22347 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 21:10:53 2016 | 172.xxx.xxx.xxx:161 | 196.15.222.185:52181 |
| [TCP- or UDP-based Port Scan ] | 10 | Wed Nov 23 21:10:13 2016 | 172.xxx.xxx.xxx:57185 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 17:56:46 2016 | 172.xxx.xxx.xxx:161 | 12.28.6.226:49679 |
| [TCP- or UDP-based Port Scan ] | 7 | Wed Nov 23 17:07:01 2016 | 172.xxx.xxx.xxx:35617 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 07:43:10 2016 | 172.xxx.xxx.xxx:161 | 185.94.111.1:58981 |
| [TCP- or UDP-based Port Scan ] | 1 | Wed Nov 23 07:36:03 2016 | 172.xxx.xxx.xxx:20604 | 209.18.47.62:53 |
| [LAN access from remote ] | 2 | Wed Nov 23 07:35:40 2016 | 172.xxx.xxx.xxx:161 | 212.80.185.174:80 |
| [TCP- or UDP-based Port Scan ] | 4 | Wed Nov 23 07:31:25 2016 | 172.xxx.xxx.xxx:42479 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 06:54:13 2016 | 172.xxx.xxx.xxx:161 | 184.105.139.67:30404 |
| [TCP- or UDP-based Port Scan ] | 1 | Wed Nov 23 06:43:12 2016 | 172.xxx.xxx.xxx:34215 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Wed Nov 23 06:42:34 2016 | 172.xxx.xxx.xxx:161 | 185.128.40.162:51808 |
| [TCP- or UDP-based Port Scan ] | 16 | Wed Nov 23 05:31:39 2016 | 172.xxx.xxx.xxx:54957 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Tue Nov 22 22:10:00 2016 | 172.xxx.xxx.xxx:161 | 80.82.64.42:49895 |
| [TCP- or UDP-based Port Scan ] | 5 | Tue Nov 22 22:00:49 2016 | 172.xxx.xxx.xxx:62649 | 209.18.47.62:53 |
| [LAN access from remote ] | 2 | Tue Nov 22 20:38:30 2016 | 172.xxx.xxx.xxx:161 | 89.248.168.6:18564 |
| [TCP- or UDP-based Port Scan ] | 21 | Tue Nov 22 17:30:26 2016 | 172.xxx.xxx.xxx:31657 | 209.18.47.62:53 |
| [LAN access from remote ] | 1 | Tue Nov 22 07:49:36 2016 | 172.xxx.xxx.xxx:161 | 204.42.253.130:56921 |
| [TCP- or UDP-based Port Scan ] | 6 | Tue Nov 22 07:41:18 2016 | 172.xxx.xxx.xxx:41197 | 209.18.47.62:53 |

 

Model: N450 (CG3000Dv2)|N450 WiFi Cable Modem Router
Message 1 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hi Robn,

 

Yes - I'm having this issue too (and I replied to your post over at the TWC forum). So it looks like the combination of an N450 modem and Time Warner Cable is inviting remote attacks on our systems. I'm repeating myself from that TWC post here:

 

I am seeing the same type of remote accesses on my N450 modem too. These accesses appear to be exploiting a vulnerability in the N450 SNMP stack as the accesses are all on port 161 (same as what your logs show). The remote IPs I'm seeing trace back to Russia, Sweden, and Israel. This looks very much like our modems are being commandeered for use in botnets.

 

Unfortunately there is no way for the owner to control the WAN facing services so this problem must be fixed by Netgear (firmware upgrade) and rolled out by TWC. This is very troubling because I assume the attackers are able to hack systems on the LAN side once on the modem. I recommend powering off your modem when not in use - it will at least inconvenience the remote hackers. A dedicated firewall and new wap between the modem and your LAN devices will also help protect your personal systems but won't stop the modem from being used in botnets or as a beachhead to hack away at your LAN.

 

I think that it is possible that TWC isn't sufficiently locking down remote SNMP access on their subnets. It's also very likely that the N450 is running an old version of SNMP - there are known vulnerabilities in older SNMP versions.

 

Here's a link back to your TWC post for other TWC customers to reply to if they see similar on their modems:

 

 http://forums.timewarnercable.com/t5/Home-Networking/LAN-access-from-remote-entries/td-p/119340

 

 

Thanks.

Model: N450|N450 WiFi Cable Modem Router
Message 2 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

I'm in the same situation with TWC.
Would setting up a port 161 forward to an unused internal IP prevent this access?

Message 3 of 20
RobnH
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Port forwarding was suggested on another forum. I set it up. It looks like the port forwarding activity should show up in the logs, but I have not seen it. I am continuing to see the "LAN access from remote" entries.  Please let me know if you have better luck.

 

Thanks

Message 4 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

I set it up and got mixed results in my logs after testing.

The probe from Speedguide.net's SG Security Scan targeted the external IP and reported the port as open.

The probe from ShieldsUP on grc.com was forwarded to the unused IP and reported no response.

 

What's different between these two services?

Message 5 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

Still getting [LAN access from remote ] on port 161 from IPs all over the world.

I might have to purchase a more secure router/modem.

Message 6 of 20
RobnH
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

I understand needing a more secure router. I was a bit more successful this time. The logs show that the accesses are being routed to my dummy address. If this doesn't stay "fixed", I will go shopping for a new router. Good luck.

Message 7 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Sorry to hear you're in the same boat Mattf. Thanks for the tip, I think I will try forwarding 161 too - hopefully this weekend. Before I do that, I have some other tests I want to run. I will post back when I have some results.

Message 8 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Thanks RobnH! That's encouraging! I'm going to try this too and will let you know how it goes. Ultimately, my plan is to buy a dumb modem and then put a more secure device behind that - something that I can flash with OpenWRT or DD-WRT. I'm really disappointed in this device from Netgear - the logging is pretty awful and basic features don't seem to work correctly. And I still experience the wi-fi drop from time to time. However, I also want to restore factory defaults again just to be sure some of these issues are not being caused by the remote activity.

Message 9 of 20
RobnH
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Well, that didn't work for long.  The logs are showing unforwarded accesses again. 

 

JohnnyB, I hope your tests are more successful.

Message 10 of 20
DarrenM
Sr. NETGEAR Moderator

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hello RobnH

 

Our internal test team tested this in their lab and they found this log will be created when a WAN-side PC tries to connect to the N450 WAN IP SNMP port 161. So that’s why you could see the log “LAN access from remote” on WAN port 161. Port 161 is disabled by default on the WAN interface, so there is no vulnerability issue, but the log ‘LAN access from remote’ may confuse you; it is actually remote access to the device on the WAN side, not LAN access.
 

DarrenM

Message 11 of 20
RobnH
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hi DarrenM,

 

Thanks for your research into this problem. I guess I'm still perplexed by SpeedGuide.net's Security Scan reporting port 161/udp as open. I appreciate your help with this problem.

 

Robn

Message 12 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hi Robn,

 

The reason why SpeedGuide is reporting port 161 as being open on your N450 modem is because it is open. I have verified this using another service against my N450 - it is open - no question about that. So the question I have for DarrenM is what do you mean by "161 port is disabled by default"? To me disabled means port 161 is not open but my tests show that it is open. As the owner of this device, I am very concerned about what that means for the security of my network - especially since I have no visible means of correcting this.

 

Perhaps one bit of comfort we can take at this point is that it's possible that these messages are due to UDP scans hitting our devices and not that the modems are actually being compromised. I have verified that the modem is logging a UDP scan against port 161 with the same message: "LAN access from remote" - so it's most likely that our devices are just being scanned. It also appears that the version of SNMP implemented on the N450 is v3 which is the latest and more secure than v2. But it's no comfort to know that the port is open when Netgear is telling us it's not. I plan to do more testing when I get a chance and will report back if I learn anything more.

 

edit: to correct typos.

Message 13 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hi Darren - thanks but what do you mean by "161 port is disabled by default"? When I scan my modem from the WAN side, I see that port 161 is open and I have no means to close it. What do you mean by "161 port is disabled"?

 

Thanks.

Message 14 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

If those log entries are for failed access attempts, why are they only showing up for port 161 and not for any of the other common attack vectors like SSH or FTP? I had many attempted FTP connections to my server recorded in the router log when my server listened on port 21. As soon as I moved it to a non-standard port, those attempted connections (and router log entries) stopped showing up.

 

Port 161 is the ONLY port that has these "LAN access from remote" entries.

Message 15 of 20
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hi Mattf,

 

I think we only see these logged for port 161 because that's the only port that is opened on the WAN side. If you open up other ports with port forwarding, you may begin to see similar messages being logged for those ports too - but I haven't actually tested this myself. What I have tested is that merely scanning the SNMP port produces these messages.

 

Unfortunately, problems maintaining wireless connectivity with the N450 after firmware update 3.01.06 as well as newly discovered problems with logging delays (events are not showing up in the logs for sometimes hours after they occur) and Netgear's policy of not permitting customers to submit bug reports without paying for support have made me realize that it's time to abandon this device for something more reliable and secure. I was a loyal Netgear customer but this experience has forced me to re-evaluate that loyalty.

Message 16 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

After doing a full factory reset via the physical reset button and then using the Netgear Genie interface, I was able to solve the wifi disconnect issue after the firmware update.  It's been going strong for about 2 weeks without any issues.  

 

When I opened and forwarded other ports (specifically port 21) the log entries showed the internal address of my server as the "target". With port 161, the "target" is always shown as the external IP address assigned by my ISP.

Message 17 of 20
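Added example, not part of the thread or of any Netgear tooling: a small triage script that applies the two observations made above (the modem logs "LAN access from remote" for probes of its own WAN IP on port 161, while forwarded ports show an internal address as the target) to an exported log. The tab-separated five-column export, the function names and all addresses are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the log's column order:
# Description, Count, Last Occurrence, Target, Source (tab-separated).
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
[TCP- or UDP-based Port Scan ]\t24\tThu Nov 24 06:30:13 2016\t203.0.113.10:62922\t192.0.2.53:53
[LAN access from remote ]\t1\tWed Nov 23 21:52:08 2016\t203.0.113.10:161\t198.51.100.7:63433
[LAN access from remote ]\t2\tWed Nov 23 07:35:40 2016\t203.0.113.10:161\t198.51.100.99:80
[LAN access from remote ]\t1\tWed Nov 23 06:54:13 2016\t192.168.0.20:21\t198.51.100.7:30404
"""

SNMP_PORT = 161


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port)."""
    host, _, port = endpoint.strip().rpartition(":")
    return host, int(port)


def classify(description, target, wan_ip):
    """Label one log row by what the Target column says was reached."""
    if "LAN access from remote" not in description:
        return "other-event"
    host, port = split_endpoint(target)
    if host != wan_ip:
        # Target is not the WAN address: a port forward delivered it to a LAN host.
        return "forwarded-to-lan-host"
    return "snmp-probe-of-wan-ip" if port == SNMP_PORT else "other-wan-port"


def triage(log_text, wan_ip):
    """Return (events per category, events per source IP for SNMP probes)."""
    totals, snmp_sources = Counter(), Counter()
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        description, count, _when, target, source = row
        category = classify(description, target, wan_ip)
        totals[category] += int(count)
        if category == "snmp-probe-of-wan-ip":
            snmp_sources[split_endpoint(source)[0]] += int(count)
    return totals, snmp_sources


if __name__ == "__main__":
    totals, sources = triage(SAMPLE_LOG, wan_ip="203.0.113.10")
    print(dict(totals))
    print(sources.most_common())
```

Rows labelled `forwarded-to-lan-host` are the ones that reached a device behind the modem and deserve a look at the forwarding rule; `snmp-probe-of-wan-ip` rows never left the modem's WAN interface.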
johnnyBrandom
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Factory reset did not fix the issue for me - tried twice. But thanks for the suggestion.

Message 18 of 20
shuli
Aspirant

Re: N450 CG3000dv2 "LAN access from remote" log entries

Hello everyone. I am having this same issue of "LAN access from remote" but Cox Communications is my ISP. I am no expert but have read as much as I can, and the issue persists. Is it the general consensus of those in this discussion that the best solution is to buy a new modem and router? Many thanks for your insight,

Message 19 of 20
mattf1856
Tutor

Re: N450 CG3000dv2 "LAN access from remote" log entries

The factory reset fix to stop the disconnects is still holding strong for me months later. I have no idea why it seems to work for some but not for others.  I'm still getting the "LAN access from remote" entries about 3-4 a day from all over the world on port 161. I contacted Netgear support about this and they told me that a technician would be calling me to do some diagnostics. The call never came.  

 

I assume this unit is going to be another Netgear modem that gets identified as being hopelessly insecure like the JNR1010v2 / WNR614 / WNR618 / JWNR2000v5 / WNR2020 / JWNR2010v5 / WNR1000v4 / WNR2020v2 / R6220 / WNDR3700v5 units.  I just ended up buying a replacement from a different company, I just have yet to get it installed.

Message 20 of 20