RobnH
Nov 24, 2016 Aspirant
N450 CG3000dv2 "LAN access from remote" log entries
Modem: Netgear N450 CG3000DV2
Firmware Version: V3.01.06
ISP: Time Warner
Hi folks,
I’m concerned about the “LAN access from remote” entries in the attached logs. I do not know how to configure the router to block this access. I’m not even sure what device is being accessed.
Remote Management is off.
I’ve disabled UPnP.
There are no port forwarding/port triggering rules.
I’ve disabled the bulk of the services that were enabled when I hard reset the modem.
The admin password has been changed.
Wireless is disabled. (I have a DLink access point handling the wireless traffic.)
Guest Network is disabled.
No torrents are being run.
Any suggestions are appreciated.
Thanks!
-Robin
Description | Count | Last Occurrence | Target | Source |
[TCP- or UDP-based Port Scan ] | 2 | Thu Nov 24 06:35:56 2016 | 172.xxx.xxx.xxx:59763 | 209.18.47.62:53 |
[TCP- or UDP-based Port Scan ] | 24 | Thu Nov 24 06:30:13 2016 | 172.xxx.xxx.xxx:62922 | 209.18.47.61:53 |
[LAN access from remote ] | 1 | Wed Nov 23 21:52:08 2016 | 172.xxx.xxx.xxx:161 | 12.35.230.2:63433 |
[TCP- or UDP-based Port Scan ] | 3 | Wed Nov 23 21:37:31 2016 | 172.xxx.xxx.xxx:22347 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Wed Nov 23 21:10:53 2016 | 172.xxx.xxx.xxx:161 | 196.15.222.185:52181 |
[TCP- or UDP-based Port Scan ] | 10 | Wed Nov 23 21:10:13 2016 | 172.xxx.xxx.xxx:57185 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Wed Nov 23 17:56:46 2016 | 172.xxx.xxx.xxx:161 | 12.28.6.226:49679 |
[TCP- or UDP-based Port Scan ] | 7 | Wed Nov 23 17:07:01 2016 | 172.xxx.xxx.xxx:35617 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Wed Nov 23 07:43:10 2016 | 172.xxx.xxx.xxx:161 | 185.94.111.1:58981 |
[TCP- or UDP-based Port Scan ] | 1 | Wed Nov 23 07:36:03 2016 | 172.xxx.xxx.xxx:20604 | 209.18.47.62:53 |
[LAN access from remote ] | 2 | Wed Nov 23 07:35:40 2016 | 172.xxx.xxx.xxx:161 | 212.80.185.174:80 |
[TCP- or UDP-based Port Scan ] | 4 | Wed Nov 23 07:31:25 2016 | 172.xxx.xxx.xxx:42479 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Wed Nov 23 06:54:13 2016 | 172.xxx.xxx.xxx:161 | 184.105.139.67:30404 |
[TCP- or UDP-based Port Scan ] | 1 | Wed Nov 23 06:43:12 2016 | 172.xxx.xxx.xxx:34215 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Wed Nov 23 06:42:34 2016 | 172.xxx.xxx.xxx:161 | 185.128.40.162:51808 |
[TCP- or UDP-based Port Scan ] | 16 | Wed Nov 23 05:31:39 2016 | 172.xxx.xxx.xxx:54957 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Tue Nov 22 22:10:00 2016 | 172.xxx.xxx.xxx:161 | 80.82.64.42:49895 |
[TCP- or UDP-based Port Scan ] | 5 | Tue Nov 22 22:00:49 2016 | 172.xxx.xxx.xxx:62649 | 209.18.47.62:53 |
[LAN access from remote ] | 2 | Tue Nov 22 20:38:30 2016 | 172.xxx.xxx.xxx:161 | 89.248.168.6:18564 |
[TCP- or UDP-based Port Scan ] | 21 | Tue Nov 22 17:30:26 2016 | 172.xxx.xxx.xxx:31657 | 209.18.47.62:53 |
[LAN access from remote ] | 1 | Tue Nov 22 07:49:36 2016 | 172.xxx.xxx.xxx:161 | 204.42.253.130:56921 |
[TCP- or UDP-based Port Scan ] | 6 | Tue Nov 22 07:41:18 2016 | 172.xxx.xxx.xxx:41197 | 209.18.47.62:53 |
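A way to triage a log in this layout, as an added example that is not part of the original post: it totals the "LAN access from remote" rows per destination port and distinct source, and separates out the port-scan rows whose source port is 53 (the DNS port) so they can be checked against the configured resolvers. The sample rows are constructed with documentation-range addresses, and the function and field names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same pipe-separated layout as the log above
# (documentation-range addresses, not the poster's data).
SAMPLE_LOG = """\
[TCP- or UDP-based Port Scan ] | 2 | Thu Nov 24 06:35:56 2016 | 198.51.100.7:59763 | 192.0.2.53:53 |
[LAN access from remote ] | 1 | Wed Nov 23 21:52:08 2016 | 198.51.100.7:161 | 203.0.113.10:63433 |
[LAN access from remote ] | 2 | Wed Nov 23 07:35:40 2016 | 198.51.100.7:161 | 203.0.113.20:80 |
[TCP- or UDP-based Port Scan ] | 10 | Wed Nov 23 21:10:13 2016 | 198.51.100.7:57185 | 192.0.2.53:53 |
"""

ROW = re.compile(
    r"^\[(?P<desc>[^\]]+?)\s*\]\s*\|\s*(?P<count>\d+)\s*\|\s*(?P<when>[^|]+?)\s*\|"
    r"\s*(?P<target>\S+):(?P<tport>\d+)\s*\|\s*(?P<source>\S+):(?P<sport>\d+)\s*\|?\s*$"
)

def parse(log_text):
    """Yield one dict per well-formed row; skip the header and junk lines."""
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("count", "tport", "sport"):
                row[key] = int(row[key])
            yield row

def triage(log_text):
    """Summarise which WAN-side ports were reached, and from where."""
    remote_hits = Counter()            # target port -> total logged hits
    remote_sources = defaultdict(set)  # target port -> distinct source IPs
    from_dns_port = 0                  # "port scan" hits sourced from port 53
    for row in parse(log_text):
        if row["desc"] == "LAN access from remote":
            remote_hits[row["tport"]] += row["count"]
            remote_sources[row["tport"]].add(row["source"])
        elif "Port Scan" in row["desc"] and row["sport"] == 53:
            from_dns_port += row["count"]
    return {
        "remote_hits": dict(remote_hits),
        "remote_sources": {p: sorted(s) for p, s in remote_sources.items()},
        "from_dns_port": from_dns_port,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
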
19 Replies
- johnnyBrandom Aspirant
Hi Robn,
Yes - I'm having this issue too (and I replied to your post over at the TWC forum). So it looks like the combination of an N450 modem and Time Warner Cable is inviting remote attacks on our systems. I'm repeating myself from that TWC post here:
I am seeing the same type of remote accesses on my N450 modem too. These accesses appear to be exploiting a vulnerability in the N450 SNMP stack as the accesses are all on port 161 (same as what your logs show). The remote IPs I'm seeing trace back to Russia, Sweden, and Israel. This looks very much like our modems are being commandeered for use in botnets.
Unfortunately there is no way for the owner to control the WAN facing services so this problem must be fixed by Netgear (firmware upgrade) and rolled out by TWC. This is very troubling because I assume the attackers are able to hack systems on the LAN side once on the modem. I recommend powering off your modem when not in use - it will at least inconvenience the remote hackers. A dedicated firewall and new wap between the modem and your LAN devices will also help protect your personal systems but won't stop the modem from being used in botnets or as a beachhead to hack away at your LAN.
I think that it is possible that TWC isn't sufficiently locking down remote SNMP access on their subnets. It's also very likely that the N450 is running an old version of SNMP - there are known vulnerabilities in older SNMP versions.
Here's a link back to your TWC post for other TWC customers to reply to if they see similar on their modems:
http://forums.timewarnercable.com/t5/Home-Networking/LAN-access-from-remote-entries/td-p/119340
Thanks.
I'm in the same situation with TWC.
Would setting up a port 161 forward to an unused internal IP prevent this access?
- RobnH Aspirant
Port forwarding was suggested on another forum. I set it up. It looks like the port forwarding activity should show up in the logs, but I have not seen it. I am continuing to see the "LAN access from remote" entries. Please let me know if you have better luck.
Thanks