DG834PN Remote Management/admin hack?

netgrrr
Aspirant

Been a lurker for many years on this forum, but couldn't find any further info on my incident.

My DG834PN Rangemax ADSL Modem Wireless Router has served me well.

Running Firmware V1.03.39.

I get a daily log which I cast an eye over (and it's usually a few "Send E-mail Success!" and "Send out NTP request"). Oddly I've always got the daily log twice, but that's the least of my worries.

Last week I got a one-off PORT SCAN alert, but nothing further spurious.

Then Saturday's log revealed something VERY alarming:

Fri, 2012-07-20 22:00:04 - Send E-mail Success!
Sat, 2012-07-21 01:35:27 - Administrator login failed - IP:109.163.233.201
Sat, 2012-07-21 01:48:57 - Administrator login failed - IP:109.163.233.200
Sat, 2012-07-21 05:39:52 - Administrator login successful - IP:109.163.233.205

The source IP is an anonymization service, but having got the password wrong twice they came straight in!

No idea what they got up to, but they changed the admin password.

Unfortunately, once you have a copy of the Current Settings, you can read it with a text editor and it reveals all your router-related passwords (admin, SMTP authentication, dynamic DNS service etc.)

As you can imagine I've had a busy day changing LOTS of stuff.

I was using an 11-character, alphanumeric password, so not the default.

I had foolishly left my Remote Management on from days of needing to access the outside interface (since turned off)... and I was also using a Dynamic DNS service (since turned off).

Having done some initial research, it would seem that even with it off, if a user was tricked into running a malicious script the router's debug mode can be enabled and the password changed WITHOUT THE NEED FOR AN ADMIN PASSWORD!

Is anyone aware of an exploit that can be run on the outside interface that figures out the password this quickly? Or is there a way to protect against these behind-the-wall network script exploits? How did they get that password? is what I'm saying.

Unfortunately I have a 'lil man in the house who could easily click on something he shouldn't when hunting for Mario-related material on Google; the adults are more aware of "don't click past the warnings".

I was unaware how easy it is to break the admin door down on my box (from the inside)..... just very alarmed how easily they got in from the outside!

TIA
Message 1 of 6
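The pattern in the log above (two failed admin logins from one /24, then a success from the same range a few hours later) is exactly what a reviewer of these daily e-mails should be looking for. The following is an added example, not code from the original post or from Netgear, that parses lines in the DG834PN log format quoted above and flags every successful admin login, counting any failures from the same /24 within a configurable window; the sample log is constructed from the lines in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the DG834PN daily-log format, reusing the lines quoted above.
SAMPLE_LOG = """\
Fri, 2012-07-20 22:00:04 - Send E-mail Success!
Sat, 2012-07-21 01:35:27 - Administrator login failed - IP:109.163.233.201
Sat, 2012-07-21 01:48:57 - Administrator login failed - IP:109.163.233.200
Sat, 2012-07-21 05:39:52 - Administrator login successful - IP:109.163.233.205
"""

# Only the "Administrator login" lines matter here; everything else is skipped.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"Administrator login (?P<result>failed|successful) - IP:(?P<ip>[\d.]+)$"
)


def parse_admin_logins(text):
    """Return (timestamp, result, ip) tuples for every admin-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["ip"]))
    return events


def find_suspicious_logins(text, window=timedelta(hours=6)):
    """Flag each successful admin login together with the number of failed
    attempts from the same /24 in the preceding `window`.

    A home router with remote management disabled should log no WAN-side
    admin logins at all, so every success is reported, not only those
    preceded by failures; the failure count just ranks how alarming it is.
    """
    events = parse_admin_logins(text)
    alerts = []
    for ts, result, ip in events:
        if result != "successful":
            continue
        net = ip.rsplit(".", 1)[0]          # crude /24 grouping, e.g. 109.163.233
        prior = [e for e in events
                 if e[1] == "failed"
                 and e[2].rsplit(".", 1)[0] == net
                 and timedelta(0) <= ts - e[0] <= window]
        alerts.append({"time": ts, "ip": ip, "prior_failures": len(prior)})
    return alerts
```

Run against the real daily e-mail, a non-empty result from `find_suspicious_logins` is the moment to pull the settings backup, rotate every password it contains and turn remote management off, as the poster did.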
jmizoguchi
Virtuoso

Re: DG834PN Remote Management/admin hack?

Rule of thumb is not to open remote management, i.e. HTTP-based remote management.

Depending on the password you used to strengthen it, but it is very possible for someone to hack/exploit a router.

I remember a long time ago my buddy from Europe used to check security stuff for me and he told me I could hack the router .....

netgrrr wrote:
Having done some initial research, it would seem that even with it off, if a user was tricked into running a malicious script the router's debug mode can be enabled and the password changed WITHOUT THE NEED FOR AN ADMIN PASSWORD!

I'm not aware of being able to hit the remote management while it's off in the GUI..
VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study"

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-
Message 2 of 6
netgrrr
Aspirant

Re: DG834PN Remote Management/admin hack?

jmizoguchi wrote:
Rule of thumb is not to open remote management, i.e. HTTP-based remote management.


Hahah, don't I know it :rolleyes:
But I've learnt the hard way and it was totally my fault and won't happen again, Obi-Wan ;)

jmizoguchi wrote:
I'm not aware of being able to hit the remote management while it's off in the GUI..


That was my belief also, BUT.... there are scripts that will turn the interface ON and reset the password to something THEY know. I had a play with a couple of these command-line scripts and they work :eek:

...I'm beginning to think a malware phoned home with my WiFi password, which foolishly was my admin password also (since split). I'm hoping that was the door key they needed (seeing as I left the door available to the outside world).

Thanks J
Message 3 of 6
jmizoguchi
Virtuoso

Re: DG834PN Remote Management/admin hack?

netgrrr wrote:
Hahah, don't I know it
But I've learnt the hard way and it was totally my fault and won't happen again, Obi-Wan

Very few home-end routers support HTTPS. All the ProSafe routers from Netgear do. On this note, other devices like Linksys and D-Link can choose to use both HTTP and HTTPS, so not sure why Netgear does not implement it on home-end routers ...


netgrrr wrote:
I had a play with a couple of these command-line scripts and they work

Doesn't surprise me, but cool to know that..


netgrrr wrote:
...I'm beginning to think a malware phoned home with my WiFi password, which foolishly was my admin password also (since split). I'm hoping that was the door key they needed (seeing as I left the door available to the outside world).

Not a good idea to have WiFi and GUI admin with the same password.

Make sure to use upper/lower case and numbers for your router admin password.
Some special characters may not work with the router admin password, so you know that as well.
Message 4 of 6
netgrrr
Aspirant

Re: DG834PN Remote Management/admin hack?

jmizoguchi wrote:

Not a good idea to have WiFi and GUI admin with the same password.

Make sure to use upper/lower case and numbers for your router admin password.
Some special characters may not work with the router admin password, so you know that as well.


Know that now :P cheers for the heads-up.

...so having locked all the doors and windows, I now notice that my log files are a month out (the clock's correct in the router, even changed the NTP server) but the log file headers are showing as AUGUST and not JULY, most odd :confused:
Message 5 of 6
jmizoguchi
Virtuoso

Re: DG834PN Remote Management/admin hack?

Sounds like NTP server sync is not correctly happening with the router, unless the time shows correctly right now in the router GUI.
Message 6 of 6