Hacked and Attacked (Long)

[OVERKILL]

Originally Posted By: Quattro Pete
Originally Posted By: OVERKILL
This means remote access to your router is enabled. That's bad. VERY bad.

What if you do want to have remote access to your router?

BTW, even if I disable remote access to my router, ShieldsUp reports that port 443 is open. Not sure why.



You would use a VPN, LogMeIn or something that puts you INSIDE the network, so that it doesn't show up as vulnerable on the outside.

If your router is exhibiting that behaviour I would be suspect of it.

 

[OVERKILL]

Originally Posted By: dkryan
It ain't cheap, but obviously necessary!

I do not need to add Total Security with this router?


You have the option of adding various security packages to it. Once you get comfortable with it you may be inclined to add them.

 

[Quattro Pete]

Originally Posted By: OVERKILL
If your router is exhibiting that behaviour I would be suspect of it.

I figured it out. I had a senior moment there for a second and forgot that I have a router behind a router setup here. The port was open on my ATT gateway, but not on the Asus router that sits behind it. I have closed it now. Not sure why it was open in the first place.

 

[dkryan]

Originally Posted By: OVERKILL
Originally Posted By: dkryan
Interesting.

I had two runs at my wi-fi network.

Ports 21 through 8443.

All reflected "timed out" except two ports: 80 and 443.

80 was open and is the http web-server port.
443 was "closed" and is the https web server port.


This means remote access to your router is enabled. That's bad. VERY bad. It should be disabled by default, which points to either you turning it on or somebody else doing so via a script, shell or some other vulnerability/exploit or through something like UPNP and it pointing to an internal server behind the router. All of these things are not good.

Another remote scan is ShieldsUP! Which I believe somebody else mentioned earlier in the thread.

Go here and run the UPNP test:

Gibson Research ShieldsUP!

Please post the results.


I checked my router and my MIL's router.

Port 80 is open.

The UPNP test revealed no issues.

How do I close port 80 pending other "modifications"

 

[Killer223]

log onto the router and find the firewall setting and block all traffic on port 80 and 443. make sure remote management isn't enabled.

 

[OVERKILL]

Originally Posted By: Killer223
log onto the router and find the firewall setting and block all traffic on port 80 and 443. make sure remote management isn't enabled.


This.

Then run the scan again and confirm it is closed.

 

[dkryan]

Unfortunately, it does not appear to be that easy with the TP Link C7.

There is no "enable or disable" feature on the remote access page. What the page says is the web browser access uses port 80. The default remote management port is 80. You can change the port number to any number from
1 to 65535. Mine is set to 63547. I did that months ago.

It also says the remote management IP address is "the current address used when accessing the router from the internet. IT IS DIABLED WHEN THE IP ADDRESS IS SET TO 0.0.0.0! The IP address IS set to 0.0.0.0. It says in order to ENABLE remote management, change the zeros to a valid IP address. If set to 255.255.255.255, then all hosts can access the router from the internet.

Currently, there is nothing under virtual services or port triggering (it's empty). DMZ is disabled but shows a host address 0.0.0.0

My system routing table shows:

ID Destination Network. Subnet Host. Gateway Interface

1. 192.168.0.0. 255.255.255.0. 0.0.0.0. LAN & WLAN

2. 71.79.0.0. 255.255.254.0. 0.0.0.0. WAN

3. 0.0.0.0. 0.0.0.0. 71.79.0.1. WAN


My UPNP shows "enabled."

 

[OVERKILL]

Turn off UPNP as as starting point.

 

[Tomioka]

Check in the "Advanced Security" settings to make sure "DoS Protection" is enabled and "Ignore Ping Packet from WAN to Router" is enabled. They were disabled by default in my TPlink C8 router and failed the GRC Shieldsup Common Ports test because it was able to ping my router. The default settings in this router is weak IMO and took me a couple hours to fool around and have it set up the way I like it.

 

[Tomioka]

Originally Posted By: dkryan
Unfortunately, it does not appear to be that easy with the TP Link C7.

There is no "enable or disable" feature on the remote access page. What the page says is the web browser access uses port 80. The default remote management port is 80. You can change the port number to any number from
1 to 65535. Mine is set to 63547. I did that months ago.

It also says the remote management IP address is "the current address used when accessing the router from the internet. IT IS DIABLED WHEN THE IP ADDRESS IS SET TO 0.0.0.0! The IP address IS set to 0.0.0.0. It says in order to ENABLE remote management, change the zeros to a valid IP address. If set to 255.255.255.255, then all hosts can access the router from the internet.

Currently, there is nothing under virtual services or port triggering (it's empty). DMZ is disabled but shows a host address 0.0.0.0

My system routing table shows:

ID Destination Network. Subnet Host. Gateway Interface

1. 192.168.0.0. 255.255.255.0. 0.0.0.0. LAN & WLAN

2. 71.79.0.0. 255.255.254.0. 0.0.0.0. WAN

3. 0.0.0.0. 0.0.0.0. 71.79.0.1. WAN


My UPNP shows "enabled."


Your router settings appear identical to my router settings. I have remote mgmt disabled and no entries in the virtual servers and port forwarding settings.

 

[dkryan]

Originally Posted By: Kibitoshin
Originally Posted By: dkryan
Unfortunately, it does not appear to be that easy with the TP Link C7.

There is no "enable or disable" feature on the remote access page. What the page says is the web browser access uses port 80. The default remote management port is 80. You can change the port number to any number from
1 to 65535. Mine is set to 63547. I did that months ago.

It also says the remote management IP address is "the current address used when accessing the router from the internet. IT IS DIABLED WHEN THE IP ADDRESS IS SET TO 0.0.0.0! The IP address IS set to 0.0.0.0. It says in order to ENABLE remote management, change the zeros to a valid IP address. If set to 255.255.255.255, then all hosts can access the router from the internet.

Currently, there is nothing under virtual services or port triggering (it's empty). DMZ is disabled but shows a host address 0.0.0.0

My system routing table shows:

ID Destination Network. Subnet Host. Gateway Interface

1. 192.168.0.0. 255.255.255.0. 0.0.0.0. LAN & WLAN

2. 71.79.0.0. 255.255.254.0. 0.0.0.0. WAN

3. 0.0.0.0. 0.0.0.0. 71.79.0.1. WAN


My UPNP shows "enabled."


Your router settings appear identical to my router settings. I have remote mgmt disabled and no entries in the virtual servers and port forwarding settings.


Thanks!

Yet, my Port 80 is still more wide open than a San Diego hooker when the Seventh Fleet's in port!!

 

[dishdude]

I have one of the Google OnHub routers. It's awesome.

 

[dkryan]

I trust Google (Alphabet) less than I trust Vladimir Putin and the [censored] dictator of North Korea.

 

[dkryan]

Originally Posted By: Kibitoshin
Check in the "Advanced Security" settings to make sure "DoS Protection" is enabled and "Ignore Ping Packet from WAN to Router" is enabled. They were disabled by default in my TPlink C8 router and failed the GRC Shieldsup Common Ports test because it was able to ping my router. The default settings in this router is weak IMO and took me a couple hours to fool around and have it set up the way I like it.


Confirmed! Thanks.

 

[dishdude]

Originally Posted By: dkryan
I trust Google (Alphabet) less than I trust Vladimir Putin and the [censored] dictator of North Korea.


Not surprised after rereading the first post in this thread.

 

[dkryan]

Originally Posted By: dishdude
Originally Posted By: dkryan
I trust Google (Alphabet) less than I trust Vladimir Putin and the [censored] dictator of North Korea.


Not surprised after rereading the first post in this thread.


It's absolutely crazy what some of the Android apps from the Google Play Store wanted to access on one's phone. 90% of which had no correlation to the purpose of the app.