Bugtraq mailing list archives

Re: Massive attack to Alcatel Speed Touch Home & Pro (fwd)


From: Rick Byers <rb-bugtraq () BigScaryChildren net>
Date: Sun, 5 Aug 2001 11:27:31 -0400 (EDT)

Can you elaborate on the mechanism you believe the attackers are using to
install the software?  My understanding of the vulnerability in the STH is
that it allows access from the INTERNAL LAN interface, or from the TelCo
ATM interface - NOT over the public IP interface.  Besides, any traffic to
my public IP will go to my server over the PPPoE link.  Assuming an
attacker cannot generate packets from inside my LAN (through a bounce
attack or something) and doesn't have direct access to my ATM link to the
TelCo - I see no way for them to install new firmware (or interact with
the configuration in any way) on my modem.

Or are you saying that an improperly secured FTP server inside your network
is being used to transfer files to the modem?  I'm not completely sure how
this could work either...

I thought I had myself protected (without patching my Firmware - since I
rent my modem from my ISP), but your message raises some new concerns.  My
firmware is still the KHDSBA.133 that came on the modem, but I want to
make sure I'm protected against outside (not TelCo) modification...

Thanks!

On Sun, 5 Aug 2001, Andrea Costantino wrote:

It seems that a particular version is being installed by someone on the
Alcatel after a portscan to detect it.
I've recorded a large portscan against port 21 (the one used to upgrade
the new version) to ALL my public IP, and all IPs of my ISP.

It seems that the intruder scanned with a SYN/FIN portscan to detect the
Alcatel and after he/she put the new firmware version.

I don't know what the hell the new version does, but sometimes during the
upgrade the configuration is lost, so many people blame their ISP or the
telco company for service interruptions, but in truth their ADSL is
running flawlessly, while the modem has become unconfigured.
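The quoted report describes a SYN/FIN sweep against port 21 across a whole address range, and the reply above points out that the modem's weak point is its LAN and ATM sides rather than the public interface. The script below is an added example, not code from either poster: it parses constructed netfilter-style firewall log lines (the addresses, interface names and timestamps are made up for illustration), flags packets carrying the illegal SYN+FIN combination to port 21, and groups them by source to separate a one-off probe from a sweep. It also keeps the ingress interface so hits arriving on the internal LAN side (assumed here to be `eth0`) can be reviewed separately from the PPPoE/public side.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "FIN", "ACK", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")

# Constructed sample lines in a netfilter LOG style; none of these are real captures.
SAMPLE_LOG = """\
Aug  5 03:12:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN FIN
Aug  5 03:12:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.11 PROTO=TCP SPT=40001 DPT=21 SYN FIN
Aug  5 03:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.12 PROTO=TCP SPT=40001 DPT=21 SYN FIN
Aug  5 03:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.13 PROTO=TCP SPT=40001 DPT=21 SYN FIN
Aug  5 03:12:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=21 SYN
Aug  5 03:12:06 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80 SYN
Aug  5 03:12:07 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.138 PROTO=TCP SPT=1234 DPT=21 SYN FIN
"""


def parse_line(line):
    """Parse one netfilter-style LOG line into a dict, or None if it is not a TCP record."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    # netfilter prints set TCP flags as bare words (SYN, FIN, ...) after the header fields.
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {
        "in": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "flags": flags,
    }


def is_syn_fin(rec):
    """SYN and FIN together never occur in a legitimate handshake; treat it as scanner traffic."""
    return {"SYN", "FIN"} <= rec["flags"]


def syn_fin_packets(lines, port=21):
    """Return (ingress_iface, src, dst) for every SYN+FIN packet aimed at the given port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port and is_syn_fin(rec):
            hits.append((rec["in"], rec["src"], rec["dst"]))
    return hits


def find_syn_fin_sweeps(lines, port=21, min_targets=3):
    """Group SYN+FIN hits by source; a source touching many destinations is a sweep."""
    targets = defaultdict(set)
    for _iface, src, dst in syn_fin_packets(lines, port):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def from_internal_interface(lines, lan_ifaces=("eth0",), port=21):
    """Hits that entered on a LAN-side interface deserve separate review (assumed iface names)."""
    return [h for h in syn_fin_packets(lines, port) if h[0] in lan_ifaces]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dsts in find_syn_fin_sweeps(lines).items():
        print(f"SYN/FIN sweep on port 21 from {src}: {len(dsts)} targets")
    for iface, src, dst in from_internal_interface(lines):
        print(f"LAN-side SYN/FIN to port 21: {src} -> {dst} via {iface}")
```

The sweep threshold (`min_targets`) is the knob that matters: a single SYN/FIN packet is worth logging, but the report above is about one source walking an ISP's whole range, which only becomes visible when hits are correlated by source across destinations.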


