Security Incidents mailing list archives

Re: DSL Modem or Router Cracked?


From: Ian Reynolds <ireynold () csc com>
Date: Thu, 13 Jun 2002 09:58:02 +0100


Aaron,

The packets to port 1900 (first sample) are SSDP
(http://www.kb.cert.org/vuls/id/411059 for a little info), probably from MSN
Messenger on the W2K machine.
Packets to 162 (second sample) are SNMP traps from your 192.168.1.1 host.
Packets to 53 are DNS queries and the packets to 123 are NTP (time)
queries/responses.

All these are 'probably' the services they state they are; further
inspection of the packet payload should confirm this for you.

Ian.
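As an added illustration of the triage Ian describes (example code written for this archive page, not part of either message): a small Python script that parses the Snort-style UDP entries Aaron posted, labels each by the service its port and destination imply, and flags anything that does not fit one of the four expected services. The 192.168.1.0/24 LAN and the 239.255.255.250 SSDP group come from the thread; the last log entry (udp/6667) is invented so the "unexpected" path is exercised, and the rule that Len equals DgmLen minus IpLen is inferred from the quoted samples (297 - 20 = 277).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: five of the Snort-format UDP entries Aaron posted, plus one
# invented entry (udp/6667) so that the "unexpected" branch is exercised.
SAMPLE_LOG = """\
06/12-00:45:01.774507 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:297
Len: 277
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-01:10:09.161243 192.168.1.2:20752 -> 205.152.37.254:53
UDP TTL:128 TOS:0x0 ID:32269 IpLen:20 DgmLen:61
Len: 41

06/12-01:10:09.178139 205.152.37.254:53 -> 192.168.1.2:20752
UDP TTL:251 TOS:0x0 ID:8301 IpLen:20 DgmLen:155 DF
Len: 135

06/12-01:10:09.182068 192.168.1.2:20753 -> 129.6.15.29:123
UDP TTL:128 TOS:0x0 ID:32270 IpLen:20 DgmLen:76
Len: 56

06/12-01:10:09.184166 192.168.1.1:1051 -> 192.168.1.255:162
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:144
Len: 124

06/12-01:15:00.000000 192.168.1.2:4444 -> 10.9.8.7:6667
UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:40
Len: 20
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^UDP TTL:(?P<ttl>\d+) .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
LEN_RE = re.compile(r"^Len: (?P<len>\d+)$")

LAN = ip_network("192.168.1.0/24")          # the subnet ZoneAlarm trusts, per the thread
SSDP_GROUP = ip_address("239.255.255.250")  # SSDP/UPnP discovery multicast group
UDP_HDR = 8
NTP_PKT = 48  # size of an NTP packet with no extension fields or MAC


def parse_log(text):
    """Turn the three-line Snort UDP entries into dicts; separator/blank lines are skipped."""
    pkts, lines, i = [], text.splitlines(), 0
    while i + 2 < len(lines):
        m = HEADER_RE.match(lines[i])
        m_ip = IP_RE.match(lines[i + 1]) if m else None
        m_len = LEN_RE.match(lines[i + 2]) if m_ip else None
        if not m_len:
            i += 1
            continue
        pkts.append({
            "ts": m.group("ts"),
            "src": ip_address(m.group("src")), "sport": int(m.group("sport")),
            "dst": ip_address(m.group("dst")), "dport": int(m.group("dport")),
            "ttl": int(m_ip.group("ttl")),
            "iplen": int(m_ip.group("iplen")), "dgmlen": int(m_ip.group("dgmlen")),
            "len": int(m_len.group("len")),
        })
        i += 3
    return pkts


def classify(p):
    """Name the service a packet most plausibly belongs to, or flag it as unexpected."""
    # In this log format Len is DgmLen - IpLen (inferred from the samples: 297 - 20 = 277),
    # i.e. the UDP length field including its 8-byte header; a mismatch means a bad entry.
    if p["dgmlen"] - p["iplen"] != p["len"]:
        return "malformed: DgmLen/IpLen/Len disagree"
    payload = p["len"] - UDP_HDR
    if p["dport"] == 1900 and p["dst"] == SSDP_GROUP:
        return "SSDP (UPnP discovery) to multicast group"
    if p["dport"] == 162:
        if p["dst"] == LAN.broadcast_address:
            return "SNMP trap to LAN broadcast"
        return "SNMP trap (unicast)"
    if p["dport"] == 53:
        return "DNS query"
    if p["sport"] == 53:
        return "DNS response"
    if 123 in (p["dport"], p["sport"]):
        # A plain NTP packet is exactly 48 bytes; any other size on udp/123 deserves a look.
        if payload == NTP_PKT:
            return "NTP " + ("request" if p["dport"] == 123 else "response")
        return f"port 123 but {payload}-byte payload: not a plain NTP packet"
    return f"unexpected: udp/{p['dport']} to {p['dst']}"


def triage(text):
    """(timestamp, source, verdict) for every parsed entry."""
    return [(p["ts"], str(p["src"]), classify(p)) for p in parse_log(text)]


def unexpected(text):
    """Only the entries that are not one of the four expected services."""
    return [v for v in triage(text) if not v[2].startswith(("SSDP", "SNMP", "DNS", "NTP"))]


if __name__ == "__main__":
    for ts, src, verdict in triage(SAMPLE_LOG):
        print(ts, src, verdict)
```

This looks only at headers; as Ian says, reading the payload (an SSDP NOTIFY is plain HTTP-style text, an SNMP trap is a BER-encoded PDU, an NTP packet has a fixed 48-byte layout) is what actually confirms the protocol rather than just the port.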


From: "Klepinger, Aaron" <Aaron.Klepinger@CompuCredit.com>
To: "'incidents () securityfocus com'" <incidents () securityfocus com>
cc:
Subject: DSL Modem or Router Cracked?
Date: 12/06/2002 21:03

I believe my router or DSL modem has been compromised.  I'm basically a
newbie when it comes to security and setting up a server, but I set one up
just to mess around with it.  I'm not real worried about someone getting
info off of my machine, but they are really slowing down my connection and
it's annoying!  Here's my setup:

Win2K Server running IIS5, Exchange 2000, ZoneAlarm 3.x (with several shady
ports open:  113 and 25), Netshield w/latest defs, DNS2Go dns forwarding
enabled (advertising...come crack me!!!  bad, I know)
Mac OS X 10.1.5 with Brickhouse firewall
Alcatel Speed Touch Home with 3.2.7 firmware
Linksys BEFSR41 with 1.42.7 firmware (port 113 and 25 forwarded to LAN)

                ->Win2K Server
Alcatel->Linksys
                ->MacOS X

Anyone have any idea what happened?  Let me know if I missed anything.  I
found that port 1900 was SSDP, but I'm not sure what that even does.  Also,
my Win2K box has all the latest patches for Win2K, IIS, IE,
Exchange, etc., long & difficult admin password, iislockdown run, etc.

ZoneAlarm trusts the network (192.168.1.X...bad idea, I know) and doesn't
prompt when a new app hits the network (also bad, I know).  That feature was
crashing my ZoneAlarm.

I tried restarting the router, but the traffic seemed to just continue.
I'll try some of the Alcatel updates later:
http://security.sdsc.edu/self-help/alcatel
http://www.cert.org/advisories/CA-2001-08.html

http://online.securityfocus.com/bid/3851
http://online.securityfocus.com/bid/2566
http://online.securityfocus.com/bid/2568

Does anyone have any idea what could be causing this?

Thanks in advance,
Aaron


06/12-00:45:01.774507 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:297
Len: 277
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-00:45:01.786698 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:8 IpLen:20 DgmLen:349
Len: 329
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-00:45:01.788292 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:9 IpLen:20 DgmLen:341
Len: 321
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-01:10:09.161243 192.168.1.2:20752 -> 205.152.37.254:53
UDP TTL:128 TOS:0x0 ID:32269 IpLen:20 DgmLen:61
Len: 41
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-01:10:09.178139 205.152.37.254:53 -> 192.168.1.2:20752
UDP TTL:251 TOS:0x0 ID:8301 IpLen:20 DgmLen:155 DF
Len: 135
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-01:10:09.182068 192.168.1.2:20753 -> 129.6.15.29:123
UDP TTL:128 TOS:0x0 ID:32270 IpLen:20 DgmLen:76
Len: 56
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-01:10:09.184166 192.168.1.1:1051 -> 192.168.1.255:162
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:144
Len: 124

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com