 lixoman1
join:2008-04-07
| User Authentication Failure.Unauthorized.Hundreds of Times!
I went into my verizon fios actiontec router and noticed in the system log tons of entries like this:
Apr 7 19:32:41 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 80 times, last time on Apr 7 20:09:50 2008]
Apr 7 18:33:39 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 126 times, last time on Apr 7 19:31:44 2008]
Apr 7 18:32:39 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 2 times, last time on Apr 7 18:32:43 2008]
It is just constant in my logs some saying over 300 times. The last time I checked the logs was probably 3 months ago and I never had any of this. Nor anytime before that.
Any Ideas? |
|
  birdfeedr Premium,MVM join:2001-08-11 Warwick, RI
·Verizon FIOS
| It looks like a GUI login failure to the router, not remote administration, for user "".
At 18:32:39 it went 2 or 3 times over a span of 7 seconds. At 18:33:39 it started for 58 minutes, repeated 126 times, not necessarily at regular intervals. Some other message did not intervene. At 19:32:41 it started for 37 minutes, repeated 80 times.
I would guess someone accessed the router login page, which defaults to a blank username and password, and hit enter a bunch of times. Or something fell on the keyboard. Or a wireless keyboard interface had some interference. Or something.
I did the first part and just hit enter a bunch of times and got what you reported. |
|
 lixoman1
join:2008-04-07
| Interesting...but why would it continue to keep doing this every day for over a week? My logs start on March 30 with this happening throughout the day, every day, and it is still happening.
We do have wireless enabled but restricted to only our laptops. I know that nobody in my house has tried to access the router every day. |
|
 lixoman1
join:2008-04-07 | reply to lixoman1 Oh plus, my logs only go back as far as March 30. So, it could have been doing this for more than just a week. |
|
  More Fiber Premium,MVM join:2005-09-26 West Chester, PA
·Bay Area Internet ..
| reply to lixoman1 said by lixoman1 :I went into my verizon fios actiontec router and noticed in the system log tons of entries like this: Apr 7 19:32:41 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 80 times, last time on Apr 7 20:09:50 2008]
Do you by chance have REMOTE ADMIN enabled?
1) Log in to the router.
2) Click ADVANCED icon
3) YES
4) Select Remote Administration
5) All check boxes under Telnet Server and Wireless Broadband Router should be clear. If any of them are checked, the admin interface to your router is visible to the outside world.
The last two under Diagnostic Tools are up to you. If you leave them checked, your router will be visible on the internet and the target of random probes. If you leave these off, your router will be more or less invisible. |
|
  birdfeedr Premium,MVM join:2001-08-11 Warwick, RI
·Verizon FIOS
| said by More Fiber :Do you by chance have REMOTE ADMIN enabled?
I think the error would be similar to "WBM Login Failure" if it was an attempt from outside. See this topic. |
|
  More Fiber Premium,MVM join:2005-09-26 West Chester, PA
·Bay Area Internet ..
| said by birdfeedr :I think the error would be similar to "WBM Login Failure" if it was an attempt from outside. See this topic.
I see your point about the WBM vs. GUI message. Although with multiple possible admin paths into the router, it's not clear they all produce the same message. An unsecured wireless connection is another possibility. These are certainly things that should be checked.
However since all the login attempts are with a blank username "", it seems much more likely an enter key or space bar got stuck. |
|
 lixoman1
join:2008-04-07
| reply to lixoman1 I looked into Remote Admin the other day and :
Allow Incoming ICMP Echo Requests (e.g. pings and ICMP traceroute queries) was checked but I did uncheck that.
I could understand if an enter key or space bar got stuck one time. But nobody is logging into the router every day, all day, for over a week.
That was only an excerpt from my log that I posted. I have over 30 pages spanning over 7 days of 24/7 of this with hundreds of entries like I posted. Very Strange. |
|
 lixoman1
join:2008-04-07 1 edit | reply to lixoman1 I mean no one in my house has tried to log into the router every day accidentally hitting the wrong key or space bar. |
|
  birdfeedr Premium,MVM join:2001-08-11 Warwick, RI | Reboot the router and see if the problem still occurs.
Also, hope you retain a good IP address.  |
|
 lixoman1
join:2008-04-07 | reply to lixoman1 Is Verizon Fios static or dynamic assigned IP address for the router?
Dynamic would be nice. So, I am not stuck with the same IP forever like Comcast was. |
|
  birdfeedr Premium,MVM join:2001-08-11 Warwick, RI
·Verizon FIOS
| Dynamic. Addresses are often in the 71., 72., or 96. address block. When you reboot, you may pick up a different address that has problems for a number of reasons.
Problem addresses seem to be in the 96.2something. block, but not always. I work with such an address that does not exhibit problems. |
|
 lixoman1
join:2008-04-07 | reply to lixoman1 Ok, I will try to reboot the router later tonight and see if that works. I will let you all know. |
|
  More Fiber Premium,MVM join:2005-09-26 West Chester, PA
·Bay Area Internet ..
| reply to lixoman1 said by lixoman1 :Is Verizon Fios static or dynamic assigned IP address for the router?
As Birdfeedr said, they are dynamic for residential. Static IP addresses are only available on business accounts as an extra cost option.
My IP address tends to be pretty sticky. I've gone several months at a time with the same IP address, even though the Actiontec renegotiates the DHCP lease every hour. |
|
 lixoman1
join:2008-04-07
| reply to lixoman1 well rebooted the router and no go..
Looking through the logs and the times. I have pinned it down to 1 PC that is causing all the trouble. Every time it logs on the problems start...shut it off and no problems.
I still don't know why. I will run more scans on that pc to see if infected or something.
|
|
 lixoman1
join:2008-04-07
| reply to lixoman1 Here is the system log from my router in the advanced section over and over again it says this:
Apr 9 19:39:13 2008 System Log Message daemon.info web-login: [69] User authentication failure (Unauthorized User "")
Apr 9 19:39:13 2008 Security Log User authentication failure Unauthorized User ""
Here it is in the basic log:
Apr 9 18:55:17 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 103 times, last time on Apr 9 19:42:13 2008]
...this is just one excerpt from my logs which are filled with these. |
|
  More Fiber Premium,MVM join:2005-09-26 West Chester, PA
·Bay Area Internet ..
| reply to lixoman1 said by lixoman1 :I have pinned it down to 1 PC that is causing all the trouble. Every time it logs on the problems start...shut it off and no problems.
Some thoughts:
1) Do the messages stop if you unplug the keyboard from that PC?
2) Do the messages stop if you unplug the WAN cable from the Actiontec? (unlikely since you now think it's coming from a local PC).
3) In an earlier post Birdfeedr referred to WBM authentication failures (as opposed to GUI). The Actiontec can also produce CLI authentication failure messages for the command line (telnet) interface. This got me to wondering about what would cause a GUI authentication failure as opposed to a WBM authentication failure. Since we know the WBM message comes from the login page on the built-in web server, the only place I can think of that a GUI authentication failure message might be coming from is VZ's remote management port (4567).
This port supports a protocol called TR-069 for remote management of end-user devices. »en.wikipedia.org/wiki/TR-069
In the latest version of the firmware, it is no longer possible to block this port. Port 4567 is infamous for the FILENAIL TROJAN »www.symantec.com/security_respon···-1754-99
Since this seems to be coming from one local PC, is not a stuck keyboard (per #1) and not from VZ (per #2), I would suggest scanning that PC specifically for the following: Hack A Tack, Girlfriend, Filenail, DeepThroat, Coma, Bugs, or Backdoor/SubSeven. |
|
 lixoman1
join:2008-04-07
| reply to lixoman1 Follow up: So, the pc (wireless) that is the culprit. This is my father's pc. He supposedly ran virus scans and did not find anything. But did find that when he disconnected Network Magic the problems stopped. I verified this in the logs.
He had both Network Magic and Linksys wireless installed. But now just uses the Linksys with no problems (so far). If anything changes, I'll post more but let's hope not. |
|
  More Fiber Premium,MVM join:2005-09-26 West Chester, PA | Glad you found it. |
|
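The collapsed "[repeated N times, last time on ...]" entries quoted in this thread carry enough timing to tell a stuck key from software retrying on a timer. The following is an added example, not code posted by any participant: it parses the basic-log lines from the posts and compares the mean gap between attempts across bursts. The function names, the 20-event threshold and the 10% tolerance are assumptions, as is reading "repeated N times" as N events.

```python
import re
from datetime import datetime

# Basic-log lines copied from the posts in this thread.
SAMPLE_LOG = '''\
Apr 7 19:32:41 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 80 times, last time on Apr 7 20:09:50 2008]
Apr 7 18:33:39 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 126 times, last time on Apr 7 19:31:44 2008]
Apr 7 18:32:39 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 2 times, last time on Apr 7 18:32:43 2008]
Apr 9 18:55:17 2008 Security Log Failed GUI Authentication Unauthorized User "" [repeated 103 times, last time on Apr 9 19:42:13 2008]
'''

TS = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
LINE_RE = re.compile(
    rf"^(?P<first>{TS}) (?P<msg>.*?)"
    rf"(?: \[repeated (?P<count>\d+) times, last time on (?P<last>{TS})\])?$"
)
TS_FMT = "%b %d %H:%M:%S %Y"


def parse_bursts(log_text):
    """Return one dict per failed-authentication entry, oldest first."""
    bursts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "authentication" not in m["msg"].lower():
            continue
        first = datetime.strptime(m["first"], TS_FMT)
        last = datetime.strptime(m["last"], TS_FMT) if m["last"] else first
        count = int(m["count"] or 1)  # an uncollapsed line is a single event
        span = int((last - first).total_seconds())
        # Assumption: "repeated N times" means N events, i.e. N-1 gaps.
        mean_gap = round(span / (count - 1), 1) if count > 1 else None
        bursts.append({"first": first, "count": count,
                       "span_s": span, "mean_gap_s": mean_gap})
    return sorted(bursts, key=lambda b: b["first"])


def steady_cadence(bursts, min_count=20, tolerance=0.10):
    """True if at least two long bursts share nearly the same mean gap."""
    gaps = [b["mean_gap_s"] for b in bursts if b["count"] >= min_count]
    if len(gaps) < 2 or min(gaps) <= 0:
        return False
    return (max(gaps) - min(gaps)) / min(gaps) <= tolerance


if __name__ == "__main__":
    for b in parse_bursts(SAMPLE_LOG):
        print(b["first"], b["count"], b["span_s"], b["mean_gap_s"])
    print("steady cadence:", steady_cadence(parse_bursts(SAMPLE_LOG)))
```

On the lines posted here, the three long bursts each average about 28 seconds between attempts, on two different days. That is consistent with a program on the LAN retrying on a timer, which fits the finding that the messages stopped once Network Magic was disconnected.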