<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>[trouble] has my verizon supplied modem/router been hacked? in Verizon Online DSL</title>
<link>http://www.dslreports.com/forum/r20321518</link>
<description></description>
<language>en</language>
<pubDate>Fri, 04 Dec 2009 08:22:23 EDT</pubDate>
<lastBuildDate>Fri, 04 Dec 2009 08:22:23 EDT</lastBuildDate>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20350462</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : No, it's not any newer. Believe it or not, mine seemed to have somewhat older firmware on it, or I think it may have been a refurbished unit, as it doesn't have a Verizon logo on the frontend page that comes up when you first log into the device, just the Actiontec logo on the left side, but it had apparently all the flashy Verizon supplied icons and such, as it resembles nothing like the screens shown in the Actiontec manual for it at their site.  The thing seemed to fix the weirdness when it was flashed to the upgrade, but now it's got the wireless settings screwed up and seemingly reversed in the MAC address authentication.  In other words, if I want only certain MAC addresses allowed I now have to make sure the disallow button is ticked, and to block all devices I have to have the Allow devices ticked.  So I don't know exactly what's up with that, but very annoying.  I don't even know if the device's security can even be trusted at this point.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20350462</guid>
<pubDate>Thu, 17 Apr 2008 20:54:42 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20346394</link>
<description><![CDATA[<A HREF="/useremail/u/1353525"><b>myvoip07</b></A> : What firmware version are you running on your GT704-WG now? Is it newer than 3.20.3.3.5.0.9.1.5?<br>If yes, do you mind providing a link to it? Thanks]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20346394</guid>
<pubDate>Wed, 16 Apr 2008 21:50:23 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20337433</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : Thanks for all the info.  I did as suggested by the Verizon tech on the other direct forum and updated the firmware, and so far all that weird stuff seems to have stopped.  One thing this modem has always done that I don't quite understand is that it has constantly, from the time I got it, logged DNS failures.  They must be false, because if it truly was not making DNS connections then wouldn't it in effect be disabled from using the internet at all?  Anyhow, I never mentioned this because I do not seem to have any kind of connectivity problems despite the router logging DNS failures on numerous occasions.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20337433</guid>
<pubDate>Tue, 15 Apr 2008 12:09:52 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20336748</link>
<description><![CDATA[<A HREF="/useremail/u/1000329"><b>YqE41k24</b></A> : busybox.net  &raquo;<A HREF="http://www.busybox.net/about.html" >www.busybox.net/about.html</A>  explains what busybox is.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20336748</guid>
<pubDate>Tue, 15 Apr 2008 10:13:14 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20331405</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : Ok, I understand that you can't remove or disable the embedded Linux Busybox, but when doing some research I've come across some interesting details. Verizon's firmware leaves out a setting to in effect turn off the router part of the box, whereas people have been reflashing the bios to get the original Actiontec OEM supplied firmware.  I just do not understand why Verizon does not allow or supply such an option in their firmware.  I would try this if I knew it wouldn't harm or change the settings that it needs for connection to Verizon DSL.  Also, this version of the busybox on this device seems rather old as it lists itself as v0.61pre; I believe that it is now up to like a version 2 or something like that now. <br><br>Someone posted in a different post about flashing their GT704 with a more advanced Verizon firmware.  Where can one find Verizon supplied firmware updates?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20331405</guid>
<pubDate>Mon, 14 Apr 2008 11:39:06 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20330435</link>
<description><![CDATA[<A HREF="/useremail/u/1322889"><b>dslfan</b></A> : <b><u>freemypc wrote: </u></b><br><b> Is there a way to disable the built in Linux without it disabling the modem's modeming capabilities? </b> This modem has behaved poorly from way back when I first got Verizon's service. One more new thing is when I first login to the router it isn't showing my main PC or any other for that matter on the home status page where it says my network. And it is often reporting the wrong PC that is actually connecting to the net quite often such as my father will be on his PC located in the dining room and it will report the one in the room where the router itself is located as the online active PC.<br><br>==================================================<br><br>You can't turn the Linux off, think of it as controlling a Micro controller. The Linux "operating system" (embedded this time so it can fit on a limited space in that type of device. Most of these routers only have 2 mb flash and 1 mb other), on the device controls the physical device. What to turn on or off... or... <b> Hope someone can explain better than I did. </b> Basically the device is "dumb" nothing without the operating system controlling the chip and circuits. As in analogy to a computer. However they could have used another OS if they wanted to. A home grown one or from another Company. Linux is free I guess, I would assume it uses iptables to run (firewall) it as well. I'm not sure what busybox is but it seems some bootloader into the embedded OS. If you turn off Linux it would be like turning Windows off. You would not have anything to run the computer.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20330435</guid>
<pubDate>Mon, 14 Apr 2008 06:13:13 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20327882</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : I do not have UPnP enabled; it says it's off in the modem settings, although I did have this once before in the past to see if it was the root of my xbox disconnects. It wasn't, since it was when Microsoft was having all those xbox live server issues back right after Christmas.  The only thing different now is I now finally got one of those hard to get Nintendo Wii's and have that setup for net access.  Could it possibly be what has started all of this? Even though I did remove it and reset the modem and then it started all over again with this strangeness.  Is it normal for the router to be accessing and/or storing cookie files, and/or doing something with passwords?  Is there a way to disable the built in Linux without it disabling the modem's modeming capabilities?  This modem has behaved poorly from way back when I first got Verizon's service.  One more new thing is when I first login to the router it isn't showing my main PC or any other for that matter on the home status page where it says my network. And it is often reporting the wrong PC that is actually connecting to the net quite often such as my father will be on his PC located in the dining room and it will report the one in the room where the router itself is located as the online active PC.<br>Anyhow, thanks for your help. I have also posted to the other forum where official Verizon employees assist and hopefully will hear something from them very soon.<br>One last thing is I do not believe my PC is infected with a virus, as I did a complete wipe and reformat due to some issues with buggy hardware drivers that I could not seem to get uninstalled and replaced with the originals.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20327882</guid>
<pubDate>Sun, 13 Apr 2008 16:09:42 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20327556</link>
<description><![CDATA[<A HREF="/useremail/u/299537"><b>sashwa</b></A> : freemypc, you might want to jump over to our <b>&raquo;<A HREF="/forum/cleanup">Security Cleanup</A></b> Forum if you think your modem/computer has been compromised.<br><br>When you post there, you will need to follow all these steps first:<br><br><b>&raquo;<A HREF="/faq/seclean">Security Cleanup FAQ</A> &raquo;<A HREF="/faq/13616">Mandatory Steps Before  Requesting Assistance</A></b><br><small>--<br><A HREF="/forum/helix">TH</a>  ~  <A HREF="/forum/boston">NE</a>  ~  <A HREF="/forum/seattle">EPN</a>  ~  <A HREF="/forum/sanfran">NC</a>  ~  <A HREF="/forum/disco">TD</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20327556</guid>
<pubDate>Sun, 13 Apr 2008 14:43:25 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20327410</link>
<description><![CDATA[<A HREF="/useremail/u/1000329"><b>YqE41k24</b></A> : Did you turn on Universal Plug and Play (UPnP) recently on the router or a computer? The SOAP message refers to "InternetGatewayDev" which is part of UPnP.<br><br><div class="bquote"><small>said by  freemypc <A HREF="/useremail/u/1544523"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>(GMT-06:00)12:28:19 Sat Apr 12 2008 stunnel[446]: SSL_read (ERROR_SYSCALL): Connection reset by peer (131)<br>(GMT-06:00)12:28:56 Sat Apr 12 2008 thttpd[51]: Error with DigestResponse auth file = /var/.sys/.htpasswd-digest_tr69<br>(GMT-06:00)12:29:05 Sat Apr 12 2008 syslog: tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 17:28:54 GMT^M Content-Length: 455^M Content-Type: text/xml; charset=UTF-8^M Set-Cookie: JSESSIONID=LQxWsl1hyfzJP4C21L5pNDJqL7flvmPJyqG5971QW17Xrvv<br>tp://www.w3.org/2001/XMLSchema-instance > oapenv:Header/> oapenv:Body> wmp:InformResponse> axEnvelopes>1MaxEnvelopes> cwmp:InformResponse> soapenv:Body> soapenv:Envelope><br>(GMT-06:00)12:29:16 Sat Apr 12 2008 syslog: [truncated] tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 17:29:06 GMT^M Content-Length: 900^M Content-Type: text/xml; charset=UTF-8^M ^M oapenv:Envelope xmlns:soap= &raquo;schemas.xmlsoap.org/<br>ustUnderstand= 1 >68251444cwmp:ID> soapenv:Header> oapenv:Body> wmp:SetParameterValues> arameterList soap:arrayType= cwmp:ParameterValueStruct[1] > arameterValueStruct> ame>InternetGatewayDev<br>></div>Messages such as this<br><div class="bquote"><small>said by  freemypc <A HREF="/useremail/u/1544523"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>"GMT-06:00)16:02:11 Sun Oct 29 2006 syslog: All DNS servers tried, no response.<br>(GMT-06:00)16:02:11 Sun Oct 29 2006 syslog: failed dns request len=56,srcip=192.168.1.1, url=isatap.VZN<br>(GMT-06:00)16:02:12 Sun Oct 29 2006 
stunnel[423]: VERIFY ERROR: depth=0, error=certificate is not yet valid: /C=US/ST=Texas/L=Irving/O=Verizon Data Services Inc./OU=sslr/CN=cpe-ems1.verizon.com<br></div>could be due to your router not having connected to Verizon yet.  The timestamp for these messages refers to 2006.  Your router then acquires a connection and determines the correct time.<br><br>This is a normal message<br><div class="bquote"><small>said by  freemypc <A HREF="/useremail/u/1544523"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>"(GMT-06:00)12:28:19 Sat Apr 12 2008 stunnel[446]: SSL_read (ERROR_SYSCALL): Connection reset by peer (131)"<br></div>It happens all the time and isn't indicative of an error.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20327410</guid>
<pubDate>Sun, 13 Apr 2008 14:04:33 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20327270</link>
<description><![CDATA[<A HREF="/useremail/u/1293405"><b>Jodokast96</b></A> : Honestly, I'd take this over to the Security forum.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20327270</guid>
<pubDate>Sun, 13 Apr 2008 13:30:49 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20323320</link>
<description><![CDATA[<A HREF="/useremail/u/299537"><b>sashwa</b></A> : You might try here:<br><br>&raquo;<A HREF="/forum/vzdirect">/forum/vzdirect</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20323320</guid>
<pubDate>Sat, 12 Apr 2008 14:53:07 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20323115</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : Re: [trouble] has my verizon supplied modem/router been hacked?<br><br>Do you mean I need to send it back to Verizon and let them look at it? Will they send me a replacement before or after I send mine back? Again this has got me very concerned and worried as it's never done this before. I do notice however that whenever I do a fresh reboot of the modem/router it first contacts Verizon such as<br><br>"GMT)16:01:15 Sun Oct 29 2006 syslogd started: BusyBox v0.61.pre<br>(GMT)16:01:15 Sun Oct 29 2006 init: Waiting for enter to start `/bin/sh` (pid 86, terminal /dev/tts/0)<br>(GMT-06:00)16:01:16 Sun Oct 29 2006 logic: stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf &raquo;&raquo;<small>https</small>://<A HREF="https://cpe-ems1.verizon.com/cwmpWeb/CPEMgt">cpe-ems1.verizon.com/cwmpWeb/CPEMgt</A> 1 8080<br>(GMT-06:00)16:01:18 Sun Oct 29 2006 logic: dhcps starting<br>(GMT-06:00)16:01:24 Sun Oct 29 2006 udhcpd: udhcp server (v0.9.7) started<br>(GMT-06:00)16:01:24 Sun Oct 29 2006 udhcpd: ADD" It then goes through the process of adding my PCs and devices, with one odd thing: one of my PCs that I have taken offline is still being added to this router. 
I dunno if that's normal behavior or not, but I wouldn't think that, after I did a hard reset and that PC has not been connected or powered on, it should still be detectable.<br><br>Also here is more of the strangeness of the syslog activity,<br><br>"GMT-06:00)16:02:11 Sun Oct 29 2006 syslog: All DNS servers tried, no response.<br>(GMT-06:00)16:02:11 Sun Oct 29 2006 syslog: failed dns request len=56,srcip=192.168.1.1, url=isatap.VZN<br>(GMT-06:00)16:02:12 Sun Oct 29 2006 stunnel[423]: VERIFY ERROR: depth=0, error=certificate is not yet valid: /C=US/ST=Texas/L=Irving/O=Verizon Data Services Inc./OU=sslr/CN=cpe-ems1.verizon.com<br>(GMT-06:00)16:02:12 Sun Oct 29 2006 stunnel[423]: SSL_connect: 14090086: error:14090086:lib(20):func(144):reason(134)<br>(GMT-06:00)12:28:19 Sat Apr 12 2008 stunnel[446]: SSL_read (ERROR_SYSCALL): Connection reset by peer (131)<br>(GMT-06:00)12:28:56 Sat Apr 12 2008 thttpd[51]: Error with DigestResponse auth file = /var/.sys/.htpasswd-digest_tr69<br>(GMT-06:00)12:29:05 Sat Apr 12 2008 syslog: tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 17:28:54 GMT^M Content-Length: 455^M Content-Type: text/xml; charset=UTF-8^M Set-Cookie: JSESSIONID=LQxWsl1hyfzJP4C21L5pNDJqL7flvmPJyqG5971QW17Xrvv<br>tp://www.w3.org/2001/XMLSchema-instance > oapenv:Header/> oapenv:Body> wmp:InformResponse> axEnvelopes>1MaxEnvelopes> cwmp:InformResponse> soapenv:Body> soapenv:Envelope><br>(GMT-06:00)12:29:16 Sat Apr 12 2008 syslog: [truncated] tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 17:29:06 GMT^M Content-Length: 900^M Content-Type: text/xml; charset=UTF-8^M ^M oapenv:Envelope xmlns:soap= &raquo;schemas.xmlsoap.org/<br>ustUnderstand= 1 >68251444cwmp:ID> soapenv:Header> oapenv:Body> wmp:SetParameterValues> arameterList soap:arrayType= cwmp:ParameterValueStruct[1] > arameterValueStruct> ame>InternetGatewayDev<br>><br>(GMT-06:00)12:29:16 Sat Apr 12 2008 syslog: cli_settings.sh lan0 hostname:settings/ACS_PeriodicInformInterval 604800 > 
t<br>(GMT-06:00)12:29:17 Sat Apr 12 2008 cli: Second instance already running<br>(GMT-06:00)12:29:17 Sat Apr 12 2008 cli: Second instance already running<br>(GMT-06:00)12:29:18 Sat Apr 12 2008 cli: Second instance already running<br>(GMT-06:00)12:29:33 Sat Apr 12 2008 pc: act_hnm not exist, restart it"<br><br>Again, I am not familiar with how these things work of Linux, but I believe SSL is that thing in your web browser that is supposed to make secured closed sessions, am I correct on this?<br><br>And that one error seems to happen at frequent intervals, the one listed as this,<br>"(GMT-06:00)12:28:19 Sat Apr 12 2008 stunnel[446]: SSL_read (ERROR_SYSCALL): Connection reset by peer (131)"<br><br>Where can you contact official Verizon employees for help in these forums?<br><br>Thanks again for your help and support.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20323115</guid>
<pubDate>Sat, 12 Apr 2008 14:00:45 EDT</pubDate>
</item>

<item>
<title>Re: [trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20322440</link>
<description><![CDATA[<A HREF="/useremail/u/1322889"><b>dslfan</b></A> : Maybe it has. "group `123`" is a group under Linux. It seems this router is running an embedded Linux OS and it has been breached. Additionally it seems it wants to restart a service(s) normally in: /etc/init.d. Someone is trying to access a property but the router did not understand it. Hence, bad request, maybe looking to exploit the OS. It seems they are trying to activate (bash) scripts that end with .sh. If a bug did not set this off or you somehow through a bug. Seems the router needs to be taken offline in my view for inspection.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20322440</guid>
<pubDate>Sat, 12 Apr 2008 11:04:38 EDT</pubDate>
</item>

<item>
<title>[trouble] has my verizon supplied modem/router been hacked?</title>
<link>http://www.dslreports.com/forum/remark,20321518</link>
<description><![CDATA[<A HREF="/useremail/u/1544523"><b>freemypc</b></A> : hello, recently I've noticed some odd behavior in the systems log of my modem gateway model Actiontec GT704-WG. I am starting to get very concerned that this modem's backdoor has been breached as it keeps periodically listing things such as this,<br><br>"(GMT-06:00)00:33:12 Sat Apr 12 2008 syslog: cli_settings.sh lan0 hostname:settings/ACS_ConnectionRequestPassword 5a99939e227281c7b9e54daf7db7faad > t <br>(GMT-06:00)00:33:13 Sat Apr 12 2008 syslog: cli_settings.sh lan0 hostname:settings/ACS_PeriodicInformInterval 600 > t <br>(GMT-06:00)00:33:15 Sat Apr 12 2008 logic: another group `123` is already open, close it first <br>(GMT-06:00)00:33:41 Sat Apr 12 2008 syslog: tr-69-client end with: HTTP/1.1 400 Bad Request^M Date: Sat, 12 Apr 2008 05:33:32 GMT^M Content-Length: 138^M Content-Type: text/html^M Set-Cookie: JSESSIONID=LQJMQyggMp17VD16lJ9pvMz2spKlZsLQQ1BpRhTKqnd8nGvWJ4t1 <br>(GMT-06:00)00:34:02 Sat Apr 12 2008 pc: act_hnm not exist, restart it <br>(GMT-06:00)00:42:27 Sat Apr 12 2008 syslog: tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 05:42:18 GMT^M Content-Length: 455^M Content-Type: text/xml; charset=UTF-8^M Set-Cookie: JSESSIONID=LQLhDtC87bx1nGjH1xsmXHNt9BN238qdQvhvKnsT9tH8pb7 <br>ttp://www.w3.org/2001/XMLSchema-instance >     oapenv:Header/>     oapenv:Body>         wmp:InformResponse>             axEnvelopes>1MaxEnvelopes>         cwmp:InformResponse>     soapenv:Body> soapenv:Envelope>  <br>(GMT-06:00)00:42:38 Sat Apr 12 2008 syslog: [truncated] tr-69-client end with: HTTP/1.1 200 OK^M Date: Sat, 12 Apr 2008 05:42:28 GMT^M Content-Length: 1645^M Content-Type: text/xml; charset=UTF-8^M ^M oapenv:Envelope xmlns:soap= &raquo;<A HREF="http://schemas.xmlsoap.org" >schemas.xmlsoap.org</A> <br>mustUnderstand= 1 >nullcwmp:ID>     soapenv:Header>     oapenv:Body>         wmp:SetParameterValues>             arameterList soap:arrayType= cwmp:ParameterValueStruct[4] >          
       arameterValueStruct>                     ame>InternetGatewayDevice <br>serna <br>(GMT-06:00)00:42:38 Sat Apr 12 2008 syslog: cli_settings.sh lan0 hostname:settings/ACS_PeriodicInformEnable 1 > t <br>(GMT-06:00)00:42:38 Sat Apr 12 2008 syslog: cli_settings.sh lan0"<br><br>As I am not familiar with Linux, which I believe the modem runs on, I can only make out that it seems to be sending and receiving, storing cookie files and also seems to be making requests for passwords, and that the tsr69 client thing seems to now be enabled, which it never has been before, and I've had Verizon for a little over a year now.  Again, I have always periodically checked the systems log and this has never happened before. I had to spend a few days in the hospital and when I got home and felt well enough to get on-line is when I noticed this odd behavior. Can anyone here shed some light as to what is going on? Has my modem/router been hacked and compromised?  Should I call Verizon and ask for a new modem replacement?<br><br>Thanks in advance for any help that you can provide.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321518</guid>
<pubDate>Sat, 12 Apr 2008 02:20:18 EDT</pubDate>
</item>

</channel>
</rss>
