
I noticed some weird traffic in my router's admin panel logs:

2021-03-25 06:27:19 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Fail,Type:Login,Username:-
2021-03-25 06:27:22 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Fail,Type:Login,Username:-
2021-03-25 06:27:26 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Success,Type:Login,Username:root
2021-03-25 06:27:50 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Success,Type:Logout,Username:root
2021-03-28 11:43:15 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:19 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:27 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:27 [Error][Alarm-Log] AlarmID:104032,AlarmLevel:Error,Administrator exceeded maximum number of attempted logins.Terminal:WEB
2021-03-28 11:44:27 [Error][Alarm-Log] AlarmID:104519,AlarmLevel:Error,[WEB]unlocked!
2021-04-18 04:54:06 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:08 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:11 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:11 [Error][Alarm-Log] AlarmID:104032,AlarmLevel:Error,Administrator exceeded maximum number of attempted logins.Terminal:WEB
2021-04-18 04:55:11 [Error][Alarm-Log] AlarmID:104519,AlarmLevel:Error,[WEB]unlocked!

The address of my router is 192.168.100.1 and it leases addresses only for 192.168.100.0/24, yet some unknown class A private IPs that were never connected to my network tried to access the panel in the early hours. The event logging is quite verbose, so each operation of making changes to the configuration (including deleting entries) is explicitly mentioned; however, in this case there were only login attempts, one of which was successful.

Is it possible that these were my ISP's attempts or am I a target of the attack?

concerned
  • 11
  • 2
  • 1
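The log excerpt above already contains the two signals worth alerting on: successful logins from a source address outside the LAN, and bursts of failed logins from one address (the pattern that trips the router's own AlarmID 104032 lockout). The following script is an added example, not part of the original question or any router vendor's tooling; it parses the Config-Log lines quoted above (plus one constructed LAN login at 192.168.100.23 to show the negative case), skips the Alarm-Log lines, and reports which sources should worry the administrator. The LAN prefix 192.168.100.0/24 is taken from the question; the thresholds (3 failures within 60 seconds) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# LAN prefix stated in the question; anything outside it reached the panel from the WAN side.
LAN = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample: the Config-Log/Alarm-Log lines from the question, plus one made-up
# successful login from a LAN address so the "inside vs outside" distinction is visible.
SAMPLE_LOG = """\
2021-03-25 06:27:19 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Fail,Type:Login,Username:-
2021-03-25 06:27:22 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Fail,Type:Login,Username:-
2021-03-25 06:27:26 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Success,Type:Login,Username:root
2021-03-25 06:27:50 [Critical][Config-Log] Terminal:WEB(10.181.189.71),Result:Success,Type:Logout,Username:root
2021-03-28 11:43:15 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:19 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:27 [Critical][Config-Log] Terminal:WEB(10.181.189.62),Result:Fail,Type:Login,Username:-
2021-03-28 11:43:27 [Error][Alarm-Log] AlarmID:104032,AlarmLevel:Error,Administrator exceeded maximum number of attempted logins.Terminal:WEB
2021-04-18 04:54:06 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:08 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:11 [Critical][Config-Log] Terminal:WEB(10.181.189.61),Result:Fail,Type:Login,Username:-
2021-04-18 04:54:11 [Error][Alarm-Log] AlarmID:104032,AlarmLevel:Error,Administrator exceeded maximum number of attempted logins.Terminal:WEB
2021-04-18 20:10:00 [Critical][Config-Log] Terminal:WEB(192.168.100.23),Result:Success,Type:Login,Username:root
"""

# Matches only Config-Log lines; Alarm-Log lines carry no Terminal(ip) field and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]\[Config-Log\] "
    r"Terminal:(?P<terminal>\w+)\((?P<ip>[\d.]+)\),Result:(?P<result>\w+),"
    r"Type:(?P<type>\w+),Username:(?P<user>\S*)$"
)


def parse_config_log(text):
    """Return a list of event dicts with parsed timestamp and IP, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["ip"] = ipaddress.ip_address(e["ip"])
        events.append(e)
    return events


def foreign_successful_logins(events, lan=LAN):
    """Successful logins whose source address is not inside the LAN prefix."""
    return [e for e in events
            if e["type"] == "Login" and e["result"] == "Success" and e["ip"] not in lan]


def failed_login_bursts(events, threshold=3, window_s=60):
    """Map source IP -> total failures, for IPs with >= threshold failures in any window_s span."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "Login" and e["result"] == "Fail":
            fails[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[ip] = len(stamps)
                break
    return bursts


def success_after_failures(events):
    """(ip, preceding_failures, ts) for each success that follows failures from the same IP.

    This is the guessing-that-eventually-worked pattern seen for 10.181.189.71.
    Events are assumed to be in chronological order, as they are in the router log.
    """
    pending = defaultdict(int)
    hits = []
    for e in events:
        if e["type"] != "Login":
            continue
        if e["result"] == "Fail":
            pending[e["ip"]] += 1
        elif e["result"] == "Success" and pending[e["ip"]] > 0:
            hits.append((e["ip"], pending[e["ip"]], e["ts"]))
            pending[e["ip"]] = 0
    return hits


if __name__ == "__main__":
    evts = parse_config_log(SAMPLE_LOG)
    for e in foreign_successful_logins(evts):
        print(f"WAN-side admin login: {e['ip']} as {e['user']} at {e['ts']}")
    for ip, n in failed_login_bursts(evts).items():
        print(f"failed-login burst: {ip} ({n} failures)")
    for ip, n, ts in success_after_failures(evts):
        print(f"success after {n} failures: {ip} at {ts}")
```

Run as a script it prints one WAN-side login (10.181.189.71), two bursts (10.181.189.62 and .61) and one success-after-failures hit; the constructed LAN login produces nothing. The same functions can be pointed at a full export of the router's log, and the "not in LAN" check is the quickest way to answer the question of whether the panel is reachable from the WAN at all.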
    The best I would guess is that while the `10/24` network is meant for *"private"* use, you will still see a lot of ISPs using them for their internal routing structure, where your next hop can be an RFC1918 address, and the hop after that, and after that; until you finally are on the real publicly routable internet. Your LAN is the `192.168.100.x` subnet, which means any traffic outside that subnet should go to your *default gateway*. So it will dutifully send responses out the WAN port to `10.181.189.x`, and the real device that's listening out there - inside your ISP's infrastructure. – Ian Boyd Apr 25 '21 at 00:57
  • It's a bit worrying that 10.181.189.71 succeeded in logging in. Can you confirm at which interface those requests are made - WAN or LAN? Can you get their MAC addresses - perhaps something in your network has a 10.... address? Is any other logging/tracing possible with this router, e.g. `tcpdump`? Can you configure the router to block logins from external addresses? – berndbausch Apr 25 '21 at 02:59
  • Adding low priority [blackhole routes](https://en.wikipedia.org/wiki/Black_hole_(networking)#Black_hole_filtering) for rfc 1918 (and 5737) addresses could be an idea to avoid this: as long as you're not using them, they will be discarded. If you add more specific routes using them, they'll supersede these default settings. – A.B Apr 25 '21 at 07:57
  • @IanBoyd This is what I suspected too, I tried to traceroute my way out to WAN hoping to get lucky enough to see some of these `10.181.189.X` addresses along the way, none of them showed up unfortunately. – concerned Apr 25 '21 at 10:41
  • @berndbausch Up until this point I thought that this interface is accessible exclusively in LAN (as this is a regular home network modem/router combo provided by the ISP) but somehow the addresses that never belonged to my network made it through. I'll try to do some diagnostics with tcpdump but these events took place a few weeks ago and I haven't noticed anything like it ever since so I don't know if I'll "catch" anything. As for now I changed the root password in the router but surprisingly I can't manage the device ACL - the tab with that option is completely blank. – concerned Apr 25 '21 at 11:00
  • @concerned do you have a QNAP device? – piotros May 19 '21 at 17:07

2 Answers

1

You need to do some hardening on your router. There are lots of bots that just crawl the web looking for open servers / services.

  • Block inbound connections that are not absolutely necessary.
  • Add blackhole routes for the RFC 1918 address blocks, as suggested in the comments.
  • Change your admin credentials to something complex.

Is it possible that these were my ISP's attempts or am I a target of the attack?

The two are not mutually exclusive. The source could be a bot installed on a computer somewhere in the ISP's network.

Good luck.

tomjedrz
  • 5,974
  • 1
  • 16
  • 26
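The blackhole-route suggestion in the answer and in A.B's comment relies on longest-prefix matching: a blackhole for all of 10.0.0.0/8 (and the other RFC 1918 and RFC 5737 blocks) swallows the router's replies to 10.181.189.x, while the more specific 192.168.100.0/24 LAN route keeps local clients working. Since the replies to the attacker's TCP SYN never leave the router, the handshake never completes and no login can follow. The simulation below is an added example (not the answer author's code and not a real router's routing code); it models a routing table with longest-prefix lookup and the table a home router would end up with after `ip route add blackhole 10.0.0.0/8` and friends. The interface names `br-lan` and `wan` are assumptions.

```python
import ipaddress

# Prefixes named in the answer and comments: RFC 1918 private space and RFC 5737
# documentation space. None of them should ever be a legitimate WAN-side source.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
RFC5737 = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


class RoutingTable:
    """Minimal FIB: each entry is (network, next_hop); lookup picks the longest matching prefix."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None  # None: no route, kernel would report "unreachable"

    def as_ip_commands(self):
        """Render the table as the Linux `ip route add` lines that would create it (assumed names)."""
        lines = []
        for net, hop in self.routes:
            if hop == "blackhole":
                lines.append(f"ip route add blackhole {net}")
            else:
                lines.append(f"ip route add {net} dev {hop}")
        return lines


def build_home_router_table(lan_prefix="192.168.100.0/24", lan_if="br-lan", wan_if="wan"):
    """Default route to the WAN, blackholes for bogon space, and a more specific LAN route."""
    t = RoutingTable()
    t.add("0.0.0.0/0", wan_if)
    for p in RFC1918 + RFC5737:
        t.add(p, "blackhole")
    # /24 is longer than /16, so this entry beats the 192.168.0.0/16 blackhole for LAN hosts.
    t.add(lan_prefix, lan_if)
    return t


def classify_sources(table, sources):
    """Map each source IP to where the router would send its reply."""
    return {ip: table.lookup(ip) for ip in sources}


if __name__ == "__main__":
    table = build_home_router_table()
    print("\n".join(table.as_ip_commands()))
    # Constructed sample sources: the three WAN-side addresses from the question's log,
    # a LAN client, a public address, and a neighbouring private subnet.
    for ip, hop in classify_sources(
        table,
        ["10.181.189.71", "10.181.189.62", "10.181.189.61",
         "192.168.100.23", "8.8.8.8", "192.168.1.1"],
    ).items():
        print(f"{ip:16} -> {hop}")
```

On a real Huawei ONT the command line is usually not exposed, which is why the answer's other two points (blocking inbound connections and strong credentials) matter more in practice; but on any Linux-based router you control, the rendered `ip route add blackhole ...` lines are exactly what implements the idea, and the lookup above shows why the LAN keeps working: the /24 LAN route is more specific than the /16 blackhole.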
0

I also have a Huawei GPON and the logs show the same entries, but from any kind of address, not just 10.... So yes, unfortunately, the administrative page is accessible from the WAN side. My guess is you will eventually see attempts from IPs all over the world; most likely this 10. address is IP spoofing. I activated the firewall, which produces issues, but I am planning to replace it with a neutral router. On the other hand, you could ask the ISP to close the administrative interface on the WAN port.