
Help! Home network used to attack someone else


7 replies to this topic

#1 WheresMyOS (Members, 111 posts)

Posted 03 March 2015 - 02:32 AM

My ISP informed me today that a device on our home network had been configured and used in an attack. It suggested our router as the most likely culprit. The router is a password-protected Linksys EA6500. I turned off UPnP and changed the wifi password, and ran a vulnerability test from a link sent by the ISP. The first test showed no vulnerabilities, but when I ran the test again a couple of minutes later, the test found an SSDP vulnerability again. I couldn't change the router password because the "old password" didn't match my records. I'm not sure how to figure out what the cited IP address belongs to. Everything attached to the network looked normal, except that I have one Chromecast stick and the router said two were active (and listed another 3 as inactive). I couldn't find any way to block or redirect specific ports in this router. Any suggestions on how to isolate and fix the offending device?

Here's the message, in part:

> A public-facing device on your network, running on IP address [ 75.101....] operates an open SSDP service on port 1900 and participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed M-SEARCH requests that claimed to be from the attack target.
>
> Please consider reconfiguring this SSDP-speaking server in one or more of these ways:
>
> 1. Adding a firewall rule to block outside access to this host, or the network overall, on port 1900.
> 2. Disabling UPnP entirely (SSDP is a component of the overall UPnP subsystem and can't usually be disabled separately).
> 3. Reconfiguring the device to not respond to outside M-SEARCH requests, or to rate-limit its responses (the process to follow for this would differ from device to device and may not be possible for many devices).


#2 CaveDweller2 (Members, 2,629 posts)

Posted 03 March 2015 - 03:07 AM

Check the Linksys web page for upgraded firmware and download it if there is one. I'd also get something like Malwarebytes or Ad-Aware on all the machines and get them updated. And get them off your LAN.

 

Then I'd unplug the router from your modem or whatever lets you connect to your ISP and reset it (normally by the power plug or on the bottom there is a recessed button a ballpoint pen can reach; push it and hold it for a count of 10 and release). This will set it back to factory defaults, so it will have the default password and IP to get into the GUI. I'd upgrade the firmware if there was one. Then set it up the way you had it before. But don't plug it back into the ISP equipment.

 

I'd boot all the PCs into safe mode and run the malware scanner you chose. If it finds anything get it cleaned or don't let that PC connect to the network just yet.

 

Once they're all clean, plug the router back in and get the PCs online.

 

Good luck


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 mralias518 (Members, 135 posts)

Posted 03 March 2015 - 08:09 AM

In addition to what was said above, I would also call my ISP by phone to make sure they sent the email you are reading, just to make sure this is not some sort of attempt to make you change settings on your router. I'm sure it is legit, but I've seen this type of stuff before. (Unless you have already done this.)

 

Edited by mralias518, 03 March 2015 - 08:10 AM.

Linux Mint 17.1 Rebecca & Windows 8.1 Dual Boot.

Dell E6410 i5, 7.60518 GiB of RAM

 


#4 Wand3r3r (Members, 2,027 posts)

Posted 03 March 2015 - 11:05 AM

Really doubt the router is the source.  More likely a device on the lan has been hacked and is the culprit sending the attack.  Using torrents, emule or such?

 

https://www.us-cert.gov/ncas/alerts/TA14-017A
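A way to find which device is answering without unplugging things one at a time, shown as an added example that is not from this thread or from the US-CERT alert: flow records from the router, a mirror port, or a packet capture reduced to 5-tuples and byte counts, scanned for the signature of a reflector. Ordinary SSDP never leaves the LAN (the M-SEARCH comes from a private address, usually to multicast 239.255.255.250, and the reply goes back to it); a reflector shows queries arriving from Internet-side "sources" (the spoofed victim) and replies leaving towards them, with reply bytes far above query bytes. The one-line record format, the `Flow`/`find_ssdp_reflectors` names, the thresholds, and the sample records (RFC 5737 test addresses standing in for victims) are all mine.

```python
"""Flow-based spotting of an SSDP reflector on a home network.

Added example, not from the thread or the US-CERT alert.  Input is a
simplified flow record of my own design, one per line:
    src_ip:src_port dst_ip:dst_port proto bytes
(a NetFlow/IPFIX export or a pcap summarised with tshark maps onto it).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SSDP_PORT = 1900

# Addresses that are never a real Internet-side peer.  Spelled out rather
# than using ip_address.is_global, which treats the RFC 5737 documentation
# ranges used in the sample below as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "224.0.0.0/4", "0.0.0.0/8", "255.255.255.255/32",   # multicast, "this", broadcast
)]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def is_outside(ip: str) -> bool:
    """True for an address on the Internet side of the home network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_flow_line(line: str) -> Flow:
    src, dst, proto, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(s_ip, int(s_port), d_ip, int(d_port), proto.upper(), int(nbytes))


def load_flows(text: str) -> List[Flow]:
    """Parse a block of records, skipping blank lines and '#' comments."""
    return [parse_flow_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def find_ssdp_reflectors(flows: Iterable[Flow], min_targets: int = 3,
                         min_ratio: float = 2.0) -> Dict[str, dict]:
    """Local hosts that answer UDP/1900 queries from Internet-side addresses.

    A host is reported when it has replied to at least min_targets distinct
    outside addresses, or when its out/in byte ratio reaches min_ratio.
    Only the peer address is tested with is_outside, so the same logic
    works whether the local host has a private LAN address or the public
    one (capture on the router's WAN side).
    """
    in_bytes: Dict[str, int] = defaultdict(int)
    out_bytes: Dict[str, int] = defaultdict(int)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == SSDP_PORT and is_outside(f.src):
            in_bytes[f.dst] += f.nbytes          # query from outside to a local responder
        elif f.sport == SSDP_PORT and is_outside(f.dst):
            out_bytes[f.src] += f.nbytes         # reply leaving the network
            targets[f.src].add(f.dst)
    report: Dict[str, dict] = {}
    for host, sent in out_bytes.items():
        received = in_bytes.get(host, 0)
        ratio = sent / received if received else float("inf")
        if len(targets[host]) >= min_targets or ratio >= min_ratio:
            report[host] = {"targets": len(targets[host]), "out_bytes": sent,
                            "in_bytes": received, "amplification": ratio}
    return report


# Constructed sample: two spoofed "victims" query the router at 192.168.1.1,
# which answers each query with several replies; a laptop's ordinary
# multicast discovery and some TLS traffic are noise that must not match.
SAMPLE_FLOWS = """
198.51.100.7:40000 192.168.1.1:1900 udp 94
192.168.1.1:1900 198.51.100.7:40000 udp 310
192.168.1.1:1900 198.51.100.7:40000 udp 310
192.168.1.1:1900 198.51.100.7:40000 udp 310
198.51.100.9:40001 192.168.1.1:1900 udp 94
192.168.1.1:1900 198.51.100.9:40001 udp 310
# benign LAN discovery: private source, multicast destination
192.168.1.50:52000 239.255.255.250:1900 udp 94
192.168.1.1:1900 192.168.1.50:52000 udp 310
# unrelated
192.168.1.50:51000 203.0.113.10:443 tcp 1500
"""

if __name__ == "__main__":
    for host, info in find_ssdp_reflectors(load_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {info['targets']} outside targets, "
              f"{info['out_bytes']}B out / {info['in_bytes']}B in, "
              f"x{info['amplification']:.1f}")
```

Where you capture matters: a LAN-side capture can only implicate devices behind the router. If the responder sits upstream of the router, as the poster concludes about the ISP's DSL modem later in this thread, the queries and replies never cross the LAN; in that case the records have to come from between modem and router, or from the router's WAN interface, where the local address is the public one.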



#5 CaveDweller2 (Members, 2,629 posts)

Posted 03 March 2015 - 11:44 AM

I have to stop answering things on here at 3 AM. Wand3r3r has a point, to your ISP your router = the only thing technically connected to their network so of course they say it's the router. It really doesn't change what I suggested but I should have mentioned that about your router.


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#6 WheresMyOS (Topic Starter, Members, 111 posts)

Posted 03 March 2015 - 02:14 PM

> Really doubt the router is the source. More likely a device on the lan has been hacked and is the culprit sending the attack. Using torrents, emule or such?


No, no torrents or P2P stuff. There are a lot of devices that connect to the network, though. Some of them are almost always on: the DSL modem itself, a Roku, 2 iPads, 3 phones, an HP OfficeJet printer, and my laptop. My laptop is running a firewall, antivirus, and WinPatrol. Scans on the laptop come up clean, and removing it from the network doesn't remove the SSDP vulnerability on scans. There's a Dish Network box that's connected to a second TV using the home network through what looks like a USB dongle (provided and installed by the Dish people). There's also a Chromecast stick. Two other computers and a Wii are occasionally connected but usually off. If one of these devices is initiating the problems, shouldn't the vulnerability disappear when the device is disconnected?

We tried disconnecting the Linksys router, resetting the DSL modem, and setting up a newer ASUS router, which has more security options than the Linksys, but even so doesn't seem to have options to block ports or turn off UPnP or SSDP. Grr. I thought that stuff was standard in router admin.

Any of these devices look like a likely culprit?

#7 Wand3r3r (Members, 2,027 posts)

Posted 03 March 2015 - 02:57 PM

Most routers you have to enable UPnP to have it on. I would backwards engineer. Start by hooking your laptop direct to the modem and run your test. Then add the router with laptop connected only, and so on and so forth.

 

It could be any of them. Being off is just like being disconnected, so when off it can't be a source of SSDP.



#8 WheresMyOS (Topic Starter, Members, 111 posts)

Posted 03 March 2015 - 08:39 PM

Thanks, all, for your great advice.

 

I took Wand3r3r's advice about backward engineering, and isolated the DSL modem, property of the ISP. Hah! They've suddenly gotten much nicer about the issue, and are no longer insisting that I direct all questions to the router manufacturer.

 

The modem doesn't have a wireless feature, so it wasn't in my list of suspects. However, the SSDP vulnerability showed on scan when the router was physically disconnected from both the power supply and the modem (thus, no network) and the modem was connected directly by ethernet cable to a single computer with a strong firewall and wi-fi services turned off (tested with two computers separately).

 

The same vulnerability showed on scan when we connected the modem to a password-protected router with wi-fi but no PnP services running, and all devices powered off / disconnected except a couple of iphones and an ipad.

 

I don't know if that's conclusive, but I've asked the ISP to test the theory by swapping out the (somewhat old) modem for something more current.





