Possible Cisco Router Hack?



We have a Cisco EPC3928AD EuroDocsis 3.0 2-PORT Voice Gateway from our ISP. The router is connected to a firewall (an Ubuntu-box running iptables and Wireshark). Our LAN (10.0.0.1/24) is beyond the firewall. No other equipment is connected to the router. The router's WIFI has been disabled.

A few days ago we noticed problems when fetching mail or browsing. The connection started to get slower and sometimes we do not have a connection at all. This behavior seems to occur at random and during irregular time periods (1-30 minutes approx.). All equipment on the LAN is affected. Certain services like Skype are not affected.

The ISP did a checkup of the router and the connection to the rest of the WAN. They found no problems, neither with the modem itself nor the signal strength or the cable. They also set up monitoring of the WAN segment that the modem is on and that ran for several days without finding any problems.

Our LAN has no DHCP. We also had the DHCP in the modem switched off. The NIC on the firewall facing the WAN was set to 192.168.0.201. Although our LAN has static addresses and DNS configurations on each NIC are set to the ISP's recommended DNSs, they told us that activating the DHCP in the router "sometimes helps"...

We proceeded to activate the DHCP with starting address 192.168.0.201 and with a range of 1. We also reserved 192.168.0.201 for the MAC of the NIC facing the modem. What happened next puzzled us: in the router's "Preassigned DHCP IP Addresses"-list an unknown MAC, 00:11:e6:de:ad:07 (00:11:e6 belongs to Scientific Atlanta, part of Cisco), was occupying 192.168.0.201. Moreover, in the router's "Connected Devices Summary", the same MAC was showing up, but this time with an IP (10.0.0.74) on the LAN!

We restarted the router, but to no avail. The same unknown MAC showed up again, this time with a LAN address (10.0.0.2) already in use by a workstation on the LAN. Blocking the MAC in iptables made the MAC disappear from the "Connected Devices Summary", but it is still in the "Preassigned DHCP IP Addresses"-list. We have set the IP-range to 2, so it now occupies 192.168.0.202 instead of 192.168.0.201.

Restarting the router or disconnecting it from the firewall does not help. The unknown MAC keeps on reappearing. The intermittent problems with the connection persist. What is going on? Is this a hack of some kind? Any input will be much appreciated.
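
One way to check, from the firewall's own neighbour table, for the two symptoms described in the post: one MAC showing up on both sides of the firewall, and an address already used by a workstation being claimed by a second MAC. This is an added example, not part of the original post; the interface names, the segment prefixes, the sample lines and every MAC other than 00:11:e6:de:ad:07 are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed segments: the post gives 10.0.0.1/24 for the LAN; the /24 on the
# modem side is a guess based on the 192.168.0.20x addresses it mentions.
SEGMENTS = {
    "wan": ipaddress.ip_network("192.168.0.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/24"),
}

# Constructed sample: lines gathered from repeated runs of `ip neigh show`
# on the firewall. Only 00:11:e6:de:ad:07 comes from the post.
SAMPLE = """\
192.168.0.1 dev eth0 lladdr 00:11:e6:aa:bb:01 REACHABLE
192.168.0.202 dev eth0 lladdr 00:11:e6:de:ad:07 STALE
10.0.0.74 dev eth1 lladdr 00:11:e6:de:ad:07 STALE
10.0.0.2 dev eth1 lladdr 52:54:00:12:34:56 REACHABLE
10.0.0.2 dev eth1 lladdr 00:11:e6:de:ad:07 STALE
10.0.0.9 dev eth1  FAILED
"""

ENTRY = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I)

def parse(text):
    """Yield (ip, mac); unresolved entries (no lladdr) are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()
        except ValueError:
            continue  # first field was not an IP address

def findings(text, segments):
    """Report IPs claimed by several MACs and MACs seen on several segments."""
    ips_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for ip, mac in parse(text):
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    conflicts = {str(ip): sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    cross = {}
    for mac, ips in ips_by_mac.items():
        segs = sorted(n for n, net in segments.items() if any(i in net for i in ips))
        if len(segs) > 1:
            cross[mac] = segs
    return {"ip_conflicts": conflicts, "cross_segment_macs": cross}

if __name__ == "__main__":
    print(findings(SAMPLE, SEGMENTS))
```

Feeding it timestamped captures instead of one concatenated sample shows whether the conflicting claims line up with the connection dropouts.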


Related to : Possible Cisco Router Hack?
[ubuntu] Cisco Valet Plus Router Compatibility
Network & Servers
I have NOT bought this router. But before I make a decision, is it LINUX compatible? It requires a special USB device. Implies "issues".
PC Magazine review: Cisco Valet Plus
CNET Review: Cisco Valet Plus The CNET Review has a video.
[ubuntu] Cisco Cable Modem and Cisco Router Issue
Network & Servers
I have one computer connected to port one router that I can not see in my home network with other computers connect to other router. I assume its an IP address and Gateway issue. How do I setup so I can see it with other computers. How do I configure so I can see computer hooked to both routers?
[Linux Mint] dlink router stats/hack?
Network & Servers
first off sorry if this is in the wrong section - haven't been on this forum in a while.
I'm getting a little worried after looking at my sky dlink router log stats in the security section. Usually i will get hack attempts in the following format:
kernel: Intrusion from a random ip to my external ip address.
sometimes i will get :
kernel: Firewall Log if i have been downloading torrents or accessed my pc through ssh.
but recently i have seen kernel: Firewall from a random ip to one of my internal ip's . In one day i had 4 attempts from an ip in china to port 80 on my PS3's ip which is 192.168.0.3 (bearing in mind i h
[ubuntu] Connect to share created by router (Cisco X3000 DSL router)
Network & Servers
Hi There,
I have been trying to connect my linux machines to the share created by my router (Cisco X3000 DSL router). It is a 1TB USB drive connected by USB - if that is important to know.
I set up the share in router setup and I can see it on the network if I use:
Code:
smbtree -N
which gives me:
Code:
WORKGROUP
        CISCO02437                    DSL
IPTV Multicast and Cisco RV180 Router
Network & Servers

I have a fibre line at home including IPTV, i have to use my own router to be able to use VPN etc. this functionality is not supported in the ISP supplied router.

The internet connection is perfect using my own router, however the TV box is not working properly. I can see the channels in the overview and use Netflix from the box, but I am unable to watch any television channels. My ISP says it's because the box is not receiving any multicast IGMP traffic from the router.

I have enabled IGMP Proxy in the router, and according to the manual that should be enough. "NOTE By default the device will forward multicast packets which are originating from its immediate WAN network."

Cisco RV180 Manual

Configuring Internet Group Management Protocol (IGMP)

Internet Group Management Protocol (IGMP) is an exchange protocol for routers. Hosts that want to receive multicast messages need to inform their neighboring routers of their status.

In some networks, each node in a network becomes a member of a multicast group and receives multicast packets. In these situations, hosts exchange information with their local routers using IGMP. Routers use IGMP periodically to check if the known group members are active.

IGMP provides a method called dynamic membership by which a host can join or leave a multicast group at any time.

The Allowed Networks table lists all the allowed networks configured for the device and allows several operations on the allowed networks:

    • Network Address—The network address from which the multicast packets originate.
    • Mask Length—Mask Length for the network address.

In this table you can perform the following actions:

    • Check Box—Select all the allowed networks in the table.
    • Delete—Deletes the selected allowed network or allowed networks.
    • Add—Opens the Allowed Network Configuration page to add a new network.
    • Edit—Opens the Allowed Network Configuration page to edit the selected network.

NOTE By default the device will forward multicast packets which are originating from its immediate WAN network.

Adding Allowed Networks

To configure IGMP:

STEP 1
    Choose Firewall > Advanced Settings > IGMP Configuration.

STEP 2
    Check the Enable box to allow IGMP communication between the router and other nodes in the network.

STEP 3
    Choose the Upstream Interface (WAN or LAN). Select the interface (LAN or WAN) on which the IGMP proxy acts as a normal multicast client.

STEP 4
    Click Save.

I have added this network address to the "Allowed Networks table": 87.104.38.1 with a netmask length of 25 (The address 87.104.38.1 uses subnetmask 255.255.255.128) But it had no effect.

How can I troubleshoot this problem? What tools do I have available?

I think I should somehow verify that no IGMP traffic is reaching the TV box, and I don't know how to do that.

Any help is very much appreciated.

