Unknown or Unauthorized Access

rfdude
Posts: 41
Joined: Sat May 08, 2010 2:16 pm

Unknown or Unauthorized Access

Post by rfdude »

I've noticed from both my Gargoyle routers running v1.8 that the log captures public attempts to log in to the router. The IP addresses vary, but when I tried one out (not the IPs listed below), I got someone's QNAP NAS... and they had factory default passwords! Below is an example of what I'm seeing on a router that has only 32 Mb of memory and no TOR. It's an Asus WL500G Premium v2. I also observed this issue with a Buffalo WZR-HP-G300NH2 which did have TOR. On both I did download some plugins and themes.

What is this?

Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 43.229.53.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received

Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally
rfdude
------------------
1.09.2 Buffalo WZR-HP-G300NH2 -> 8 OpenMesh AP's
1.10.0 Archer C7 -> Multiple Cisco 1702i Autonomous Mode
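
The dropbear entries in the post above can be grouped by source address to show how many connections, failed passwords and pre-authentication exits each source produced, and whether the source is a private or a public address. This is an added example, not part of the original thread; the function names and the PID-based correlation (one PID per connection, as the sample lines show) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Fri Aug 28 22:17:46 2015 authpriv.info dropbear[8087]: Child connection from 43.229.53.16:59685
Fri Aug 28 22:17:52 2015 authpriv.info dropbear[8087]: Exit before auth: Disconnect received
Fri Aug 28 22:36:54 2015 authpriv.info dropbear[8092]: Child connection from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.warn dropbear[8092]: Bad password attempt for 'root' from 201.76.116.157:58515
Fri Aug 28 22:37:02 2015 authpriv.info dropbear[8092]: Exit before auth (user 'root', 1 fails): Exited normally
"""

LINE = re.compile(r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.MULTILINE)
CONNECT = re.compile(r"Child connection from (?P<ip>[0-9a-fA-F.:]+):\d+$")
BAD_PW = re.compile(r"Bad password attempt for '(?P<user>[^']*)' from ")

def origin(ip):
    """Label an address private (LAN-side range) or public (reached via WAN)."""
    try:
        return "private" if ipaddress.ip_address(ip).is_private else "public"
    except ValueError:
        return "unparsed"

def summarize(log_text):
    """Per-source counters; lines are tied to a source through the dropbear PID."""
    pid_to_ip = {}  # assumption: one PID per connection, as in the sample
    stats = defaultdict(lambda: {"connections": 0, "bad_passwords": 0,
                                 "no_auth_exits": 0, "users": set()})
    for m in LINE.finditer(log_text):
        pid, msg = m["pid"], m["msg"]
        c = CONNECT.match(msg)
        if c:
            pid_to_ip[pid] = c["ip"]
            stats[c["ip"]]["connections"] += 1
            continue
        ip, b = pid_to_ip.get(pid), BAD_PW.match(msg)
        if ip and b:
            stats[ip]["bad_passwords"] += 1
            stats[ip]["users"].add(b["user"])
        elif ip and msg.startswith("Exit before auth"):
            stats[ip]["no_auth_exits"] += 1
            del pid_to_ip[pid]  # PIDs get reused, so close the session here
    return {ip: dict(s, origin=origin(ip)) for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, s)
```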

ispyisail
Moderator
Posts: 4884
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Unknown or Unauthorized Access

Post by ispyisail »

Is the source coming from the WAN or LAN?

rfdude
Posts: 41
Joined: Sat May 08, 2010 2:16 pm

Re: Unknown or Unauthorized Access

Post by rfdude »

All LAN are private IP 192.168...

Buffalo router is on a DSL service.
ASUS router is on an HSPA cellular data service at a remote location.

So the unidentified IPs are coming from external (WAN) sources.

rfdude
Posts: 41
Joined: Sat May 08, 2010 2:16 pm

Re: Unknown or Unauthorized Access

Post by rfdude »

Just found a previous forum post that might be related... from 2009.... OpenWRT/DDWRT-based botnet attack from infected routers or equipment. Interesting that a few others have posted log results (for other reasons) into this forum which contain the dropbear interaction below...

Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease.

ispyisail
Moderator
Posts: 4884
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Unknown or Unauthorized Access

Post by ispyisail »

rfdude wrote: "Per the DroneBL botnet web site, I've changed the SSH port to non-standard and am seeing the unauthorized attempts cease."

Well, there is your problem.

Don't open port 22 for SSH; they will still scan for open ports of any number.

Use OpenVPN for SSH.

This is not a Gargoyle problem, more a user configuration problem.
