Security Threat with DSL-505G Routers



symiggy
30-06-2005, 10:07 PM
Has anyone seen the article in this month's NZ PC World regarding a possible security threat associated with the popular DSL-504G Routers commonly provided as part of the JetStream package provided by various ISPs in NZ?
The article particularly warns customers of IHUG's Bliink products. According to the author of the article, a number of the Routers have been sold with the factory settings in place which would allow savvy hackers to potentially divert traffic, lock users out of their Routers and even send or receive email from users' accounts.
Since I am not particularly adept with the settings I was wondering if anyone could offer any help as to what is to be done in order to rectify this situation.
Thanks for your advice.

bmason
30-06-2005, 11:17 PM
This has been discussed previously here (http://pressf1.pcworld.co.nz/showthread.php?t=58625).

To turn off remote access:
- Open the router web page at http://10.1.1.1
- Click Tools
- Under admin, change "HTTP Remote Access" to disabled.
- Hit apply.
- Hit save and reboot.

symiggy
01-07-2005, 11:17 AM
bmason:

Thanks for your reply.

When I followed the procedure you outlined the "HTTP Remote Access" was already set on "disabled"

However I noted that there was an "80" in the box to the right of "HTTP Remote Access Port(80,61000-62000)"
Having read the thread that you pointed me towards, I was wondering if I should change the 80 in that box to something else.

Also when I logged into the router, I used "admin" as the login name which worked. Should I change this and if so how?
Thanks.

symiggy
01-07-2005, 12:51 PM
Also in the previous thread on this topic, a question posted by Mantis was never actually answered.
The question posted was:

"so if you change the default password AND

disable HTTP Remote Access does this fix the vulnerability???

OR do you have to change the port for remote access even though it is disabled?"

I would be most appreciative if someone with the knowledge could answer that question specifically.
Thanks for your expertise.

bmason
01-07-2005, 03:16 PM
When I followed the procedure you outlined the "HTTP Remote Access" was already set on "disabled"

It is already disabled for newer versions of the firmware. You can verify by visiting a site like http://scan.sygate.com/.

However I noted that there was an "80" in the box to the right of "HTTP Remote Access Port(80,61000-62000)"
Having read the thread that you pointed me towards, I was wondering if I should change the 80 in that box to something else.

You can if you want, it only really helps if you have remote access turned ON. I haven't bothered. If you do, the URL to access your router will change to http://10.1.1.1:61000/ (replacing 61000 with the port of your choice).

Also when I logged into the router, I used "admin" as the login name which worked. Should I change this and if so how?
Thanks.

You can't change the admin username but you can and should change the password, which you probably already have if you followed the setup wizard.

bmason
01-07-2005, 03:38 PM
"so if you change the default password AND

disable HTTP Remote Access does this fix the vulnerability???

OR do you have to change the port for remote access even though it is disabled?"
Turning off remote access (and verifying it is off) is all that needs to be done to fix the problem.

Changing the password and port are less important when remote admin is turned off because only the computers on your LAN can actually access the admin pages.

If remote access was turned on then the quality of your password is all that prevents any external "attacker" from accessing your router. You can bet the first password they would try is "admin". When remote access is off the password is only preventing people with access to your computer (flatmates/siblings/etc) from accessing the admin page.
Using a non-standard port, eg 61457, would reduce the chances of an external attacker finding your admin page.

symiggy
01-07-2005, 05:42 PM
Turning off remote access (and verifying it is off) is all that needs to be done to fix the problem.

Changing the password and port are less important when remote admin is turned off because only the computers on your LAN can actually access the admin pages.

If remote access was turned on then the quality of your password is all that prevents any external "attacker" from accessing your router. You can bet the first password they would try is "admin". When remote access is off the password is only preventing people with access to your computer (flatmates/siblings/etc) from accessing the admin page.
Using a non-standard port, eg 61457, would reduce the chances of an external attacker finding your admin page.

bmason:

Sorry to be so basic in my query but I'm not quite sure how to interpret the results of the scan done by the SOS site that you pointed to in order to verify that the remote access is in fact off.

The SOS site was able to determine my IP address correctly even though I am connecting through a router and was also able to determine the Operating system and browser.
The scan was not able to determine the computer name or detect any running services.
Does all this verify that remote access is in fact off?
Thanks for your (hopefully) continuing patience with this basic question.

bmason
02-07-2005, 03:15 PM
What you are looking for is the status of the port 80 which will show up in the quick scan option. If it is open then remote admin is still turned on.

symiggy
02-07-2005, 03:44 PM
What you are looking for is the status of the port 80 which will show up in the quick scan option. If it is open then remote admin is still turned on.

Again I'm really sorry to be so ignorant but I just can't see any Quick Scan option.
Could you please tell me how to access this option?

bmason
09-07-2005, 12:42 PM
Again I'm really sorry to be so ignorant but I just can't see any Quick Scan option.
Could you please tell me how to access this option?

On the left there is a menu with an image link called "Quick Scan". Click it, then hit "Scan now".

symiggy
09-07-2005, 03:04 PM
bmason:

Thanks for your help.
I'm happy to be sure that the port is stealthed.
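
The port 80 check discussed in this thread can also be done by hand against your own router's WAN address. The sketch below is an added example, not part of the original thread; the function names and the script name are assumptions. It has to be run from a machine outside your own connection, because from inside the LAN the admin page at 10.1.1.1 is always reachable.

```python
import socket
import sys

def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'stealthed' or 'error' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"          # host answered with a reset: nothing listening
    except socket.timeout:
        return "stealthed"       # no answer at all: packets silently dropped
    except OSError:
        return "error"           # e.g. no route; says nothing about the port

def check_remote_admin(wan_ip, ports=(80,), timeout=3.0):
    """Probe each candidate remote-admin port; return {port: state}."""
    return {port: probe_tcp(wan_ip, port, timeout) for port in ports}

def remote_admin_exposed(results):
    """True if any probed port accepted a connection from outside."""
    return any(state == "open" for state in results.values())

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_admin.py <your-WAN-IP> [port ...]")
    # Default is port 80; add the custom port if you set one (61000-62000).
    ports = tuple(int(p) for p in sys.argv[2:]) or (80,)
    results = check_remote_admin(sys.argv[1], ports)
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    print("remote admin reachable" if remote_admin_exposed(results)
          else "no admin port open from outside")
```

A result of "open" on port 80 (or on the custom port) corresponds to remote admin still being turned on; "stealthed" matches what the online scan reported at the end of the thread.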