[Dshield] Follow Up- Interesting log entries on Netgear FR114P

John Dalton dubuque1 at mchsi.com
Mon Mar 17 19:45:10 GMT 2003


What surprises me is the entry during these scans; the previous one was from
China, I believe.
Shows as
Sun, 2003-03-16 08:51:45 - Administrator login fail, Access deny - IP:209.208.0.15

I had changed the admin password to a difficult one, however the Web
administration GUI should be disabled, so I wonder how I am getting the
failed messages. And if these probers have found a way around to get into
the router, and people have set them up as default with the default
password, then it would appear possible to take control of the router from
remote locations, without the interface even being enabled.
I have sent information to Netgear asking if this is a known vulnerability
:)

John Dalton


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of Johannes Ullrich
Sent: Monday, March 17, 2003 9:00 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Follow Up- Interesting log entries on Netgear
FR114P



Yes. Typical scan for njabl. They operate an anti-spam blocklist and
scan machines for open proxies in order to add such sites to their list.


> I received another attempt today on my Netgear Router, though from a
> familiar site (been discussed on here before), if the I.P is not spoofed,
> rt.njabl.org.
> Although I can't see why they would have scanned these ports.
>
> Sun, 2003-03-16 08:51:36 - TCP packet - Source:209.208.0.15,29736,WAN -
> Destination:*.219.102.11,1180,LAN [Drop] - [Inbound Default rule match]

--
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
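
One way to check whether a failed admin login coincides with dropped probes from the same source, as the two log entries in this thread do. This is an added example, not part of the original messages; the 5-minute window, the function names and the two extra log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First two entries are the ones quoted in the thread, unwrapped onto one line
# each; the last two are constructed for contrast (documentation IP ranges).
SAMPLE_LOG = """\
Sun, 2003-03-16 08:51:36 - TCP packet - Source:209.208.0.15,29736,WAN - Destination:*.219.102.11,1180,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-16 08:51:45 - Administrator login fail, Access deny - IP:209.208.0.15
Sun, 2003-03-16 09:30:02 - TCP packet - Source:198.51.100.7,4021,WAN - Destination:*.219.102.11,80,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-16 11:05:10 - Administrator login fail, Access deny - IP:192.0.2.44
"""

STAMP = r"\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
DROP_RE = re.compile(STAMP + r"\w+ packet - Source:(?P<ip>[\d.]+),\d+,WAN - "
                     r"Destination:[^,]+,(?P<dport>\d+),LAN \[Drop\]")
LOGIN_RE = re.compile(STAMP + r"Administrator login fail, Access deny - IP:(?P<ip>[\d.]+)")

def _ts(m):
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")

def parse(log_text):
    """Return (drops, logins): drops as (time, src_ip, dst_port), logins as (time, src_ip)."""
    drops, logins = [], []
    for line in log_text.splitlines():
        if (m := DROP_RE.match(line)):
            drops.append((_ts(m), m.group("ip"), int(m.group("dport"))))
        elif (m := LOGIN_RE.match(line)):
            logins.append((_ts(m), m.group("ip")))
    return drops, logins

def correlate(log_text, window=timedelta(minutes=5)):
    """For each failed admin login, list dropped ports probed by the same source within `window`."""
    drops, logins = parse(log_text)
    by_ip = defaultdict(list)
    for ts, ip, port in drops:
        by_ip[ip].append((ts, port))
    report = []
    for ts, ip in logins:
        ports = sorted({p for t, p in by_ip.get(ip, []) if abs(t - ts) <= window})
        report.append({"time": ts, "ip": ip, "dropped_ports": ports,
                       "coincides_with_scan": bool(ports)})
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row["time"], row["ip"], row["dropped_ports"], row["coincides_with_scan"])
```

Log entries that were wrapped across lines, as in the mail above, need to be rejoined onto one line before parsing.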



