I have unautorised acces to my router/modem. i need help fast please !

[GLeader]

Hi,

I live in morocco my ISP is "Maroc Telecom" (incase its important). and i have a fiber to home connection (100 Mb/s down 50 Mb/s up).
I have a Huawei HG8245H. (from my ISP).

Yesterday i had some internet problems (slowdowns and desconnects). so i went to my router config and changed some stuff (no problems here).

then i went to user logs, and then ohhh boy. there was a spam of connection attempts (like one every 3 min or so, until router block them for too much password errors. then they come back later). some even got the good password (WTF!)
FYI : the only password i can change is the root (i did change it some time ago). but there is an other one its like an ISP password or something (probably used in case you call them for a problem). but this one i can't change (at least i can't find where to change it). and its the same for all ISP clients that have this router (the login is "telecomadmin" very hard indeed lol)

plus my IP changes every time i restart my router. so i have no idea how this is possible (they must have somthing sending back the new ip)?

i tried to desable all web / telnet acces from WAN or WIFI (only local network should have acces). but in logs it says the acces was via CLI (command line interface ?).

moreover and this is what worrying me the most. is that the one who got acces seem to have changed my DNS or somthing (so i guss i can be rederected to a fake paypal or somthing like that) (but in my PC i changed DNS to google / openDNS so i guss im ok but not any one that uses the router DNS ?)

so is there something i can do to stop this (any way to get even higher previlige to see maybe more settings to block this, because basic settings seem to have no effect) ?
i rather not have to change my router or contact my ISP (they are bad, and im sure 100% the help service poeple will not understand the problem (I speak knowingly))

PS: attached are the log files. (all connections from this ip "192.168.100.114" are mine (PC local IP).

thanks for your time.

 

[jboydgolfer]

if possible disable Web management, or Web access. that way the only way to manage the router is from the LAN/WAN

 

[GLeader]

if possible disable Web management, or Web access. that way the only way to manage the router is from the LAN/WAN

WAN Service
Enable the WAN-Side PC to Access the ONT Through FTP:
Enable the WAN-Side PC to Access the ONT Through HTTP:
Enable the WAN-Side PC to Access the ONT Through Telnet:
Enable the WAN-Side PC to Access the ONT Through SSH

are all desabled, plus in the logs it says acces using CLI

 

[RJARRRPCGP]

Is that a router-and-ONT-all-in-one?! If true, I dislike that setup. (not directed at you)

 

[jboydgolfer]

are all desabled, plus in the logs it says acces using CLI

look through all options & tabs & see if there is another setting for web or remote management.

 

[GLeader]

Is that a router-and-ONT-all-in-one?! If true, I dislike that setup. (not directed at you)

YES all in one

like this one

sorry for the shitty picture.

yeah i know its bad but they dont give you a choice when you get a subscription. so im stuck with this.

 

[RJARRRPCGP]

YES all in one

like this one

sorry for the shitty picture.

yeah i know its bad but they dont give you a choice when you get a subscription. so im stuck with this.

Well, I like it when I can unplug the separate router for troubleshooting.

 

[sepheronx]

very curious about this myself.

I am not really strong in the network field so I will stay limited.

But can you adjust your DNS? Change it to google's or something. As well, also mentioned about web remote access, see if you can disable any kind of telnet or remote accessing within the router itself. You can also try to hide your WiFi signal as well, at least with most routers. I am not sure with yours. If it does have the option, try that.

 

[jboydgolfer]

maybe what youre seeking can be found Here

Huawei EchoLife HG8245H Support Guide, Manuals & PDF – Huawei

 

[GLeader]

look through all options & tabs & see if there is another setting for web or remote management.

i only found this two, but they seem desabled

Hmm... Huawai, Xi Jinping knocking on your door.

exactly what i was thinking. maybe it some integrated spy system from the factory :tin foil hat:

 

[OneMoar]

change the password for telecomadmin
or login via telnet your self and turn telnet off
set aclservicesrule TELNETWanEnable 0

How to disable the single ONT WAN side Telnet without using U2000? - Huawei Enterprise Support Community

Hello, everyone!This post explains how to disable the single ONT WAN side Telnet without using U2000. Please have a look below for more details.BACKGR ...

forum.huawei.com

 

[GLeader]

change the password for telecomadmin

how ? i can't find anywhere to change it

can't change it its stuck in root (but im connected using telecomadmin)

 

[TheLostSwede]

Maybe read up on TR-069, it's what your service provider uses to access your router when they have to, which this seems to be a case of.
Could also be that they have a "backdoor" as many telco's do, which is bad, as those passwords tend to leak and they're usually the same for all of the same model of router.
Was a big drama about it in Sweden a few years ago, so the service providers were forced to swap out a lot of older gear.

 

[GLeader]

Maybe read up on TR-069, it's what your service provider uses to access your router when they have to, which this seems to be a case of.
Could also be that they have a "backdoor" as many telco's do, which is bad, as those passwords tend to leak and they're usually the same for all of the same model of router.
Was a big drama about it in Sweden a few years ago, so the service providers were forced to swap out a lot of older gear.

thanks i will look into this

Maybe read up on TR-069, it's what your service provider uses to access your router when they have to, which this seems to be a case of.
Could also be that they have a "backdoor" as many telco's do, which is bad, as those passwords tend to leak and they're usually the same for all of the same model of router.
Was a big drama about it in Sweden a few years ago, so the service providers were forced to swap out a lot of older gear.

desabled it, will see if it changes anything

 

[R-T-B]

Hmm... Huawai, Xi Jinping knocking on your door.

Unlikely they'd be so blunt.

Op, have you checked if there is newer firmware for this router? Is it ISP provided? If so, contact ISP asap.

 

[OneMoar]

the ip address the access is coming from is a static ip owned by digital ocean there is also a unconfigured apache server running on p80

 

[TheUn4seen]

Well, you seem to have some botnets calling your horrible, horrible ONT with a list of default login/passwords left unchanged by many horrible, horrible ISPs. Change ACS password to something ridiculous, disable telnet for WAN if you can. Use this horrible thing as a bridge and get a proper router - in the web interface go to "LAN" -> LAN port work mode, check the LAN1. Then connect with telnet and type port vlan eth 1 transparent this will make the ONT work as a transparent bridge on LAN1 port to which you should connect a proper router and forget this rubbish ONT exists.
At the very least for now, in the LAN -> "DHCP server configuration" manually type a reasonably trustworthy DNS like 1.1.1.1

 

[P4-630]

I'm absolutely no expert in this but I've used to allow devices access by their specific MAC addresses but I think that works only for the devices connected by wifi.

 

[GLeader]

Maybe read up on TR-069, it's what your service provider uses to access your router when they have to, which this seems to be a case of.
Could also be that they have a "backdoor" as many telco's do, which is bad, as those passwords tend to leak and they're usually the same for all of the same model of router.
Was a big drama about it in Sweden a few years ago, so the service providers were forced to swap out a lot of older gear.

so, desabling TR-069 didn't totaly stoped the probleme (i think it just stoped my ISP (or who ever was doing it) from changing my DNS)

so then i found that my firewall was on desabled, i changed it to normal (high stoped all trafic even web pages stoped working). so now 1 day later no attack yet. so i guss its working.

thanks you all for the help, you probably saved me.

Unlikely they'd be so blunt.

Op, have you checked if there is newer firmware for this router? Is it ISP provided? If so, contact ISP asap.

yep i think it was the firewall.

Well, you seem to have some botnets calling your horrible, horrible ONT with a list of default login/passwords left unchanged by many horrible, horrible ISPs. Change ACS password to something ridiculous, disable telnet for WAN if you can. Use this horrible thing as a bridge and get a proper router - in the web interface go to "LAN" -> LAN port work mode, check the LAN1. Then connect with telnet and type port vlan eth 1 transparent this will make the ONT work as a transparent bridge on LAN1 port to which you should connect a proper router and forget this rubbish ONT exists.
At the very least for now, in the LAN -> "DHCP server configuration" manually type a reasonably trustworthy DNS like 1.1.1.1

yes i did change the ACS on the TR-069 to a random hard pass.

yes i will try to get a new proper router at some point.

and for the DNS i have it changed on my pc and thi shit router to 1.1.1.1

Unlikely they'd be so blunt.

Op, have you checked if there is newer firmware for this router? Is it ISP provided? If so, contact ISP asap.

the huawei website is broken no firmware found, but there was some links in the forums i did download one but for need the problem seem to be fixed so i will avoid any new problems caused by non official links

 

[R-T-B]

huawei website is broken no firmware found, but there was some links in the forums i did download one but for need the problem seem to be fixed so i will avoid any new problems caused by non official links

Sounds best. Keep an eye on it and best of luck.

 

[ASghostKI]

I'm having the same issue, we're from the same country and we have the same ISP.

Any updates on the situation and the steps you did beside the ones you mentioned ?


In my case the DNS was redirecting to this page: http://heartoftech.club/author/hamza/page/6/+

and those where that DNS addresses that I found

and this is the user access log:

He's using servers from AWS I think

 

[GLeader]

ASghostKI​

so here is what i did and it works fine (for me at least)

1-in "LAN" then "DHCP" change DNS to google or open DNS "1.1.1.1" . like in picture

2- in "security" then "firewall" put it to "user-defined"

3- in "security" then "ONT acces" desable all "WAN" and "WLAN" acces (i desabled also telnet from LAN just to be sure. because i only use HTTP from LAN)

4- in "system tool" then "TR-069" i changed the logins and passwords with random stuff then i desabled it.

This is all i think , i hope it helps you. GL.

 

[ASghostKI]

Thank you for the recap. I hope it prevent this from happening again.

I also got the IPs from the logs also the DNS servers IPs I found out that there are from AWS, so I filled an AWS abuse Report, maybe amazon can shut this down.

 

[Hachi_Roku256563]

idk if its possible but when i had a similar thing to this
when this happend i made the router only talk to mac addresses i set

 

[AsRock]

Unlikely they'd be so blunt.

Op, have you checked if there is newer firmware for this router? Is it ISP provided? If so, contact ISP asap.

Yeah should of been the 1st thing to do.

Maybe consider a separate modem\router that support your ISP.