suspicious login attempt on ZyXEL router

Chris2000

New Around Here
I hope this thread is at the right place.
For 3 days now, I have not had any connection between my laptop and my router. The router still connects fine with other devices.
On that specific HP laptop, only the wifi and bluetooth card is still running, but with "limited access". I had to reinstall the drivers as they all disappeared from one day to the next. I still have no way to connect, even wired to the router.
Trying to establish the connection again, I looked at my router log and found these numerous attempts about child connection and login from a nonexistent user. Could this be linked to the fact that I've lost my connection?
I've done complete scans with antivirus and anti-malware with no results.
I'm running an HP laptop with Win 7 x64.
Any help would be appreciated, thanks!


Attached is my router log.

Attachment: zyxel log.txt (59.3 KB)
There are a bunch of attempts but at least 2 successful logins, which seem to be malicious.

I am unfamiliar with IPv6, but the IPv4 address "192.152.*.*" is a public IP...

You seem to have been infiltrated. Hopefully someone else will reply. I would reset the router, choose a more secure password and disable external SSH access.
 
If you think your router has been compromised I would flash over the router with the latest firmware, even if it is the same version of firmware. The first thing to do with new router firmware is change the default password from another trusted machine. If you don't want to use IPv6 on a Windows machine, go into the adapter settings and uncheck IPv6 to turn it off.
 
I'd agree with the comments above. There were 4 successful connections over SSH. They logged on using the default "user" account.

Assuming your router is a P-660HNU-F1 then after doing a factory reset go to Maintenance > User Account and change the "admin" and "user" passwords. Also, go to Maintenance > Remote MGMT and un-tick (disable) all of the WAN services.
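The review the replies above did by hand (count the failed attempts per source, spot accepted logins coming from a public address rather than the LAN, note the default "user" account, and catch the root attempts that follow) can be scripted. The block below is an added example, not code from the thread or from ZyXEL; the log lines are constructed in a generic sshd/syslog shape, since the real attachment is not reproduced here and the exact ZyXEL message format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumed format); adjust LOGIN_RE for a real ZyXEL log.
SAMPLE_LOG = """\
Jan 10 02:14:03 router sshd: Failed password for invalid user admin1 from 192.152.0.17 port 51234 ssh2
Jan 10 02:14:05 router sshd: Failed password for user from 192.152.0.17 port 51236 ssh2
Jan 10 02:14:07 router sshd: Accepted password for user from 192.152.0.17 port 51238 ssh2
Jan 10 02:14:09 router sshd: Failed password for root from 192.152.0.17 port 51240 ssh2
Jan 10 09:30:11 router sshd: Accepted password for admin from 192.168.1.20 port 40022 ssh2
"""

LOGIN_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port"
)
DEFAULT_ACCOUNTS = {"user", "admin"}  # the factory accounts named in the thread


def is_public(ip_text):
    """True for Internet-routable addresses: 192.168.x.x is private, 192.152.x.x is not."""
    return ipaddress.ip_address(ip_text).is_global


def review_log(text):
    """Summarise SSH logins: failures per source, successes from the WAN,
    and root attempts from a source that already got in (escalation)."""
    failed_by_ip = Counter()
    wan_successes = []          # (user, ip) accepted logins from public addresses
    compromised_ips = set()
    escalation_attempts = []    # failed root logins from an already-successful IP
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, ip, accepted = m["user"], m["ip"], m["result"] == "Accepted"
        if not accepted:
            failed_by_ip[ip] += 1
            if user == "root" and ip in compromised_ips:
                escalation_attempts.append(ip)
            continue
        if is_public(ip):
            wan_successes.append((user, ip))
            compromised_ips.add(ip)
    return {
        "failed_by_ip": failed_by_ip,
        "wan_successes": wan_successes,
        "default_account_wan": [u for u, _ in wan_successes if u in DEFAULT_ACCOUNTS],
        "escalation_attempts": escalation_attempts,
    }
```

On the constructed input this reports one accepted WAN login on the default "user" account from 192.152.0.17, three failures from that source, and one root attempt after it got in, while the LAN-side admin login is left alone.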
 
To me, from the log it looks like they scanned some of your ports, found an open one, then logged in to an account called user and tried to escalate to root and failed. It appears that ZyXEL has a default account that has a "user" password, so I would think that may be associated with the user account (it looks like they were trying blank as well, so it must be a script kiddie type thing, looking for default user/pass combos). As others have suggested, you may wish to turn off external telnet/SSH access so that admin is only available to your LAN (not WAN), and perhaps UPnP as the manual I looked at seemed to mention something about a checkbox for allowing remote configuration via that protocol.

Personally, if you changed the default admin password they probably didn't do anything, but I would reset the firmware and limit outside access. Out of curiosity, what is the exact modem model and what else is connected to your network? I am assuming this is PPPoE access, correct?
 
Thanks a lot for your answers!
You are right, there is a "user" access with a default password, but it only gives access to read-only information about the network. The admin access has another password which I had changed when I installed the router. The router is a ZyXEL P-660HNU-T1. The other devices connected are some iPads, an iPhone, an Android phone, a Buffalo NAS and a TV.

Following your recommendations, I have removed remote management over SSH. All other remote management possibilities (WWW, telnet, FTP, DNS, ICMP) are LAN only. SNMP was already disabled, and the only one with WAN settings was ICMP, which I've now changed to LAN.
Do you think it is a problem, knowing that this router was given to me by my ISP? Maybe I should buy a new router of my own, so that my ISP would not be able to "spy" on me...
This router is configured as ENET ENCAP (not PPPoE).
Also, I'm using OpenDNS; do you think this would cause a problem?


Thanks again for your time.
 
I think you're pretty safe now that you've disabled remote management and changed the password. Well, as safe as any home router is.

There's no reason to believe your ISP is spying on you (NSA requests notwithstanding). You were just subject to the normal port scanning that we all are. It's just unfortunate that you hadn't changed the default password. The script kiddies will have a list of all the common user names and passwords.

Using OpenDNS is not a problem.
 
I was a bit surprised when reviewing the log to see a successful "user" account login...

I think the takeaway here is that IoT is a new threat surface, and existing devices can enable things - getting web access means a server is behind it, and obtaining shell access from there might be an easy task...

With IPv4, one has to purposely give access to the internal LAN - for example, an OpenVPN client config can do this, but generally, if one is NAT'ed, one is pretty safe... as one keeps public resources to a bare/null...

OP was at risk because his WAN interface exposed services it probably should not have...

With IPv6, the rules change a bit...
 