Pretty sure my modem is compromised

I don't really know what the correct name for this thing is, they call it a network termination device. It sits between my router and the wireless transceiver on the roof, it provides power to the transceiver and has four ethernet ports which are for different services (so not a switch but probably each is a different VLAN, I'm not really sure how it works or what the other services would be).

It isn't (as far as I can tell) a router; it only appears to have the one public IP, which I can see when monitoring my WAN interface. But I really don't know, I haven't been able to find any meaningful documentation for it.

I don't believe it is running NAT: I have a public IP on my WAN interface that I get from the ISP, and the address of the box is not my gateway. I really don't know how it works, though; there's no authentication on the router, but the box would have some kind of ID that is used to connect the service to my account. There is no web login, no internal IP address, and no brand; it's just an NBN network termination device.

But if it was running NAT it still shouldn't be able to see anything on my LAN, and my LAN doesn't have a route to it, not a direct one anyway, without going to the ISP gateway and back again.

Telstra branded?

I think I know now what's going on here.

Essentially it's the ISP equipment that's fucked.

Just pick out the closest one you can find:

https://www.google.comsearch?q=network+termination+device+australia&safe=off&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjp5Irin5_UAhXEJMAKHSZoA5oQ_AUIBigB&biw=1920&bih=954#safe=off&tbm=isch&q=wireless+network+termination+device+telstra

Yeah, that's the one


this thread has been a roller coaster.


:stuck_out_tongue:

Yeah, it's getting interesting.


Cool, I think I can find something on that and figure out wtf is up with it from some of my Au guys.

PS: It looks to be outdated as shit inside; pretty vulnerable infrastructure if you ask me.


Awesome, thanks a lot for your help.

Well that's okay, it's not like everyone with an NBN connection has one or anything.

oh wait.

Related thread. Ham radio and RF guys seem to hate the wireless NTDs for pissing noise and interference all over the spectrum.

But it did reveal a model number as a clue:

https://vintage-radio.com.au/default.asp?f=1&th=937

Well I haven't noticed any issues with my Wi-Fi, but it doesn't surprise me.

Ok, I've been speaking to the guys from NBN.

NTP services are currently being upgraded to the newer 4.2.8p1 and the monlist exploit has been disabled.

You are however still able to request time from the external IP.

ntpdc -n -c version $IP

If you run this command against your current modem's IP address you should see the following, with the new version and build date:

ntpdc [email protected] Mon Apr 24 18:57:18 UTC 2017 (1)

They updated it just now?

Yes, the issue should be resolved now if your NTU has already updated.

Well that's cool, it looks like it is updated. However, I'm still seeing the same NTP traffic.

Ok, I just did another scan and it seems your box has not yet updated.

Still running on 4.2.6p2:

sudo nmap -sU -pU:123 -Pn --script=ntp-info 58.108.86.181

Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for n58-108-86-181.per1.wa.optusnet.com.au (58.108.86.181)
Host is up (0.54s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info: 
|   receive time stamp: 2017-06-02T15:00:04
|   version: ntpd [email protected] Sun Oct 17 13:24:55 UTC 2010 (1)
|   processor: armv5tejl
|   system: Linux/2.6.28.10-ami
|   leap: 0
|   stratum: 2
|   precision: -18
|   rootdelay: 355.162
|   rootdisp: 149.036
|   refid: 132.163.4.103
|   reftime: 0xdcdbeee0.8ceebeb7
|   clock: 0xdcdbfbe7.6fd987ca
|   peer: 0
|   tc: 10
|   mintc: 3
|   offset: 6.767
|   frequency: 15.881
|   sys_jitter: 71.784
|   clk_jitter: 12.915
|_  clk_wander: 0.616
Service Info: OS: Linux/2.6.28.10-ami

sudo nmap -sU -pU:123 -Pn --script=ntp-monlist 58.108.86.181

Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for n58-108-86-181.per1.wa.optusnet.com.au (58.108.86.181)
Host is up (0.55s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist: 
|   Alternative Target Interfaces:
|       10.1.1.2        
|   Private Servers (1)
|       10.1.1.3        
|   Public Servers (2)
|       103.38.120.36   132.163.4.103   
|   Public Clients (1)
|_      XX.XXX.XXX.XXX

All public clients except for my tunnel exit point though have evidently been disconnected by you resetting the device.

You should be able to run the same scans to see what's going on with the NTP service from your side.

I would at this point say, give your ISP a call and tell them to upgrade your NTU software or entire device to fix the monlist exploit.

It should be brought up to standard like the other devices in your IP block:

https://www.shodan.io/search?query=net%3A58.104.0.0%2F13+port%3A123

Running ntpdc gives me version 4.2.8 but nmap says 4.2.6. But yeah, I'll call my ISP tomorrow and hopefully get this sorted out. Thanks again, you've been awesome.
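The version mismatch above has a mundane cause: `ntpdc -c version` prints the version of the local ntpdc binary, not of the server it is pointed at, while nmap's ntp-info script asks the device itself. The script below is an added example, not code from the thread or from NBN; it sends the same mode 6 READVAR query that `ntpq -c rv` sends and parses the returned system variables, so you can read your own NTU's real ntpd version from the LAN side. The threshold of 4.2.8 as "no longer offers monlist" is an assumption stated in the code, and the sample datagram is constructed, shaped like the ntp-info output in the thread (the `@sample` suffix stands in for the build identifier the forum software stripped).

```python
"""Read an NTP server's real ntpd version with a mode 6 READVAR request (the
query `ntpq -c rv` sends) and flag versions that predate the removal of monlist.
Added example; the live query and the threshold are this author's, not NBN's."""
import re
import socket
import struct

# 12-byte NTP control (mode 6) header, RFC 1305 Appendix B:
# LI/VN/Mode, R|E|M|opcode, sequence, status, association id, offset, count.
CTRL_HEADER = struct.Struct("!BBHHHHH")
MODE_CONTROL = 6
OP_READVAR = 2
RESPONSE_BIT, ERROR_BIT, MORE_BIT = 0x80, 0x40, 0x20
# Assumption: monlist was dropped during the 4.2.7 development series, so any
# ntpd at 4.2.8 or later is treated as no longer offering it.
FIRST_WITHOUT_MONLIST = (4, 2, 8, 0)


def build_readvar_request(sequence: int = 1) -> bytes:
    """READVAR for association 0, i.e. the system variables (version, system, ...)."""
    first_byte = (0 << 6) | (2 << 3) | MODE_CONTROL  # LI=0, VN=2, mode 6 -> 0x16
    return CTRL_HEADER.pack(first_byte, OP_READVAR, sequence, 0, 0, 0, 0)


def parse_control_fragment(packet: bytes):
    """Validate one mode 6 response datagram; return (offset, more, body)."""
    if len(packet) < CTRL_HEADER.size:
        raise ValueError("short packet")
    first, flags, _seq, _status, _assoc, offset, count = CTRL_HEADER.unpack_from(packet)
    if first & 0x07 != MODE_CONTROL:
        raise ValueError("not an NTP control packet")
    if not flags & RESPONSE_BIT:
        raise ValueError("not a response")
    if flags & ERROR_BIT:
        raise ValueError("server returned an error response")
    body = packet[CTRL_HEADER.size:CTRL_HEADER.size + count]
    if len(body) != count:
        raise ValueError("payload shorter than count field")
    return offset, bool(flags & MORE_BIT), body


def parse_variables(text: str) -> dict:
    """Turn 'version="ntpd 4.2.6p2 ...", leap=0, stratum=2' into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]*)', text)
    return {key: value.strip().strip('"') for key, value in pairs}


def ntpd_version(variables: dict):
    """Extract (major, minor, micro, patch) from the 'version' variable, or None."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", variables.get("version", ""))
    if not match:
        return None
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def offers_monlist(version) -> bool:
    """True when the parsed version is older than the assumed cut-off."""
    return version is not None and version < FIRST_WITHOUT_MONLIST


def query_system_variables(host: str, timeout: float = 3.0) -> dict:
    """Live query of a device you operate; reassembles multi-fragment replies."""
    fragments = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_readvar_request(), (host, 123))
        while True:
            offset, more, body = parse_control_fragment(sock.recv(1024))
            fragments[offset] = body
            if not more:
                break
    text = b"".join(fragments[k] for k in sorted(fragments)).decode("ascii", "replace")
    return parse_variables(text)


# Constructed sample datagram, shaped like the readvar output of an old ntpd.
SAMPLE_BODY = (b'version="ntpd 4.2.6p2@sample Sun Oct 17 13:24:55 UTC 2010 (1)", '
               b'processor="armv5tejl", system="Linux/2.6.28.10-ami", leap=0, stratum=2')
SAMPLE_PACKET = CTRL_HEADER.pack(0x16, RESPONSE_BIT | OP_READVAR, 1, 0, 0, 0,
                                 len(SAMPLE_BODY)) + SAMPLE_BODY


def check_sample() -> dict:
    """Parse the constructed datagram and report whether monlist is likely present."""
    _offset, _more, body = parse_control_fragment(SAMPLE_PACKET)
    variables = parse_variables(body.decode("ascii"))
    version = ntpd_version(variables)
    return {"version": version, "offers_monlist": offers_monlist(version),
            "system": variables["system"]}


if __name__ == "__main__":
    print(check_sample())
```

To check a real device, call `query_system_variables("<your NTU address>")` and feed the result to `ntpd_version`; a timeout means the device is not answering mode 6 queries from that side, which is itself worth knowing before you argue the version with your ISP.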

In other News...

LOL


Well my ISP was completely useless, so I guess I'm just stuck with it.

Thread - is - epic

I am absolutely furious at the moment. I can understand that some call centre stooge from India is not going to be able to help me, but they could at least help me get in contact with someone who can, rather than tell me that the problem is I'm not using the ISP modem (they mean router).

It's annoying that my modem is spewing NTP traffic out and slowing my internet down, sure, but what really makes me angry is that there is a box between me and my ISP that gives remote access to essentially the government, AND that it's vulnerable to known exploits, meaning that anyone could potentially take control of it.

And even if the government does something about it, god knows how much taxpayer money it's going to cost to fix.

Anyway, on Monday I will try my ISP again and hopefully I can talk to someone who actually works at Optus and therefore might give a shit, but failing that I'm probably going to take this up with the Ombudsman.

In the meantime I'm thinking that if I can get in between the network termination device and the antenna I could put a firewall in. But A) the antenna is powered by PoE; I have some injectors, but I'm not sure what will happen if I try it and it's not using the PoE standards. And B) if they figure out that I have done that they will probably fine me or something.


Great... LOL, I hope it's not the MyRepublic VDSL2 modem with the 2 VoIP connections that's being compromised.