A couple of weeks ago, we got a warning that we were going over our bandwidth limit of 320 GB, which is excessive for us. When inspecting the Hitron, there were 3 rules added under port forwarding that were not there before. I originally set up the router and changed the cusadmin default password and told nobody, so I do not know how the port rules were added.
I called Rogers tech support and explained. They were puzzled too. We factory reset the modem and went on.
Two weeks later, in a new billing period, I checked bandwidth usage. During a day when internet usage was very light, we did almost 8 GB of data. When I logged into the Hitron, there were again 3 port forwarding rules added: 1 Teredo and 2 Skype. We don't use Skype. I have to assume somebody is logging into the Hitron from the WAN (internet) port to make changes, as I have secured the Hitron from my local side. No open WiFi, no unrecognized clients connected, default passwords changed.
I called Rogers, and got escalated to a Tech Expert. They had no answers or explanations. Again we factory reset the Hitron. They also recommended that I leave the Hitron unplugged for 8 hours to get a new WAN IP assigned and see if that helps (I call this security through obscurity), which is not a great solution. I am unable to disable the login through the WAN port.
My question: is anybody else experiencing this type of behaviour?
It is worrisome as it appears I am being billed for bandwidth that I am not using. The Hitron has no features either to help assist with the detective work, i.e. good logs or routing tables. For now I am just watching my Hitron and data usage closely.
I am not a fan of these Modem/Router Combos. As far as I know, these have two types of users that can log in: a regular "customer user" and an "administrator user". Even if you change the "cusadmin" default password, someone with the administrator password can make changes; internet companies normally have the same administrator password configured for all their units, and it doesn't take long for these administrator default passwords to get around. You may need to change that "administrator password" somehow. But to avoid any further "mysterious" logins, I would set up the Hitron CGN3 as a bridge only and use a router with a good, secured Wi-Fi password. You may have to buy a router though; the quality depends on what type of user you are.
Here is the link to make the Hitron a bridge only.
There have been some odd usage things come up with some others in the past... but generally it's been believed to be more so from something like MAC cloning or something similar.
This is the first I have specifically heard of someone getting OTHER port forwarding things added to the list though.
I am wondering if having UPnP on, on the router.. and some device trying to start something/connect, is adding it? That's the only other possibility I can think of, other than if it's being broken into.
Personally, JUST in case there is a compromise specifically on that one itself.. I would go and exchange it, if you are able to.
Actually, I never thought of that..
What is it actually forwarding to? Is it all the same IP?
Does the machine show up on the device table (when it eventually comes up) and can you identify what machine it is? That it is one of yours?
Would be an interesting test then... turn that device completely off.. do the reset.. then see if they come back with it off
It was forwarding to a windows PC, and after checking the running processes and running a virus scan we didn't find anything of concern. I deleted the rule pointing to this computer.
Over night another port forward rule was added that used the IP address of my own PC! I don't think there is malicious software running on the local computers.
The port forward rules that were being added always pertained to a single local IP address of one of the computers on the local network. I assume the attacker looked at the DHCP client list and created a rule accordingly. Why? This essentially opens a hole in the firewall to that computer and allows an outside attacker to issue commands to that computer and get responses to understand how that computer is set up. The first step to hacking. This allows an attacker to learn about your PC and network setup and find vulnerabilities, which could be bad news for me. I have reduced network security on the Windows computers to enable file sharing without user names and passwords.
I am exchanging this Hitron CGN3 today with a different one. Hopefully the new one has different login protections. But I agree with another commenter, in that I may have to put the Hitron CGN3 in bridge mode and use another router that I can secure. That way they can't simply log in to the Hitron CGN3 using the WAN IP address. Rogers may have to disable this feature in the future. It's going to cost them money and it's a big liability. I used to work for an ISP, and have logged into hundreds of modems over the internet (without users' knowledge) to reprogram them in efforts of support. With many reports about vulnerable routers, and security bugs embedded in router firmware, and this experience, I am more than a little concerned.
Guess what.. I just checked mine.. and there are entries as well.
Now.. interestingly enough.
.121 is a STATIC address I have set on my LAPTOP.. which is the ONLY one I really run Skype on.
.15 is my Samsung smart TV.. which, looking up Giraffic, is a technology Samsung uses to help with stopping buffering on its streaming.
Did I put these there??? NO.
But they are services that are present on those devices at those addresses.
I am GUESSING that UPnP may be working on the router fully now, and allowing devices to automatically add their own entries possibly.
I am going to try and REMOVE the entries.
As well, I have turned off UPnP on the gateway...
(doing this all remote from home)
Will test overnight to see, when those devices are on, if the entries are re-added.
The interesting question is going to be, what if the entries return, with the UPNP function disabled. That leads to two thoughts:
1. the UPNP function is still active despite the disabled function indication within the user interface. Has there been a bug introduced in the last firmware update?
2. is there a security breach in the control interface which is used by Rogers to remotely control and configure the modems? Don't know what Rogers uses, but TR-069, which is used by other ISPs is not considered to be absolutely secure.
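One way to test thought 1 directly is to ask the gateway over UPnP from a LAN host rather than trusting the web UI. The script below is an added example, not code from this thread, from Hitron or from Rogers: it speaks the standard UPnP Internet Gateway Device protocol (SSDP M-SEARCH discovery, then the WANIPConnection GetGenericPortMappingEntry SOAP action) and lists every mapping the gateway's UPnP stack holds, grouped by the LAN address each one forwards to. If UPnP is genuinely off, discovery gets no answer or the SOAP call fails; if new rules keep appearing while UPnP answers nothing, they are being added by some other path (the web UI or the ISP's management channel). The gateway address, description URL path and XML in the accompanying checks are constructed, not captured from a real device.

```python
# Added example: enumerate UPnP IGD port mappings on a LAN gateway. Not from the
# thread, Hitron or Rogers; uses only the standard IGD protocol. Any addresses,
# URL paths and XML used with it are constructed.
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WANIP_PREFIX = "urn:schemas-upnp-org:service:WANIPConnection"

@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str

def _local(tag: str) -> str:  # strip the XML namespace: '{ns}Name' -> 'Name'
    return tag.rsplit("}", 1)[-1]

def ssdp_discover(timeout: float = 2.0) -> List[str]:
    """Multicast an M-SEARCH; return the LOCATION URLs of gateways that answer."""
    msearch = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
               "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()
    found: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msearch, ("239.255.255.250", 1900))
        try:
            while True:
                m = re.search(rb"(?im)^LOCATION:\s*(\S+)", sock.recvfrom(4096)[0])
                if m:
                    found.append(m.group(1).decode())
        except socket.timeout:
            pass
    return found

def find_control_url(location: str, description_xml: bytes) -> Optional[Tuple[str, str]]:
    """Return (controlURL, serviceType) of the WANIPConnection service in a device description."""
    for service in ET.fromstring(description_xml).iter():
        if _local(service.tag) != "service":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in service}
        if f.get("serviceType", "").startswith(WANIP_PREFIX):
            return urllib.parse.urljoin(location, f["controlURL"]), f["serviceType"]
    return None

def build_soap(service_type: str, index: int) -> bytes:
    """SOAP body for GetGenericPortMappingEntry; the index walks the gateway's mapping table."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_mapping(response_xml: bytes) -> Optional[PortMapping]:
    """Parse one response; None on a SOAP Fault (error 713 SpecifiedArrayIndexInvalid = end of table)."""
    fields: Dict[str, str] = {}
    for el in ET.fromstring(response_xml).iter():
        if _local(el.tag) == "Fault":
            return None
        fields[_local(el.tag)] = (el.text or "").strip()
    return PortMapping(int(fields["NewExternalPort"]), fields["NewProtocol"],
                       int(fields["NewInternalPort"]), fields["NewInternalClient"],
                       fields["NewPortMappingDescription"])

def soap_call(control_url: str, service_type: str, index: int) -> bytes:
    """POST the action. Gateways deliver a SOAP Fault as HTTP 500, so keep that body too."""
    req = urllib.request.Request(
        control_url, data=build_soap(service_type, index), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPACTION": f'"{service_type}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()

def enumerate_mappings(control_url: str, service_type: str, limit: int = 256) -> List[PortMapping]:
    """Walk indices 0.. until the gateway faults; limit guards against a device that never does."""
    mappings: List[PortMapping] = []
    for index in range(limit):
        entry = parse_mapping(soap_call(control_url, service_type, index))
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def by_internal_client(mappings: List[PortMapping]) -> Dict[str, List[str]]:
    """Group rules by the LAN host they expose (the 'is it all the same IP?' question)."""
    grouped: Dict[str, List[str]] = {}
    for m in mappings:
        grouped.setdefault(m.internal_client, []).append(
            f"{m.protocol}/{m.external_port}->{m.internal_port} {m.description!r}")
    return grouped

if __name__ == "__main__":  # live run from a host on the LAN (needs network access)
    for location in ssdp_discover():
        with urllib.request.urlopen(location, timeout=5) as resp:
            hit = find_control_url(location, resp.read())
        if hit:
            for client, rules in by_internal_client(enumerate_mappings(*hit)).items():
                print(client, *rules, sep="\n    ")
```

Run it from a PC on the LAN before and after toggling UPnP in the Hitron UI and compare the two listings. Keep in mind that the IGD protocol has no authentication at all: any process on any LAN device can call AddPortMapping, so a rule pointing at a host you own and carrying a description such as "Teredo" or "Skype" is exactly what a legitimate application, or malware on that host, would produce through UPnP, and enumeration alone cannot tell you which.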
Many things like the XBOX, PS3/4, try to use UPnP to do their outbound connections properly..
An issue the NAT on the CGN3 seems to have problems with..
This could be an attempt to FIX those sorts of things, by enabling whatever was blocking them before on the UPnP/NAT side.. but may have allowed this unit to then do these sorts of things..
I will let you guys know if i see anything tonight/overnight.