 pejacoby
join:2009-02-03 Saint Paul, MN
| Who is pqwest1.qwest.motive.com? Logging onto my router!
Checking my syslog server today, I found that pqwest1.qwest.motive.com has logged into my router! I changed my admin password when I first set up the Motorola 3374, but they appear to have another password that works....
Last reboot was June 10th:
Jan 1 00:01:06 192.168.1.1 Netopia-3000/146308569984 1904 Received NTP Date and Time: Jun 10 16:24:24 2009
Then I see this from yesterday:
Jun 17 16:27:01 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.167 dstIP: xx.xxx.xx.xxx srcPort:35204 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39030 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39030 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39029 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39029 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39031 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39031 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39036 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39036 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39037 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39037 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39038 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: xx.xxx.xx.xxx srcPort:39038 dstPort: 7547 administrative access attempted
Jun 17 21:54:55 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: xx.xxx.xx.xxx srcPort:57902 dstPort: 7547 administrative access denied - invalid password
Jun 17 21:54:55 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: xx.xxx.xx.xxx srcPort:57902 dstPort: 7547 administrative access attempted
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: xx.xxx.xx.xxx srcPort:57941 dstPort: 7547 administrative access denied - invalid password
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: xx.xxx.xx.xxx srcPort:57941 dstPort: 7547 administrative access attempted
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: xx.xxx.xx.xxx srcPort:57946 dstPort: 7547 administrative access authenticated and allowed
Looking up the source IP, I find someone from "motive.com"
$ nslookup 64.186.178.167
Server: 205.171.3.65
Address: 205.171.3.65#53

Non-authoritative answer:
167.178.186.64.in-addr.arpa name = pqwest1.qwest.motive.com.

Authoritative answers can be found from:
178.186.64.in-addr.arpa nameserver = ns7.motive.com.
178.186.64.in-addr.arpa nameserver = ns4.motive.com.
178.186.64.in-addr.arpa nameserver = ns8.motive.com.
178.186.64.in-addr.arpa nameserver = ns3.motive.com.
ns4.motive.com internet address = 66.193.112.141
Motive.com is a device management company: "Motive digital life management software is helping wireline, wireless, cable and satellite operators worldwide deliver next generation IP-based services that seamlessly integrate voice, video and data into a single connected experience."
But try to find anything about them on Qwest's site and you'll come up empty.
WTF?!!! |
|
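The entries pejacoby posted have a regular shape (timestamp, relay, device, source and destination IP and port, and an outcome of "attempted", "denied - invalid password" or "authenticated and allowed"), so the check he did by eye can be turned into a small detector. The following is an added example, not code from the thread or from Motorola/Netopia: it parses Netopia-3000 syslog lines of that shape, tallies per-source connections, failures and successes on the WAN admin port (7547/TCP here), and raises an alert for any successful admin login from a source that is not on an allow list, or for more than a handful of failed logins from one source. The sample log is constructed to mirror the posted entries; the destination address is a documentation placeholder, and the `trusted_sources` allow list and the `max_failures` threshold are the example's own parameters.

```python
import re
from collections import defaultdict

# Field layout of the Netopia-3000 syslog lines quoted in the thread.
# The relay address and the numeric field after the device name are
# matched only so the pattern anchors correctly; the outcome text is
# everything after "administrative access".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<relay>\S+) (?P<device>\S+) \d+ "
    r"protocol: (?P<proto>\S+) srcIP: (?P<src>\S+) dstIP: (?P<dst>\S+) "
    r"srcPort:\s*(?P<sport>\d+) dstPort:\s*(?P<dport>\d+) "
    r"administrative access (?P<outcome>.+?)\s*$"
)

# Constructed sample modelled on the posted entries (dstIP 203.0.113.5 is
# a documentation address standing in for the masked public IP).
SAMPLE_LOG = """\
Jun 17 16:27:01 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.167 dstIP: 203.0.113.5 srcPort:35204 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: 203.0.113.5 srcPort:39030 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: 203.0.113.5 srcPort:39030 dstPort: 7547 administrative access attempted
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: 203.0.113.5 srcPort:39029 dstPort: 7547 administrative access denied - invalid password
Jun 17 16:27:14 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.165 dstIP: 203.0.113.5 srcPort:39029 dstPort: 7547 administrative access attempted
Jun 17 21:54:55 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: 203.0.113.5 srcPort:57902 dstPort: 7547 administrative access denied - invalid password
Jun 17 21:54:55 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: 203.0.113.5 srcPort:57902 dstPort: 7547 administrative access attempted
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: 203.0.113.5 srcPort:57941 dstPort: 7547 administrative access denied - invalid password
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: 203.0.113.5 srcPort:57941 dstPort: 7547 administrative access attempted
Jun 17 21:54:57 192.168.1.1 Netopia-3000/146308569984 2009 protocol: TCP srcIP: 64.186.178.169 dstIP: 203.0.113.5 srcPort:57946 dstPort: 7547 administrative access authenticated and allowed
"""


def parse_events(text):
    """Return one dict per line that matches LOG_RE; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def summarize(events, admin_port=7547):
    """Per source IP: distinct connections (by source port), denied and allowed logins."""
    stats = defaultdict(lambda: {"connections": set(), "denied": 0, "allowed": 0})
    for e in events:
        if e["dport"] != admin_port:
            continue
        s = stats[e["src"]]
        s["connections"].add(e["sport"])  # "attempted" + outcome share a source port
        if e["outcome"].startswith("denied"):
            s["denied"] += 1
        elif e["outcome"].startswith("authenticated"):
            s["allowed"] += 1
    return {src: {"connections": len(v["connections"]), "denied": v["denied"],
                  "allowed": v["allowed"]} for src, v in stats.items()}


def alerts(events, trusted_sources=frozenset(), admin_port=7547, max_failures=3):
    """Alert on a successful admin login from an untrusted source, and on
    password guessing (more than max_failures denials from one source)."""
    out = []
    failures = defaultdict(int)
    for e in events:
        if e["dport"] != admin_port:
            continue
        src = e["src"]
        if e["outcome"].startswith("denied"):
            failures[src] += 1
            if failures[src] == max_failures + 1:
                out.append(f"{e['ts']} {src}: more than {max_failures} failed admin "
                           f"logins on tcp/{admin_port}")
        elif e["outcome"].startswith("authenticated") and src not in trusted_sources:
            out.append(f"{e['ts']} {src}: successful admin login on tcp/{admin_port} "
                       f"from untrusted source after {failures[src]} failures")
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, s in summarize(evs).items():
        print(src, s)
    for a in alerts(evs):
        print("ALERT:", a)
```

Run against a real syslog export the same way; if the ISP's management hosts are expected, put them in `trusted_sources` so only a login from anywhere else fires. Counting by source port rather than by raw line avoids double-counting the paired "denied"/"attempted" entries the device writes for one connection.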
 colorbars
join:2003-03-20 USA
| When you changed the admin password did you use something that wasn't subject to a dictionary attack? I'm not familiar with that router, but if it only has space for 18 log entries there could have been hours worth of pounding on it looking for the password and you'd never know. It's possible there's a backdoor, but I don't think Motorola is that stupid.
I'd suggest two things right now. First, change your admin password again. With internal access whoever did that can get to anything. Second, for goodness sake turn off WAN side access to the admin port. If there isn't something in the system configuration then forward that port to a non-existent IP in your network. 192.168.1.254 should work fine unless you have 253 computers on your LAN. |
|
 pejacoby
join:2009-02-03 Saint Paul, MN
| First, I log to a syslog server, so I have logs back to January. This is the first time I've seen this type of access.
Second, my admin password is very strong, and something that would take many many tries to dictionary attack. The fact that the login success here occurred after just 9 attempts tells me this is some "other" administrative login, special to Qwest & Motive.com.
Third, the destination port is 7547/TCP, which appears to be something special on the WAN interface. I can telnet to it also, but it closes the connection immediately. This isn't a port that is mapped to any system on my internal network.
From a look at the motive.com site, it appears this might(?) be a router firmware version check or update attempt of some sort. I'm still searching the Motorola docs, and plan to send in a support case to Qwest. |
|
 speed_phreak Premium join:2006-03-31 Culver, OR
·Packet8
·Qwest.net
| reply to pejacoby This thread gives me a kind of ucky feeling inside...
Just one more reason to get a modem that can be put in transparent bridging mode (not sure if yours can), they can't talk to it if it doesn't have an IP address. Then you can have a real router with a real firewall. |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| I am pretty sure that AT&T can't talk to my SpeedStream 4100. But I am not worried about it. I have a router behind that modem. The worst that they could do is muck around with the modem settings. My LAN is still secure from their mucking, no matter what they might be able to do with the modem.
And, no, I am not worried about how they might impose some kind of port blocking, throttling or just killing the connection. They don't need modem access for any of that; all of that can be done at the DSLAM, or aggregation router. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
 demoniacs
join:2007-07-17
| reply to pejacoby I believe Motorola and 2Wire modems' firmware upgrades are done either manually or, most of the time, automatically. -- Study hard. Play harder. Girls hardest! |
|
  ewth8tr Premium join:2005-04-03 Salt Lake City, UT
| reply to pejacoby It's nothing that wasn't happening before, Qwest is just upgrading their ACS (TR-69) server and that's just the new server. Before, you would have been seeing these same things coming from https://cwmp.cms.acs.qwest.com instead. If you telnet in and do a show config command, you will see
set dslf-cpewan acs-url "http://pqwesthdm.qwest.motive.com/cwmpWeb/CPEMgt"
if you have been migrated to the new ACS, and something like
set dslf-cpewan acs-url "https://cwmp.cms.acs.qwest.com"
if you are still on the old ACS. |
|
 pejacoby
join:2009-02-03 Saint Paul, MN
| ewth8tr, thanks for the explanation. I found the configuration items you noted:
And sure enough, a configuration dump I made in February shows the old server:
Interesting that the username and password are stored CLEAR TEXT in the config file. Accessing the referenced URL with the supplied credentials results in a page showing:
The IP of the configured server (64.186.176.128) doesn't match any of the IPs that accessed my router, so there are evidently a number of systems in play here for inbound updates and outbound checks.
Thanks for the pointer...off to do some more Googling to see what else is happening ;-) |
|
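ewth8tr's post above gives the one config line that identifies which ACS a Netopia-based Qwest modem reports to, and pejacoby's reply adds that the ACS username and password sit in the same dump in clear text. As an added example (not code from the thread, from Motorola/Netopia or from Qwest), the following audits a text config dump for those points: it pulls the `set dslf-cpewan ...` lines, says whether the `acs-url` is the old Qwest ACS or the new Motive-hosted one, flags an ACS URL that is plain http rather than https, and flags any key that looks like a password with a value present. The only key name taken from the thread is `acs-url`; the sample config below is constructed, and its `enable`, `acs-user-name` and `acs-user-password` keys are assumed stand-ins for whatever the real firmware calls them.

```python
import re
from urllib.parse import urlparse

# "set dslf-cpewan <key> <value>" lines from a Netopia "show config" dump.
# The value may or may not be double-quoted.
SET_RE = re.compile(r'^\s*set\s+dslf-cpewan\s+(?P<key>[\w-]+)\s+"?(?P<value>[^"]*)"?\s*$')

# ACS hosts named in the thread.
KNOWN_ACS = {
    "cwmp.cms.acs.qwest.com": "old Qwest ACS (pre-migration)",
    "pqwesthdm.qwest.motive.com": "new Motive-hosted Qwest ACS",
}

# Constructed sample; key names other than acs-url are assumptions,
# and the credential values are obviously fake.
CONFIG_NEW = """\
set dslf-cpewan enable on
set dslf-cpewan acs-url "http://pqwesthdm.qwest.motive.com/cwmpWeb/CPEMgt"
set dslf-cpewan acs-user-name "EXAMPLE-USER"
set dslf-cpewan acs-user-password "EXAMPLE-SECRET"
"""


def parse_cwmp_settings(config_text):
    """Collect the dslf-cpewan (TR-069/CWMP) settings into a key -> value dict."""
    settings = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def classify_acs(url):
    """Name the ACS by hostname, or report it as unknown."""
    host = urlparse(url).hostname or ""
    return KNOWN_ACS.get(host, "unknown ACS host: " + host)


def audit_cwmp(settings):
    """Return a list of findings for the parsed dslf-cpewan settings."""
    findings = []
    url = settings.get("acs-url")
    if not url:
        findings.append("no acs-url set; CWMP management server not configured")
        return findings
    findings.append("ACS: " + classify_acs(url))
    scheme = urlparse(url).scheme
    if scheme != "https":
        # The CPE authenticates to the ACS and exchanges its configuration
        # over this URL; without TLS that traffic is readable on the path.
        findings.append(f"acs-url scheme is {scheme}, not https: CPE credentials and "
                        "configuration travel to the ACS in the clear")
    for key, value in settings.items():
        if "passw" in key.lower() and value:
            findings.append(f"cleartext credential in config dump: {key}")
    return findings


if __name__ == "__main__":
    for finding in audit_cwmp(parse_cwmp_settings(CONFIG_NEW)):
        print("-", finding)
```

Feed it the output of `show config` saved to a file; a dump that still points at `https://cwmp.cms.acs.qwest.com` yields only the "old Qwest ACS" line, while one that has been migrated also gets the plain-http finding, which follows directly from the two URLs quoted in the thread.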
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
| reply to pejacoby dumb modem >> dedicated router/fw = win
I've had my ancient yet extremely capable USR 9002 and an IPcop box..a PII w/ 96 RAM btw....and a $5 switch...for years now and I sleep well.
Get out of consumer networking, and suddenly life is better.
syslog??? why?
Perhaps ya need fail2ban... fail2ban.sourceforge.net/
--
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages |
|
 questionable
join:2005-10-18 Phoenix, AZ
·Qwest.net
| Maybe some people do not want to have to go that route. Maybe some people do not have a spare PC sitting around doing nothing. Maybe the dumb modem is better for you than a dedicated router/fw because you are more knowledgeable in computing than the average computer user.
That's great if you can and have the ability to do what you suggest. But maybe, just maybe, the solution of a dedicated router is, for the average joe who doesn't have the knowledge or the inclination to actually do what you are suggesting, the best for them.
So instead of "this is better than that" or "that is better than this", how about we all just start saying "it doesn't fit my needs and I prefer to go a different route" (pun intended) |
|
  no_one
@qwest.net
| reply to pejacoby "Checking my syslog server today, I found that pqwest1.qwest.motive.com has logged into my router! I changed my admin password when I first set up the Motorola 3374, but they appear to have another password that works...."
First off, that is a Qwest modem/router, so not your router. Want your router? Put your router after it. Then if you have your router set up correctly, no fear. Yes, changing the default passwords on a modem still helps etc. You want your own router, buy it from a company you trust and set it up. |
|
  no_one
@qwest.net
| reply to pejacoby I like having my own router with wireless behind the modem. I set and forget the modem. Thus I do not have to play with it and then accidentally mess up my connection. I play with, or should say adjust, my router for new or different setups sometimes. If I fail I still have an internet connection if I need it; just move a cable. |
|
  racermd
@wirelessronin.com
| reply to no_one
said by no_one: "First off that is a Qwest modem/router so not your router."
On the contrary, it very well may be 'his' modem/router despite Qwest supplying it. Qwest has (and still does) offer a purchase option on the equipment they supply.
I, for one, find this behavior disturbing as I, too, own my Qwest-supplied DSL modem/router and would definitely not intentionally allow any sort of back-door access for ANY reason.
However, as others have noted, one can easily put another 'true' router between the home network and the Qwest DSL equipment, even if all that means is a cheap Linksys device. |
|