
Warning About Vodafone's hg658c Router (malware)

  • 07-12-2015 12:35pm
    #1
    Registered Users, Registered Users 2 Posts: 10


    If you are using Vodafone's hg658c router stop now. I don't know if this exploit is recent.

    All my data stolen
    My router being used as a proxy for illegal activity
    My email accounts were all logged into and Google would not detect suspicious activity because the hacker was using my router IP, so Gmail thinks everything is normal. I noticed because my recent activity said I was using Windows. I never use Windows.
    Wife's updated iPad redirecting to spam sites.
    Google captcha prompt for suspicious network activity (my router was used as a proxy to scrape Google for data). It does not matter how secure your OS is; I used hardened Linux Mint. The malware is at the router level.

    These infected routers are part of a botnet and are rented out to the highest bidder usually on irc channels, blackhat forums.

    What's worse is you cannot change your router because Vodafone require you to use it. Vodafone won't do anything about it and I expect it to fall on deaf ears. But it may help some people and get picked up by the media. In a worst-case scenario you could be done for child porn because your router was used as a proxy to browse it.
    eweek.com/c/a/Security/Huawei-Routers-Are-Easily-Hacked-Say-Security-Pros-550968


Comments

  • Registered Users, Registered Users 2 Posts: 10 routerhacked


    Sorry can't edit posts yet
    Found on stackexchange

    I'm wondering what could a hacker do if he had access to my router?

    An attacker (the hacker) could do anything if Telnet or SSH access is available (probable). If the router's shell environment allows writes, then the attacker could run echo "binary contents of executable">executable;./executable which could be used to execute any executable. The attacker could do anything that the modem does using software (intercept, modify content received or sent).

    Even without Telnet or SSH access, the attacker could use the web admin utilities to change DNS entries and redirect any website to a malicious one.

    In any case, communications over HTTPS (including passwords) will not be compromised as the data is encrypted before reaching the router.

    My router does not show my external IP.

    All routers must have an IP as they send IP packets which have an IP address and destination.


  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    My email accounts were all logged into and Google would not detect suspicious activity because the hacker was using my router IP, so Gmail thinks everything is normal.

    Your report of Huawei modems being insecure doesn't imply in any way that vodafones current device is externally accessible.

    You log into Google with HTTPS, it's not that easy to just gather your details by taking over a router. You also use google without 2 factor Auth, when you claim you use hardened Linux? If your email was hacked I would start looking elsewhere unless you have actual proof of this.


  • Registered Users, Registered Users 2 Posts: 3,323 ✭✭✭davo2001


    OP saying a lot of ifs and buts but no actual proof.


  • Closed Accounts Posts: 214 ✭✭amikoalien2


    Your report of Huawei modems being insecure doesn't imply in any way that vodafones current device is externally accessible.
    Afraid you're wrong there.
    Vodafone have a back door route into your router HG658c.
    Look under Advanced / ACL /
    You will see an HTTPS entry for Vodafone; assuming that an intruder can fake an IP address they could get in.
    I have tried to remove this back door entry without success; it will not let you delete it.

    Just as a side note Vodafone started updating the firmware in the HG658c a few days ago.


  • Registered Users, Registered Users 2 Posts: 10 routerhacked


    Your report of Huawei modems being insecure doesn't imply in any way that vodafones current device is externally accessible.

    You log into Google with HTTPS, it's not that easy to just gather your details by taking over a router. You also use google without 2 factor Auth, when you claim you use hardened Linux? If your email was hacked I would start looking elsewhere unless you have actual proof of this.
    The Huawei hg658c has a ton of problems lots of bugs and open ports and
    hg658c.wordpress.com/
    Changing the default password on the router is pointless when:
    1) There are undocumented accounts on the router.
    2) You don’t have the password needed to log into the account to change the password!
    What you think routers cannot be hacked? securityledger.com/2014/03/sohowned-300k-home-routers-hacked/
    Routers are not even hard to hack. There are some 0days out there known only to a few people and they make millions of these exploits.


  • Registered Users, Registered Users 2 Posts: 4,963 ✭✭✭long_b


    The ipad redirection - anything like this?

    http://touch.boards.ie/thread/2057531915/1/#post97995942


  • Registered Users, Registered Users 2 Posts: 10 routerhacked


    long_b wrote: »
    The ipad redirection - anything like this?

    boards.ie/thread/2057531915/1/#post97995942

    Yes, only when I connected via my router, not 4G. The last post says their IP was Vodafone. The exact same site offering a free iPhone. I don't think it's a third-party ad network being exploited because it only happens when I connect with my router.
    They are using the new domain extension .tech to spoof Apple's domain, sneaky bastards: http: // store . apple . com-free . tech
    Another interesting post from that thread:
    Worth pointing out I clicked ok on one of those ads once in an attempt to dismiss it, within the hour someone had tried to access my Facebook from Taiwan!


  • Registered Users, Registered Users 2 Posts: 416 ✭✭Faker74


    amikoalien2 wrote: »

    Just as a side note Vodafone started updating the firmware in the HG658c a few days ago.

    Sorry, just so I understand this section of the post.

    Is the suggestion that updating will fix the alleged issue? Or that the update has caused the issue?


  • Closed Accounts Posts: 214 ✭✭amikoalien2


    Faker74 wrote: »
    Sorry, just so I understand this section of the post.

    Is the suggestion that updating will fix the alleged issue? Or that the update has caused the issue?
    The update, I think, introduced some routing in prep for IPTV; that was the impression I got,
    without knowing what changes were made to the firmware.
    Vodafone certainly did not inform me that they were pushing out an update that would disable my SIP trunk (fact).
    Then we are all just guessing what effect this update will have.
    see this post
    http://www.boards.ie/vbulletin/showthread.php?t=2057532271


  • Registered Users, Registered Users 2 Posts: 1,660 ✭✭✭crawler


    Why not tell Vodafone about this? http://www.boards.ie/ttforum/1270


  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    You will see an HTTPS entry for Vodafone; assuming that an intruder can fake an IP address they could get in.

    Would have to pretty much be on your local subnet, as well as knowing the accounts needed to access on that particular model.


  • Registered Users, Registered Users 2 Posts: 2,462 ✭✭✭projectgtr


    Having the same issue contacted Vodafone on their page, If anyone has any input fire it in there http://www.boards.ie/ttfthread/2057539101


  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    projectgtr wrote: »
    Having the same issue contacted Vodafone on their page, If anyone has any input fire it in there http://www.boards.ie/ttfthread/2057539101

    It's pretty difficult for a home router to hijack HTTP sites and inject ads into them. Is it HTTP sites or HTTPS sites? I wonder is it possible that Vodafone themselves have HTTP code injection on their network and that's been compromised. American ISPs have done it.

    You could test by picking up a replacement router; if the issue persists it's on the network. Or check the difference in the HTTP between the 2 networks.


  • Registered Users, Registered Users 2 Posts: 9,208 ✭✭✭keithclancy


    Hmmm ... Smells like something to me ..

    In any case why would you access a service if there was an error saying the PKI Chain had a problem ?

    And why all of a sudden did you come onto boards of all places ?


  • Registered Users, Registered Users 2 Posts: 5 estruct


    Hummm ... Reading this post so far and found that really really interesting...
    What put me in doubt was the trials I made in setting up my web server.
    It was clearly impossible to access that server from outside. Obviously I set up port forwarding to my local IP address etc. etc. beforehand.
    Even with the firewall off the port forwarding does not work at all...

    So after googling I found this forum, and after reading this wonderful and scary blog hg658c.wordpress.com/
    I've been changing passwords for the 3 accounts and disabled WPS.

    So on further digging I've found very, very weird things on the status page of the router, and if anyone would comment or explain what this is ... I would be curious to understand those logs...
    1/ Log on to the router
    2/ Go to the status page
    3/ Status > Device Information > Activated Nat Sessions > Detail

    Detail is a link to a log file... (see below)
    I wonder what those NAT sessions are; I've absolutely no idea what they are... I never set up any of those as far as I know...
    Could it be any of the hacks discussed above?
    Doing some DNS lookups gives very weird results...
    Any comment / feedback?
    If you have this router at home make the test please!


    VERSIONS:

    Product type HG658c
    Device ID F83DFF-xxxxxxxxxxxxxxx
    Hardware version HG658BZV VER.A
    Software version V100R001C172B227
    Batch number BC172P0.227.A2pv6F038m.xxxx
    MAC Address 64:A6:51:XX:XX:XX
    System up time 0 days 1 hours 13 minutes 49 seconds
    Activated Nat Sessions Detail

    NAT SESSION LOG:

    Proto Type Inside Local Inside Global Outside Local Outside Global Expires(Secs)
    tcp dynamic 192.168.1.4:42188 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42188 110
    tcp dynamic 192.168.1.4:53742 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53742 49
    tcp dynamic 192.168.1.4:42165 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42165 103
    udp dynamic 192.168.1.4:123 54.72.7.175:123 54.72.7.175:123 109.76.40.72:123 149
    tcp dynamic 192.168.1.4:45587 104.20.1.160:80 104.20.1.160:80 109.76.40.72:45587 114
    tcp dynamic 192.168.1.4:58857 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58857 6
    tcp dynamic 192.168.1.4:53877 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53877 39
    tcp dynamic 192.168.1.4:42176 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42176 93
    tcp dynamic 192.168.1.4:54231 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54231 0
    tcp dynamic 192.168.1.4:54242 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54242 90
    tcp dynamic 192.168.1.4:53914 199.30.80.32:80 199.30.80.32:80 109.76.40.72:53914 110
    tcp dynamic 192.168.1.4:43287 74.125.24.16:993 74.125.24.16:993 109.76.40.72:43287 105
    tcp dynamic 192.168.1.4:53650 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53650 19
    tcp dynamic 192.168.1.4:58862 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58862 60
    tcp dynamic 192.168.1.4:42127 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42127 110
    udp dynamic 192.168.1.4:123 52.17.30.119:123 52.17.30.119:123 109.76.40.72:123 121
    tcp dynamic 192.168.1.4:53781 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53781 13
    udp static 109.76.40.72:36697 89.19.64.164:53 89.19.64.164:53 109.76.40.72:36697 282
    udp dynamic 192.168.1.4:123 91.189.89.199:123 91.189.89.199:123 109.76.40.72:123 267
    tcp dynamic 192.168.1.4:58409 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58409 8
    tcp dynamic 192.168.1.4:41971 213.186.33.20:993 213.186.33.20:993 109.76.40.72:41971 93
    tcp dynamic 192.168.1.4:54236 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54236 52
    tcp dynamic 192.168.1.4:54243 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54243 90
    udp dynamic 192.168.1.4:123 89.101.218.6:123 89.101.218.6:123 109.76.40.72:123 274
    tcp dynamic 192.168.1.4:42175 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42175 93
    tcp dynamic 192.168.1.4:55945 212.227.15.188:993 212.227.15.188:993 109.76.40.72:55945 26
    tcp dynamic 192.168.1.4:53713 212.27.48.3:110 212.27.48.3:110 109.76.40.72:53713 106
    tcp dynamic 192.168.1.4:54233 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54233 8
    tcp dynamic 192.168.1.4:53656 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53656 100
    udp dynamic 192.168.1.4:123 54.229.222.210:123 54.229.222.210:123 109.76.40.72:123 133
    tcp dynamic 192.168.1.4:39173 74.125.24.154:443 74.125.24.154:443 109.76.40.72:39173 103
    tcp dynamic 192.168.1.4:58859 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58859 11
    tcp dynamic 192.168.1.4:53653 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53653 30
    tcp dynamic 192.168.1.4:54230 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54230 0
    tcp dynamic 192.168.1.4:58808 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58808 39
    tcp dynamic 192.168.1.4:57082 108.160.172.238:443 108.160.172.238:443 109.76.40.72:57082 78
    tcp dynamic 192.168.1.4:42345 213.233.153.244:80 213.233.153.244:80 109.76.40.72:42345 113
    tcp dynamic 192.168.1.4:41970 104.20.1.160:443 104.20.1.160:443 109.76.40.72:41970 103
    tcp dynamic 192.168.1.4:58889 212.1.215.32:993 212.1.215.32:993 109.76.40.72:58889 101
    tcp dynamic 192.168.1.4:42025 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42025 102
    tcp dynamic 192.168.1.4:54240 212.27.48.2:143 212.27.48.2:143 109.76.40.72:54240 77
    tcp dynamic 192.168.1.4:58863 212.27.48.2:993 212.27.48.2:993 109.76.40.72:58863 75
    tcp dynamic 192.168.1.4:42174 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42174 92



    IP LOOKUP EXAMPLE

    213.186.33.20 Reverse IP Lookup
    Lookup Connected Domains
    Reverse IP Lookup Results — 47 domains hosted on IP address 213.186.33.20
    Domain View Whois Record Screenshots
    1. a2sa.be

    2. adc-paris.com

    3. albareda.org.es

    AND 44 other domains…
    You must Log In, Open a Pro Account or Buy this Report for $49.00 to access all 47 results of your search

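    As an added example (not code from the thread or from Huawei/Vodafone), here is a small parser for the "Activated NAT Sessions" table pasted above. It names the service behind each destination port and flags the rows worth a second look: sessions to a port outside an assumed set of expected client services, and sessions not originated from the LAN (the router's own "static" DNS entry, for instance). The expected-port list and the 192.168.1.0/24 LAN range are assumptions; the sample rows are taken from the post, plus one constructed row to a TEST-NET address.

```python
# Added example, not code from the thread: parser for the HG658c NAT session table above.
import ipaddress
from collections import Counter

# Assumed: services a mail/NTP/web client on the LAN is expected to talk to.
SERVICE_NAMES = {21: "ftp", 53: "dns", 80: "http", 110: "pop3", 123: "ntp",
                 143: "imap", 443: "https", 993: "imaps"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range behind the router

# Rows taken from the pasted log, plus one constructed row (198.51.100.7:6667).
SAMPLE_LOG = """\
Proto Type Inside Local Inside Global Outside Local Outside Global Expires(Secs)
tcp dynamic 192.168.1.4:42188 213.186.33.20:993 213.186.33.20:993 109.76.40.72:42188 110
tcp dynamic 192.168.1.4:53742 212.27.48.2:143 212.27.48.2:143 109.76.40.72:53742 49
udp dynamic 192.168.1.4:123 54.72.7.175:123 54.72.7.175:123 109.76.40.72:123 149
tcp dynamic 192.168.1.4:45587 104.20.1.160:80 104.20.1.160:80 109.76.40.72:45587 114
udp static 109.76.40.72:36697 89.19.64.164:53 89.19.64.164:53 109.76.40.72:36697 282
tcp dynamic 192.168.1.4:39173 74.125.24.154:443 74.125.24.154:443 109.76.40.72:39173 103
tcp dynamic 192.168.1.4:53713 212.27.48.3:110 212.27.48.3:110 109.76.40.72:53713 106
tcp dynamic 192.168.1.4:50001 198.51.100.7:6667 198.51.100.7:6667 109.76.40.72:50001 60
"""


def parse_nat_session(line):
    """Parse one table row into a dict; return None for the header or blank lines."""
    parts = line.split()
    if len(parts) != 7 or parts[0] not in ("tcp", "udp"):
        return None
    proto, kind, inside_local, _inside_global, outside_local, _outside_global, expires = parts
    src_ip, src_port = inside_local.rsplit(":", 1)    # LAN host (or router itself)
    dst_ip, dst_port = outside_local.rsplit(":", 1)   # remote host actually contacted
    return {"proto": proto, "type": kind, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "expires": int(expires)}


def summarise(lines):
    """Return (sessions, per-service counts, flagged [(reason, session), ...])."""
    sessions = [s for s in map(parse_nat_session, lines) if s]
    by_service = Counter()
    flagged = []
    for s in sessions:
        name = SERVICE_NAMES.get(s["dport"])
        by_service[name or f"{s['proto']}/{s['dport']}"] += 1
        if name is None:
            flagged.append(("unexpected-port", s))
        if ipaddress.ip_address(s["src"]) not in LAN:
            flagged.append(("not-from-lan", s))  # e.g. the router's own DNS lookups
    return sessions, by_service, flagged


if __name__ == "__main__":
    sessions, by_service, flagged = summarise(SAMPLE_LOG.splitlines())
    print(f"{len(sessions)} sessions:", dict(by_service))
    for reason, s in flagged:
        print(f"{reason}: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} ({s['proto']})")
```

    Run against the full table, a device on .1.4 that only shows imap/imaps/pop3/ntp/http/https sessions looks like an ordinary mail and web client; a burst of sessions to one unexpected port is what would merit checking that host.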

  • Registered Users, Registered Users 2 Posts: 5 estruct


    He he ...
    I just discovered this ... probably this is the main reason why I can't access my router...
    The building where I am living is a good candidate: many flats for rent.
    - Could that explain the router NAT sessions? I am not sure -

    en.wikipedia.org/wiki/Carrier-grade_NAT


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    1. The log suggests you've a real WAN address from Vodafone, no CGN.
    2. You've posted your public address, just in case that matters to you.
    3. Whatever device is on .1.4 is just doing a fair bit. If there's traffic somewhere there shouldn't be then you need to check IT. Router is just a helpful intermediary.

    As I've been typing I've been port scanning that IP. If it's still you:
    21 (FTP)
    8081 is open (Probably a HTTP server)
    23097 (Could be anything)

    No other TCP listeners. Listening device appears to be a Windows 7 computer. 23097 is your Skype instance. 8081 is a BlackICE/ICEcap server (Google says this might be vulnerable).

    EDIT: Missed that bit, 8081 is the blackice WebGUI for the HG itself.


  • Registered Users, Registered Users 2 Posts: 5 estruct


    Thanks Ed

    My public address changes at every reboot so it doesn't matter here...
    The FTP on the router is the router's own and it is mapped to the USB port; anyway it is not forwarded.
    My main OS is Linux ... Windows 7 is on the dual boot, I never use it...
    OK so nothing wrong... so far, but what could be the root cause for the port forwarding to fail? A bugged router software?


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    The most common error in my experience is the listener not being active/accessible(firewall local to its box).

    The HG may not support hairpin routing so you may need to test your forward from a different connection (Tether your phone).


  • Registered Users, Registered Users 2 Posts: 5 estruct


    OK thanks for that ... I understand. I will try this probably later this week. Thanks anyway very helpful.


  • Registered Users, Registered Users 2 Posts: 5 estruct


    Humm, even with tethering no more results...
    Any idea?

    traceroute 93.107.xx.xx
    traceroute to 93.107.xx.xx (93.107.xx.xx), 30 hops max, 60 byte packets
    1 VodafoneMobile.wifi (192.168.0.1) 4.492 ms 5.421 ms 6.517 ms
    2 10.163.82.4 (10.163.82.4) 35.359 ms 37.083 ms 44.077 ms
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 * * *
    10 * * *
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *

