Telkom Community
Established Member
Posts: 13

Re: Aztec

If anyone is familiar enough with Linux to assist then you might be interested to know that you can get into the router using telnet with the same username and password that you use for the web interface.

This gives you the ability to "look under the hood".

My procedure has been:

1) Do a factory reset.

2) Then, using the web interface, download the "romfile.cfg".

3) Familiarise myself with all of the contents of all script files that I can find using telnet and standard Linux commands.

Wait for the router to hang and then compare what has changed ...

Restoring the romfile.cfg after the hang gets it working again. But so does simply clicking the "Apply" button in the "Quick setup" menu on the web interface, so I am not sure that the romfile actually corrects anything.

I notice that a /tmp/etc directory is also created after the hang/hack so it looks like the whole of the /etc directory is replaced. Again, not sure that this is significant but I'll look for a script which does this.

New Member
Posts: 1

Re: Aztec

Hi, from Sunday I haven't been able to reset my router. I tried calling the support centre but they seem to be too busy to answer; I have currently been trying since Sunday with no joy in getting to speak to a consultant.
Member
Posts: 1

Re: Aztec

Hi, seems the ADSL status gets disabled "somehow" :-( ???

Here's a quick workaround - not a fix, but at least you don't have to reset and reconfigure all the time.

If the internet light is off, you can just check if the ADSL status is set to "deactivated" and then reactivate it here:

On the console go to Advanced mode -> Network -> Internet -> set the status back to "Activated" and save.

The Internet light then goes red and then green, and you have internet access again, until the next time ...

Established Member
Posts: 13

Re: Aztec


@Hanesh01 wrote:
Hi, from Sunday I haven't been able to reset my router. I tried calling the support centre but they seem to be too busy to answer; I have currently been trying since Sunday with no joy in getting to speak to a consultant.

If you are trying to factory reset your router then just use a pen and press the little button in the hole at the back of the router for about 30 seconds.

Or select the option within the web interface.

But if all you want to do is get the internet connected again then you can just press the "Apply" button in the "Quick Setup" menu in the web interface. But the problem will reoccur within a couple of hours and you will have to do the same thing again.

Established Member
Posts: 13

Re: Aztec


@Krypt0 wrote:

Hi, seems the ADSL status gets disabled "somehow" :-( ???

Here's a quick workaround - not a fix, but at least you don't have to reset and reconfigure all the time.

If the internet light is off, you can just check if the ADSL status is set to "deactivated" and then reactivate it here:

On the console go to Advanced mode -> Network -> Internet -> set the status back to "Activated" and save.

The Internet light then goes red and then green, and you have internet access again, until the next time ...

PVC0 is removed/deleted. Under the default configuration this is the mechanism which authenticates and establishes the "circuit" between your router and the Telkom server.

Your remedy appears to reestablish the circuit. So does clicking "Apply" under the "Quick Settings" menu.

Member
Posts: 4

Re: Aztec

Hi all, any suggestions on a router that has 0 or minimal problems? My suggestion is to buy a new router as Telkom sees "NO PROBLEM" from their side. Also, do I pay the full amount of my contract as the internet has been off since 6th August?

New Member
Posts: 2

Re: Aztec

Hi Gary

I like your analysis and I hope Telkom gives you a job :-) The real issue with the Aztech modems is that any Joe Schmoe can reconfigure them over TR069 (TR064). The ntpclient parameter is simply a side-effect of a failed attempt to shut down the device, and what brings it offline is alternative backup TR064 payloads for disabling WAN interfaces. The modems are dangerous to the customer since anyone could also reprogram them to perform MITM attacks on the device's traffic.

Any network admin with a modicum of sense would immediately filter inbound traffic to ports 7547, 80 and 443 on the Telkom network since there are many very poorly secured devices on their netblocks. Besides the Aztechs I see a lot of default-password Asus, D-Link and Huawei devices (which I haven't gotten to yet, but I'll clean these up when I next have some time to map the Telkom-specific APIs).

I'm very sorry for the inconvenience caused, but I don't know of any other way to force incompetent/non-caring ISPs to start taking their customer security seriously. I also agree that it's shocking that Telkom hasn't fixed this issue yet since it should be trivial for them to set ACLs on their core routers, but if you know what to look for you can see the same story with a lot of big ISPs around the world over the past few weeks.

Stay safe \m/

Member
Posts: 7

Re: Aztec


@GarySmith wrote:

PVC0 is removed/deleted. Under the default configuration this is the mechanism which authenticates and establishes the "circuit" between your router and the Telkom server.

Your remedy appears to reestablish the circuit. So does clicking "Apply" under the "Quick Settings" menu.

My connection has been up since last night. MAYBE it's been sorted.

BUT, if it persists, maybe a solution would be to preempt the attack and disable PVC0 yourself and enable PVC1? Any network experts out there? Could that work?

Established Member
Posts: 13

Re: Aztec


@BadSpock wrote:

Hi Gary

I like your analysis and I hope Telkom gives you a job :-) The real issue with the Aztech modems is that any Joe Schmoe can reconfigure them over TR069 (TR064). The ntpclient parameter is simply a side-effect of a failed attempt to shut down the device, and what brings it offline is alternative backup TR064 payloads for disabling WAN interfaces. The modems are dangerous to the customer since anyone could also reprogram them to perform MITM attacks on the device's traffic.

Any network admin with a modicum of sense would immediately filter inbound traffic to ports 7547, 80 and 443 on the Telkom network since there are many very poorly secured devices on their netblocks. Besides the Aztechs I see a lot of default-password Asus, D-Link and Huawei devices (which I haven't gotten to yet, but I'll clean these up when I next have some time to map the Telkom-specific APIs).

I'm very sorry for the inconvenience caused, but I don't know of any other way to force incompetent/non-caring ISPs to start taking their customer security seriously. I also agree that it's shocking that Telkom hasn't fixed this issue yet since it should be trivial for them to set ACLs on their core routers, but if you know what to look for you can see the same story with a lot of big ISPs around the world over the past few weeks.

Stay safe \m/

Hi BadSpock,

I had disabled TR069 many months ago after someone had changed my DNS values and the result was all/most browser requests being redirected to dodgy sites. Having said that, I noticed that the TR69 process was still running after I had disabled it after a fresh factory reset yesterday. I had to kill it manually.

You say that any Joe Schmoe could use the TR069 facility, but they would surely have to have access to the username and password for each router? That in turn would mean that they need an insider at the Telecom? I had assumed after the previous incident that the username and password had been leaked/hacked at Telkom. But assuming that TR069 was disabled, how was my router hacked?

I noticed that PVC0 had been removed - which, as you say, was the cause for no connectivity. But why would anyone use a dd command to shut down?? And it doesn't appear to be inserted into the script file correctly anyway.

By the way, before seeing your post and also in an attempt to get Telkom to look at this properly, I posted a question on the News24 site asking why the media hasn't picked up on the fact that Telkom users are so easily hacked. Let's see.
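As an added example (not code from the thread, the router vendor or any poster): a small POSIX shell helper that automates the compare step from the first post (a baseline copy of /etc taken after a factory reset versus the /tmp/etc tree seen after the hang) and flags the indicators this thread names: PVC0 removed, an ntpclient or DNS line edited, a dd command inserted into a startup script. The sample trees, file names and values are constructed stand-ins, not real Aztech paths.

```shell
#!/bin/sh
# Added example, not code from the thread. snapshot_diff BASE AFTER compares
# a copy of the router's /etc taken right after a factory reset with the tree
# found after the hang (the poster saw /tmp/etc appear): it lists removed,
# added and changed files and, for changed files, flags lines that match the
# indicators named in the thread (PVC0 gone, ntpclient or DNS edited, a dd
# command inserted into a script). Needs only find, sort, comm, cksum, grep.
snapshot_diff() {
  base="$1"; after="$2"; tmp=$(mktemp -d)
  ( cd "$base" && find . -type f | sort ) > "$tmp/base"
  ( cd "$after" && find . -type f | sort ) > "$tmp/after"
  comm -23 "$tmp/base" "$tmp/after" | sed 's/^/REMOVED /'
  comm -13 "$tmp/base" "$tmp/after" | sed 's/^/ADDED /'
  comm -12 "$tmp/base" "$tmp/after" | while read -r f; do
    [ "$(cksum < "$base/$f")" = "$(cksum < "$after/$f")" ] && continue
    echo "CHANGED $f"
    # delta = lines present in only one of the two versions of the file
    delta=$( { grep -vxFf "$base/$f" "$after/$f" || true
               grep -vxFf "$after/$f" "$base/$f" || true; } )
    case "$delta" in *PVC0*)         echo "SUSPECT PVC0 removed/changed in $f" ;; esac
    case "$delta" in *ntpclient*)    echo "SUSPECT ntpclient line edited in $f" ;; esac
    case "$delta" in *[Dd][Nn][Ss]*) echo "SUSPECT DNS setting edited in $f" ;; esac
    case "$delta" in *"dd if="*)     echo "SUSPECT dd command inserted in $f" ;; esac
  done
  rm -rf "$tmp"
}

# Constructed stand-ins for /etc (baseline) and /tmp/etc (after the hang).
# File names and values are made up for the demo, not real Aztech paths.
BASE=$(mktemp -d); AFTER=$(mktemp -d)
trap 'rm -rf "$BASE" "$AFTER"' EXIT
printf 'PVC0 vpi=8 vci=35 status=Activated\nPVC1 vpi=0 vci=35 status=Deactivated\n' > "$BASE/wan.conf"
printf 'PVC1 vpi=0 vci=35 status=Deactivated\n' > "$AFTER/wan.conf"   # PVC0 deleted
printf '#!/bin/sh\nntpclient -h pool.ntp.org\n' > "$BASE/rc.local"
printf '#!/bin/sh\nntpclient -h pool.ntp.org\ndd if=/dev/zero of=/dev/null count=1\n' > "$AFTER/rc.local"
printf 'dns_server=10.0.0.1\n' > "$BASE/lan.conf"
printf 'dns_server=192.0.2.10\n' > "$AFTER/lan.conf"                  # DNS pointed elsewhere
printf 'login admin\n' > "$BASE/telnet.conf"; cp "$BASE/telnet.conf" "$AFTER/telnet.conf"
touch "$BASE/pvc0.state" "$AFTER/tr069.pid"      # one file removed, one added
snapshot_diff "$BASE" "$AFTER"
```

On a real unit, copy the two trees off the router first (for example with the web interface's backup or over telnet) and run the script on a workstation, so the comparison does not depend on anything the compromised device reports.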
