Established Member
Posts: 13

Re: Aztec


@BadSpock wrote:

Hi Gary

I like your analysis and I hope Telkom gives you a job Smiley Happy The real issue with the Aztech modems is that any Joe Schmoe can reconfigure them over TR069 (TR064). The ntpclient parameter is simply a side-effect of a failed attempt to shut down the device, and what brings it offline is alternative backup TR064 payloads for disabling WAN interfaces. The modems are dangerous to the customer since anyone could also reprogram them to perform MITM attacks on the device's traffic.

Any network admin with a modicum of sense would immediately filter inbound traffic to ports 7547, 80 and 443 on the Telkom network since there are many very poorly secured devices on their netblocks. Besides the Aztechs I see a lot of default password Asus, Dlink and Huawei devices (which I haven't gotten to yet, but I'll clean these up when I next have some time to map the Telkom-specific APIs).

I'm very sorry for the inconvenience caused, but I don't know of any other way to force incompetent/non-caring ISPs to start taking their customer security seriously. I also agree that it's shocking that Telkom hasn't fixed this issue yet since it should be trivial for them to set ACLs on their core routers but if you know what to look for you can see the same story with a lot of big ISPs around the world over the past few weeks.

Stay safe \m/


Many years ago when trying to set up a server (before the advent of the cloud) on my home network I also discovered that most modems on the Telkom network had default usernames and passwords and were open to telnet on the WAN side. I had just assumed that Telkom had "grown up" a bit since then - seems not.

Established Member
Posts: 6

Re: Aztec

Why is this discussion marked as "solved" if no proper permanent solution has been found? Telkom is aware of the problem and their tech support consultants have been given instructions on how to handle this problem but it doesn't work!!!! I have spent 2 hrs on the phone with a very helpful and friendly consultant who is trying to figure out his own way of solving this as the email circulated to them is rubbish.

New Member
Posts: 2

Re: Aztec

GarySmith wrote:

 

You say that any Joe Schmoe could use the TR069 facility but they would surely have to have access to the username and password for each router? That in turn would mean that they need an insider at the Telecom? I had assumed after the previous incident that the username and password had been leaked/hacked at Telkom. But assuming that TR069 was disabled how was my router hacked?

 

I noticed that PVC0 had been removed - which as you say was the cause for no connectivity. But why would anyone use a dd command to shutdown?? And it doesn't appear to be inserted into the script file correctly anyway.

 

By the way, before seeing your post and also in an attempt to get Telkom to look at this properly, I posted a question on the News24 site asking why the media hasn't picked up on the fact that Telkom users are so easily hacked. Let's see.


 

Hi again Gary

Any unauthenticated user can reconfigure the Aztech device through port 7547 (TR069) without knowing the login. It's a bad vulnerability and it's obviously important that Aztech fixes it, but it would be even more important for the ISP to simply filter the control ports since there will always be new exploits for these kinds of devices.

The dd command as I said was just a failed attempt to break the device. Most devices in the world that were vulnerable to the NTP command injection are long gone by now.

I hope that helps and thanks for trying to bring some attention to this issue!

New Member
Posts: 2

Re: Aztec

[ Edited ]

(Sorry for the double posts)

Established Member
Posts: 13

Re: Aztec


@bitelec1 wrote:

Why is this discussion marked as "solved" if no proper permanent solution has been found? Telkom is aware of the problem and their tech support consultants have been given instructions on how to handle this problem but it doesn't work!!!! I have spent 2 hrs on the phone with a very helpful and friendly consultant who is trying to figure out his own way of solving this as the email circulated to them is rubbish.


I agree, it shouldn't be marked as solved.
But if you want to solve it yourself at least temporarily then do the following:

1) Factory reset the device.

2) Disable TR-069 under the "Management" settings on the web interface.

3) Change your admin password

4) Reboot the router

5) Log into the router using telnet.

6) type "top" + "enter". This will list all the running processes. You should see a process called "tr" or "tr-069" - I can't remember the exact name. But note whatever it is.
7) type "q" to exit top.

8) type "killall -9 tr" (change tr to the correct name if required). This will shut down the TR-069 process and thus prevent anyone accessing your modem through the known vulnerability.

9) I also killed the "Trivial File Transfer Protocol Daemon" just to be sure. I don't need to be transferring any files to or from the router.

 

DON'T reboot the router or you will have to shutdown the tr process again.

 

You should also be able to block port 7547 through the interface which would be a permanent solution. I'll check it this weekend when I get the time.

But ultimately Telkom need to issue a new version of firmware and deal with the vulnerabilities on their side.
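To check that the steps above actually took effect, here is an added audit script (not from this thread or from Aztech) that reads busybox-style "netstat -tlnup" output and lists management services still bound to all interfaces, which is what makes them reachable from the WAN side. The port list and the sample netstat lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Post-mitigation audit for a busybox/Linux router: report management services
# (TR-069, telnet, HTTP/HTTPS admin, TFTP) that still listen on a wildcard
# address (0.0.0.0 or ::) and are therefore exposed unless the firewall blocks them.
# Added example, not from the thread. Assumes "netstat -tlnup" style output.
# On the router: . ./audit.sh; netstat -tlnup | exposed_listeners

MGMT_PORTS="7547 23 80 443 69"   # TR-069, telnet, HTTP, HTTPS, TFTP (assumed list)

# Reads netstat output on stdin and prints "<proto> <port> <pid/program>" for each
# listener on a management port whose local address is a wildcard. Services bound
# to a LAN or loopback address only (e.g. 10.0.0.2:23, 127.0.0.1:53) are not listed.
exposed_listeners() {
    awk -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            local = $4; port = local; sub(/.*:/, "", port)
            addr = substr(local, 1, length(local) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "::") && (port in want))
                print $1, port, $NF
        }'
}

# Constructed sample resembling netstat on a router that still runs the TR-069
# client and TFTP daemon; telnet here is LAN-only and DNS is loopback-only.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7547            0.0.0.0:*               LISTEN      812/tr069
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      640/httpd
tcp        0      0 10.0.0.2:23             0.0.0.0:*               LISTEN      655/telnetd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      700/dnsmasq
tcp6       0      0 :::443                  :::*                    LISTEN      640/httpd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           720/tftpd'

# Runs the audit over the constructed sample; an empty result means nothing exposed.
audit_sample() { printf '%s\n' "$SAMPLE" | exposed_listeners; }
```

An empty result after the killall steps means the TR-069 and TFTP listeners are gone; anything still printed for 80/443 is the admin web interface, which should additionally be blocked on the WAN interface.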

Senior Member
Posts: 36

Re: Aztec

Many thanks to Gary and the other IT guys/members for their comments with super analysis here. I have been learning from you, with a big surprise that the "Number of viewed" is increasing day by day. To be honest I have had to feel shy whenever I see "Accepted Solution" pasted to my old post.

Needless to note, my comments were just for temporary remedy on reality, I have never regarded my suggestion as a final solution. I have been just a “Beginner in this Forum” since I joined in April 2017. This forum is really useful for me to know “a problem is happening only to me or widely” at least whether I get a solution/answer or not.

My Big Thanks to You again seeing your guys as “Great Contributors with Professional Analysis” !

Senior Member
Posts: 36

Re: Aztec

Hi, this Sunday 27.Aug seems to end peacefully with the 5-10% faster speed for a week. 

My "X" Day will be next Sunday "3.September" if X keeps a "2 weeks interval" after 6 & 20.August.2017.

Thanks for necessary improvements? made, hopefully "Aztech Issue" won't happen again.

Member
Posts: 3

Re: Aztec

This is my second request around this topic as I am just not getting any joy from Telkom. I have reset my Aztech router - doing everything that everyone suggested, but still no joy.

 

I get the following message on the 10.0.0.2 site after the router is reset to factory settings.

 

Your ADSL line has not synchronized.

This could be because you have not connected the telephone line or microfilter correctly, because you do not have ADSL services enabled on your line or even because ADSL synchronization is taking longer than expected. Revisit the details on the QSG to confirm that you have connected the router correctly and retry. 

If the line is still not synchronizing, either wait a little while to confirm that it is not simply just taking longer than expected, or contact your ISP to confirm that ADSL services have been enabled on your line.

 

Aztech router is connected to a fibre line via a Huawei modem - does somebody know where the problem lies other than with the Aztech router?

Also, I bought another router in the hope that it will solve my problems - a TP-Link router. It however only has LAN Ports and not a WAN port like the Aztech - I suspect I bought the wrong thing?
