Do the following log entries suggest a hack using TR-069 please?

tonygibbs16 Posts: 836  Guru Member
edited July 2023 in Home Router

Hi all,

I have a Zyxel DSL device and have started seeing some odd entries in the log files.

Do the following entries suggest I am being hacked using TR-069 please?

13 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName: translated, InternetGatewayDevice.WANDevice.3.WANConnectionDevice.1.WANPPPConnection.1
14 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName
15 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgObjMappingGet
16 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe181To98ObjMappingNameGet
17 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): ipv4Obj->IPAddress=51.x.y.z
18 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): boundInterface = IP.Interface.4
19 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo():
20 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State cleared
21 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 5 at State 2
22 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=5, cause=0, tr=0
23 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 2
24 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_parse(): http no content
25 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_request_set_cookieset(): httpCookieCount 1
26 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): get & set cookie, n=1
27 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): cookie data: tr69="xxxx"; Path=/
28 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): httpRes has SETCOOKIE
29 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=0
30 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 2 at State 1
31 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=2, cause=0, tr=0
32 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 1
33 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): Response RPC Method: 12
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
35 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): NoPrvSpRsp, set old session cookie
36 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=2
37 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 1 at State 0
38 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): New a session object
39 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=1, cause=8, tr=0

ShieldsUp says that TCP port 7547 is STEALTH from the Internet so does this suggest an internal (e.g. WiFi) attack?

I have now changed my WiFi password.

I have removed my public IP address and the cookie from the above logs.

Kind regards,

Tony

Accepted Solution

  • HouliCrab Posts: 38  Freshman Member
    Answer ✓

    Hi

    I checked the logs and it looks like your ISP is getting info about your device, but there's no sign of a hack.
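
Added example, not part of the original thread and not Zyxel code: a Python script that groups ZTR69 log entries into CWMP sessions and reports which RPCs the ACS sent in each one, using RPC names from the TR-069 specification. It assumes that "http no content" marks the ACS's empty reply that ends a session and that ACS-issued requests would be logged in the same `methodName=cwmp:<RPC>` form as the InformResponse in the question.

```python
import re
# CWMP RPCs an ACS can invoke on a CPE (names from the TR-069 specification).
CHANGING = {"SetParameterValues", "SetParameterAttributes", "AddObject",
            "DeleteObject", "Download", "Upload", "Reboot", "FactoryReset"}
READ_ONLY = {"GetParameterValues", "GetParameterNames", "GetParameterAttributes"}
LINE = re.compile(r"^\s*(\d+)\s+.*?ZTR69:\s*(.*)$")
METHOD = re.compile(r"methodName=cwmp:(\w+)")
# Entries copied from the question (newest first, as the router shows them).
POSTED = """
24 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_parse(): http no content
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
38 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): New a session object
"""
# Constructed contrast case; assumes ACS requests are logged in the same methodName= form.
CONSTRUCTED = """
5 Jul 30 20:00:01 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:SetParameterValues
6 Jul 30 20:00:01 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
7 Jul 30 20:00:00 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): New a session object
"""

def classify_sessions(log_text):
    """Return one dict per CWMP session, oldest first."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    rows.sort(key=lambda r: int(r[0]), reverse=True)  # higher index = older entry
    sessions = []
    for _, msg in rows:
        if "New a session object" in msg:
            sessions.append({"methods": [], "empty_reply": False})
        if not sessions:
            continue  # entry belongs to a session that started before the excerpt
        cur, found = sessions[-1], METHOD.search(msg)
        if found:
            cur["methods"].append(found.group(1))
        if "http no content" in msg:  # assumed: ACS had nothing further to send
            cur["empty_reply"] = True
    for s in sessions:
        called = set(s["methods"])
        if called & CHANGING:
            s["verdict"] = "acs-change"      # ACS altered state or moved files
        elif called & READ_ONLY:
            s["verdict"] = "acs-read"        # ACS read parameters only
        elif called == {"InformResponse"} and s["empty_reply"]:
            s["verdict"] = "inform-only"     # device checked in, ACS asked nothing
        else:
            s["verdict"] = "unclassified"
    return sessions

if __name__ == "__main__":
    print([s["verdict"] for t in (POSTED, CONSTRUCTED) for s in classify_sessions(t)])
```

The verdict describes what the ACS asked the device to do in each session; whether that ACS is the ISP's is a separate check against the ACS URL configured on the router.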
