Do the following log entries suggest a hack using TR-069 please?
Hi all,
I have a Zyxel DSL device and have started seeing some odd entries in the log files.
Do the following entries suggest I am being hacked using TR-069 please?
13 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName: translated, InternetGatewayDevice.WANDevice.3.WANConnectionDevice.1.WANPPPConnection.1
14 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName
15 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgObjMappingGet
16 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe181To98ObjMappingNameGet
17 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): ipv4Obj->IPAddress=51.x.y.z
18 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): boundInterface = IP.Interface.4
19 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo():
20 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State cleared
21 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 5 at State 2
22 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=5, cause=0, tr=0
23 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 2
24 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_parse(): http no content
25 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_request_set_cookieset(): httpCookieCount 1
26 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): get & set cookie, n=1
27 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): cookie data: tr69="xxxx"; Path=/
28 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): httpRes has SETCOOKIE
29 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=0
30 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 2 at State 1
31 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=2, cause=0, tr=0
32 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 1
33 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): Response RPC Method: 12
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
35 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): NoPrvSpRsp, set old session cookie
36 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=2
37 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 1 at State 0
38 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): New a session object
39 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=1, cause=8, tr=0
ShieldsUp says that TCP port 7547 is STEALTH from the Internet so does this suggest an internal (e.g. WiFi) attack?
I have now changed my WiFi password.
I have removed my public IP address and the cookie from the above logs.
Kind regards,
Tony
Accepted Solution
Hi
I checked the logs and it looks like your ISP gets info about your device, but there's no sign of a hack.
0
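A way to triage logs like the ones in the question, added here as an example (not part of the original thread and not Zyxel code): it puts the ZTR69 entries in chronological order, extracts the CWMP method names and flags any that change device state. The name `summarize`, the constructed sample lines and the reading of "http no content" are assumptions.

```python
import re

# Log line shape taken from the entries in the question:
# "<n> <Mon> <d> <hh:mm:ss> kern info tr69 ZTR69: <message>"
LINE = re.compile(r"^(\d+) (\w{3} +\d+ [\d:]{8}) kern info tr69 ZTR69: (.*)$")
METHOD = re.compile(r"methodName=cwmp:(\w+)")

# ACS-to-CPE RPC names from the TR-069 (CWMP) specification that change device state.
STATE_CHANGING = {"SetParameterValues", "SetParameterAttributes", "AddObject",
                  "DeleteObject", "Download", "Upload", "Reboot", "FactoryReset",
                  "ScheduleDownload", "ChangeDUState"}

def summarize(log_text):
    """Return the CWMP method names seen, oldest first, and those worth reviewing."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    # The device lists the newest entry first, so the highest index is the oldest.
    entries.sort(key=lambda e: e[0], reverse=True)
    methods = [mm.group(1) for _, msg in entries if (mm := METHOD.search(msg))]
    return {
        "methods": methods,
        # Assumption: this message means the ACS sent an empty HTTP body,
        # which is how a CWMP session with nothing further to do ends.
        "empty_http_seen": any("http no content" in msg for _, msg in entries),
        "review": [n for n in methods if n in STATE_CHANGING],
    }

# Lines copied from the question (address and cookie already redacted there).
FROM_QUESTION = """\
24 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_parse(): http no content
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
39 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=1, cause=8, tr=0
"""

# Constructed lines (not from the question): assumes the firmware logs other
# ACS requests in the same methodName= format.
CONSTRUCTED = """\
11 Jul 30 19:45:07 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:SetParameterValues
12 Jul 30 19:45:07 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:GetParameterValues
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
"""

if __name__ == "__main__":
    print(summarize(FROM_QUESTION))
    print(summarize(CONSTRUCTED))
```

An entry in `review` is not proof of compromise, since an ISP can push settings legitimately; it marks the sessions to compare against the ACS URL configured on the device.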