Do the following log entries suggest a hack using TR-069 please?
Guru Member
Hi all,
I have a Zyxel DSL device and have started seeing some odd entries in the log files.
Do the following entries suggest I am being hacked using TR-069 please?
13 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName: translated, InternetGatewayDevice.WANDevice.3.WANConnectionDevice.1.WANPPPConnection.1
14 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe98SeqnumToName
15 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgObjMappingGet
16 Jul 30 19:45:06 kern info tr69 ZTR69: zcfgFe181To98ObjMappingNameGet
17 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): ipv4Obj->IPAddress=51.x.y.z
18 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo(): boundInterface = IP.Interface.4
19 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_get_wanInfo():
20 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State cleared
21 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 5 at State 2
22 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=5, cause=0, tr=0
23 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 2
24 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_parse(): http no content
25 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_request_set_cookieset(): httpCookieCount 1
26 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): get & set cookie, n=1
27 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): cookie data: tr69="xxxx"; Path=/
28 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_http_response_get_cookieset(): httpRes has SETCOOKIE
29 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=0
30 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 2 at State 1
31 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=2, cause=0, tr=0
32 Jul 30 19:45:06 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): State change to 1
33 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): Response RPC Method: 12
34 Jul 30 19:45:06 kern info tr69 ZTR69: [DB ] cwmp_rpc_get_method(): methodName=cwmp:InformResponse
35 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): NoPrvSpRsp, set old session cookie
36 Jul 30 19:45:05 kern info tr69 ZTR69: [DB ] cwmp_rpc_build(): RPC Method=2
37 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_sess_proc(): Event 1 at State 0
38 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): New a session object
39 Jul 30 19:45:05 kern info tr69 ZTR69: [STATUS] cwmp_event_proc(): recvCmd event=1, cause=8, tr=0
ShieldsUp says that TCP port 7547 is STEALTH from the Internet so does this suggest an internal (e.g. WiFi) attack?
I have now changed my WiFi password.
I have removed my public IP address and the cookie from the above logs.
Kind regards,
Tony
Accepted Solution
-
Hi
I checked the logs and it looks like your ISP get info of your device, but there's no sign of a hack.
0
Freshman MemberAll Replies
-
Hi
I checked the logs and it looks like your ISP get info of your device, but there's no sign of a hack.
0
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 86 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 915 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
