The Digital Surgery (computer questions/problems here)

Technology, computers, internet, websites, mobiles, cameras, audio and video.
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

I've checked my machines (except the android devices) and they all come up clean for virus/malware but that's not to say it's not there.

It appears that the router only allows for a single (visible) user account of 'admin' and there is no way to change the username to something less obvious. So I will try another password change on the admin account, that seemed to stop it for nearly a week I think but then some of the settings were changed and I know it's no-one in the house as no-one else knows the new password yet and the new DNS IP addresses are suspicious, they appear in a few black list lists.

There is a setting for SPI which says ....
(WARNING: If You enabled SPI, all traffics initiated from WAN would be blocked, including DMZ, Virtual Server, and ACL WAN side.)
To me that sounds like it would block all WAN incoming traffic which might be a way for me to determine if the change is coming from outside or if there is an internal agent at work.
I don't use DMZ or Virtual Server anyway, there should be no risk ?
hhinner
Rock Star
Posts: 4329
Joined: Fri Nov 09, 2012 2:17 pm

Re: The Digital Surgery

Post by hhinner »

Hi Frank, According to the user manuals I've checked on the Billion web site this ACL controls what IP addresses on what interface have access to what management protocols on the router firewall. So if you activate the ACL you will restrict management access to any IP address on your LAN. Of course actual login to management will still require a userid/password. Unless you will ever wish to access router management from the WAN I would suggest you activate this ACL. It will at least close one possibility.

Edit to remove "web based".
Last edited by hhinner on Tue Mar 25, 2014 11:30 pm, edited 1 time in total.
hhinner
Rock Star
Posts: 4329
Joined: Fri Nov 09, 2012 2:17 pm

Re: The Digital Surgery

Post by hhinner »

Yes, enable SPI. This is default according to manual.
Chromeman
Professional
Posts: 404
Joined: Wed Sep 18, 2013 1:10 am
Location: Back in cold Norway...

Re: The Digital Surgery

Post by Chromeman »

I don't think that would not help. Stateful packet inspection (SPI) helps determine what data are allowed to pass through the firewall into the LAN. It should not have any influence on who can log on to the router. But activating it will increase the general security of your LAN.

I found a manual for the Billion 5200 series router online, and I see there is logging in the router. Go to Status then to System Log and see if you can find any interesting info about changes to your DNS settings, and also possibly about any log ins to the router.
[Attached image: system_log.jpg]
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

I've changed the password again. Powered off, left it for 10 minutes, powered on and checked that the settings are correct, it's on AUTO DNS and the DNS that it's offering are 203.113 TOT addresses.

If it changes again I will start by enabling the ACL and if it continues to be changed I'll enable the SPI.

If it continues after that I might replace the router.

Thanks for the help so far.
hhinner
Rock Star
Posts: 4329
Joined: Fri Nov 09, 2012 2:17 pm

Re: The Digital Surgery

Post by hhinner »

Frank, I see that these routers include SNMP functionality. If you haven't changed the default community strings then it would be possible for an external SNMP application to read and change your router settings. If you enable SPI then you will probably disallow all access from the WAN including SNMP. Just to be even safer you could change these strings as well (belt and braces).

Edit: bad sentence corrected
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

I have enabled SPI now since you mention it should be enabled by default.

In the log there is only information from the last few minutes. Maybe it clears itself when it's switched off.

The log contains this information

3/25/2014 23:43:21> netMakeChannDial: err=-3000 rn_p=8056b018
3/25/2014 23:44:16> Last errorlog repeat 5 Times
3/25/2014 23:44:17> netMakeChannDial: err=-3000 rn_p=8056b018
3/25/2014 23:44:20> Last errorlog repeat 2 Times
3/25/2014 23:44:23> netMakeChannDial: err=-3000 rn_p=8056b018
3/25/2014 23:44:28> Last errorlog repeat 2 Times
3/25/2014 23:44:28> netMakeChannDial: err=-3000 rn_p=8056b018
3/25/2014 23:44:39> Last errorlog repeat 5 Times
3/25/2014 23:44:41> netMakeChannDial: err=-3000 rn_p=8056b018
3/25/2014 23:44:50> Last errorlog repeat 6 Times
3/25/2014 23:44:50> netMakeChannDial: err=-3000 rn_p=8056b018

Which looks to me like failures of some sort, perhaps the filter or the router are thinking of retiring themselves.
Chromeman
Professional
Posts: 404
Joined: Wed Sep 18, 2013 1:10 am
Location: Back in cold Norway...

Re: The Digital Surgery

Post by Chromeman »

hhinner wrote:
> Hi Frank, According to the user manuals I've checked on the Billion web site this ACL controls what IP addresses on what interface have access to what management protocols on the router firewall. So if you activate the ACL you will restrict management access to any IP address on your LAN. Of course actual login to management will still require a userid/password. Unless you will ever wish to access router management from the WAN I would suggest you activate this ACL. It will at least close one possibility.
>
> Edit to remove "web based".

I just got to that part myself in the manual and I was wrong earlier about what this allows access to.

Activate ACL and change the settings to:

Secure IP Address: 192.168.1.100 - 192.168.1.199 (This is the range of addresses your router gives out to computers on your LAN)
Application: ALL
Interface: LAN


That will allow anyone who has an IP address provided by your router's DHCP server to access the router to configure it.
The address range 192.168.1.0 - 192.168.1.255 is not routable on the Internet, so this should keep many hackers away.
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

SNMP is set to Get Community=public Set Community=public.

I assume a minimum would be to change Set = private ?
Chromeman
Professional
Posts: 404
Joined: Wed Sep 18, 2013 1:10 am
Location: Back in cold Norway...

Re: The Digital Surgery

Post by Chromeman »

Frank Hovis wrote:
> I have enabled SPI now since you mention it should be enabled by default.
>
> In the log there is only information from the last few minutes. Maybe it clears itself when it's switched off.
>
> The log contains this information
>
> 3/25/2014 23:43:21> netMakeChannDial: err=-3000 rn_p=8056b018
> 3/25/2014 23:44:16> Last errorlog repeat 5 Times
> 3/25/2014 23:44:17> netMakeChannDial: err=-3000 rn_p=8056b018
> 3/25/2014 23:44:20> Last errorlog repeat 2 Times
> 3/25/2014 23:44:23> netMakeChannDial: err=-3000 rn_p=8056b018
> 3/25/2014 23:44:28> Last errorlog repeat 2 Times
> 3/25/2014 23:44:28> netMakeChannDial: err=-3000 rn_p=8056b018
> 3/25/2014 23:44:39> Last errorlog repeat 5 Times
> 3/25/2014 23:44:41> netMakeChannDial: err=-3000 rn_p=8056b018
> 3/25/2014 23:44:50> Last errorlog repeat 6 Times
> 3/25/2014 23:44:50> netMakeChannDial: err=-3000 rn_p=8056b018
>
> Which looks to me like failures of some sort, perhaps the filter or the router are thinking of retiring themselves.

Yes, these are dropouts from the connection with your ISP. Unless you are having big connection troubles (when your router settings are as you have set them), I would not worry. Modern network protocols are made to handle loss of data packets up to a point.

Unrelated to these error messages, you could try to find out if there are firmware updates available for your router. If available, that can increase the effort needed to break into the router. First check with your ISP in case this router is a modified version made especially for them. If not, then check out the producer website. The exact model version is most likely printed on the backside or underside of the router.
hhinner
Rock Star
Posts: 4329
Joined: Fri Nov 09, 2012 2:17 pm

Re: The Digital Surgery

Post by hhinner »

Frank Hovis wrote:
> SNMP is set to Get Community=public Set Community=public.
>
> I assume a minimum would be to change Set = private ?

No, "private" is the usual default for Set. Change them both to some unintelligible garbage. If you ever graduate to using SNMP (don't know why you would though) you can change them to something sensible.
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

SNMP changed to unintelligible garbage.

I'll see how it goes with all that lot changed.

Thanks again chaps.
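
The settings this thread settles on (DNS left on the ISP's servers, management ACL limited to the LAN, SPI on, non-default SNMP community strings) can be re-checked after each reboot with a short script. This is an added example and not part of any post; the settings dictionary layout, the sample values and the 203.113.0.0/16 range (taken from the "203.113 TOT addresses" remark above) are assumptions.

```python
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named in the thread
EXPECTED_DNS = "203.113.0.0/16"              # assumption based on "203.113 TOT addresses"


def audit_router(settings, expected_dns_net=EXPECTED_DNS):
    """Return a list of findings for a snapshot of router settings.

    The dictionary layout is hypothetical; fill it in by hand from the
    router's status pages.
    """
    findings = []
    dns_net = ipaddress.ip_network(expected_dns_net)
    for server in settings["dns_servers"]:
        if ipaddress.ip_address(server) not in dns_net:
            findings.append(f"DNS server {server} is outside {dns_net}")
    for kind in ("get", "set"):
        if settings["snmp"][kind].lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP {kind} community is still a default")
    acl = settings["acl"]
    if not acl["enabled"]:
        findings.append("management ACL is disabled")
    else:
        first = ipaddress.ip_address(acl["first"])
        last = ipaddress.ip_address(acl["last"])
        lan_only = acl["interface"].upper() == "LAN"
        if not lan_only or first > last or not (first.is_private and last.is_private):
            findings.append("management ACL admits non-LAN addresses")
    if not settings["spi"]:
        findings.append("SPI is disabled")
    return findings


# Constructed snapshots: the state at the start of the thread and after the changes.
# 198.51.100.0/24 is a documentation range standing in for the unknown DNS servers.
BEFORE = {"dns_servers": ["198.51.100.7", "198.51.100.8"],
          "snmp": {"get": "public", "set": "public"},
          "acl": {"enabled": False}, "spi": False}
AFTER = {"dns_servers": ["203.113.0.10", "203.113.0.11"],
         "snmp": {"get": "constructed-Zq7rT", "set": "constructed-Lm2xW"},
         "acl": {"enabled": True, "interface": "LAN",
                 "first": "192.168.1.100", "last": "192.168.1.199"},
         "spi": True}

if __name__ == "__main__":
    for name, snapshot in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_router(snapshot) or "no findings")
```
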
Dannie Boy
Hero
Posts: 12203
Joined: Wed Jan 13, 2010 8:12 pm
Location: Closer to Cha Am than Hua Hin

Re: The Digital Surgery

Post by Dannie Boy »

Two things strike me about this thread,

1. We have another example of people willingly offering helpful advice.

2. Thank goodness for geeks!!

When it comes to computers, my knowledge is very limited so I bow to your wisdom.

:cheers:
Frank Hovis
Legend
Posts: 2081
Joined: Sat Oct 30, 2010 11:47 pm

Re: The Digital Surgery

Post by Frank Hovis »

:agree:

I could have probably managed to work my way through the router check list and gotten all these settings correct by myself but there's always a worry that you'll completely stuff the router and then no internet access at all !

It's much safer to have a couple of people provide guidance, advice and pointers and to confirm that what you are thinking is correct than to do it all alone and miss that one simple mistake and unlike on a normal networking forum where you don't know anyone at least the people on here are familiar posters; even if I don't know them in person I think it's possible to judge whose online advice you can take from having read their previous contributions to various threads (and of course, whose not to as well !)

So far so good on the router front but I think it'll be a week or so before I'm confident that we've resolved the issue.
Lung Per
Legend
Posts: 2190
Joined: Fri May 22, 2009 12:03 am

youtube black screen

Post by Lung Per »

I was looking at a few songs today and all I got was a black screen.

The songs in question were Lou Reed, George Harrison, the Beatles.
The entries are there, but nothing comes on the player - black screen.

There are other songs I can play, including my own.

Is this an initiative by the record industry, something special for Thailand, or is it just me?

:shock:
A friend is only one click away