Re: Massive attack to Alcatel Speed Touch Home & Pro (fwd)

From: Rick Byers (rb-bugtraqat_private)
Date: Sun Aug 05 2001 - 08:27:31 PDT


    Can you elaborate on the mechanism you believe the attackers are using to
    install the software?  My understanding of the vulnerability in the STH is
    that it allows access from the INTERNAL LAN interface, or from the TelCo
    ATM interface - NOT over the public IP interface.  Besides, any traffic to
    my public IP will go to my server over the PPPoE link.  Assuming an
    attacker cannot generate packets from inside my LAN (through a bounce
    attack or something) and doesn't have direct access to my ATM link to the
    TelCo - I see no way for them to install new firmware (or interact with
    the configuration in any way) on my modem.
    
    Or are you saying that an improperly secured FTP server inside your network
    is being used to transfer files to the modem?  I'm not completely sure how
    this could work either....
    
    I thought I had myself protected (without patching my Firmware - since I
    rent my modem from my ISP), but your message raises some new concerns.  My
    firmware is still the KHDSBA.133 that came on the modem, but I want to
    make sure I'm protected against outside (not TelCo) modification...
    
    Thanks!
    
    On Sun, 5 Aug 2001, Andrea Costantino wrote:
    
    > It seems that a particular version is being installed by someone on the
    > Alcatel after a portscan to detect it.
    > I've recorded a large portscan against port 21 (the one used to upgrade
    > the new version) to ALL my public IP, and all IPs of my ISP.
    >
    > It seems that the intruder scanned with a SYN/FIN portscan to detect the
    > Alcatel and after he/she put the new firmware version.
    >
    > I don't know what the hell the new version does, but sometimes during the
    > upgrade the configuration is lost, so many people blame their ISP or the
    > telco company for service interruptions, but in truth their ADSL is
    > running flawlessly, while the modem has become unconfigured.
    
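    The quoted report describes a SYN/FIN sweep against port 21 preceding the firmware change. The following is an added example, not code from either poster, that parses constructed tcpdump-style TCP lines and lists sources that sent SYN+FIN to port 21 against several distinct hosts; the sample addresses and the `min_hosts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's default TCP output format (not real capture data).
# 203.0.113.5 sweeps three hosts on port 21 with SYN+FIN set; 198.51.100.7 is a normal SYN.
SAMPLE_LOG = """\
12:00:01.000001 IP 203.0.113.5.40000 > 192.0.2.10.21: Flags [SF], seq 1, win 1024, length 0
12:00:01.000200 IP 203.0.113.5.40000 > 192.0.2.11.21: Flags [SF], seq 1, win 1024, length 0
12:00:01.000400 IP 203.0.113.5.40000 > 192.0.2.12.21: Flags [SF], seq 1, win 1024, length 0
12:00:02.000000 IP 198.51.100.7.51234 > 192.0.2.10.21: Flags [S], seq 99, win 65535, length 0
12:00:02.100000 IP 192.0.2.10.21 > 198.51.100.7.51234: Flags [S.], seq 5, ack 100, win 8192, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def is_syn_fin(flags):
    # tcpdump flag letters: S=SYN, F=FIN, '.'=ACK, R=RST, P=PSH.
    # SYN and FIN set together never occurs in a legitimate handshake; it is a scan signature.
    return "S" in flags and "F" in flags


def find_syn_fin_sweeps(log_text, port=21, min_hosts=2):
    """Map each source that sent SYN/FIN to `port` on >= min_hosts distinct hosts to those hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if dport == port and is_syn_fin(flags):
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_syn_fin_sweeps(SAMPLE_LOG).items():
        print(f"SYN/FIN sweep on port 21 from {src}: {len(hosts)} hosts ({', '.join(hosts)})")
```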


