# Was there an attempt made at breaching my modem?



## Aceman.au (Oct 2, 2018)

Ok so odd thing just happened. My internet died. I power cycled the modem as per usual when this happens (I live in Australia, this is a common occurrence). 

But something different from normal happened. Once my internet reconnected a website opened up. http://www.acme.com/software/micro_httpd/

Has my ISP pushed an update (or something like that) or did someone just probe into my modem?

I googled the website and my ISP (Optus) has a thread from 2017 about it found here: https://yescrowd.optus.com.au/t5/Broadband-Telephony/Error-404-micro-httpd/td-p/315988

and I'm left with more questions than answers.


----------



## DRDNA (Oct 2, 2018)

Call your ISP and ask them, because if they didn't then something kind of weird did happen... and we can advise some safety precautions from there. Also good to see you again, it's been a while.

In this thread it seems it may have been an exploit of some sort and was sorted by running Malwarebytes: https://www.bleepingcomputer.com/forums/t/468456/error-404-micro-httpd/


----------



## jsfitz54 (Oct 2, 2018)

@Aceman.au   While you have the ISP on the phone ask them to push any firmware updates to the modem *AND/OR* ask them to update your hardware if it has become old / outdated.


----------



## natr0n (Oct 2, 2018)

Some ISP services can do that, open webpages like that. It's weird but it happens.


----------



## Bill_Bright (Oct 2, 2018)

I would power cycle your modem (actually, your entire network, including connected devices) again. Note if there is new firmware, you will likely need to do this anyway. 

But to answer your question, it is very likely a breach was attempted! But that in no way suggests it was successful. If your device supports access attempts logging, you might be surprised, or even shocked to see how many access attempts hit your network every day from all over the world. Most will be from legitimate sources like Akamai, Microsoft, Level 3, NTT and others. But I also see them from various places in China, Germany, Russia, Turkey, Montenegro, and elsewhere. But again, just because those entities hit your modem/router, that does not mean your router let them through. 

My question to you would be this; is it still happening or was this a one-time thing? If just once, my suspicion is there was a network outage and you just happened to try to access the Internet before your ISP's network was fully restored. That's a total guess, but that is what it looks like to me from here.


----------



## dorsetknob (Oct 2, 2018)

natr0n said:


> Some ISP services can do that, open webpages like that. It's weird but it happens.


That's one of the problems with ISP Supplied Equipment.
They have their OEM Back door (all in the name of (insert bullshit here) Customer Service).
I much prefer supplying my own Modem/Router (no ISP Back door and you get to supply Better quality Devices).


----------



## Bill_Bright (Oct 2, 2018)

Not just that. Many ISP provided "gateway devices" support semi-public wifi hotspots so ISP customers who are driving around or visiting your neighbors can use your connection to access their network!  _In theory_, that semi-public network and your network are totally isolated and one cannot access the other. And _in theory_, those people are not using any of your bandwidth. But we all know "in theory" and the "real world" don't always jive.


----------



## natr0n (Oct 2, 2018)

dorsetknob said:


> That's one of the problems with ISP Supplied Equipment.
> They have their OEM Back door (all in the name of (insert bullshit here) Customer Service).
> I much prefer supplying my own Modem/Router (no ISP Back door and you get to supply Better quality Devices).



I got my own fancy modem now; bill dropped from $120 to $45 a month and no backdoor bs.


----------



## Bill_Bright (Oct 2, 2018)

natr0n said:


> now bill dropped from $120 to $45 a month


  That's a huge drop! 

I've owned my own modem from the beginning of my Internet access 25 years ago when they charged something like $4/month. But even to this day, my ISP charges $10/month rental fees. That still makes it worth buying your own, IMO.


----------



## FordGT90Concept (Oct 2, 2018)

It wouldn't be unreasonable that the gateway uses a micro_httpd webserver to host its administration page.


----------



## DeathtoGnomes (Oct 2, 2018)

dorsetknob said:


> That's one of the problems with ISP Supplied Equipment.
> They have their OEM Back door (all in the name of (insert bullshit here) Customer Service).
> I much prefer supplying my own Modem/Router (no ISP Back door and you get to supply Better quality Devices).


PC > Router > ISP's router/modem combo. All wireless goes thru the ISP's modem to keep it away from the network. The thing I hate about ISPs and owning your own modem: they blame you for almost everything and there is no CS, not that there is any real CS.....


----------



## Aceman.au (Oct 3, 2018)

Bill_Bright said:


> I would power cycle your modem (actually, your entire network, including connected devices) again. Note if there is new firmware, you will likely need to do this anyway.
> 
> But to answer your question, it is very likely a breach was attempted! But that in no way suggests it was successful. If your device supports access attempts logging, you might be surprised, or even shocked to see how many access attempts hit your network every day from all over the world. Most will be from legitimate sources like Akamai, Microsoft, Level 3, NTT and others. But I also see them from various places in China, Germany, Russia, Turkey, Montenegro, and elsewhere. But again, just because those entities hit your modem/router, that does not mean your router let them through.
> 
> My question to you would be this; is it still happening or was this a one-time thing? If just once, my suspicion is there was a network outage and you just happened to try to access the Internet before your ISP's network was fully restored. That's a total guess, but that is what it looks like to me from here.



One time thing so far. I'm going to try recommended fixes in the Malwarebytes thread that was linked above.



DRDNA said:


> Call your ISP and ask them, because if they didn't then something kind of weird did happen... and we can advise some safety precautions from there. Also good to see you again, it's been a while.
> 
> In this thread it seems it may have been an exploit of some sort and was sorted by running Malwarebytes: https://www.bleepingcomputer.com/forums/t/468456/error-404-micro-httpd/



Yep, back again! Haven't had many issues recently so I kind of forgot about TPU.

Blue screened after running aswMBR.exe as recommended in the thread. Crash error DRIVER_IRQL_NOT_LESS_OR_EQUAL (Crash source was the exe according to the blue screen).

Running MWB scan now. Will see what else I can do from that thread.

ESST online scanner cannot get updates. Going to power cycle modem to see if it happens again.

Ok. Modem cycled. Did not happen again. Contacting ISP for questioning.

My ISP seems to think it's a default link of a program that has opened when I've reset my modem. They said the link contained no malicious software.


----------



## jsfitz54 (Oct 3, 2018)

@Aceman.au :  Please *remove* EDIT all your info after the video; MAC, IPv4, IPv6 addresses for SECURITY!

You are giving away your private address on a public forum.

Just post the errors

Update Steam and Firefox?
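
One way to do the scrubbing asked for above before pasting diagnostics into a public post, as an added example that is not part of the original thread. The `redact` function, its placeholder format and the sample text are assumptions constructed here; the sample uses documentation-range addresses.

```python
import ipaddress
import re

# Runs of hex digits, ':' and '.' are only candidates; ipaddress decides.
IP_RUN_RE = re.compile(r"[0-9A-Fa-f:.]{2,}")
# Six hex octets separated by ':' or '-' (ipconfig prints the '-' form).
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

# Constructed sample: documentation-range addresses, not real ones.
SAMPLE = """\
Ethernet adapter: Physical Address 00-00-5E-00-53-AF
12:34:56 WAN up, IPv4 203.0.113.7, gateway 203.0.113.1.
12:34:57 IPv6 2001:db8::1 lease renewed (MAC 00:00:5e:00:53:af)
12:35:02 ping 127.0.0.1 ok
"""


def redact(text):
    """Return (scrubbed_text, labels); the same address always gets the same label."""
    labels = {}

    def label_for(kind, key):
        if key not in labels:
            seen = sum(1 for v in labels.values() if v.startswith("[" + kind))
            labels[key] = "[%s-%d]" % (kind, seen + 1)
        return labels[key]

    def ip_sub(m):
        run = m.group(0)
        # Try the run as-is, then without sentence punctuation stuck to it.
        for core in (run, run.rstrip(".:")):
            try:
                addr = ipaddress.ip_address(core)
            except ValueError:
                continue  # timestamps, dates, plain hex words
            if addr.is_loopback or addr.is_unspecified:
                return run  # identifies nobody, keep for readability
            return label_for("IPv%d" % addr.version, str(addr)) + run[len(core):]
        return run

    def mac_sub(m):
        return label_for("MAC", m.group(0).lower().replace("-", ":"))

    # IPs first, so a full eight-group IPv6 address is never half-eaten as a MAC.
    return MAC_RE.sub(mac_sub, IP_RUN_RE.sub(ip_sub, text)), labels


if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

Because each address maps to a stable placeholder, readers can still follow which device or gateway a log line refers to without seeing the real value.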


----------



## Aceman.au (Oct 3, 2018)

Whelp. RIP my anonymity. All info removed.


----------



## Aquinus (Oct 3, 2018)

Wireshark isn't going to capture anything happening between the local node and the modem itself, and the modem does receive updates from the ISP for various reasons. Sometimes it's software changes and other times it's telling the modem things like which frequencies and modes to operate in. For example, if in the modem's log you see something like this, you likely got some kind of update from the ISP.


> Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out


That kind of log does indicate that the modem will restart.


----------



## Aceman.au (Oct 3, 2018)

jsfitz54 said:


> @Aceman.au :  Please *remove* EDIT all your info after the video; MAC, IPv4, IPv6 addresses for SECURITY!
> 
> As it is you are giving away your private address on a public forum.
> 
> ...



Firefox needed an update. Steam is fine.

So uhhh. What can people do with my MAC address?



Aquinus said:


> Wireshark isn't going to capture anything happening between the local node and the modem itself, and the modem does receive updates from the ISP for various reasons. Sometimes it's software changes and other times it's telling the modem things like which frequencies and modes to operate in. For example, if in the modem's log you see something like this, you likely got some kind of update from the ISP.
> 
> That kind of log does indicate that the modem will restart.


It does randomly lose internet connection. Maybe this has something to do with it. But then again, Australian internet is garbage.


----------



## Aquinus (Oct 3, 2018)

Aceman.au said:


> So uhhh. What can people do with my MAC address?


People can spoof their MAC to use yours. The MAC address is a physical device ID (sort of), kind of like a serial number. It's an address that (ideally) uniquely belongs to your network adapter.


Aceman.au said:


> It does randomly lose internet connection. Maybe this has something to do with it. But then again, Australian internet is garbage.


Mine sometimes does too, but I think that's because my upstream power level is borderline too high.


----------



## Aceman.au (Oct 3, 2018)

I think I might just wrap the thread up. Seems like the website is harmless and I have premium MWB monitoring my PC. So hopefully if shit hits the fan it will take care of it. If all else fails I'll format and reinstall.


----------



## Bill_Bright (Oct 3, 2018)

Aceman.au said:


> One time thing so far.


If you were redirected to a malicious website, I might be a little bit concerned. But since that site does not appear to be malicious, and it was a one-time thing, I would not worry about it.



Aquinus said:


> People can spoof their MAC to use yours.


This is true. And many home routers let you change the MAC address seen by the modem. But MAC addresses were never meant for security purposes. They are just to prevent conflicts and collisions on the network to ensure data packets are routed to the correct computer. As long as you don't have the same MAC address on 2 or more devices on your local network, no problems. And typically, the most that would happen is the second device would fail to connect.

That said, limiting access to the Internet using MAC filtering can help prevent unauthorized access as you are telling your router to only let those devices with those MAC addresses through. Yes, a bad guy can spoof that address, but how are they going to get it? They would either be really really good guessers, or have physical access to your home.


----------



## jsfitz54 (Oct 3, 2018)

Bill_Bright said:


> Yes, a bad guy can spoof that address, but how are they going to get it? They would either be really really good guessers, or have physical access to your home.



Early this morning the OP posted all this info by accident.  Hence my Post #13.
I also used the report button to get a mod to take it down in case the OP was not online for a long period, as he is half a world away.
Hence OP's post #14.


----------



## Bill_Bright (Oct 3, 2018)

jsfitz54 said:


> Early this morning the OP posted all this info by accident. Hence my Post #13.


I understand. I was just on my soapbox speaking to the crowd.


----------

