New THG 3000 - Connection Issues / Trying to inject command code into my PC

Br04dB4ndAl
4: Newbie

Hi,

Since setting up my new THG 3000 I'm experiencing connection issues in the form of non-responsive web pages.

The Router shows no actual connection drops but the latency can be high - 127ms in one speedtest and often speedtests can't be run because they sit there and wait for a response before finally running normally and showing no issue.

I would blame my pc but I've experienced the same issues with my smart tv - pages that become non responsive for seconds as if the connection is lost / packets being dropped lost. I have had a failed upload test at Speedtest.net.


01 May 2021.jpg


Additionally, the Error logs show 410 CRC errors on the upload vs 3670 minutes of connection which is around a 10% error rate. 10% sounds high.

There are also some interesting items getting logged in my router errors which are recurrent:

Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

 

02.05.2021 08:55:57 firewall Warning [218371.290173] DROP wan in: IN=pppoe-wan OUT= MAC= src=45.146.164.243 DST=90.242.80.237 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=58762 PROTO=TCP SPT=49378 DPT=6868 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000


02.05.2021 08:55:55 lan Notice Sending a RA on lan
02.05.2021 08:55:55 lan Info Using a RA lifetime of 0 seconds on lan


02.05.2021 08:55:00 firewall Warning [218314.247487] DROP wan in: IN=pppoe-wan OUT= MAC= src=54.76.134.85 DST=90.242.80.237 LEN=802 TOS=0x00 PREC=0x00 TTL=229 ID=9471 DF PROTO=TCP SPT=443 DPT=51807 WINDOW=8320 RES=0x00 ACK URGP=0 MARK=0x8000000

 

As you can see, the Router seems to be dropping the WAN signal. 

It's also trying to inject code into my PC (the DHCPv6 ff02 Error) - question have Vodafone investigated this as Chinese Routers?

I know it's trying to inject command code because when I go to my Security Software firewall logs I see this:

02.05.21 - Fire Wall Log.jpg


The source IPs are stated as 192.168.1.1 (the default router IP) and also 192.168.5.1 in some entries.

I can see no reason why the router would be trying to send commands to my pc over WAN. All 12 recorded Exploit Attempts are the same.

BTW my Router Password is secure and not a default one.

9 REPLIES 9

clint_flick
12: Established

Hi

Your pictures have yet to appear.

 

I would suggest a different DNS value, like 8.8.8.8 or 1.1.1.1

rather than the default 192.168.1.1 of VF.

Thanks for the reply.

The LAN IP of 192.168.1.1 is pretty standard and should make no difference. It's different to the WAN IP address of the router seen on the internet and even if the router was discovered on the internet, it still has to be hacked, which is why I have a secure password.

I also think you are a little bit confused. The DNS address is the Dynamic Network Server - this is the server on the internet that interprets web addresses ie turns eg www.bbc.co.uk into 151.101.128.81 and has nothing to do with your router address.

Incidentally, I'm not using Vodafone's DNS servers.


Ahhhhhhhhh

 

Network PolyGlot.png, DNS servers.png, VF DNS.png

 

 

Anonymous
Not applicable

So:

 

Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

Probably just means there is a device on your network that refused a DHCPv6 sent as a multicast message - it's no big deal, VF don't yet do IPv6 over their network, but if you've a local device that doesn't want to know, then it could be worthwhile checking the IPv6 settings of your connected devices.

 

The firewall isn't dropping the WAN, but packets from an unidentified source.  If you have anything that should be accessing your network remotely, then you may need to open/forward some ports.  Should that not be the case (and you are not double NATing) then the firewall is doing its job!

 

lan Info Using a RA lifetime of 0 seconds on lan

RA (Router Advertisement) is just IPv6 info that is broadcast by the router it's just information, no response is expected, and by setting the lifetime to "0" the info can be updated every few minutes without conflict - nothing to worry about here!  *This could even be the cause of the failed DHCPv6 message earlier.

 

The "code injection" issue is the most worrying, but without more info (and what AV you are using) it's hard to say much more.  I'd suspect that you possibly have a compromised device (via a web browser) in your network and that these errors are related to the WAN packets that are being dropped.  I'd probably be using the "guest" feature on the router to try and isolate various devices until you can highlight the culprit!

Hi Keith,

 

Thanks for the reply, I'll edit responses in for ease:

 

So:

 

Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

Probably just means there is a device on your network that refused a DHCPv6 sent as a multicast message - it's no big deal, VF don't yet do IPv6 over their network, but if you've a local device that doesn't want to know, then it could be worthwhile checking the IPv6 settings of your connected devices.

There's only the PC, TV and my Phone Connected. I'm not one for connecting devices to the internet, so I steer well clear of connected devices. My pc definitely isn't compromised and my phone and TV are secure also.

 

The firewall isn't dropping the WAN, but packets from an unidentified source.  If you have anything that should be accessing your network remotely, then you may need to open/forward some ports.  Should that not be the case (and you are not double NATing) then the firewall is doing its job!


That's the point. There is nothing that should be accessing my connection remotely. 

Also, as an aside, you NEVER want to forward ports. See my comments on this in the lack of VPN facility in the Router in the other thread. Any device that port forwards is visible in a search using a well known hacking / network security search engine / browser and visible to the entire internet worldwide along with its device type and exact physical location (street address) along with IP address and all information needed to make an attack. That makes it accessible to the whole internet and typically gets hacked in some form or another within minutes of being connected.

No device should ever be made accessible via the internet unless it's via a VPN tunnel from the router (that's not the same as a VPN service you subscribe to - the 1st encrypts and keeps data safe to a linked external device, the latter tries to hide your browsing from your ISP).

If you look at the Youtube videos I linked in the other thread, you'll see why Port Forwarding is a bad idea and should never be done.

 


lan Info Using a RA lifetime of 0 seconds on lan

RA (Router Advertisement) is just IPv6 info that is broadcast by the router it's just information, no response is expected, and by setting the lifetime to "0" the info can be updated every few minutes without conflict - nothing to worry about here!  *This could even be the cause of the failed DHCPv6 message earlier.

OK

 

The "code injection" issue is the most worrying, but without more info (and what AV you are using) it's hard to say much more.  I'd suspect that you possibly have a compromised device (via a web browser) in your network and that these errors are related to the WAN packets that are being dropped.  I'd probably be using the "guest" feature on the router to try and isolate various devices until you can highlight the culprit!

The only devices connected to my network are a single pc (not compromised), a phone and a Samsung TV which uses its own browser and security software.

gipjon
16: Advanced member

Thought the cctv was connected 

Samsung tv is going to have a few connections looking for software updates 

Probably be a good idea to turn off the ipv6 in the router setting also makes reading the logs easier 

In ref to Chinese router the THG3000 router is a technicolor dga2231 or dga4231 

Ok thanks. I'll turn IPV6 off and see if it helps.

Jayach
16: Advanced member

@Br04dB4ndAl wrote:

Hi Keith,

The firewall isn't dropping the WAN, but packets from an unidentified source.  If you have anything that should be accessing your network remotely, then you may need to open/forward some ports.  Should that not be the case (and you are not double NATing) then the firewall is doing its job!


That's the point. There is nothing that should be accessing my connection remotely. 

 


There are unsolicited probes all the time. There are spiders crawling the web continuously.

https://www.cloudflare.com/en-gb/learning/bots/what-is-a-web-crawler/
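
Added example (not part of any post in this thread, and not the router's own code): a small parser for the `DROP wan in:` lines quoted in the first post, separating an unsolicited inbound SYN of the kind described above from a packet that looks like the tail of an outbound HTTPS session. The labels, the `WEB_PORTS` set and the function names are assumptions made for illustration.

```python
import re

# The three log lines below are copied from the first post in this thread.
SAMPLE_LOG = [
    "02.05.2021 08:55:57 firewall Warning [218371.290173] DROP wan in: IN=pppoe-wan OUT= MAC= src=45.146.164.243 DST=90.242.80.237 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=58762 PROTO=TCP SPT=49378 DPT=6868 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "02.05.2021 08:55:00 firewall Warning [218314.247487] DROP wan in: IN=pppoe-wan OUT= MAC= src=54.76.134.85 DST=90.242.80.237 LEN=802 TOS=0x00 PREC=0x00 TTL=229 ID=9471 DF PROTO=TCP SPT=443 DPT=51807 WINDOW=8320 RES=0x00 ACK URGP=0 MARK=0x8000000",
    "02.05.2021 08:55:55 lan Notice Sending a RA on lan",
]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
WEB_PORTS = {80, 443}  # assumption: treat these source ports as "a web server"


def parse_drop(line):
    """Return fields and TCP flags of a 'DROP wan in:' line, or None."""
    match = re.search(r"DROP wan in:\s*(.*)$", line)
    if match is None:
        return None
    fields, flags = {}, set()
    for token in match.group(1).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key.upper()] = value  # the router mixes 'src=' and 'DST='
        elif token in TCP_FLAGS:
            flags.add(token)
    return {"fields": fields, "flags": flags}


def classify(entry):
    """Heuristic label for one dropped inbound packet (added, not the router's)."""
    f, flags = entry["fields"], entry["flags"]
    if f.get("PROTO") != "TCP":
        return "other"
    if flags == {"SYN"}:
        return "inbound-syn-probe"       # someone outside trying to open a port
    if "ACK" in flags and "SYN" not in flags and int(f.get("SPT", 0)) in WEB_PORTS:
        return "late-reply-from-server"  # likely tail of a session the router forgot
    return "other"


def summarize(lines):
    """(source IP, destination port, label) for every firewall drop in the log."""
    out = []
    for line in lines:
        entry = parse_drop(line)
        if entry:
            f = entry["fields"]
            out.append((f.get("SRC"), int(f.get("DPT", 0)), classify(entry)))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Both packets were dropped at the WAN interface, so neither reached a LAN device; the Router Advertisement line is not a firewall event and is skipped.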

 

Anonymous
Not applicable

One thing you can try is to go into the Network settings on the TV and change the device name.  Samsung TVs often use the network name "localhost" which can cause all kinds of problems.  Even changing the name in the settings will not change the name for all protocols, but it can cut down on some issues.