Vodafone Wi-Fi Hub

15digits
2: Seeker

Hi Guys

I'm using Voda broadband with Vodafone Wi-Fi Hub for the last couple of months. After many years with BT I have finally decided to switch and I'm very happy with my decision. My connection is faster than ever. Vodafone customer service has been brilliant all the way (at least a few levels above BT).

My Voda Hub is acting strange right now. DNS requests are hitting null, some strange services running on my network. My password has been changed in mysterious circumstances... logs from the hub are showing some very strange activities...

Vodafone Wi-Fi Hub Firmware version: 19.4.0551-3261103 after fresh factory reset.

nmap -sS -sV -O -T4 -v --traceroute (run from a local network on local address; same result if run on WAN IP). Services:

53/tcp open domain Cloudflare public DNS
80/tcp open http nginx
139/tcp open netbios-ssn?
443/tcp open ssl/http nginx
445/tcp open microsoft-ds?
5000/tcp open upnp?
6699/tcp open ssl/http nginx
8080/tcp open http nginx
9000/tcp open cslistener?/tinyproxy

 

Are all these ports meant to be open by default? I can't find any info online regarding this matter. I want to find out if there is anything fishy going on on my network or if I'm just being paranoid. Can someone run an nmap scan under similar circumstances on another hub and check if this is normal?

5 REPLIES

Cynric
16: Advanced member

@15digits As a matter of caution start with a factory reset, then do not connect anything more than one device and check what is open. 

Are you running a local web server, because that is what nginx is?

I'm not using a VF router, so I can't comment on the open ports, but for my use I have not manually set up any in the router settings.

Hi

Thanks for your reply. 

That's how I've done it. Factory reset the router first. Only my PC connected via Ethernet. I have even disabled everything I possibly could on that router. Wi-Fi disabled, upnp disabled, samba disabled, DMZ disabled... Still this stuff is running.

 

80/tcp open http
443/tcp open https
6699/tcp open napster
8080/tcp open http-proxy
9000/tcp open tinyproxy
80/udp open|filtered http
112/udp open|filtered mcidas
123/udp open ntp
161/udp open|filtered snmp
517/udp open|filtered talk
1100/udp open|filtered mctp
1701/udp open|filtered L2TP
1813/udp open|filtered radacct
2345/udp open|filtered dbm
5050/udp open|filtered mmcc
5093/udp open|filtered sentinel-lm
9200/udp open|filtered wap-wsp
16402/udp open|filtered unknown
16433/udp open|filtered unknown
17184/udp open|filtered unknown
17423/udp open|filtered unknown
17673/udp open|filtered unknown
18994/udp open|filtered unknown
19017/udp open|filtered unknown
19728/udp open|filtered unknown
20360/udp open|filtered unknown
21621/udp open|filtered unknown
21655/udp open|filtered unknown
21967/udp open|filtered unknown
22109/udp open|filtered unknown
25541/udp open|filtered unknown
28641/udp open|filtered unknown
33717/udp open|filtered unknown
34579/udp open|filtered unknown
34861/udp open|filtered unknown
40441/udp open|filtered unknown
40866/udp open|filtered unknown
41971/udp open|filtered unknown
42434/udp open|filtered unknown
42508/udp open|filtered candp
42577/udp open|filtered unknown
49188/udp open|filtered unknown
49393/udp open|filtered unknown
50099/udp open|filtered unknown
55544/udp open|filtered unknown
57813/udp open|filtered unknown
59765/udp open|filtered unknown
61319/udp open|filtered unknown

 

This is showing only when I run nmap on the WAN IP of the router from the PC. That is on LAN. It is still creepy, I would say. This router is running a massive amount of software. Looks similar to OpenWrt. It's capable of about anything. I don't trust my own LAN. That's my concern. If there is a hook on any of the devices connected on my home network then someone can perform magic.
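
Added example, not part of the thread or any poster's code: a triage of the two port lists quoted above. It separates ports that answered nmap's probes (`open`) from those marked `open|filtered` because no reply came back at all, and lists which TCP ports from the first scan no longer answer in the second. The port lines are taken from the posts (UDP list shortened); the variable and function names are assumptions of this example.

```python
import re

# Port lines as quoted in the thread (UDP list shortened); names below are this example's.
SCAN_DEFAULT = """\
53/tcp open domain Cloudflare public DNS
80/tcp open http nginx
139/tcp open netbios-ssn?
443/tcp open ssl/http nginx
445/tcp open microsoft-ds?
5000/tcp open upnp?
6699/tcp open ssl/http nginx
8080/tcp open http nginx
9000/tcp open cslistener?/tinyproxy
"""
SCAN_DISABLED = """\
80/tcp open http
443/tcp open https
6699/tcp open napster
8080/tcp open http-proxy
9000/tcp open tinyproxy
80/udp open|filtered http
123/udp open ntp
16402/udp open|filtered unknown
"""
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)(?:\s+(\S+))?")

def parse_ports(text):
    """Map (port, proto) -> (state, service) for every nmap port line in text."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[(int(m[1]), m[2])] = (m[3], m[4] or "")
    return found

def triage(text):
    """Return (answered, silent): ports that replied vs. ports with no reply."""
    ports = parse_ports(text)
    answered = sorted(k for k, (state, _) in ports.items() if state == "open")
    # open|filtered: nothing came back, so nmap cannot tell open from firewalled
    silent = sorted(k for k, (state, _) in ports.items() if state == "open|filtered")
    return answered, silent

def closed_since(before, after):
    """Ports that answered in `before` but do not answer in `after`."""
    return sorted(set(triage(before)[0]) - set(triage(after)[0]))

if __name__ == "__main__":
    print(triage(SCAN_DISABLED), closed_since(SCAN_DEFAULT, SCAN_DISABLED))
```

An `open|filtered` UDP result only means the probe went unanswered; running version detection (`-sV`, as in the first scan) against those ports is what helps separate the truly open ones from the filtered ones.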

 

CrimsonLiar
16: Advanced member

@15digits How are you testing this on the WAN interface?

If that's only internal, then there is nothing there that I would be worried about; if that is available externally, then it's very weird!

Hi

Yes. It's on LAN. I don't have a way to get out and run a full scan from outside. I did check a few online scanners and they don't show anything open. On the other hand, that is exactly how it would look if the router has been compromised.

My biggest concern is the proxy. Nothing like this is mentioned in the list of software that should be installed on that router. A nicely configured proxy beyond my control can take me to a wonderland :)

Jayach
16: Advanced member

If you really are that worried, get your own router, you will then have complete control.

Edit:

@15digits wrote:

My Voda Hub is acting strange right now. DNS requests are hitting null, some strange services running on my network. My password has been changed in mysterious circumstances... logs from the hub are showing some very strange activities...


What password was changed?