Re: Massive attack to Alcatel Speed Touch Home & Pro

[Casper Dik <Casper.Dik () Sun COM>]

> Many of my collegues, customer and friends (and obviously me too) have a
> new release of their modem's firmware apparently without notice.
> Nobody asked for and no ISP support did it at all!
> I've asked my ISP customer hotline, and they were completely worried about
> it!

If my reading of the ADSL modem vulenrability information is correct, such
an hack either requires a bounce of of one of the systems behind
the ADSL modem or a direct connection to the ATM infrastructure behind it.

Unless it is configured to have an actual IP presence.  Does it have
an IP presence?

Would your ISP even be able to upgrade the firmware over the ATM side?

The situation in the Netherlands is such that the majority of ADSL
connectivity is delivered through several ISPs using a single (local
loop monopolist KPN) telco provider.

Only the latter would be able to upgrade the modem firmware using the
ATM side; it is unclear they would even tell the ISPs or whether it
would reach down to the level of the helpdesk.

> It seems that a particular version is being installed by someone on the
> Alcatel after a portscan to detect it.
> I've recorded a large portscan against port 21 (the one used to upgrade
> the new version) to ALL my public IP, and all IPs of my ISP.

That's weird; the modem itself isn't visible using IP (or is it in your case?).

> It seems that the intruder scanned with a SYN/FIN portscan to detect the
> Alcatel and after he/she put the new firmware version.

If the SCAN is to detect the Alcatel, how did you see it?  If the Alcatel
has IP presence, it would not put the packet on your net.

But a port 21 scan is worisome.

> My modem was upgraded apparently during the period between the 0:00 and
> the 4:00 CET of the 3rd of August without loosing any configuration, so
> I would't notice anything without a direct check using "software version"
> on console or telnet access.

I'd ask the telco some hard questions.

Casper