Router Issues

Started by Lavarock7, May 06, 2016, 10:49:42 AM


Lavarock7

It's 2am and I wake up to hear the phone say "call from 100". A SIP scanner! I thought I had things configured to block these!

I go to the living room and log on to look at things. That is when I notice the problem. Overnight my router had been completely reset to default. I see in the log numerous scan attempts and IP addresses from the US and Netherlands attempting to do things.

I disconnected from the internet, changed passwords and still found issues. My remote management has always been OFF. I had passwords on all wifi and nobody near me could have broken in that way as I am rural, etc. I think it was UPNP on that allowed them to reset me.

I will be watching closely but I found it useful that the Obi and the sip caller was the way that I found my router had been hacked :-) Seems this happened a day or two AFTER I returned from a week away. I would not have been able to fix this while I was 1/4 way around the world.
My websites: Kona Coffee: http://itskona.com and Web Hosting: http://planetaloha.info
A simplified Voip explanation: http://voip.planet-aloha.com

Taoman

It would be helpful to know the make and model of your router.

Lavarock7

Netgear WNDR3400

Hardware Version    WNDR3400
Firmware Version    V1.0.0.52_20.0.60
GUI Language Version    V1.0.0.50_2.1.17.1

Taoman

Quote from: Lavarock7 on May 06, 2016, 01:33:00 PM
Netgear WNDR3400

Hardware Version    WNDR3400
Firmware Version    V1.0.0.52_20.0.60
GUI Language Version    V1.0.0.50_2.1.17.1

Yikes! That's the same router I use (except mine says WNDR3400v3) but I'm on Firmware Version V1.0.1.4_1.0.52

Now you really have me interested. So you think someone "reset" your router to factory default? Is that right? And you suspect it was due to UPNP?

Any additional info you could provide or that turns up would be appreciated.

Edit1: Under Advanced Setup>WAN>NAT filtering........ is yours set to Open or Secured?

I remember when I had PhonePower and was having problems the PP tech had me set this to Open. I did this just to appease him as I knew there was no way I was going to leave it that way. I eventually got it working on my own by using a different port number and was able to leave NAT filtering Secured.

Edit2: I checked my logs and all I have are UPNP entries. But they are all from my network printer. The more I think about this the more confused I am about how you think UPNP could be involved? Wouldn't UPNP be strictly on your internal network? How would UPNP work thru the WAN port? Did you see some suspicious UPNP entries in your log? If so, what was the source address?

SteveInWA

This (configuration reset to factory default) happened to me a couple of years ago on a Linksys router.  I just assumed it was a firmware bug or flaky flash memory.  It never happened again.  Perhaps it's a black-helicopter, "state sponsored" cyber attack...who knows.

BigJim_McD

About 16 months ago I bought a new TRENDnet TEW-818DRU  Wireless AC1900 Dual Band Gigabit Router.

The TEW-818DRU reset itself to "Factory Defaults" at least 5 or 6 times during the first 3 days.  I returned it to Amazon and purchased a replacement, a Netgear R7000 Nighthawk AC1900 Dual Band WiFi Gigabit Router. I haven't had any "Reset" issues with the R7000.
BigJimMcD

Lavarock7

This was the article I saw that said disable Upnp. There are others but I was in "fix it" mode at the time. I thought I read that external wan traffic could do damage if Upnp was enabled. Anyway, even with wifi off and most everything disconnected, I was seeing IP addresses scan my system. Somebody disabled the router overnight. It was obvious because many of the wifi devices stopped also. That happened when they reset the router and the password disappeared on wifi. Soon thereafter I got the "call from 100" call to my phone.

dircom

I am sure you did not use the default router password, but curious if you considered your old password "secure".

RFC3261

Quote from: Lavarock7 on May 06, 2016, 09:27:08 PM
Anyway, even with wifi off and most everything disconnected, I was seeing IP addresses scan my system.

"Someone" is always scanning (whether for good or nefarious purposes, someone is always scanning).  And devices that are "vulnerable" are going to get exploited reasonably quickly (while the numbers are wrong for a whole set of reasons, a few years ago there was an estimate of around 5 minutes before a vulnerable system placed on the unprotected Internet was exploited).

It should be noted that just as OBi's can occasionally lose their configuration due to hardware issues, so can consumer targeted devices such as routers, which often fall back to "default" mode (if a reboot happens, and the configuration appears bad, the system reverts to defaults), and either some internal hardware glitch or perhaps a power glitch at the wrong time can make your life very exciting.  What is often worse is that these "reset to default" operations often destroy any logs that might have helped determine the original fault.