Hello community.
After the announcement of the security hole in our devices, we immediately updated the majority of our clients' routers.
Unfortunately, some devices were not updated, as they are managed by the customers themselves.
So last night I decided to do a global check for any compromised devices. I found 7 devices and informed the customers to take action.
I created some rules in the forward chain to spot traffic destined for port 4145 TCP, which was the modified SOCKS port, to find the hacked devices,
and I also created rules to find out the SRC IPs the traffic originated from.
The next thing to do was to create a drop rule to stop traffic FROM "attackers" TO "hacked" devices.
Here comes the funny part.
Google IPs (8.8.8.8, 8.8.4.4) appeared in my list, therefore any inbound traffic was dropped, causing some problems with DNS resolution requests etc.
Port 4145 TCP is used for a vvr-control service or something.
My questions to the community are these.
1) My best guess is that traffic from Google IPs had to have been forged to bypass firewalls.
What is your opinion on this?
2) Even though the devices were patched, and any visible modifications were undone, I still track traffic on port 4145 (40b packets, ACK/RST) and it got me thinking...
Could it be that the "hack" created further modifications that are invisible to the user and the only way to be sure is to use NetInstall and start over? This traffic has to somehow
be triggered and it seems I can't find a legit reason. I also used the packet sniffer to analyze traffic in Wireshark but didn't find anything major there.
What do you think about that?
This post is more about exchanging opinions than solving a problem.
Did anyone else have a similar situation, and what actions did you take?
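A RouterOS rule set for the sweep described in the post above, as an added example (these are not the poster's own rules). Port 4145 and the forward chain come from the post; the address-list names, the log prefix and the 1-day timeouts are my assumptions. Two things worth noting: a plain dst-port=4145 match in forward also hits the return half of any ordinary outbound connection whose local ephemeral port happened to be 4145, so the rules below add connection-state=new to match only the first packet of an inbound attempt (stray 40-byte ACK/RST packets with no tracked connection are "invalid", not "new", and are not collected); and the drop rule is limited to new connections to TCP/4145 from the collected sources rather than to all traffic from them.

```routeros
# Added example, not the poster's configuration. Assumed names: address lists
# "socks4145-src" / "socks4145-dst", the log prefix and the timeouts are mine.
# Apply on the router that forwards traffic for the customer devices.

/ip firewall filter

# 1. Record the sources of NEW inbound TCP/4145 connection attempts only.
#    add-src-to-address-list does not terminate rule processing, so the
#    packet still reaches the drop rule below.
add chain=forward protocol=tcp dst-port=4145 connection-state=new \
    action=add-src-to-address-list address-list=socks4145-src \
    address-list-timeout=1d log=yes log-prefix="socks4145" \
    comment="collect sources opening connections to TCP/4145"

# 2. Record the destinations, i.e. the customer devices being reached on TCP/4145.
add chain=forward protocol=tcp dst-port=4145 connection-state=new \
    action=add-dst-to-address-list address-list=socks4145-dst \
    address-list-timeout=1d comment="collect devices reached on TCP/4145"

# 3. Drop only new connections from the collected sources to TCP/4145.
#    A blanket src-address-list drop would also block unrelated traffic
#    (DNS replies, for instance) from any address that landed in the list.
add chain=forward protocol=tcp dst-port=4145 connection-state=new \
    src-address-list=socks4145-src action=drop \
    comment="drop collected sources -> TCP/4145"

# Review what was collected and logged.
/ip firewall address-list print where list=socks4145-src
/ip firewall address-list print where list=socks4145-dst
/log print where message~"socks4145"

# On a patched customer router, quick checks for leftovers of the SOCKS change
# (default SOCKS state is enabled=no on port 1080):
/ip socks print
/ip socks access print
/system scheduler print
/system script print
/ip firewall filter print where dst-port=4145
```

The address-list entries expire after the assumed 1-day timeout, so the lists show what hit TCP/4145 recently rather than accumulating forever; the logged lines carry the src:port->dst:port pair and the TCP flags, which is enough to tell a SYN from an ACK/RST when reviewing them. The last block is a manual review, not an automated verdict: any scheduler entry, script or firewall rule you did not create is what to look at on a device that was cleaned by hand.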