
Kernel Intrusion in ADSL Router


PriSim


Hi guys,

I am facing a bad kernel intrusion issue on my DSL router.

Basically I am using a shared internet connection with my neighbors. The main DSL router is the same and we are all on the DHCP server assigned by the router; no other network switch or firewall is installed. But for the past months I have been getting this message in my router log and my DSL line goes down automatically. The router resets its services, and then this happens again and the DSL goes down :(

I already searched on Google and on many other network forums about my issue but no one has a good enough and informative answer. Someone says it is due to the default user and password of your router and is being done by some kind of trojan or malware or another kind of kernel intruder. I simply changed my password but this keeps happening again and again.

Router : Tenda w150d

kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=71.6.167.142 DST=18x.18x.xx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=25777 PROTO=TCP SPT=49717 DPT=55554 WINDOW=33463 RES=0x00 SYN URGP=0 MARK=0x8000000 

Any help will be appreciated :(

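As an added example (not code from this thread or from Tenda), here is a small parser for the two log formats quoted in this thread, the netfilter-style `kernel: Intrusion -> IN=ppp0 ... SRC=... DPT=...` line above and the `[LAN access from remote] from A:port to B:port` lines further down, that groups WAN-side hits by source so one host walking many ports can be told apart from many unrelated sources hitting one port. The management-port table, the scan threshold and the 203.0.113.9 / 198.51.100.7 sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Netfilter-style line as the Tenda router logs it ("kernel: Intrusion -> IN=ppp0 ... SRC=... DPT=...")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Netgear-style line quoted later in the thread ("[LAN access from remote] from A:port to B:port, ...")
REMOTE_RE = re.compile(r"\[LAN access from remote\] from (\d+\.\d+\.\d+\.\d+):(\d+) to (\d+\.\d+\.\d+\.\d+):(\d+)")
# Ports a router's own services commonly listen on (assumed table: admin UI, SSH, Telnet, UPnP/SSDP, TR-069).
MANAGEMENT_PORTS = {80: "http", 443: "https", 22: "ssh", 23: "telnet", 1900: "upnp-ssdp", 7547: "tr-069"}

def parse_line(line):
    """Return (src_ip, dst_port, proto) for a WAN-side hit, or None for any other line."""
    if "Intrusion" in line:
        kv = dict(KV_RE.findall(line))
        # Only count packets that arrived on the PPPoE/WAN interface and carry a source and port.
        if kv.get("IN", "").startswith("ppp") and "SRC" in kv and "DPT" in kv:
            return kv["SRC"], int(kv["DPT"]), kv.get("PROTO", "?")
        return None
    m = REMOTE_RE.search(line)
    return (m.group(1), int(m.group(4)), "?") if m else None  # this format names no protocol

def summarize(lines, scan_threshold=5):
    """Group WAN hits by source; a source touching >= scan_threshold distinct ports (assumed
    value) is flagged scan-like, and any hit on a management port is named explicitly."""
    by_src = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit:
            by_src[hit[0]].add(hit[1])
    return {
        src: {
            "ports": sorted(ports),
            "management": sorted(MANAGEMENT_PORTS[p] for p in ports if p in MANAGEMENT_PORTS),
            "scan_like": len(ports) >= scan_threshold,
        }
        for src, ports in by_src.items()
    }

# Sample input: two lines quoted in this thread, plus constructed lines (203.0.113.9 and 198.51.100.7
# are documentation addresses) showing a TR-069 probe and one source walking five ports.
SAMPLE_LOG = [
    "kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=71.6.167.142 DST=18x.18x.xx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=25777 PROTO=TCP SPT=49717 DPT=55554 WINDOW=33463 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "[LAN access from remote] from 80.247.26.118:45150 to 172.16.0.2:31649, Saturday, Oct 03,2015 14:29:19",
    "kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=7547 WINDOW=1024 RES=0x00 SYN URGP=0",
] + [
    f"kernel: Intrusion -> IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID={i} PROTO=TCP SPT=4000{i} DPT={p} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i, p in enumerate([22, 23, 80, 443, 8080])
]
```

Run `summarize(SAMPLE_LOG)` over a saved copy of the router log: a single source with a long port list is a scanner, while many sources all hitting one management port say which service is exposed on the WAN side and should be closed.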

Look here at these..

http://superuser.com/questions/330753/what-is-a-kernel-intrusion-on-my-router

Basically someone has tried to connect to your WAN IP ( given by your ISP ) not a network IP.. This can be caused by a number of issues and scenarios.. Some of it can be nefarious.. some does not have to be...

One suggestion was to turn off IGMP in your settings.. This keeps your router from responding to those types of messages/protocols..

You should check your router model number for known vulnerabilities and also check to see if your firmware is up to date. You may also want to reinstall it if necessary ( if possible )

The messages should be harmless but you say your router is rebooting or resetting which means it is vulnerable and someone or something is looking for holes... Check your settings and protect your system.. You may also be having issues if you are on old copper wire and all of your neighbors and your usage is quite high.. ( capable usually of about 4.5 Mb max.. ) even if they sold you higher.. Look at your term and bandwidth approximations of "UP TO"..

Another weird thing is when you have a Roku on your system loading ads.. using 2-3Mb per.. it causes the same problem... I am not for sure of this cause.. or if it is from infected servers.. botnet or otherwise..

Block the Roku and see what happens if it is on the network.. The reason I say this is because of the fact that a Roku was being used on my network which caused the same thing.. Every time a channel was loaded and a movie was selected, almost immediately my router would reboot.. AND network usage from that device would go through the roof no matter what selection I chose.. I thankfully.. had it on a second guest network.. with no intercommunication between devices on that network or the other networks present with my router model.. Some devices are wide open to attack.. I personally believe that Roku devices and a few others which are similar bring this type of traffic and problem back.. Even if it is some form of hacking looking for backdoors in these types of devices to gain access to networks and systems.

EDITED ..


1. I already did that, as I told before; before posting this question I did a lot of searching and tried many cures :(

2. Yes, my ROM or firmware is updated & I already checked the vulnerability list.

3. I am on copper wire from the pole to my location, but from the central exchange or DSLAM I am on optical fiber, and I am surfing the internet at my full promised speed of 4 Mbps with DS:4606 and US:1086 with SNR of 32:22

4. In my network there is nobody trying to use a system like ROKU (as they are all noobs, who only know about Facebook and surfing), and the 2nd thing is I have no good firewall in the router :( sadly

This is the log window

[screenshot: 1234.png]

So any other good suggestion? :( as I am stuck and also annoyed


Forget the logs. I think the router is having a connection problem. What's the attenuation?

It might also be that you are getting disconnected due to problems from your ISP. Call them, tell them you are getting frequent disconnections.

If nothing works then I recommend getting a new, better router which has a firewall and can keep up with line problems, intrusions, heavy usage and such.


As I told before,

I am surfing the internet at my full promised speed of 4 Mbps with DS:4606 and US:1086 with SNR of 32:22

I called my ISP service center many times; their service man and DSL installer came to my home but the situation is the same. My home is very near to the exchange, so they said there is no technical fault from my ISP's side.

And I tried a Draytek VIGOR 2800G with a hardware firewall to disable ROKU yesterday as HX1 said, but in vain :( My Tenda router has a firewall but I can't configure its policies as they are pre-configured, but now I am using the Draytek Vigor 2800G with a configurable firewall. But the situation is the same :(



My suggestion would be to go in and change the password so nobody can currently connect.. Then reboot the router and let it sit there for a few minutes.. Then with only your system connected, go about your tasks.. Tell your neighbors that there has been a problem and it will be down for a while.. See if the problem continues..

Even if you do not have a Roku on your network it can be a computer which is going to the sites or locations which is bringing the traffic back..

Would be worth the experiment... I was using a Nighthawk X6 with very robust features for administration and control.. (Access Control and Device Identification, as well as site blocker and a total of six configurable channels.. Firewall,.. there is quite a bit more in there too) Even with the last update for the firmware it still did it... Once I figured out which channels were being loaded and when they were going to the shows on it, I removed them from their Roku.. and the problem has completely subsided.


The next idea in mind is the same as you wrote here; I am gonna try this at the weekend and will post any update regarding the issue.



Bruteforce attack from census9.shodan.io; it's a bot server made to expose vulnerable routers. Disable external router access or web access (WAN IP access).

And for more problem solving, disable UPnP and manually forward the ports needed.



Like...

[LAN access from remote] from 80.247.26.118:45150 to 172.16.0.2:31649, Saturday, Oct 03,2015 14:29:19
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Saturday, Oct 03,2015 14:29:19
[LAN access from remote] from 173.170.202.87:54875 to 172.16.0.2:31649, Saturday, Oct 03,2015 14:29:18

Would blocking the above stop it.. census9.shodan.io ...


It should do the job, but a server that bruteforces your router can cause a DoS attack, so it is better to shut down the router web management access. I mean, when you use your external IP that was automatically issued by your ISP, or a static external IP configured in your router which is also issued by your ISP, you can access the router externally from the internet; you should shut that down and prevent external access, so you should access it using the web UI or web management control only on a local IP, like 192.168.1.1 or 192.168.2.1 (it depends on the router). Some routers do not include the option of disabling this; Tenda is one of them, so he should close UPnP to prevent the SOPA protocol from communicating with the router and accessing a port without administrative permission.

Too complex to understand? Just make the firewall block all incoming connections except the ports you need, usually DNS, HTTP, HTTPS and SSH.

DNS should only be using the UDP port, HTTP and HTTPS are filtered using firewall rules, and SSH should only be accessible internally, even if it's the hardest protocol to breach.

UPnP should be filtered to only be used by internal IPs 192.168.xxx.xxx to forward ports.

Maybe TR-069 is enabled; it should be closed too.


But that's what it's doing? When dropping an ICMP it's 'not' responding to ping requests.



Right, well this is the only thing logged.. AND I might add it is only when a ROKU (Version 1) is connected to the network and is trying to load something.. Not for sure what the hell is going on.. it stopped for a while but yesterday and the day before, everything it loaded and every time it was turned on I got this message and my router rebooted.. kills the network for whatever reason... When the ROKU is off I never have the problem.. at all... Personally I would like to take the ROKU and burn it..

And blocking shodan did not stop any of it..

PriSim's problem may be a little different...



Do you have an old box (an old computer that has 512 RAM and enough HDD space)? Download Ubuntu Server and DMZ it to be your front firewall; anything going in or out goes through it.

Then make it your main external IP handler, so your router too will be behind it; that will kill shodan bruteforcing your network.

Or call your ISP to block shodan; that's the best solution you may take.



  • 2 weeks later...


You're correct about ignoring the logs. I faced a similar problem a while ago with frequent disconnections and 'intrusions'. Replacing the router solved the problem.
