
Posted

For the second time (first was in April and the problem disappeared spontaneously after a couple of days) and since May 28th, I am unable to use Google and its attendant services like gmail or youtube. The problem started with the firewall blocking GoogleUpdate as shown by the example from the Filtered websites log of Eset:
 

30-5-2014 13:11:28      Geblokkeerd door interne zwarte lijst    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe    NT AUTHORITY\SYSTEM

 


Attempts to start Google invariably result in a time-out or, when typing the address directly, in blocked communications. From the same log, this example:
 

30-5-2014 16:47:50      Geblokkeerd door interne zwarte lijst    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Thomas-HP\Thomas
30-5-2014 16:45:53      Geblokkeerd door interne zwarte lijst    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Thomas-HP\Thomas
30-5-2014 16:45:52      Geblokkeerd door interne zwarte lijst    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Thomas-HP\Thomas

 

I have checked the filters of the firewall in Eset but they appear to be empty, so I do not know what the mentioned 'internal blacklist' means in this context.

Maybe related, or maybe not, the Personal Firewall refuses outgoing communication for svchost.exe:
 

1-6-2014 9:11:03    Communicatie geweigerd door regel    fe80::fcad:4095:e75b:ed35.:53313    ff02::c.:1900    UDP    Uitgaande SSDP-aanvragen (UPNP) voor svchost.exe blokkeren    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE

 


Has anybody an idea what is going on and what could be done about it?

Thanks!

Note: I am using Windows 7, Mozilla Firefox and Thunderbird.

 

ThomdeG
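As an added illustration of what the two log layouts above carry (this is an example written for this page, not ESET's code and not the poster's), here is a small parser that splits the exported lines into fields, counts blocks per action and process, and writes out the two findings a reviewer would draw from them. The sample lines are constructed to mirror the entries quoted above; the English labels given to the Dutch action strings are an assumption, as is the triage wording.

```python
"""Summarise ESET firewall / web-filter log entries by action and process.

Added example, not ESET's code and not from the original post. It parses the two
line layouts that appear in the thread: the 'Filtered websites' log
(time, action, application, user) and the Personal Firewall log
(time, action, source, destination, protocol, rule, application, user).
Fields are split on tabs or runs of spaces, because an export pastes either way.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Dutch action text from a Dutch-language install -> English label (assumed mapping)
ACTION_LABELS = {
    "Geblokkeerd door interne zwarte lijst": "blocked by internal blacklist",
    "Communicatie geweigerd door regel": "communication denied by rule",
}

# Constructed sample: three web-filter entries and one firewall-rule entry, tab-separated.
SAMPLE_LOG = (
    "30-5-2014 13:11:28\tGeblokkeerd door interne zwarte lijst\t"
    "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\tNT AUTHORITY\\SYSTEM\n"
    "30-5-2014 16:47:50\tGeblokkeerd door interne zwarte lijst\t"
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\tThomas-HP\\Thomas\n"
    "30-5-2014 16:45:53\tGeblokkeerd door interne zwarte lijst\t"
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\tThomas-HP\\Thomas\n"
    "1-6-2014 9:11:03\tCommunicatie geweigerd door regel\t"
    "fe80::fcad:4095:e75b:ed35.:53313\tff02::c.:1900\tUDP\t"
    "Uitgaande SSDP-aanvragen (UPNP) voor svchost.exe blokkeren\t"
    "C:\\Windows\\System32\\svchost.exe\tNT AUTHORITY\\LOCAL SERVICE\n"
)


@dataclass
class Event:
    time: str
    action: str        # English label (or the raw text if unmapped)
    application: str   # full path of the process
    user: str
    src: str = ""      # firewall-log-only fields stay empty for web-filter entries
    dst: str = ""
    proto: str = ""
    rule: str = ""

    @property
    def exe(self) -> str:
        return self.application.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Event:
    """Split one exported line into an Event; raise on an unknown column count."""
    parts = re.split(r"\t|\s{2,}", line.strip())
    if len(parts) == 4:                       # Filtered websites log
        t, act, app, user = parts
        return Event(t, ACTION_LABELS.get(act, act), app, user)
    if len(parts) == 8:                       # Personal Firewall log
        t, act, src, dst, proto, rule, app, user = parts
        return Event(t, ACTION_LABELS.get(act, act), app, user, src, dst, proto, rule)
    raise ValueError(f"unrecognised log line ({len(parts)} columns): {line!r}")


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def count_by_action_and_exe(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """How many times each (action, executable) pair appears."""
    return dict(Counter((e.action, e.exe) for e in events))


def triage(events: List[Event]) -> List[str]:
    """Plain-language findings for the two symptoms the thread describes."""
    findings = []
    blacklisted = sorted({e.exe for e in events if e.action == "blocked by internal blacklist"})
    if len(blacklisted) > 1:
        # Several unrelated processes hitting the blacklist means the blocked item is the
        # destination they share, not any one program: look at name resolution / the router.
        findings.append(
            "internal-blacklist hits from several processes (%s): the common factor is the "
            "destination, so check DNS settings and the router rather than the per-application "
            "firewall rules" % ", ".join(blacklisted)
        )
    for e in events:
        if e.action == "communication denied by rule":
            # ff02::c / UDP 1900 is the IPv6 SSDP (UPnP discovery) multicast group
            findings.append(f"rule '{e.rule}' denied {e.proto} {e.src} -> {e.dst}; "
                            "a named rule match, separate from the blacklist blocks")
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in count_by_action_and_exe(evs).items():
        print(n, key)
    for f in triage(evs):
        print("-", f)
```

Feed it a copy of the log exported from the ESET interface (tab-separated) or pasted from a forum post (space-padded); both split the same way. The point of the triage step is the one the administrator makes further down the thread: when unrelated processes running as different users all trip the same blacklist entry, the application is not the problem.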

Posted

[Communicatie geweigerd door regel]

 

You need to go into Advanced and delete this rule. :)

You have inadvertently created a rule, possibly by clicking Deny on one of the requests for communication.

 

If you cannot find it, you will need to follow this KB article explaining the reset process:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN941

  • Administrators
Posted

I assume your router was hacked. Please reset it to factory settings and configure remote administration properly so that it's not possible to connect to it from outside and change settings. For more information, refer to this KB article.

Posted

[Communicatie geweigerd door regel]

 

You need to go into Advanced and delete this rule. :)

You have inadvertently created a rule, possibly by clicking Deny on one of the requests for communication.

 

If you cannot find it, you will need to follow this KB article explaining the reset process:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN941

Hm. I am almost sure I did not create a rule. However, I have now set everything to standard. Problem now is getting the PC into safe mode. F8 does not seem to do anything during startup...

Posted

I assume your router was hacked. Please reset it to factory settings and configure remote administration properly so that it's not possible to connect to it from outside and change settings. For more information, refer to this KB article.

That had indeed crossed my mind. I am puzzled though, as the threats mentioned in the KB have not been found on my PC by Eset. As far as I know it is clean. A couple of questions derived from the KB:

My router does not have a reset button; how can I go back to default settings?

What is remote management? Is that management in wireless mode instead of management using a network cable between PC and router?

 

Thanks for your patience.

Posted

Hello,

 

Of course you didn't create the rule, but if you clicked deny anywhere on the prompts, it might have been created regardless.

 

All routers usually come with a reset button; if you cannot find it, then you need to connect to it through your browser remotely.

Remote management is managing a device remotely, wirelessly or wired.

Find the IP of the router by typing "ipconfig" from a command prompt.

The gateway will be your router.

Type it into a browser, once connected, enter the credentials for your router to login, and inside the interface you will find a reset to defaults option.

If you do not know the username and password for your router, you can try the defaults suggested by the manufacturer of the router.

"this is where the reset button comes in handy"

 

Good luck and let us know if you require more guidance.
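The ipconfig step above, carried through in code as an added example (not the forum's or any router vendor's code): it reads `ipconfig /all` output, picks the adapter that has a default gateway, turns the gateway into the URL you type into the browser, and lists any DNS servers that are not on the local subnet. The sample output is constructed in the Windows 7 layout, with documentation addresses (203.0.113.x) standing in for unknown servers; the "DNS outside the LAN" check is a sanity check added here, because after a router reset it is worth confirming that the DNS servers being handed out are the ones you or your ISP set.

```python
"""Pull the router address and DNS servers out of `ipconfig /all` output.

Added example, not from the thread. Assumes the Windows 7 `ipconfig /all` layout:
'<kind> adapter <name>:' headers, 'Key . . . : value' lines, and continuation
lines (extra gateways / DNS servers) indented without a key.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample; host name and addresses are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1234:5678:9abc:def0%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%11
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
"""

ADAPTER = re.compile(r"^(\S.*adapter .*):$")
FIELD = re.compile(r"^\s*(.+?)[ .]*: (.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {field name: [values]}}; continuation lines extend the last field."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:          # global header lines before the first adapter
            continue
        m = FIELD.match(line)
        if m:
            last_key = m.group(1)
            adapters[current].setdefault(last_key, []).append(m.group(2).strip())
        elif line.strip() and last_key:
            adapters[current][last_key].append(line.strip())
    return adapters


def _ipv4(value: str) -> Optional[ipaddress.IPv4Address]:
    """Parse an ipconfig value as IPv4, dropping suffixes such as '(Preferred)'; None if not IPv4."""
    try:
        return ipaddress.IPv4Address(value.split("(")[0].strip())
    except ValueError:
        return None


def lan_summary(adapters: Dict[str, Dict[str, List[str]]]) -> Optional[dict]:
    """First adapter with an IPv4 gateway: router URL, LAN subnet, and off-subnet DNS servers."""
    for name, fields in adapters.items():
        gateways = [g for g in map(_ipv4, fields.get("Default Gateway", [])) if g is not None]
        addresses = [a for a in map(_ipv4, fields.get("IPv4 Address", [])) if a is not None]
        masks = fields.get("Subnet Mask", [])
        if not (gateways and addresses and masks):
            continue
        lan = ipaddress.ip_network(f"{addresses[0]}/{masks[0]}", strict=False)
        dns = [d for d in map(_ipv4, fields.get("DNS Servers", [])) if d is not None]
        return {
            "adapter": name,
            "router_url": f"http://{gateways[0]}/",
            "lan": str(lan),
            "dns_servers": [str(d) for d in dns],
            # Not proof of anything on its own (ISP resolvers are off-subnet too), but after a
            # reset these should be addresses you recognise, typically the router itself.
            "dns_outside_lan": [str(d) for d in dns if d not in lan],
        }
    return None


if __name__ == "__main__":
    print(lan_summary(parse_ipconfig(SAMPLE_IPCONFIG)))
```

On a real machine, run `ipconfig /all > ipconfig.txt` and pass the file contents to `parse_ipconfig`; the `router_url` value is what the reply above tells you to type into the browser.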

Posted

If F8 is not working to enter safe mode, open msconfig from run, or cmd, and manually reboot the computer into safe mode, from the boot tab "boot options".

Posted

Hello,

 

Of course you didn't create the rule, but if you clicked deny anywhere on the prompts, it might have been created regardless.

 

All routers usually come with a reset button; if you cannot find it, then you need to connect to it through your browser remotely.

Remote management is managing a device remotely, wirelessly or wired.

Find the IP of the router by typing "ipconfig" from a command prompt.

The gateway will be your router.

Type it into a browser, once connected, enter the credentials for your router to login, and inside the interface you will find a reset to defaults option.

If you do not know the username and password for your router, you can try the defaults suggested by the manufacturer of the router.

"this is where the reset button comes in handy"

 

Good luck and let us know if you require more guidance.

Oops! Overlooked the Maintenance>SysRetart window on the router :-) Sometimes the mind does not register what the eyes see.

 

About disabling remote management, I am certainly overlooking something, but I do not see anything in the router's windows that refers to that. So I can access the router whether wireless or wired (the latter when setting up at the start). What I have done in any case is set the ACL to a restricted number of IPs, and I have restricted communication to only my LAN by using a MAC address filter. I suppose that should do the job.

Posted

If F8 is not working to enter safe mode, open msconfig from run, or cmd, and manually reboot the computer into safe mode, from the boot tab "boot options".

Right! Some things to do then.

 

It all seems so very basic, but the truth is that one never uses all those commodities with today's machines, and their use/explanation has been lost or at least omitted with new PCs. Somehow this reminds me of the DOS machines of the past (yes, I am that old indeed).

  • Administrators
Posted

I take it that resetting your router solved the problem. Could you confirm?

Posted (edited)

If you used a login password for the router, then it's a good idea to not use the same pass and also make the new pass a bit stronger than the old one.

Edited by SweX
  • Administrators
Posted

If you used a login password for the router, then it's a good idea to not use the same pass and also make the new pass a bit stronger than the old one.

 

That's a good practice but it won't help in case of vulnerable routers where the password can be retrieved relatively easily (e.g. using a special script). Hence it's much more important to disable remote administration from WAN.

Posted (edited)

 

If you used a login password for the router, then it's a good idea to not use the same pass and also make the new pass a bit stronger than the old one.

 

That's a good practice but it won't help in case of vulnerable routers where the password can be retrieved relatively easily (e.g. using a special script). Hence it's much more important to disable remote administration from WAN.

 

Sure, it was more meant as an additional suggestion that he could do as well as disabling the remote admin of course, since some users don't set a new password in the router that they get from the ISP, or if they buy a new one they leave the defaults, which is not good or recommended. Which is why I said "If you used a login password for the router": I don't know if he used the defaults or if he had actually set up his own password.

 

Personally I would also check to see if some newer firmware is available and update if possible.

Edited by SweX
Posted

Actually, using the default firmware for any router is weakened security.

Using Kali Linux and the embedded tools you can obtain any WEP, WPA, or WPA2 password easily.

 

I can concur the best defense is no remote admin. :)

Posted

Actually, using the default firmware for any router is weakened security.

Using Kali Linux and the embedded tools you can obtain any WEP, WPA, or WPA2 password easily.

 

I can concur the best defense is no remote admin. :)

My point is that it's quite scary that the defaults in some routers are no password at all. So if he did a router reset then that's possibly what he's having now. Which is why I said what I did about the password.

 

Very true indeed, but I use the vendor firmware myself even if I know it's not the absolute most secure. But then I don't have a router from D-link, Belkin or any of the other ones that have been in the "Vuln News" lately. ;)

Posted (edited)

I take it that resetting your router solved the problem. Could you confirm?

I am not there yet as I take my steps one at a time and presently my time is rather limited. I shall confirm of course as soon as I have taken the step and checked. Needless to say that I strongly appreciate the help from this forum, for which my thanks.

 

Still, from the discussion above, nobody has explained to me yet what 'deny remote maintenance' means and how it can be achieved. Some clarification would be highly appreciated indeed. My modem/router is an Eminent EM4565 if that is of help.

 

Concerning passwords, I use a very complex and strong one at all times.

Edited by ThomdeG
  • Most Valued Members
Posted (edited)

Still, from the discussion above, nobody has explained to me yet what 'deny remote maintenance' means and how it can be achieved. Some clarification would be highly appreciated indeed. My modem/router is an Eminent EM4565 if that is of help.

 

Arakasi below provides a much better explanation than I once had here. :P

 

Having a look around I found a firmware change log for a similar Eminent device with this on it:

 

"Option to disable portal service (remote access). Go to Preferences > Portal Server."

 

Because this is for a different Eminent device and I don't have access to one to check myself, it could be wrong or in a different place within the router's configuration section.

Edited by planet
Posted

Hello

Here is a link to a picture.

Not sure how long it will last, pulled from google images.

hxxp://community.linksys.com/t5/image/serverpage/image-id/3652iF173DFCB909EC8E3/image-size/original?v=mpbl-1&px=-1

 

Disabling remote management simply ensures the router cannot be connected to by http, tcp, or any other network layer based method.

When disabled, the only way to adjust settings is by hard wire directly to it, or by using a com port with a serial cable and telnet/ssh; they look like an inverted VGA port.

Not all routers/switches allow the latter method.

  • 3 weeks later...
  • Solution
Posted

Hello

Here is a link to a picture.

Not sure how long it will last, pulled from google images.

hxxp://community.linksys.com/t5/image/serverpage/image-id/3652iF173DFCB909EC8E3/image-size/original?v=mpbl-1&px=-1

 

Disabling remote management simply ensures the router cannot be connected to by http, tcp, or any other network layer based method.

When disabled, the only way to adjust settings is by hard wire directly to it, or by using a com port with a serial cable and telnet/ssh; they look like an inverted VGA port.

Not all routers/switches allow the latter method.

Thanks for the info. My modem/router does not have this feature, at least not as clearly defined as in your example, so I guess I have to cross my fingers.

 

The initial problem has apparently been solved by resetting the router. However, I got Murphy's Law in return and have a number of other troubles to solve additionally.

 

Thanks for the help to all!
