ThomdeG, posted June 1, 2014:
For the second time (the first was in April, and the problem disappeared spontaneously after a couple of days) and since May 28th, I am unable to use Google and its attendant services like Gmail or YouTube. The problem started with the firewall blocking GoogleUpdate, as shown by this example from the Filtered websites log of ESET:
30-5-2014 13:11:28 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Google\Update\GoogleUpdate.exe NT AUTHORITY\SYSTEM
Attempts to start Google invariably result in a time-out or, when typing the address directly, in blocked communications. From the same log, this example:
30-5-2014 16:47:50 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Mozilla Firefox\firefox.exe Thomas-HP\Thomas
30-5-2014 16:45:53 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Mozilla Firefox\firefox.exe Thomas-HP\Thomas
30-5-2014 16:45:52 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Mozilla Firefox\firefox.exe Thomas-HP\Thomas
I have checked the filters of the firewall in ESET but they appear to be empty, so I do not know what the mentioned 'internal blacklist' means in this context. Maybe related, or maybe not, the Personal Firewall refuses outgoing communication for svchost.exe:
1-6-2014 9:11:03 Communicatie geweigerd door regel fe80::fcad:4095:e75b:ed35.:53313 ff02::c.:1900 UDP Uitgaande SSDP-aanvragen (UPNP) voor svchost.exe blokkeren C:\Windows\System32\svchost.exe NT AUTHORITY\LOCAL SERVICE
Has anybody any idea what is going on and what could be done about it? Thanks!
Note: I am using Windows 7, Mozilla Firefox and Thunderbird.
ThomdeG
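The two kinds of log entry quoted in the post can be triaged mechanically. The parser below is an added example (not from the thread or from ESET) that runs on a constructed sample modelled on the quoted lines; it separates "internal blacklist" hits, which the Filtered websites log records for the destination a process tried to reach, from firewall events denied by a named rule.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Dutch ESET log lines quoted in the post
# (two formats: "internal blacklist" hits and "denied by rule" firewall events).
SAMPLE_LOG = r"""
30-5-2014 13:11:28 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Google\Update\GoogleUpdate.exe NT AUTHORITY\SYSTEM
30-5-2014 16:47:50 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Mozilla Firefox\firefox.exe Thomas-HP\Thomas
30-5-2014 16:45:53 Geblokkeerd door interne zwarte lijst C:\Program Files (x86)\Mozilla Firefox\firefox.exe Thomas-HP\Thomas
1-6-2014 9:11:03 Communicatie geweigerd door regel fe80::fcad:4095:e75b:ed35.:53313 ff02::c.:1900 UDP Uitgaande SSDP-aanvragen (UPNP) voor svchost.exe blokkeren C:\Windows\System32\svchost.exe NT AUTHORITY\LOCAL SERVICE
"""

# "Blocked by internal blacklist": date, time, executable path, account.
BLACKLIST_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Geblokkeerd door interne zwarte lijst "
    r"(?P<path>[A-Za-z]:\\.+?\.exe) (?P<user>.+)$"
)
# "Communication denied by rule": adds source, destination, protocol, rule name.
# The rule name is matched lazily so it may itself contain ".exe" (as above).
RULE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Communicatie geweigerd door regel "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<rule>.+?) "
    r"(?P<path>[A-Za-z]:\\.+?\.exe) (?P<user>.+)$"
)

def parse_eset_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, pattern in (("blacklist", BLACKLIST_RE), ("rule", RULE_RE)):
            m = pattern.match(line)
            if m:
                entry = m.groupdict()
                entry["kind"] = kind
                entry["exe"] = entry["path"].rsplit("\\", 1)[-1].lower()
                entries.append(entry)
                break
    return entries

def summarize(entries):
    """Count events per (kind, executable) so repeat offenders stand out."""
    return Counter((e["kind"], e["exe"]) for e in entries)

def blacklist_hits_from_browsers(entries, browsers=("firefox.exe", "googleupdate.exe")):
    """Blacklist hits are about the destination, not the binary: repeated hits
    from a legitimate browser or updater point at what its lookups resolve to
    (DNS settings, router) rather than at the program itself."""
    return [e for e in entries if e["kind"] == "blacklist" and e["exe"] in browsers]

if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    for key, count in summarize(parsed).items():
        print(key, count)
    print(len(blacklist_hits_from_browsers(parsed)), "blacklist hits from browsers/updaters")
```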
Arakasi, posted June 1, 2014:
[Communicatie geweigerd door regel] You need to go into Advanced and delete this rule. You have inadvertently created a rule, possibly by clicking Deny on one of the requests for communication. If you cannot find it, you will need to follow this KB article explaining the reset process: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN941
Marcos (Administrator), posted June 1, 2014:
I assume your router was hacked. Please reset it to factory settings and configure remote administration properly so that it's not possible to connect to it from outside and change settings. For more information, refer to this KB article.
ThomdeG (author), posted June 2, 2014:
Quoting Arakasi: "[Communicatie geweigerd door regel] You need to go into Advanced and delete this rule. You have inadvertently created a rule, possibly by clicking Deny on one of the requests for communication. If you cannot find it, you will need to follow this KB article explaining the reset process: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN941"
Hm. I am almost sure I did not create a rule. However, I have now set everything to standard. The problem now is getting the PC into safe mode. F8 does not seem to do anything during startup...
ThomdeG (author), posted June 2, 2014:
Quoting Marcos: "I assume your router was hacked. Please reset it to factory settings and configure remote administration properly so that it's not possible to connect to it from outside and change settings. For more information, refer to this KB article."
That had indeed crossed my mind. I am puzzled, though, as the threats mentioned in the KB have not been found on my PC by ESET. As far as I know it is clean. A couple of questions derived from the KB: My router does not have a reset button; how can I go back to default settings? What is remote management? Is that management in wireless mode instead of management using a network cable between PC and router? Thanks for your patience.
Arakasi, posted June 2, 2014:
Hello, of course you didn't create the rule, but if you clicked Deny anywhere on the prompts, it might have been created regardless. All routers usually come with a reset button; if you cannot find it, then you need to connect to it through your browser remotely. Remote management is managing a device remotely, wirelessly or wired. Find the IP of the router by typing "ipconfig" from a command prompt. The gateway will be your router. Type it into a browser; once connected, enter the credentials for your router to log in, and inside the interface you will find a reset to defaults option. If you do not know the username and password for your router, you can try the defaults suggested by the manufacturer of the router. "This is where the reset button comes in handy." Good luck and let us know if you require more guidance.
Arakasi, posted June 2, 2014:
If F8 is not working to enter safe mode, open msconfig from Run, or cmd, and manually reboot the computer into safe mode from the Boot tab, "Boot options".
ThomdeG (author), posted June 2, 2014:
Quoting Arakasi: "Hello, of course you didn't create the rule, but if you clicked Deny anywhere on the prompts, it might have been created regardless. All routers usually come with a reset button; if you cannot find it, then you need to connect to it through your browser remotely. Remote management is managing a device remotely, wirelessly or wired. Find the IP of the router by typing "ipconfig" from a command prompt. The gateway will be your router. Type it into a browser; once connected, enter the credentials for your router to log in, and inside the interface you will find a reset to defaults option. If you do not know the username and password for your router, you can try the defaults suggested by the manufacturer of the router. "This is where the reset button comes in handy." Good luck and let us know if you require more guidance."
Oops! Overlooked the Maintenance>SysRetart window on the router :-) Sometimes the mind does not register what the eyes see. About disabling remote management, I am certainly overlooking something, but I do not see anything on the router's windows that refers to that. So I can access the router whether wireless or wired (the latter when setting up at the start). What I have done in any case is set the ACL to a restricted number of IPs, and I have restricted communication to only my LAN by using a MAC address filter. I suppose that should do the job.
ThomdeG (author), posted June 2, 2014:
Quoting Arakasi: "If F8 is not working to enter safe mode, open msconfig from Run, or cmd, and manually reboot the computer into safe mode from the Boot tab, "Boot options"."
Right! Some things to do then. It all seems so very basic, but the truth is that one never uses all those commodities with today's machines, and their use/explanation has been lost or at least omitted with new PCs. Somehow this reminds me of the DOS machines of the past (yes, I am that old indeed).
Marcos (Administrator), posted June 2, 2014:
I take it that resetting your router solved the problem. Could you confirm?
SweX, posted June 2, 2014:
If you used a login password for the router, then it's a good idea to not use the same pass and also make the new pass a bit stronger than the old one.
Edited June 2, 2014 by SweX
Marcos (Administrator), posted June 2, 2014:
Quoting SweX: "If you used a login password for the router, then it's a good idea to not use the same pass and also make the new pass a bit stronger than the old one."
That's a good practice, but it won't help in case of vulnerable routers where the password can be retrieved relatively easily (e.g. using a special script). Hence it's much more important to disable remote administration from WAN.
SweX, posted June 2, 2014:
Quoting Marcos: "That's a good practice, but it won't help in case of vulnerable routers where the password can be retrieved relatively easily (e.g. using a special script). Hence it's much more important to disable remote administration from WAN."
Sure, it was more meant as an additional suggestion that he could do as well as disabling the remote admin, of course, since some users don't set a new password in the router they get from the ISP, or if they buy a new one they leave the defaults, which is not good or recommended. Which is why I said "If you used a login password for the router"; I don't know if he used the defaults or if he had actually set up his own password. Personally I would also check to see if some newer firmware is available and update if possible.
Edited June 2, 2014 by SweX
Arakasi, posted June 2, 2014:
Actually, using the default firmware for any router is weakened security. Using Kali Linux and the embedded tools you can obtain any WEP, WPA, or WPA2 password easily. I can concur the best defense is no remote admin.
SweX, posted June 2, 2014:
Quoting Arakasi: "Actually, using the default firmware for any router is weakened security. Using Kali Linux and the embedded tools you can obtain any WEP, WPA, or WPA2 password easily. I can concur the best defense is no remote admin."
My point is that it's quite scary that the defaults in some routers are no password at all. So if he did a router reset, then that's possibly what he's having now. Which is why I said what I did about the password. Very true indeed, but I use the vendor firmware myself even if I know it's not the absolute most secure. But then I don't have a router from D-Link, Belkin or any of the other ones that have been in the "Vuln News" lately.
ThomdeG (author), posted June 3, 2014:
Quoting Marcos: "I take it that resetting your router solved the problem. Could you confirm?"
I am not there yet, as I take my steps one at a time and presently my time is rather limited. I shall confirm of course as soon as I have taken the step and checked. Needless to say that I strongly appreciate the help from this forum, for which my thanks. Still, from the discussion above, nobody has explained to me yet what 'deny remote maintenance' means and how it can be achieved. Some clarification would be highly appreciated indeed. My modem/router is an Eminent EM4565 if that is of help. Concerning passwords, I use a very complex and strong one at all times.
Edited June 3, 2014 by ThomdeG
planet (Most Valued Member), posted June 3, 2014:
Quoting ThomdeG: "Still, from the discussion above, nobody has explained to me yet what 'deny remote maintenance' means and how it can be achieved. Some clarification would be highly appreciated indeed. My modem/router is an Eminent EM4565 if that is of help."
Arakasi below provides a much better explanation than I once had here. Having a look around, I found a firmware change log for a similar Eminent device with this on it: "Option to disable portal service (remote access). Go to Preferences > Portal Server." Because this is for a different Eminent device and I don't have access to one to check myself, it could be wrong or in a different place within the router's configuration section.
Edited June 3, 2014 by planet
Arakasi, posted June 3, 2014:
Hello. Here is a link to a picture. Not sure how long it will last; pulled from Google Images. hxxp://community.linksys.com/t5/image/serverpage/image-id/3652iF173DFCB909EC8E3/image-size/original?v=mpbl-1&px=-1
Disabling remote management simply ensures the router cannot be connected to by HTTP, TCP, or any other network-layer-based method. When disabled, the only way to adjust settings is by hard wire directly to it, or by using a COM port with a serial cable and telnet/SSH; they look like an inverted VGA port. Not all routers/switches allow the latter method.
ThomdeG (author, marked as solution), posted June 19, 2014:
Quoting Arakasi: "Hello. Here is a link to a picture. Not sure how long it will last; pulled from Google Images. hxxp://community.linksys.com/t5/image/serverpage/image-id/3652iF173DFCB909EC8E3/image-size/original?v=mpbl-1&px=-1 Disabling remote management simply ensures the router cannot be connected to by HTTP, TCP, or any other network-layer-based method. When disabled, the only way to adjust settings is by hard wire directly to it, or by using a COM port with a serial cable and telnet/SSH; they look like an inverted VGA port. Not all routers/switches allow the latter method."
Thanks for the info. My modem/router does not have this feature, at least not as clearly defined as in your example, so I guess I have to cross my fingers. The initial problem has apparently been solved by resetting the router. However, I got Murphy's Law in return and have a number of other troubles to solve additionally. Thanks for the help to all!