DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Draytek 2925 hacked
- davsands
- Topic Author
17 May 2018 11:33 #91567
by davsands
Replied by davsands on topic Re: Draytek 2925 hacked
silverstreak_2006 wrote:
> As Admin says, I use a 2925, and have no issues at all in that manner.
Someone else has posted their problem:
https://forum.draytek.co.uk/viewtopic.php?f=13&t=22298&p=91564#p91564
BookIT wrote:
> Perhaps DrayTek could add configuration change to Notification Object?
It would be good if they could do this - we're now running SysLogs which may help if the attack happens again.
- andy100
17 May 2018 12:21 #91568
by andy100
Replied by andy100 on topic Re: Draytek 2925 hacked
Hi
Yes, I've seen 7 routers affected with this issue (3220, 2925 and 5 x 2860). Draytek support were informed a few days ago but have yet to admit any issue. Config files etc have all been submitted. All differing firmwares too. It seems to be affecting the latest hardware so far - we manage around 150 devices of differing age and older models are not being attacked.
The very first router that was attacked, password was reset, but this was re-attacked two days later, so it's not down to weak passwords. Syslog shows no admin login whatsoever, then the configuration of DHCP/DNS changed (no user being logged in)!
The only way to stop this happening for now is to either disable remote management or set ACLs for remote management.
Hope that helps
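One way to automate the check andy100 describes (a DHCP/DNS configuration change in syslog with no preceding admin login), as an added example that is not part of the original thread. The log line format, host names and addresses below are constructed for illustration and are not DrayTek's actual syslog output; adapt the patterns to what your routers emit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, assumed to be in chronological order.
# The message wording is hypothetical, not DrayTek's real syslog format.
SAMPLE_LOG = """\
2018-05-14 09:02:11 router1 admin login ok from 192.0.2.10
2018-05-14 09:05:40 router1 config change: LAN DHCP DNS server set to 192.0.2.53
2018-05-16 03:17:05 router2 config change: LAN DHCP DNS server set to 203.0.113.7
2018-05-16 03:17:06 router2 config change: DHCP lease time set to 1440
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")      # timestamp, host, message
LOGIN_RE = re.compile(r"admin login ok", re.I)        # successful admin login
CHANGE_RE = re.compile(r"config change: .*\b(DNS|DHCP)\b", re.I)


def find_unattributed_changes(log_text, window=timedelta(minutes=30)):
    """Return (timestamp, host, message) for every DNS/DHCP change that has
    no successful admin login on the same host within the preceding window."""
    last_login = {}   # host -> time of most recent successful admin login
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        host, msg = m.group(2), m.group(3)
        if LOGIN_RE.search(msg):
            last_login[host] = ts
        elif CHANGE_RE.search(msg):
            seen = last_login.get(host)
            # No login at all, or the last login is too old to explain it.
            if seen is None or ts - seen > window:
                alerts.append((ts, host, msg))
    return alerts


if __name__ == "__main__":
    for ts, host, msg in find_unattributed_changes(SAMPLE_LOG):
        print(f"ALERT {ts} {host}: {msg}")
```

Run against a central syslog collector, this flags the pattern from the post: settings changing on a router while no admin session is recorded for it.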
- davsands
- Topic Author
17 May 2018 13:39 #91572
by davsands
Replied by davsands on topic Re: Draytek 2925 hacked
Andy, can you confirm that some routers were running the latest firmware when they were hacked?
- andy100
17 May 2018 14:05 #91574
by andy100
Replied by andy100 on topic Re: Draytek 2925 hacked
It was a mixed bag, however, none of the 7 were on the latest/greatest. A couple were on close to latest.
- davsands
- Topic Author
17 May 2018 14:25 #91575
by davsands
Replied by davsands on topic Re: Draytek 2925 hacked
andy100 wrote:
> It was a mixed bag, however, none of the 7 were on the latest/greatest. A couple were on close to latest.
Cheers for the info Andy!
- sheltons
18 May 2018 10:34 #91579
by sheltons
Replied by sheltons on topic Re: Draytek 2925 hacked
andy100 wrote:
> Hi
> Yes, I've seen 7 routers affected with this issue (3220, 2925 and 5 x 2860). Draytek support were informed a few days ago but have yet to admit any issue. Config files etc have all been submitted. All differing firmwares too. It seems to be affecting the latest hardware so far - we manage around 150 devices of differing age and older models are not being attacked.
> The very first router that was attacked, password was reset, but this was re-attacked two days later, so it's not down to weak passwords. Syslog shows no admin login whatsoever, then the configuration of DHCP/DNS changed (no user being logged in)!
> The only way to stop this happening for now is to either disable remote management or set ACLs for remote management.
> Hope that helps
We had this happen this morning to one of our 2860 that was on an older firmware and "Allow management from the Internet" was disabled.
This is very concerning.
John