TPG Community

Get online support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rogue PPP service running on router

Nickyp71
Level 2
Level 2
‎06-05-2022 09:17 PM
I don’t know how many times I need to explain this to your level 1 help desk who are reading a script!! Arghhhhh… I’m trying to change the DNS settings on my VDSL router and there appears to be a rogue script running whenever the device connects to the internet whilst going through authentication on PPP0 whereby the DNS is set to go to a public TPG IP address which resolves to DNS2.tpgi.com.au which IS NOT TPG’s DNS server. The date of the log file from the router also changes (see below where it jumps from the correct date to 2016!!!) which makes me believe that the device has been compromised and has a DNS hijack or MITM attack going on. Could someone please help me??!!

2016-01-01 10:00:30 [5] DHCPD: Recv REQUEST from 00:E0:99:24:70:2B
2016-01-01 10:00:31 [5] DHCPD: Send ACK to 192.168.1.101
2016-01-01 10:01:03 [5] System: Enable IPv4 SPI Firewall
2016-01-01 10:01:03 [5] System: Enable IPv6 SPI Firewall
2016-01-01 10:01:12 [5] System: DSL Link Status is Initializing.
2016-01-01 10:01:17 [5] System: DSL Link Status is EstablishingLink.
2016-01-01 10:01:30 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:01:30 [6] PPP: ppp0 sent [PADT Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:30 [6] PPP: ppp0 sent [Termination Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:30 [6] PPP: ppp0 sent [PADI Host-Uniq(0x000018f9)]
2016-01-01 10:01:30 [5] System: DSL Link Status is UP.
2016-01-01 10:01:35 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:01:35 [6] PPP: ppp0 sent [PADT Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:35 [6] PPP: ppp0 sent [Termination Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:35 [6] PPP: ppp0 sent [PADI Host-Uniq(0x000018f9)]
2016-01-01 10:01:40 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:01:40 [6] PPP: ppp0 sent [PADT Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:40 [6] PPP: ppp0 sent [Termination Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:40 [6] PPP: ppp0 sent [PADI Host-Uniq(0x000018f9)]
2016-01-01 10:01:50 [3] PPP: ppp3 Timeout waiting for PADO packets
2016-01-01 10:01:50 [3] PPP: ppp3
2016-01-01 10:01:50 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [PADT Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [Termination Host-Uniq(0x000018f9) Session-Id(0x00003155)]
2016-01-01 10:01:50 [3] PPP: ppp0 Timeout waiting for PADO packets
2016-01-01 10:01:50 [3] PPP: ppp0
2016-01-01 10:01:50 [6] PPP: ppp0 sent [PADI Host-Uniq(0x000018f9)]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [PADO PeerMac(b4-de-31-b5-b0-14)]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [PADR Host-Uniq(0x000018f9)]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [PADS SessionID(0x5e62)]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [LCP ConfReq id=0x1 <mru 1480> <magic 0x5759fc38>]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [LCP ConfReq id=0x1 <mru 1492> <auth pap> <magic 0x979e9280>]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [LCP ConfAck id=0x1 <mru 1492> <auth pap> <magic 0x979e9280>]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [LCP ConfNak id=0x1 <mru 1492>]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [LCP ConfReq id=0x2 <mru 1492> <magic 0x5759fc38>]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [LCP ConfAck id=0x2 <mru 1492> <magic 0x5759fc38>]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [LCP EchoReq id=0x0 magic=0x5759fc38]
2016-01-01 10:01:50 [6] PPP: ppp0 sent [PAP AuthReq id=0x1 user="Xxxx@iinet.net.au" password=<hidden>]
2016-01-01 10:01:50 [6] PPP: ppp0 rcvd [LCP EchoRep id=0x0 magic=0x979e9280]
2016-01-01 10:01:53 [6] PPP: ppp0 sent [PAP AuthReq id=0x2 user="Xxxxx@iinet.net.au" password=<hidden>]
2016-01-01 10:01:55 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:01:56 [6] PPP: ppp0 sent [PAP AuthReq id=0x3 user="Xxxx@iinet.net.au" password=<hidden>]
2016-01-01 10:01:59 [6] PPP: ppp0 sent [PAP AuthReq id=0x4 user="Xxxx@iinet.net.au" password=<hidden>]
2016-01-01 10:02:00 [6] PPP: ppp3 sent [PADI Host-Uniq(0x00001809)]
2016-01-01 10:02:01 [6] PPP: ppp0 rcvd [PAP AuthAck id=0x4 ""]
2016-01-01 10:02:01 [6] PPP: ppp0 sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
2016-01-01 10:02:01 [6] PPP: ppp0 rcvd [IPCP ConfReq id=0x1 <addr 10.20.25.79>]
2016-01-01 10:02:01 [6] PPP: ppp0 sent [IPCP ConfAck id=0x1 <addr 10.20.25.79>]
2016-01-01 10:02:01 [6] PPP: ppp0 rcvd [IPCP ConfNak id=0x1 <addr 124.170.61.240> <ms-dns1 203.12.160.35> <ms-dns2 203.12.160.36>]
2016-01-01 10:02:01 [6] PPP: ppp0 sent [IPCP ConfReq id=0x2 <addr 124.170.61.240> <ms-dns1 203.12.160.35> <ms-dns2 203.12.160.36>]
2016-01-01 10:02:01 [6] PPP: ppp0 rcvd [IPCP ConfAck id=0x2 <addr 124.170.61.240> <ms-dns1 203.12.160.35> <ms-dns2 203.12.160.36>]
2016-01-01 10:02:02 [3] PPP: ppp3
2016-01-01 10:02:02 [5] Httpd: login noip dns success!
2016-01-01 10:02:02 [5] VoIP: enable SIP stack due to intf(124.170.61.240) is up.
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.98) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.82) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.81) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.34) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.33) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.97) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.98) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.82) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.81) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.34) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.33) for domain(uni-v1.tpg.com.au)
2022-05-06 17:23:41 [6] VoIP: get ip(172.26.0.97) for domain(uni-v1.tpg.com.au)
2022-05-06 17:26:41 [6] VoIP: Register to server address 172.26.0.82:5060
2022-05-06 17:29:41 [6] VoIP: Register to server address 172.26.0.81:5060
2022-05-06 17:32:41 [6] VoIP: Register to server address 172.26.0.34:5060
2022-05-06 17:32:41 [6] VoIP: Register to server address 172.26.0.34:5060
2022-05-06 17:42:08 [5] DHCPD: Recv DISCOVER from 00:E0:99:24:70:2B
2022-05-06 17:42:08 [5] DHCPD: Send OFFER with ip 192.168.1.101
2022-05-06 17:42:09 [5] DHCPD: Recv REQUEST from 00:E0:99:24:70:2B
2022-05-06 17:42:10 [5] DHCPD: Send ACK to 192.168.1.101
2022-05-06 17:48:18 [6] VoIP: can not find any account forthe incoming call
2022-05-06 17:48:18 [6] VoIP: can not find any account forthe incoming call

0 Likes
Reply
3 REPLIES 3
david64
Master
Master
‎06-05-2022 10:48 PM

Hi @Nickyp71 . Regarding date/time, when router restarts, it knows nothing about the outside. The date/tiime at the start is the date/time that the firmware file was created. Router sets that value in its real time clock. 

The PPP process takes some time to make the connection to TPG server. The router logs on with your username, receives its WAN ip address and DNS1 and DNS2 addresses. You must have a time server specified since it now shows the actual date/time.

 

Look at 

https://community.tpg.com.au/t5/Broadband-Internet/Manually-Setting-DNS-Server-Windows-Mac-OSX-and-M...

Go to Point 7. It shows TPG's DNS addresses. The name doesn't matter, just the address.

What do you think they should be?

 

To change DNS addresses in router, go to Advanced, Network, LAN Settings. Make the changes and Save. They are remembered across reboots but not factory reset.

 

 

0 Likes
Reply
Nickyp71
Level 2
Level 2
‎07-05-2022 11:45 AM
Thanks for your reply David however, I should have provided the entire log- the ppp process is occurring after it has already completed the same process seconds earlier- the date and time stamp are already correct before it runs this ppp handshake-I’ll post another copy of a new log shortly
0 Likes
Reply
Anonymous
Not applicable
‎08-05-2022 12:21 PM

Hi Nickyp71.

We will raise this to our Engineering Team for investigation. Could you send us your account details (Username/Customer ID together with the address on file) also the make and model of the modem/router including the firmware version.
 

Regards,


 

0 Likes
Reply