Qwest was still saying that the family is running a botnet. When asked, Qwest did provide a log of the suspicious activity. There are only three IP addresses in the logs. They all resolve to the same domain in the same German city. It appears that the domain is registered with T-Mobile. What is interesting is that when we were checking the modem settings, we found two IP addresses that were unaccounted for (the family was using the modem as a wireless router). I used nmap to probe the suspect addresses. One address was 192.168.0.101 (unusual because it was far larger than the other address on the network), and the other was 220.127.116.11. 18.104.22.168 was listening on port 53, which (in my limited research) appears to be associated with the ADM Worm. 192.168.0.101 had four ports open: 2869 (UPnP?), 3389 (MS Terminal Service), 4224 (xtell messaging service), and 8292. Port 8292 seemed to be querying several different protocols: SMB, LDAP, DNS, and X11. There was more in nmap's dump for the port, but those were the protocols I could identify offhand. Those two addresses were present and resolvable when only my Ubuntu netbook (which is clean and had never been connected to their network before) was physically connected to the modem and the WiFi radio was off.
While I was running the port scans, my friend was talking with Qwest Tech Support. During the course of the conversation, it was mentioned by Tech Support that they had received numerous complaints about connection issues related to botnets similar to our problem (this is from what I overheard and what my friend told me). I should also mention that we tried three different modems, all different models, and the same two addresses came up. On one of the modems, we actually had more than the two abnormal addresses, but I didn't run any scans on those. Our final solution was to use the modem in transparent bridge mode, with an IPCop box connecting directly to Qwest's servers.
I have three questions: Is it possible that Qwest's modems have been compromised and are being used to propagate botnets? Were we thorough enough in our investigation, or did we miss a step which could have led us in another direction? If the modem is compromised, will operating it in transparent bridge mode render the vulnerability moot?
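As an added example (not from the original post), here is a Python script that does the check the poster did by hand: it parses nmap's grepable (-oG) output of a LAN scan, reconciles the hosts found against an inventory of devices the household can account for, and flags unknown devices and open services that have no business on a home LAN. The scan text, the inventory and the watchlist are constructed sample values modelled on the post, not a real capture.

```python
import re

# Constructed nmap -oG output modelled on the scan described in the post.
# Addresses, service names and states are sample values, not a real capture.
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 192.168.0.101 ()\tPorts: 2869/open/tcp//icslap///, 3389/open/tcp//ms-wbt-server///, 4224/open/tcp//xtell///, 8292/open/tcp//blp3///\tIgnored State: closed (996)
Host: 192.168.0.150 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Hypothetical inventory: devices the household can actually account for.
KNOWN_HOSTS = {"192.168.0.1": "modem/router", "192.168.0.5": "family laptop"}

# Services that an unexpected device on a home LAN should not be offering.
WATCHLIST = {53: "DNS server", 3389: "Remote Desktop", 2869: "UPnP/SSDP event"}

# One port entry in -oG output looks like: 3389/open/tcp//ms-wbt-server///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {ip: {port: (state, proto, service)}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates sections with tabs
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for section in fields[1:]:
            if section.startswith("Ports:"):
                for port, state, proto, svc in PORT_RE.findall(section):
                    hosts[ip][int(port)] = (state, proto, svc)
    return hosts


def audit(hosts, known, watchlist):
    """Flag hosts missing from the inventory and watchlisted open ports."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        if ip not in known:
            findings.append((ip, "unknown device"))
        for port, (state, proto, svc) in sorted(ports.items()):
            if state == "open" and port in watchlist:
                findings.append((ip, f"open {proto}/{port} ({watchlist[port]})"))
    return findings


if __name__ == "__main__":
    for ip, note in audit(parse_grepable(SAMPLE_SCAN), KNOWN_HOSTS, WATCHLIST):
        print(ip, note)
```

Running it against a real scan (`nmap -sS -p- -oG lan.gnmap 192.168.0.0/24` on a clean machine plugged straight into the modem, as the poster did) gives a repeatable list to compare across modems rather than reading the dump by eye.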