Hourly Netgear router access attempts

Rainmaker · 28 Mar 2008 at 21:59

Hi guys,

For some reason my Netgear DG834GT has always listed a login attempt (authentication failed) in the router logs on the hour, every hour, since I bought it six months ago.

Code:

Wed, 2008-03-26 11:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 12:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 13:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 14:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 15:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 16:00:02 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 17:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 18:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 19:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 20:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 21:00:02 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 22:00:01 - unexpected reply: 535 Error: authentication failed
Wed, 2008-03-26 23:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 00:00:02 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 01:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 02:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 03:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 04:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 05:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 06:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 07:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 08:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 09:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 10:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 11:00:01 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 12:00:02 - unexpected reply: 535 Error: authentication failed
Thu, 2008-03-27 13:00:01 - unexpected reply: 535 Error: authentication failed

You get the idea. It's now running DGTeam fw (was UberGT), but the error remains. Remote administration (web gui) is disabled, remote telnet is also disabled. The local admin password for the router is 63 randomly generated mixed case alpha-numeric characters long and therefore extremely unlikely to be cracked!

Any ideas on what's happening here, and why it's always (with very rare exception) happening at one second past every hour? TIA.

TrX · 28 Mar 2008 at 22:25

You sure that's an error for the webgui and not something else? remote ssh enabled?

//TrX

Rainmaker · 28 Mar 2008 at 22:31

Remote telnet and remote web gui access are both disabled - there is no remote ssh option for this router/fw

I dunno what else it could be, except someone/thing trying to log into the router. Google wasn't much help either. At least authentication failed means nobody got in at least LOL

I ended up closing my SSH port down completely in the Netgear firewall page (I'd previously been logging into my machine remotely using Putty for admin), as I got sick of the hundreds of access attempts to my machine over SSH from China, Russia and the USA LOL

tolien · 28 Mar 2008 at 22:34

Random script somewhere connecting to anything it can find.

Rainmaker · 28 Mar 2008 at 22:37

tolien said:
Random script somewhere connecting to anything it can find.

Yeah I thought as much

Just weird how it happens at one second past the hour, every hour, and has done so for months. Give it up already

I'd understand if my IP resolved to the Bank of England or something, but... LOL

leezer3 · 28 Mar 2008 at 23:52

Haven't turned on DynDNS or something have you?

Thats not someone trying to get in, your routers trying to get out

- Looks to me like thats a HTTP server error from something your router is trying to connect to.

-Leezer-

Rainmaker · 29 Mar 2008 at 00:15

leezer3 said:
Haven't turned on DynDNS or something have you?

Thats not someone trying to get in, your routers trying to get out - Looks to me like thats a HTTP server error from something your router is trying to connect to.

-Leezer-

Nope, no DynDNS (I have a static IP). The only thing enabled on the router is NTP via netgear.com - but that shouldn't phone home every hour (or be denied at the other end) surely? Hm.. Got me thinking now

Rainmaker · 29 Mar 2008 at 00:18

Ah ha!!

Email notification was set to "on"... HOURLY(!)... Doh. The password in the SMTP authentication was wrong (old)... Probably explains it

Thing is though it's only supposed to email me if it detects a DoS or port scan. Maybe it's a single report the poor router has been trying to send for months. Faithful little thing, what? LOL

I've changed the email password to the correct new one - we'll see what happens.