alphason Posted June 12, 2018
A couple of weeks ago I needed to change the port forward settings to an updated IP address, as I do every now and again, but my usual 192.168.1.1 would not work, so I found the router now at 192.168.1.254. It's a ZTE F620 with TOT Fibre, with a TP-Link as the wifi router, configured with the help I got from here... It's not really a problem, just interested why it suddenly changed by itself. Did TOT do it? Also today I had to update the port forwarding again and by chance noticed something strange in the ZTE. Under Administration-TR-069-Basic I noticed that the user name is weird. Not sure if it's safe to write it here but basically it's an expletive! What is that user name for? It looks to me like something set by TOT; above this setting are things like Wan Connection, ACS URL. Thanks
naboo Posted June 12, 2018
Sounds like one of your neighbours hacked your router.
alphason (Author) Posted June 13, 2018
19 minutes ago, naboo said:
> Sounds like one of your neighbours hacked your router.
Not sure but will change the router logins anyway. The ZTE does not have wifi, it's just for the fibre connection; wifi is via the connected TP-Link. Router login passwords are unchanged on both, the TP-Link is unchanged on 192.168.1.250, it's just the ZTE. I don't know what that username / password that has changed is for exactly, I only noticed it by chance. I am guessing it's the password to log in to the fibre network, so if someone changed that wouldn't I not be able to get the fibre? I don't know. In the ZTE's help for that username/password setting it says... Username/Password: ACS authenticates username and password.
Edited June 13, 2018 by alphason
alphason (Author) Posted June 13, 2018
Just ran Avast antivirus and it has recommended resetting the device's DNS settings. Currently on the ZTE in Network-LAN-DHCP Server I have...
DNS Server1 IP Address 89.207.131.8
DNS Server2 IP Address 8.8.8.8
So now I checked the box that says Assign ISP DNS and those other settings have now grayed out. Will run Avast again after the currently running Malwarebytes scan has finished.
Edited June 13, 2018 by alphason
alphason (Author) Posted June 13, 2018
Ran Malwarebytes, CCleaner, flushed DNS on PC, reset routers, set new passwords, changed to Assign ISP DNS, but Avast still says there is a problem. Not sure if it's really something I need to be concerned about or not? Been looking to try to understand what that username in Administration>TR-069>Basic is but can't find anything useful or that I understand. I thought about just removing that username (which is the expletive) but the password in the next field is not visible, so it could be a problem if I need to re-enter it. Here is an example screenshot of the menu I am talking about: http://screenshots.portforward.com/routers/ZTE/F620/TR_069_Basic.htm
alphason (Author) Posted June 13, 2018
Tried calling TOT to ask them the correct settings for Administration>TR-069>Basic but did not get very far, was given an email so will see if they respond to that.
johng Posted June 13, 2018
9 minutes ago, alphason said:
> Tried calling TOT to ask them the correct settings for Administration>TR-069>
As I understand it, TR-069 is not needed unless you want to remotely administer things like set-top boxes from the internet side. I would turn it off, it's just one more thing a "hacker" could try and use to gain access. Have you checked the "hosts" file on your devices?
alphason (Author) Posted June 13, 2018
41 minutes ago, johng said:
> As I understand it the Tr-069 is not needed unless you want to remotely administer things like set-top boxes from the internet side, I would turn it off just one more thing a "hacker" could try and use to gain access. Have you checked the "hosts" file on your devices ?
Thanks. Can't see a setting to just turn it off/on, the only thing I could do is delete the entries in this menu, but there are 2 passwords that are not visible so it might be a problem if I needed to put them back? Not familiar with hosts files, but followed some instructions to read c:\Windows\System32\Drivers\etc\hosts with Notepad on the PC. I don't think there is anything set up in there. When I read the file it starts with "this is a sample hosts file..." and looks like it only contains the notes if the line starts with # (?) Other than this PC there are some other devices, 3 Android devices and a smart TV connected at times. Would they need to be checked also?
johng Posted June 13, 2018
Anything with # preceding it is not read, so if there is nothing else other than # bla bla bla then that's normal... but still search your PC for "hosts" files with the hidden files option enabled.. it could be "hiding somewhere". It will be harder to search on the other devices you mention.. they possibly could be compromised so try.. but I think the PC is more likely. As for TR-069, you don't use it... it's not needed for your internet to function... you can disable it whichever way works.
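
The hosts-file check discussed in the posts above, as an added example that is not part of the original thread: it skips `#` comments and reports every live mapping that is not a plain localhost entry. The sample file contents, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the stock Windows comment header followed by entries
# that were added for illustration (names and addresses are made up).
SAMPLE_HOSTS = """\ufeff# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#      127.0.0.1        localhost
127.0.0.1       localhost
203.0.113.10    www.example-bank.test login.example-bank.test  # injected
0.0.0.0         update.example-av.test
not-an-ip       something.test
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def audit_hosts(text):
    """Return (active, findings): every live mapping, and the ones worth a look."""
    active, findings = [], []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere on the line
        if not line:
            continue                          # blank or comment-only line
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, names, "malformed address"))
            continue
        for name in names:
            active.append((lineno, str(ip), name))
            if ip.is_loopback and name.lower() in LOCAL_NAMES:
                continue                      # normal localhost entry
            if ip.is_loopback or ip.is_unspecified:
                reason = "name blackholed locally"
            else:
                reason = "name redirected to a fixed address"
            findings.append((lineno, str(ip), [name], reason))
    return active, findings

if __name__ == "__main__":
    import sys
    # Pass the path of a hosts file to audit it; with no argument the sample is used.
    text = (open(sys.argv[1], encoding="utf-8-sig", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_HOSTS)
    for finding in audit_hosts(text)[1]:
        print(finding)
```

A file that contains only `#` lines, like the one described in the thread, produces no active entries and no findings.
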
alphason (Author) Posted June 13, 2018
Thanks again. I searched for "hosts" displaying hidden files and it found C:\Windows\WinSxS\amd64_microsoft-windows-w..ucture-other-minwin_31bf3856ad364e35_10.0.17134.1_none_1ac029cdce3c581c
Opened it with Notepad and it looks exactly the same as the other file. Will try just deleting the TR-069 entries, thanks.
alphason (Author) Posted June 14, 2018
Sorry, just one more question. Should I delete/blank out every entry in that whole menu page or just the part with the strange username/password? Thanks. http://screenshots.portforward.com/routers/ZTE/F620/TR_069_Basic.htm
johng Posted June 14, 2018
I would try blanking any field with URL, username and password. You may not be able to set a blank user/pass, so make something up that's difficult to guess and write it down somewhere.
alphason (Author) Posted June 14, 2018
6 hours ago, johng said:
> I would try blanking any field with URL ,username and password You maybe not able to set a blank user/pass so make something up thats difficult to guess write it down somewhere.
As you thought, it would not let me blank out any fields at all in that menu. It would be a lot easier if you could just simply turn it off. So I kept all the settings the same but changed to my own made-up username/password and connection request username/password. (I did back up the user configuration file just in case before making any changes.) Thanks for your help.
fab99 Posted August 21, 2018
Hi, I have the same router from TOT and I have been having some problems lately. My computers open tabs randomly when I browse the web, no matter what computer I use or what browser I use... I just saw today that my router IP was also changed to 192.168.1.254 instead of 192.168.1.1 and that a not very polite username was set up in TR-069 (I wouldn't be able to write the username here...). I changed the user and changed a DNS address that was suspicious, but I am still having problems... I guess my router was hacked and the only way would be to do a factory reset, but I am not sure I would be able to make it work after that with the TOT configuration and I can't take the risk of losing internet for more than a few hours... I don't want to contact TOT because I know how helpful they usually are. Any news on this matter? Do you also have problems with websites opening randomly? Did you do a factory reset?
johng Posted August 21, 2018
Go to your local TOT office with your internet bill (as it has your customer number) and explain the problem, that you need to factory reset your modem/router. Ask them to tell you your PPPoE username and password. There should be no problem with supplying you with those details.
fab99 Posted August 21, 2018
Thanks for your answer. I'll do that as I think resetting my router to factory settings is the safest thing to do. I'll have to check if I can update its firmware, maybe they corrected the vulnerability...
NanLaew Posted August 21, 2018
If your ISP has loaded proprietary firmware on a branded router, and most of them do, updating to the latest manufacturer's firmware may render some of the ISP's bespoke settings invalid or, worst case, brick the router. Doing a factory reset is safest as that simply resets to factory default (same firmware), but it is best to take a note of the setup and configuration settings and also have the ISP's default username/password OR the username/password combo that it was initially set up with at hand.
Eun Mcknight Posted November 5, 2018
Maybe it's a virus, but I'm glad you found your new IP Address. I experienced that too, I'm not sure how it happened, I was about to call any techie but now it's working.