Arris TG1682G config overwrite

New Poster

Arris TG1682G config overwrite

I've come to the conclusion that my router* is getting hacked by some clever folks and it's not good.

Details below.

It started a couple of weeks ago when I noticed disconnects.

I check out the router 10.0.0.1 and find admin/password doesn't work, someone else's SSID and other people's devices showing on the welcome screen.

Odd since my SSID still runs decent enough that I might not have noticed otherwise.

So I reset the router, comes up clean, immediately change password to something strong and never used before and continue to customize my settings, hit save and all good.

Until 24 hours later - disconnect issues again so I check 10.0.0.1 and there is the same thing - someone else's SSID and other people's devices showing on the welcome screen.

Mind you this is the same someone else's SSID, not something random or new so I'm thinking must be a config mistake somewhere.  

I follow the same steps to reconfig only adding a few more security measures, I start locking things down in the config.

Within an hour, the "bad" config is back.

So I call Comcast, open a ticket, they're not sure what's happening but ask me to reset my account password and exchange the device.

Done.  Go through the setup process again, making sure to save and download 

Within an hour, the "bad" config is back on the new device.

Full reset - Disconnect the router from the internet (unplug the coax) full reconfig and save.  All good.  Hour goes by still all good. 

Plug the coax back in and immediately (2-3 mins) the bad config is back.  

Disconnect the coax, reboot the router and it comes up clean with my good config, no configuration change is needed.

This tells me that the router(s) are correctly saving the config changes and something else via the Internet is overwriting the config on purpose.

I log in to my Comcast account just to make sure that Comcast isn't doing a config push automatically but the few settings on there are correct.

Plug it back in to the Internet (Coax) and again within 2-3 mins the bad config is back.

Now I go on full lockdown mode - full reset on the router, disable every setting I can including as much IPv6 as possible**, IPv6 custom firewall, high security for IPv4 firewall, 192.168.0.1 default gateway, everything available through the Arris interface.  I'm feeling good.  Firewall logs show IPv6 attempts are getting blocked by the firewall and 10 minutes goes by and I'm still up and running.

Since I've just beaten the hackers, I'm feeling good and go to the grocery store except when I get back - bad config has returned.

I've read some stories about the Arris PoTD and other issues but I just want a config that will survive.

*Arris TG1682G running 2.4p2s1 fresh off the Comcast shelf after my previous Arris TG1682G modem/router had the same issue.

**DNS now picks up Comcast IPv4 resolvers by default instead of v6

 

New Poster

Re: Arris TG1682G config overwrite

More data:

 

System Software Version

eMTA & DOCSIS Software Version:10.1.11.SIP.PC20.CT
Software Image Name:TG1682_2.8p15s1_PROD_sey
Advanced Services:TG1682G
Packet Cable:2.0
 
FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28 Firewall Blocked  
FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12 Firewall Blocked  
FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01 Firewall Blocked

 

Within 3 minutes I get an error and see the router has been reset to the bad config.
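An added example, not part of the original post: a small parser for the firewall log lines quoted above, which lists the drop counters last updated in the minutes before a configuration revert. The line format is inferred from the three pasted lines only, the revert time is a constructed value, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the post above; the format is inferred from these three
# samples only, not from Arris documentation.
SAMPLE_LOG = """\
FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28 Firewall Blocked
FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12 Firewall Blocked
FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01 Firewall Blocked
"""

LINE_RE = re.compile(
    r"^(?P<rule>FW\.\S+)"                        # e.g. FW.IPv6, FW.WANATTACK
    r"(?:\s+(?P<chain>INPUT|FORWARD|OUTPUT))?"   # chain is absent on some rules
    r"\s+(?P<action>drop)\s*,\s*"
    r"(?P<count>\d+)\s+Attempts,\s*"
    r"(?P<ts>\d{4}/\d{1,2}/\d{1,2} \d{2}:\d{2}:\d{2})"
    r"\s+(?P<status>.+?)\s*$",
    re.IGNORECASE,
)

def parse_fw_log(text):
    """Return (entries, rejected): parsed dicts and any non-empty lines that did not match."""
    entries, rejected = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({
                "rule": m["rule"],
                "chain": m["chain"],  # None when the line has no chain field
                "count": int(m["count"]),
                "last_seen": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "status": m["status"],
            })
        elif raw.strip():
            rejected.append(raw)
    return entries, rejected

def drops_before(entries, event_time, window_minutes=5):
    """Entries whose last-seen time falls in the window leading up to event_time."""
    start = event_time - timedelta(minutes=window_minutes)
    hits = [e for e in entries if start <= e["last_seen"] <= event_time]
    return sorted(hits, key=lambda e: e["last_seen"])

if __name__ == "__main__":
    entries, rejected = parse_fw_log(SAMPLE_LOG)
    revert = datetime(2018, 1, 27, 5, 26, 0)  # constructed time for the config revert
    for e in drops_before(entries, revert):
        print(e["last_seen"], e["rule"], e["chain"] or "-", e["count"])
```

Each line appears to carry a running count plus a single timestamp, so the output shows when a counter was last updated, not every blocked packet.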

 

Authorized Vendor

Re: Arris TG1682G config overwrite

I would check and see if MoCA is disabled on your modem and if you have a MoCA "POE" Filter on your line and if not I would add one..  Make sure MoCA is disabled..

-------------------------------------
Network Engineer, IP Engineer, Docsis..; the views expressed on this post are mine and do not necessarily reflect the views of my employer..

Gamer.. Living the dream one catastrophe at a time ..

Authorized Vendor

Re: Arris TG1682G config overwrite


@ wrote:
 
FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28 Firewall Blocked  
FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12 Firewall Blocked  
FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01 Firewall Blocked

Be careful on what you block for IPv6 you could be blocking your own traffic..  Like if you block all ICMPv6, IPv6 will be in a broken state and not work right..

-------------------------------------
Network Engineer, IP Engineer, Docsis..; the views expressed on this post are mine and do not necessarily reflect the views of my employer..

Gamer.. Living the dream one catastrophe at a time ..