Good morning,
I have been looking into the Security Logs from my Zyxel VMG8324-B10A router provided by Online.nl and for some reason I see the following on multiple days and multiple times a day (same situation with my previous router, which was replaced days ago):
"User supervisor login from 194.134.170.2 succesful"
The following are facts:
- This is a successful SSH connection attempt to my router from outside my network.
- This IP is from my ISP provider: https://www.findip-address.com/194.134.170.2.
- In the Zyxel admin panel / GUI there is no "supervisor" account, only Admin.
- I cannot access the router via SSH (I guess I can re-import the config file with the adjusted settings for SSH, but that is not the issue discussed here).
- I can access the router via Telnet, and there I can only see the Admin account using the embedded commands.
- Router documentation states that 4 login accounts are present by default: root, admin, supervisor and guest, although I only see Admin.
- When exporting the Zyxel configuration via "Maintenance > Configuration > Backup Configuration", I see the following lines at the bottom of the exported "configuration-backupsettings.conf" config file:
<X_5067F0_AccessServiceCfg>
<SshStatus>TRUST_ONLY</SshStatus> <TrustDomainIP>194.134.170.2@194.134.191.85@83.119.32.10@</TrustDomainIP>
<CustomerWebRedirection>url</CustomerWebRedirection>
</X_5067F0_AccessServiceCfg>
I understand that the ISP needs to be able to update my router configs when required.
But I now have serious security concerns. They have connected to my router every day and multiple times per day; what are they looking at? Are they also tapping and listening to the traffic that goes inside my local network? Who has the supervisor credentials, how do they store them, and why?
The service desk technicians from Online.nl state that they are not aware of the "supervisor" account. They also stated that they cannot see the security logs of my router because of privacy and they cannot provide further support, but it is clear that their systems have full control over the router (including its logs).
Have you experienced the same? Should we be worried? Is this a security breach? Have they been affected by SolarWinds, and are their systems trying to hack into everybody's homes? I'm not trying to be alarmist, but I need more clues.
Regards
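An added example (my own Python, not from the post or from Zyxel) that turns the two artefacts quoted above into a check: it reads the "@"-separated TrustDomainIP allow-list from the config fragment and flags any successful login by a privileged account whose source address is outside that list. The log lines beyond the one quoted in the post are constructed, and the "root"/"supervisor" watch list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the config block quoted in the post, verbatim.
CONFIG_FRAGMENT = """<X_5067F0_AccessServiceCfg>
<SshStatus>TRUST_ONLY</SshStatus> <TrustDomainIP>194.134.170.2@194.134.191.85@83.119.32.10@</TrustDomainIP>
<CustomerWebRedirection>url</CustomerWebRedirection>
</X_5067F0_AccessServiceCfg>"""

# Constructed sample log: the first line is the one quoted in the post, the
# others are made up (203.0.113.7 is a documentation address, not a real source).
SAMPLE_LOG = """User supervisor login from 194.134.170.2 succesful
User admin login from 192.168.1.10 succesful
User supervisor login from 203.0.113.7 succesful
User supervisor login from 194.134.191.85 failed"""

# The router writes "succesful"; accept the correct spelling as well.
LOGIN_RE = re.compile(
    r"User (?P<user>\S+) login from (?P<ip>[\d.]+) (?P<result>succes+ful|failed)"
)

def parse_trust_domain(fragment):
    """Return (SshStatus, list of trusted IPs) from the AccessServiceCfg block.
    TrustDomainIP is '@'-separated with a trailing '@', so empty items are dropped."""
    root = ET.fromstring(fragment)
    raw = root.findtext("TrustDomainIP") or ""
    return root.findtext("SshStatus"), [ip for ip in raw.split("@") if ip]

def audit_logins(log_text, trusted_ips, privileged=("root", "supervisor")):
    """Return one record per successful login; 'alert' is set when a privileged
    account (assumed watch list) logged in from an address not in the trust list."""
    records = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("result") == "failed":
            continue
        user, ip = m.group("user"), m.group("ip")
        records.append({"user": user, "ip": ip, "trusted_source": ip in trusted_ips,
                        "alert": user in privileged and ip not in trusted_ips})
    return records

if __name__ == "__main__":
    status, trusted = parse_trust_domain(CONFIG_FRAGMENT)
    print(f"SshStatus={status} trusted={trusted}")
    for r in audit_logins(SAMPLE_LOG, trusted):
        print(("ALERT " if r["alert"] else "ok    ") + f"{r['user']:<10} from {r['ip']}")
```

Run it against your own exported config and log export; a login from an address outside TrustDomainIP is the case worth raising with the ISP, while logins from the listed addresses match what the TRUST_ONLY setting permits.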