This is again mainly for my own reference. If you are stuck in “I don’t like CLI” land – like I am sometimes – this is how you get Webmin configured iptables rules to apply if the GUI isn’t applying them.
ip6tables-restore /etc/iptables/rules.v6 and iptables-restore /etc/iptables/rules.v4
(Rebooting also seems to apply any unapplied changes but rebooting is also very inconvenient!)
Here I will go through the rough and very technical steps to gain root access to this router.
Beware – it is very technical, needs a working GenieACS server and a DHCP server which allows you to set an Option 43 response.
Attack Vector: The takeover of this router hinges around the default configuration of the router picking up an ACS / TR-069 server from DHCP on the WAN. ACS / TR-069 is a remote management protocol for routers, SIP phones and other network items. This means we can plug the H298A WAN port into a network we control and respond with our own ACS Server. Once the router is communicating with our ACS server we can then reset the root password and log into the web admin interface with this root password.
Features Gained: You gain the ability to edit the WAN settings of the router. Possibly use a 3g dongle as backup and you can configure it to use your own VoIP service.
How: Install and make sure you have a working GenieACS server. I’m afraid this is a bit of a mission. I installed VMWare Player; debian as a guest with bridged networking to my LAN.
Make sure you can bring up your GenieACS UI in a browser using port 3000.. e.g. http://10.100.1.81:3000 (replacing the IP with the IP you are running GenieACS on, on your LAN). I had to reboot my debian guest after doing all the install before this web page would work. I’d also check the port that the router will communicate with.. e.g. http://10.100.1.81:7547 (This page will give you method not allowed error, but that is expected).
Go into the Admin tab on GenieACS. Go to Provisions on the left. Click Show on the default line. Add the following at the bottom of the existing script:
And then save it. What this does is, along with the other default stuff GenieACS does when a router first communicates, will set the password on the routers ACS “connection request url” to be something we know. This allows easy access to change settings via Genie ACS. If we didn’t do this step then GenieACS would fail to push settings to the router with an authentication error.
We now need to set DHCP Option 43 on your LAN DHCP Server.
On OPNSense you add an option 43, select String from the drop down box and then the value in this format:
Which is 01 (start) 18 (length, in hex, of the url string to follow, windows calculator in programmer mode is your friend here) 68:74:74:70:3a:2f:2f:31:30:2e:31:30:30:2e:31:2e:38:31:3a:37:35:34:37:2f (http://10.100.1.81:7547/ in hex; cyberchef is your friend here to convert to and from Hex).
Save and apply your DHCP config.
Plug in your Hyperoptic router WAN port into your LAN.
Wait for it to boot up – then refresh your GenieACS interface and you _should_ see the Hyperoptic router in there!
Go to the device by clicking on the serial number. In the grey box below “All parameters” type in AdminAccount.
Click the little pencil icon to the right of “blank” on the password line. Type in a secure password. If you try and set something like “rob” it will error with task faulted and invalid parameter value. If this happens you need to click on the fault at the top and delete it from the queue.
So after setting a secure password like Underground123! click Queue then Commit.
You should see green status lines saying the change has been sent ok. You can now log into the Hyperoptic router interface using the username root and the password you just set in the last step.
Good luck and I hope this information helps someone :)
Thanks for showing your trust upon us once again. your order has been renewed and is active now, the payment will reflect into your account within few moments to next 48 hours. Order description is given below:
Product Name: N0RT0N_36o
Product Key: 33NT-LB78-NNSA-J219
Total Amount: $443.43
Mode: Direct online debit
For any help or cancellation: +1 (347) 380 6987
The above is a scam. Using phone number 13473806987 aka 347-380-6987
This one has become so prevalent that I’m starting its own article.
Victims: You probably want to approach your bank with “I ordered this item from this website and I didn’t get my items and I can’t reach the retailer.”. Approaching it from a “Someone stole my card details and spent my money” may not cover you because you willingly handed over the details. I’m not an expert on that. Citizens advice may be the best people to speak to. Do not give up. Chase it through to the financial ombudsman if the bank is uncooperative. You may wish to remind your bank about their code of conduct about reimbursing scam victims. Once you’ve dealt with the payment card issues it is important to also report the fraud to ActionFraud: http://www.actionfraud.police.uk/report-a-fraud-including-online-crime
These scam shops advertise on google under numerous white goods and electronics goods keywords. They often claim to have stock of items that most retailers do not and the price is normally well below the normal price.
Upon purchase you are taken to a slick looking credit card page.
The sites they operate under are:
“Techtop Best Online Store” / “Techtop Ltd.” (techtop.shop – Registered 9th January 2021).
“Larris Best Online Store” / “Larris Retail Limited” (larris.shop – Registered 15th October 2020).
“Kentis Best Online Store” / “Kentis Limited” (kentis.shop – Registered 15th December 2020).
“Rettis Best Online Store” (rettis.shop – Registered 24th January 2021).
“Stargon Online Store” (stargon.shop – Registered 7th January 2021).
“Bennis Online Store” (bennis.shop – Registered 4th February 2021).
global-pay.site and global-payment.site
10th February 2021 they’ve moved to using checkout.diespay.com (which seems to be related to a potentially legitimate payment processor “begateway.com”). Other related indicators / information: “email@example.com” and russian phone number “+794500522551”.
“Techen Best Online Store” (techen.shop – Registered 5th February 2021).
“Ketron Best Online Store” (ketron.shop – Registered 28th March 2021).
“Besten Online Store” (besten.shop – Registered 2nd April 2021).
“Rettop Online Store” (rettop.shop – Registered 6th March 2021).
“Frantis Meilleur Botique En Ligne” (frantis.shop – Registered 23rd March 2021).
“Dextron Best Online Store” (dextron.shop – Registered 27th May 2021).
Also related cloudpayments.services Registered 27th May 2021.
Also related securepay.tinkoff.ru for the back-end card payments using “cargo-rh.com” (CargoRoadhouse, Cargo-roadhouse) merchant account.
Also related api-payments.cc registered 22nd June 2021.
They’ve now moved to using the spoof domain “checkout–diespay.com” (similar to what seems to be a genuine payment service checkout.diespay.com”). Domain only registered 7th July 2021. (One day ago at time of updating this post).
Payment has moved to “spanish-speaker.com”, what looks like a genuine site but the payment gateway is being used to collect payment for the scam online store. The spanish speaker site then redirects the visitor to a genuine card processor company.
“Retten Best Online Store” (retten.shop – Registered 9th June 2021).
“Zerten Best Prices Every Day” (zerten.co.uk – Registered 12th July 2021).
Fake payment site has been setup on “pay-core.com” (Registered 12th August 2021) which then forwards to try to take payment on tinkoff with the account “firstname.lastname@example.org”, “express-trassa.com”, “IP “ATANOV EVGENIY MIKHAYLOVICH””, “+79620033841” which also looks like a fake business.
Fake payment has moved to “pay-alpha.com”.
“KIPSTEN Best Prices Every Day” (kipsten.com – Registered 12th July 2021). Hosted at “18.104.22.168” but hidden behind cloudflare. This site seems to be using a checkout system on a fake company “themarketingacademy.biz” (Registered 22nd July 2021) which in turn uses a genuine payment processor “ecommpay.com”.
The fake marketingacademy website seems to be a clone of “londonmcg.co.uk” (also doesn’t look too legitimate itself either!). Whoever set up both had a copy of the website code and database of the original. I suspect whoever made londonmcg stole the code and is using it on the fake marketingacademy site.
“Optitech Best Online Store” (optitech.shop – Registered 27th July 2021). This site attempts to send PayPal payment to “email@example.com”. Hosted at “22.214.171.124” but hidden behind cloudflare.
“Wirsten Best Prices Every Day” (wirsten.co.uk – Registered 3rd September 2021). Hosted on the same CloudFlare account as zerten.co.uk and kipsten.com.
“Lotren Best Prices Every Day” (lotren.co.uk – Registered 29th September 2021).
Also related “bepaid-processing.info” domain being used as a fake card payment screen. Registered 8th December 2021.
“Hintech Best Prices Every Day” (hintech.co.uk – Registered 11th January 2022).
Also related “skill-market.pro” and “cloud-processing.info”.
“Kerten Best Prices Every Day” (kerten.co.uk – Registered 8th February 2022).
“UAETECH Best Prices Every Day” (uaetech.shop – Registered 5th April 2022).
“TECHERT Best Prices Every Day” (techert.co.uk – Registered 24th January 2022).
Also related fake payment gateway / human based credit card relaying “cardpanel”: hxxp://payture.icu/admin/ maybe with a Russian developer named “cosmocoder.site”
Oh right.. there we go. I see, they are recommending a company who is actually….. the same company!
Is this ok? I feel like this association or “part of the Leaders Romans Group” should be made clear in their letters to tenants and landlords!
Slightly higher hanging fruit: The IP address of the website is “126.96.36.199”.. hosted on that same server is “threesixtymaintenance.com” among other domains. For clarity on who is hosted on the same website as Leaders Romans Group…
It is important to note that the victim that was sent this message did not give the previous tech support scammers any payment details. The above message is a fake designed to get the victim to call up and, likely, give over their bank details in a “refund scam” where the scammers will likely “refund too much” and then request the remainder back by Google, iTunes or other gift cards (which are impossible to then cancel and get a refund on!).
Both have been reported to the banks in question. If you’ve been a victim and sent payment after around 4pm on 24th September 2020 the destination bank is likely liable to return your payment if they’ve failed to take action on the destination account being used in the fraud.