0 votes
11,493 views 0 comments
by
Hello,

We have some RUT950s installed as 4G modems. For some needs their SIM cards have a public IP, so we can reach our equipment via VPN.

But since last September we have encountered an increase in data consumption. The tcpdebug isn't showing anything clear. When we inspect the connection state, one destination host is at the top: rev.poneytelecom.eu:443. When I block its IP address, another IP takes its place, with the same name.

Has any of you encountered this host? I don't see what it means, or how to block it for good.

Regards,

Stephane

3 Answers

0 votes
by

Hello all,

Finally, I have found the cause of our trouble.

In User Script, the line /sbin/keepaliver had been added. In any case, not by us. I removed the script (via SSH) and reset User Script to its default value.
The suspicious connections did not reappear. Great.

But I keep watching just in case.

Stéphane
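
Added example, not part of the thread and not Teltonika code: a small POSIX shell audit that lists every command a startup script would run at boot and flags those not on an approved list, which is how a line such as /sbin/keepaliver stands out. It assumes the WebUI "User Script" is stored in /etc/rc.local (the OpenWrt convention); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit a startup script for commands that are not on an approved list.
# Assumption: the WebUI "User Script" field is stored in /etc/rc.local
# (the OpenWrt convention); pass another path if your firmware differs.

# Lines that would actually execute: trims whitespace, then drops blanks,
# comments and the stock trailing "exit 0".
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^$' -e '^#' -e '^exit 0$'
}

# Active lines that are absent from the allowlist file (one approved line per
# line, exact match). Exit status 0 means at least one unapproved line exists.
unexpected_lines() {
    active_lines "$1" | grep -vxF -f "${2:-/dev/null}"
}

# Report for one script; returns 2 if anything unapproved is present, else 0.
audit() {
    hits=$(unexpected_lines "$1" "$2") || { echo "OK   $1"; return 0; }
    echo "WARN $1 runs unapproved commands at boot:"
    echo "$hits" | while IFS= read -r line; do
        bin=${line%% *}                      # first word = program started
        [ -e "$bin" ] && state=present || state=missing
        echo "  $line   [$bin: $state on this system]"
    done
    return 2
}

# Constructed sample: a stock script plus the line reported in the thread.
write_sample() {
    printf '%s\n' '# Put your custom commands here' '' \
        '/sbin/keepaliver' 'exit 0' > "$1"
}

if [ "$#" -gt 0 ]; then
    audit "$1" "${2:-/dev/null}"             # e.g. audit /etc/rc.local allow.txt
else
    tmp=$(mktemp -d) && write_sample "$tmp/rc.local"
    audit "$tmp/rc.local" /dev/null || true  # demo run on the constructed file
    rm -rf "$tmp"
fi
```

Run with the script path and an allowlist file as arguments; with no arguments it only audits the constructed sample.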

Best answer
0 votes
by

Hi Stephane,

I quote:

Poney Telecom, an internet server company run from France, has been at the centre of multiple allegations of organised international criminal activity for a few years, with all warnings, court summons and legal demands to be closed ignored.

Read here.

Cheers,

Joerg

0 votes
by
Please check your Firmware Version. It looks like your Router was owned due to a bug in firmware <= 00.03.265.

Search for "CVE-2017-8116: Teltonika router unauthenticated remote code execution" and update the firmware asap and check if WAN HTTP(S) access is activated in Administration --> Access Control Menu.

BR, Ronald