0 votes
127 views 1 comments
by anonymous

Hi!

Just got this syslog entry, "invalid password for 'UNKNOWN' on 'ttyMSM0'", from a RUTX11 on a remote site.

I have syslog logs dating 6 months back and this is the only entry regarding ttyMSM0.

What is ttyMSM0 in a RUTX11 and is there a natural cause for this popping up?

Running RUTX_R_00.07.02.7
Uptime is 13:44:24 up 19 days, 19:35

Edit: To add, this is only used for out-of-band access to a remote network over 4G and only has a reverse SSH tunnel going through it.

1 Answer

0 votes
by anonymous

Hello,

ttyMSM0 refers to the UART port present on the router's PCB, which provides console access to the device's shell interface.

Other than a physical attempt to log in to the device using this interface, I cannot imagine any other case in which this message would pop up.

Best regards,

by anonymous
Ok! Yes, after some googling I also found some reference to a physical port on the device.

I was onsite about 45 minutes after the log entry and no sign of tampering.

I'm not even sure if you can reach the UART on the PCB without having to unplug either power, antennas or the ethernet cable? I'm monitoring the ethernet connection and 4G so I should have been notified if that was the case.

The 4G connection is behind CGNAT so it should not be reachable from the internet.

I wonder if /dev/ttyMSM0 is connectable via ssh/CLI in any way; if the device is in some way compromised, could you reach it via a terminal program?

Really strange...
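
An added example, not part of the original thread: a small Python check for a central syslog archive that pulls out failed logins in the format quoted in the question and flags those on a device-local line such as ttyMSM0 that occur only rarely. The sample lines, hostname and the optional "from '<host>'" suffix are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text follows the entry quoted in the question; the optional
# "from '<host>'" suffix is an assumption for logins that carry a remote host.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?"
    r"invalid password for '(?P<user>[^']*)' on '(?P<tty>[^']+)'"
    r"(?: from '(?P<src>[^']+)')?"
)

def parse_failed_logins(lines):
    """Return one dict per failed-login line; all other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            ev = m.groupdict()
            # pts/* is a pseudo-terminal (network or nested session);
            # anything else is a device-local line such as the UART console.
            ev["local_console"] = not ev["tty"].startswith("pts/")
            events.append(ev)
    return events

def rare_console_events(events, max_count=1):
    """Local-console failures whose (host, tty) pair occurs at most max_count times."""
    seen = Counter((e["host"], e["tty"]) for e in events)
    return [e for e in events
            if e["local_console"] and seen[(e["host"], e["tty"])] <= max_count]

# Constructed sample lines (hostname, timestamps, PIDs and addresses are made up).
SAMPLE = [
    "Mar  3 13:01:12 rutx11 login[4312]: invalid password for 'UNKNOWN' on 'ttyMSM0'",
    "Mar  3 13:05:40 rutx11 login[4390]: invalid password for 'root' on 'pts/0' from '192.0.2.10'",
    "Mar  3 13:05:44 rutx11 login[4390]: invalid password for 'root' on 'pts/0' from '192.0.2.10'",
    "Mar  3 13:10:00 rutx11 kernel: link state changed",
]

if __name__ == "__main__":
    for ev in rare_console_events(parse_failed_logins(SAMPLE)):
        print(f"{ev['ts']} {ev['host']}: console login failure on {ev['tty']} (user {ev['user']!r})")
```

A single hit on a serial line with no matching power, link or antenna alarm is worth correlating with on-site access records and the device's boot time before treating it as tampering.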