11-10-2012 6:13 AM
I have a couple of applications on a server behind my residential gateway, one that uses protocol 443 (https). At some point last year I found that upon invocation of my address, I was presented with a false and expired SSL certificate. After some hunting around, I found that this certificate is associated with a small web server named "mini_httpd", and further I found that it is mounted on a number of other AT&T Residential Gateways. I don't know what it is doing, I don't know how it gets installed, but I can tell you how to detect if you have it, and how to get rid of it.
Here is a link that tipped me off that a number of people with UVerse RG's have the same problem I had: http://dazzlepod.com/ip/220.127.116.11/. If that's your IP address... for that matter if you're curious whether this is on your gateway, go to a computer that is outside your network (like at work) and try to link to your IP address on port 443, like so - 18.104.22.168:443. You have to know your external IP address, but you can find it on the RG setup pages.
I believe that whoever puts this thing on the RG's is doing a brute force attack on the RG password, then doing whatever he does to install the web server. The way to get rid of it is to do a reset of all settings then a hard reboot. But you have to change the password to something harder than the default - tip, use combinations of letters, numbers, and symbols, maybe 20+ characters long. Also you need to enable an option on the firewall|advanced configuration screen that prevents excessive session attempts. I believe this will prevent it from happening again, but not exactly sure. I never changed my default password, which is only 10 numeric characters, so I figure it was breached and the virus installed.
AT&T should enable the excessive session option by default and should figure out how this thing was mounted in the first place. I am assuming that there is a lot of traffic among these things between gateways but can't be sure.
Solved! Go to Solution.
11-10-2012 9:19 AM
11-10-2012 6:46 PM - last edited on 11-10-2012 8:35 PM by Phil-101
I do.... that would be quite frustrating.
But I can't believe they would use a personal, unverified ssl certificate that is posted on a hackers web site, that expired in 2010 etc etc etc. I didn't post it above, but I found that certificate in a code repository and while I didn't look into what the code did, I'm not sure I want to know. Here it is -
[removed third party link]
I can't believe that ATT would put that same certificate in the RG. And now that I've reset/rebooted, I'm not getting the behavior anymore. But I guess that anything is possible.
11-10-2012 8:58 PM
11-14-2012 2:57 PM
Now it is back again. I cannot understand why they would put it on port 443. Take a look at this certificate, AT&T isn't that bad is it? The specific cisco application appears to have a special pinhole in the ~3300 port neighborhood, which would be more logical to me. Attached below is a summary of the certificate (same stuff I sent earlier from that hacker web site).
11-14-2012 5:09 PM
11-16-2012 3:07 PM
I would assume that if I got rid of the wireless STB and had that TV hardwired, that this would go away, no? Further, since my earlier posts, I've found that the wireless transmitter that connects to the STB is the one that maintains that port, so sorry for the questions ealier!
11-16-2012 4:46 PM
Welcome to the internet boards! Check out our troubleshooting articles below and don’t forget to search the forums - your question may have been answered already!
Service acting up? Click here to troubleshoot now!
For DSL related issues. We highly recommend chatting with our teams to address this as quickly as possible.
Congratulations! You earned the Liz badge!