Got a strange error in my AT&T gateway

Hi all. I've been seeing a daily reboot of my AT&T gateway, has done it three times now. Looked at the logs in the AT&T box and I see several:

host=stats.allstarlink.org url=/uhandler.php hijacked

Anybody know what this might mean?

GeorgeC


--
George Csahanin
10100 Carson Ranch Rd.
Crowley, TX 76036
682-708-5716 home
401-338-0568 cel
http://dyb.com
PLEASE NOTE: Effective January 1, 2018 george@dyb.com will no longer function
USE george@w2db.com

I saw your post from the att forum dated back in Sept 2016. So your router detected a php hijacking and blocked the packet. That’s ok. But… I would guess you’re getting attacked all around and overloading your router. If you have a consumer-grade router. I would call att and see if they have any way of looking to see if you’re being attacked. Getting a new IP address should help. Log in to your router and check to see what your WAN/Public IP address is.

Try powering off your Router and ASL Node for 3-5 minutes.

Some hackers are testing your IP address and router.

The power off is to hopefully get a new IP address.

Google "online port scanner". Find one and scan your router to see if any of your ports are open. It should show no ports. Filtered ports are bad as well.

David KE6UPI

PS: If you’re into playing with routers and making your own, try OPNsense.

https://opnsense.org/

I use Sophos with a free home lic.


App_rpt-users mailing list

App_rpt-users@lists.allstarlink.org

http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the “Unsubscribe or edit options button”

You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.

Thanks, David

“Laws that forbid the carrying of arms…disarm only those who are neither inclined nor determined to commit crimes. Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than prevent homicides, for an unarmed man may be attacked with greater confidence than an armed one.”

Thomas Jefferson

George,

This thread may help.

https://forums.att.com/t5/AT-T-Internet-Features/DNS-Hijacking/td-p/4809874

73, David KB4FXC


Would changing the Allstar port number help, or would the bad guys just discover this in short order?

-Andy

KB7B

42432


If you are on the public net with an open port…you will be found.


Maybe I wasn’t clear on this point.

host=stats.allstarlink.org url=/uhandler.php is a valid line from rpt.conf, well, technically http://stats.allstarlink.org/uhandler.php is.
And my stats show up in stats.allstarlink.org

I found this on ATT forum, from another user (oddly, NOT from AT&T):

"the correct information in regards to the "hijacked" description endings in the logs. They are stating that the Gateway has hijacked the connection, and is providing responses. It does not mean that an external party has hijacked the connection. The gateway does this to send you error messages (i.e. in your browser), but it usually causes more harm than it does good."

I'll ignore this log entry. The daily reboot is still a mystery, sort of...it IS AT&T

GeorgeC
2360

No it’s not AT&T’s network.

What is the reason that the gateway (your router) hijacked the packet? Is the packet malformed? Did the packet get hijacked by an internal or external system? I can’t remember if stats.allstarlink.org/uhandler.php sends back a response or not. Why? If it does send a response back, then it could be an external problem. If it doesn’t, then it is an internal problem. Or just get a better router that doesn’t freak out over this common problem. What model router do you have?

David

KE6UPI


George,

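I sent you a link to a related, but wrong article, earlier. This link
explains what is going on:

https://arstechnica.com/information-technology/2015/03/atts-plan-to-watch-your-web-browsing-and-what-you-can-do-about-it/
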
So, basically, what "hijacked" means is that the DNS entry for
stats.allstarlink.org has been spoofed by AT&T, and those queries have
been redirected to an AT&T proxy server (AKA: man in the middle) for
"evaluation" before passing the request along to the REAL stats server.

DNS hijacking is becoming a serious problem these days, even if you set
your DNS server explicitly to a well known address---like google
(8.8.8.8)....This problem is one reason so much traffic on the Internet
these days uses TLS (https), since using TLS will at least notify you of
an invalid host (like a proxy server). BUT, be aware that even using TLS
doesn't eliminate this man-in-the-middle problem, it just makes it easier
to spot.

73, David KB4FXC

Well there you have it. If KB4FXC is right, AT&T hijacked your packet and your router acted appropriately. So I’ll check to see if https will work or not. But your router is still freaking out.

David


The first thing to check in resolving the need to regularly reboot the
router is if there is a firmware upgrade available for it.

Also, google the router model and some extra words like "locks up" or
"reboot" or similar. Some ISP supplied routers are just buggy, with no
easy fix other than to replace it with a different model.

73, David KB4FXC
