Weird(?) repetative info in logs

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
Post Reply
lesliejones
Newbie
Newbie
Posts: 3
Joined: Sat Feb 11, 2012 12:21 pm

Weird(?) repetative info in logs

Post by lesliejones » Sat Feb 11, 2012 12:50 pm

Hi, this is my first post here so please forgive any protocol or decorum blunders I may make.

I have an old Solwise router (SAR 600 -ER) which we don't really want to upgrade as we like the firmware.
The firmware has never been upgraded and it currently runs:

Code: Select all

Firmware version: RouterTech-3.6.0D-20061121.2.1A (20061121105059) 
This morning we discovered a number of things not working on our local network. One of our switches had maxed out with a full cam table, and a Linux box in the DMZ had been restarted and had its IPTABLES ruleset hosed (which is weird, because even with a power failure - and it's on a UPS so it would probably need to be a PSU failure/glitch - the rules are brought back up before the interface comes up).

Our syslog server, which gets data from the Solwise router was filled with repetitive entries like these:
  • Feb 10 03:05:27 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:27 | FWAN:fwan_evt_rep_if_del, state 5
    Feb 10 03:05:27 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:27 | FWAN:do_flush
    Feb 10 03:05:27 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:27 | FWAN:do_priv, action 0
    Feb 10 03:05:27 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:27 | FWAN:do_app_rules, action 0
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN:fwan_evt_rep_if_crt,state 4, old if ppp0, new if ppp0
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN: do_install, nat 0, spi 1
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN:do_priv, action 1
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN:do_app_rules, action 1
    Feb 10 03:05:28 1.2.3.4 cfgmgr(dhcprelay): Feb 10 03:05:28 | dhcpfwd_ehandler event = 503
    Feb 10 03:05:28 1.2.3.4 cfgmgr(rip): Feb 10 03:05:28 | routed_ehandler : EVENT = 503 origin = pppoa-108
    Feb 10 03:05:28 1.2.3.4 cfgmgr(rip): Feb 10 03:05:28 | routed_ehandler name NO HANDLER for EVENT = 503
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcpfwd2): Feb 10 03:05:28 | dhcpfwd_ehandler event = 503
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcpfwd1): Feb 10 03:05:28 | dhcpfwd_ehandler event = 503
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcpfwd0): Feb 10 03:05:28 | dhcpfwd_ehandler event = 503
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcps2): Feb 10 03:05:28 | ID = landhcps2 Event Rcvd = 503 STATE = 0
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcps1): Feb 10 03:05:28 | ID = landhcps1 Event Rcvd = 503 STATE = 0
    Feb 10 03:05:28 1.2.3.4 cfgmgr(landhcps0): Feb 10 03:05:28 | ID = landhcps0 Event Rcvd = 503 STATE = 0
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN:fwan_evt_rep_if_name
    Feb 10 03:05:28 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:05:28 | FWAN:fwan_evt_rep_if_name,state 5
    Feb 10 03:06:02 1.2.3.4 cfgmgr(fwan-106): Feb 10 03:06:02 | FWAN:fwan_evt_rep_if_del, state 5
Is anyone able to give me some insight into what is going on in the logs of the Solwise running the Routertech firmware? I appreciate it's old firmware but Solwise have not, to my knowledge, made any other versions available. If the version we are running has known major holes/vulnerabilities I'd be grateful if someone would point it out so we can discontinue using it.

Thanks, in advance, for any input.
Leslie
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Re: Weird(?) repetative info in logs

Post by thechief » Sat Feb 11, 2012 5:36 pm

Your 600ER has a version of RouterTech v2.1 that we customised for Solwise. There is nothing wrong with the firmware itself, other than that it is very old. The log entries are unfamiliar to me - they may be there for any number of reasons. Your best bet is to restart the router and see whether things settle down.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
lesliejones
Newbie
Newbie
Posts: 3
Joined: Sat Feb 11, 2012 12:21 pm

Re: Weird(?) repetative info in logs

Post by lesliejones » Sat Feb 11, 2012 8:31 pm

thechief wrote:Your 600ER has a version of RouterTech v2.1 that we customised for Solwise. There is nothing wrong with the firmware itself, other than that it is very old. The log entries are unfamiliar to me - they may be there for any number of reasons. Your best bet is to restart the router and see whether things settle down.
Thanks for your very kind response - really appreciated.

They have settled down now, my concern is why they were filling my syslog server. We recently put the Solwise back on to our DSL line because a Zoom was totally compromised from outside, despite all of its access being locked down. The attacker managed to mangle parts of the underlying busybox, insert custom iptables rules to redirect web traffic, put in a DNS proxy. Whilst they made such a hash of it that we quickly picked it up, I now get very jumpy when I see things I cannot easily explain in the logs.

Looking back at weeks of logs I'm not seeing anything else from it, but then it is not untypical for it to be up for 60+ days without us touching it.

Perhaps I should replace the Solwise with something a little more up-to-date? It's just it holds sync so well on our DSL and has a very low error rate.
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Re: Weird(?) repetative info in logs

Post by thechief » Sun Feb 12, 2012 3:56 pm

Check your log settings in the firmware web configuration, and make sure that the default is something sensible (like "Notice"). Perhaps you are logging too many things (avoid "Debug" unless you want to be swamped with data).

As for whether you should change the router, if it is doing the job, then why change it? The firmware is on a read-only squashfs partition, so it is relatively secure. I haven't yet heard of the firmware being compromised from outside. 60+ days operation is excellent - but that is plenty of time for all sorts of things to be going on. Personally, I would restart it every 3 weeks or so (unless that is going to cause problems with how your rig is setup). You can set up a cron job do do it.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
lesliejones
Newbie
Newbie
Posts: 3
Joined: Sat Feb 11, 2012 12:21 pm

Re: Weird(?) repetative info in logs

Post by lesliejones » Sun Feb 12, 2012 4:16 pm

Thank you.

Yes I am tracking 'debug' info as it shows all web interface activity - perhaps it gives way too much info, but it certainly got my attention when something out of the ordinary was going on.

I'm probably being overly paranoid as it has now transpired that we had two short power outages around this time, and the device is not on a UPS as it further away in the building by the telco demark point. If I pull the power on the unit I see pretty much the same messages so I suspect its normal.

I can't find any option on the unit itself to run a cron task to reboot the unit periodically. I'm guessing that perhaps there is an API call for it and have my syslog machine call it? Or I'll need to telnet in to get at this?
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Re: Weird(?) repetative info in logs

Post by thechief » Sun Feb 12, 2012 8:35 pm

lesliejones wrote:I can't find any option on the unit itself to run a cron task to reboot the unit periodically. I'm guessing that perhaps there is an API call for it and have my syslog machine call it? Or I'll need to telnet in to get at this?
You will need telnet.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Post Reply