6

Just bought a 3G router from China and then checked the log:

[1970-01-01 00:00:00] The system will be restored the factory value.
[1970-01-01 00:00:00] The system current version: 1.0.5.1.
[1970-01-01 00:00:00] The system restart all services.
[1970-01-01 00:00:03] UPnP had been enabled.
[1970-01-01 00:00:03] The IP&MAC bind had been enabled.
[1970-01-01 00:00:03] arpspoof had been enabled.
[1970-01-01 00:00:03] The Telnet service had been enabled
[1970-01-01 00:00:03] WAN Mode is : DHCP.

This is the router: http://www.ebay.com/itm/300M-3G-WAN-Wireless-N-WiFi-USB-AP-Router-2-Antennas-/200542526515?pt=AU_Networking&hash=item2eb1441c33

Is it normal? Maybe it is legitimate for configuration purposes? Like the citation below:

ARP spoofing can also be used for legitimate purposes. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. This technique is used in hotels and other semi-public networks to allow traveling laptop users to access the Internet through a device known as a head end processor (HEP).[citation needed]

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.

In case not, what should I do?

2 Answers

5

If you Google the log entry about arpspoofing you get a hit on the probable manufacturer, which is Huawei. They hold a patent to prevent arpspoofing (link to patent), and their products are discussed in several articles as a solution to the same. TomTop appears to be a wholesale marketer of Chinese products including Huawei routers.

It appears you have a poorly written/translated standard log entry for a good feature.

Pacerier
zedman9991
3

It is possible, but first I would try to confirm what is going on in more detail. I would hesitate to rely too heavily upon the appearance of the word "arpspoof" in a log file.

If you want to learn more about what your router is doing, there are several steps you could take. You could start by logging into the router as root, and try to learn more about what is running. You could check whether there is a process called arpspoof running, and if so, check what command-line arguments have been passed to it. You could poke around and see if you can find the startup scripts that are starting arpspoof, and see how they invoke it. You could use Ethereal (or some other packet sniffer) to observe packets on the network and see if you can detect instances of ARP spoofing.

If your router is used for a simple home network, I don't immediately see obvious risks, if the router is running some sort of ARP spoofing software.

D.W.
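The packet-sniffer check suggested in the last answer can be automated. The following is an added example, not part of the original thread: it parses raw Ethernet/ARP frames and flags an IP address whose claimed MAC changes, or an ARP sender field that disagrees with the Ethernet source. The function names, MAC addresses, IP addresses and sample frames are constructed for illustration; real frames would come from a capture taken on the LAN.

```python
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen = struct.unpack("!HHBB", frame[14:20])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(map(str, frame[28:32]))
    return frame[6:12].hex(":"), frame[22:28].hex(":"), sender_ip

def find_arp_anomalies(frames):
    """Return (frame_index, kind, ip, claimed_mac) tuples for suspicious ARP traffic."""
    seen, alerts = {}, []            # seen: ip -> MAC that last claimed it
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if eth_src != sha:           # ARP payload disagrees with the frame header
            alerts.append((n, "src-mismatch", spa, sha))
        if spa == "0.0.0.0":         # ARP probe: carries no IP-to-MAC binding
            continue
        if seen.setdefault(spa, sha) != sha:
            alerts.append((n, "ip-moved", spa, sha))
            seen[spa] = sha          # repeated flapping keeps alerting
    return alerts

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build a 42-byte sample frame in memory (test data only, nothing is sent)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(eth_src or sha) + struct.pack("!H", ARP_ETHERTYPE)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample: the gateway IP is claimed by two different MACs in turn.
GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE_FRAMES = [
    build_arp(2, GW, "192.168.1.1", HOST, "192.168.1.10"),
    build_arp(1, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, OTHER, "192.168.1.1", HOST, "192.168.1.10"),
    build_arp(2, GW, "192.168.1.1", HOST, "192.168.1.10"),
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_FRAMES):
        print(alert)
```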