Advice Request IP address blacklist

See this 2025-May report from the FBI re: consumer models: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
I covered this one here. The owners of affected models simply disabled the firewall and allowed remote administration of the router. Probably also had an admin/pass combo for the login.
This isn't a router issue. It was an issue on the ISP's side with their API for remote administration.
Check this out:
  • xlogin botnet, composed of compromised TP-Link routers that have both TCP ports TELNET/7777 and 11288 open.
  • rlogin botnet, targeting Ruckus Wireless devices with exposed TCP port TELNET/63210.
  • alogin botnet, composed of compromised Asus routers that have both TCP ports 63256 and 63260 open.
  • axlogin botnet, which appears to be deployed on Axentra NAS. It’s unclear which port may be targeted as the obtained malware sample was not observed in the wild.
  • zlogin botnet, deployed on Zyxel VPN appliances, listening on the port TELNET/325.
Again, not a router issue. Routers were "hacked" because they had TELNET ports open. Like a house in a street full of crime, protected by everything, but with a window left open in the kitchen.

If you have any more articles like this, post them so I can analyze.
 
@Marko :) I highly doubt that those telnet port openings are documented in their user manual. I think it is plain lax security: "If nobody knows about it then it is safe" - security via obscurity.
 
@Marko :) I highly doubt that those telnet port openings are documented in their user manual. I think it is plain lax security: "If nobody knows about it then it is safe" - security via obscurity.
And that's exactly the reason why they were open in the first place. You'd be surprised how many people go to the router settings to change their Wi-Fi password, just to mess something up. I know this because my parents are exactly the same. When they aren't sure of something, they'll just touch random things on their phones and then call me because their phone started acting up. This is why I support ISPs limiting settings in the router administration page. Advanced users will buy their own router and get access to the full settings either way.
 
Found an explanation:
"The shortish answer is that you have an IP address. A unique one that your provider (say, XYZ Hosting) "loans" you, in most cases. This unique IP allows you to get on and use the Internet. That IP address is one of a block, or bunch, that belongs to your provider. So, if you're the poor tech running ABC Pie Company and you get attacked by a user, you look up the IP address of the offender and find it's one of the "block" of IP addresses assigned to XYZ Hosting. Well, your boss wants this activity stopped, cold. So, knowing that a user could get ANY IP assigned to them from that block, you block the whole range. Brute force. Not exactly efficient, but effective. That wide net you cast catches some innocent users. It happens. VPNs are sometimes blocked, not just for bad actors, but simply for the fact that they are private -- to some degree or another -- and defeat all the goodies that companies use to track and such.

There are probably a host of other reasons an IP gets blocked. It might be a temporary measure that was put in place during an emergency and will work itself into a more effective block. The hosting provider may move all the users to an unblocked chunk they own. It's ugly, it happens. If you're working closely with a business that has your business blocked, they can use a "white list" or similar to allow access -- again, brute force."
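The range-level blocking and the "white list" exception described in the quoted explanation, as an added Python example that is not part of this thread: the provider ranges, the allowlisted address, the access-log lines and the RangeBlocklist class are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: a whole provider block ("XYZ Hosting") plus a second range
# are blocked; one known-good customer inside the first block is allowlisted.
BLOCKED_RANGES = ["203.0.113.0/24", "198.51.100.64/26"]
ALLOWLIST = ["203.0.113.77"]

# Constructed access-log lines in the form "<client ip> <request>".
SAMPLE_LOG = [
    "203.0.113.5 GET /login",    # offender inside XYZ Hosting's block
    "203.0.113.77 GET /orders",  # allowlisted customer on the same block
    "198.51.100.70 POST /api",   # inside the second blocked range
    "192.0.2.10 GET /",          # unrelated network, passes
]


@dataclass
class RangeBlocklist:
    """Blocklist of whole CIDR ranges; the allowlist always takes precedence."""
    blocked: list = field(default_factory=list)
    allowed: set = field(default_factory=set)

    def __post_init__(self):
        # Parse once so membership checks below are pure address comparisons.
        self.blocked = [ipaddress.ip_network(n, strict=False) for n in self.blocked]
        self.allowed = {ipaddress.ip_address(a) for a in self.allowed}

    def matching_range(self, ip: str):
        """Return the blocked network that contains `ip`, or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.blocked:
            if addr.version == net.version and addr in net:
                return net
        return None

    def decision(self, ip: str) -> str:
        """'allow' for allowlisted hosts, 'block' inside a blocked range, else 'allow'."""
        if ipaddress.ip_address(ip) in self.allowed:
            return "allow"
        return "block" if self.matching_range(ip) else "allow"


def triage(log_lines, blocklist):
    """Map each client IP in the log to the blocklist's verdict."""
    return {line.split()[0]: blocklist.decision(line.split()[0]) for line in log_lines}


if __name__ == "__main__":
    bl = RangeBlocklist(BLOCKED_RANGES, ALLOWLIST)
    for ip, verdict in triage(SAMPLE_LOG, bl).items():
        print(f"{ip:16} {verdict}  ({bl.matching_range(ip) or 'no blocked range'})")
```

The "collateral" case the explanation warns about is any other customer of the same provider: it matches the block exactly like the offender does, which is why the allowlist exception exists.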
