Routers rooted? Oh dear!

Started by Technical Ben, Mar 04, 2014, 16:52:06


Technical Ben

http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/

I'm wondering if a friend's TP-Link router got hacked too. They had problems with the net. When I arrived, the router had its LAN off (a feature of the router is that it has individual port activation), but wifi on. The DNS is not one I recognized, and as I don't know their provider (will have to find the paperwork) I could not confirm who/what it was. Add to that that it was returning a strange google.com address, an ad to download Chrome ONLY and no search. Plus some other DNS problems, inability to recover DNS settings from the provider, and Google's DNS not working (I was at a loss for a free DNS on the spot :P ). Eventually it went back to normal, so I said I'll check up on it.

How would I find out/refresh this thing? Firmware upgrade/reflash just to be safe? Or am I being too paranoid? The DNS was 134.19.225.137 (I will blank this if it's confirmed dangerous).
I use to have a signature, then it all changed to chip and pin.

Tacitus

A reverse WhoIs on that IP address shows it is based in Georgia:

http://www.hashemian.com/tools/reverse-whois.php

Caucasus Online Ltd.
org-type:       LIR
address:        Caucasus Online LLC.
address:        Alexander Adamia
address:        71 Vaja Pshavela ave
address:        0186
address:        Tbilisi
address:        GEORGIA

No idea who this is or what he does, but it doesn't look promising.   :)

Technical Ben

Yeah. The backup/fallback was Google's own DNS. So I assumed it was not malicious, but I guess putting a little bit of the "good" in with the "bad" is the way to pass off this stuff. I'll revert both to Google DNS for now, reflash the firmware and see if I can lock the thing down. Else it's a refund/looooooong call to TP-Link. :P

Technical Ben

As far as we can tell it was!  :o

Technical Ben

Happened again. So I'm putting it down to the router not being fit for purpose. I will confirm the user is not clicking anything they should not (forged website etc). Though confirming the PC has nothing rooted on it is hard to impossible sadly.

Any advice on what router is best as a replacement? Only needs to be simple, no bells and whistles.

JB

Quote from: Technical Ben on Mar 09, 2014, 13:48:36
Happened again.

I know this might be blindingly obvious, but has your friend changed the default login from admin/admin or whatever it uses? Also, some TP-Link routers give the option to disable login via the net and just allow it from a local PC. Of course none of this applies if this is a full blown exploit.

'Keyboard not detected ~ Press F1 to continue'

Technical Ben

Yep. Have done. The problem being, that while it's a "drive by" hack probably, it's a very annoying thing to have such a risk/exploit. The password has been changed. So all I can assume is it's using existing credentials (login saved etc) from the browser. The pass was "admin:admin" but that was as is provided by the ISP, so I'm not considering the user at fault here (router setup by ISP/user setup to ISP specification). But the "log in remotely" is disabled. This is a spoof/cross site exploit on the routers login it seems.

Other than locking down the entire PC, I'd rather just replace it with a router that does not have such an easy exploit. Virus/malware scans come back clean. It literally seems to be that a site/sites/ads are sending a request to the router that it's happy to just plainly accept. So I'll check they are not clicking the link anew each morning; as AdBlock is on, it also rules out adverts as such. But why worry about sites with problematic code, when the router should not act this way in the first place?

http://securityevaluators.com/knowledge/case_studies/routers/tp-link_wr1043n.php

Changing the IP of the router might help, but assigning IP addresses is beyond me if it's not specifically step by step descriptions. As I'm bound to assign the correct IP but an "illegal" subnet or something, as I don't know the rules to how they have to be created. (Is 192.168.5.3 allowed? How do I set the "route"; is it the router's IP, the subnet? What's the difference between subnet "mask" and default "gateway"? It's all "Greek" to me. :P )
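The behaviour described in this post (a web page in the browser causing a request the router "plainly accepts") is cross-site request forgery against the admin interface. The example below is added here and is not from the thread or from TP-Link firmware; it models a hypothetical "set DNS" handler twice, once checking only the session cookie, and once also requiring a same-origin request and a per-session token that a foreign page cannot read. The session store, the router address 192.168.1.1 and all request values are constructed.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed session store for the hypothetical admin UI: cookie -> session data.
SESSIONS = {"cookie123": {"user": "admin", "csrf": secrets.token_hex(16)}}
ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the admin page


def vulnerable_set_dns(req):
    """Accepts any request carrying a valid session cookie. The browser attaches
    that cookie automatically, so a page in another tab can trigger this."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return {"ok": False, "reason": "not logged in"}
    return {"ok": True, "dns": req["form"]["dns1"]}


def hardened_set_dns(req):
    """Same action, but only honoured for a same-origin POST that carries the
    session's CSRF token."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return {"ok": False, "reason": "not logged in"}
    if req["method"] != "POST":                      # state changes only via POST
        return {"ok": False, "reason": "method not allowed"}
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    p = urlparse(origin)                             # must come from the router's own page
    if f"{p.scheme}://{p.netloc}" != ROUTER_ORIGIN:
        return {"ok": False, "reason": "cross-site origin"}
    token = req["form"].get("csrf_token", "")        # foreign pages cannot read this value
    if not hmac.compare_digest(token, sess["csrf"]):
        return {"ok": False, "reason": "bad csrf token"}
    return {"ok": True, "dns": req["form"]["dns1"]}


def forged_request():
    """Constructed: what a malicious page can make the browser send. The cookie
    is attached by the browser; Origin is the foreign site; no token."""
    return {"method": "POST", "cookies": {"sid": "cookie123"},
            "headers": {"Origin": "http://evil.example"},
            "form": {"dns1": "198.51.100.7"}}


def legitimate_request():
    """Constructed: the router's own settings form submitting with its token."""
    return {"method": "POST", "cookies": {"sid": "cookie123"},
            "headers": {"Origin": ROUTER_ORIGIN},
            "form": {"dns1": "8.8.8.8", "csrf_token": SESSIONS["cookie123"]["csrf"]}}
```

The same forged request is accepted by the first handler and rejected by the second, which is the difference a firmware fix for this class of bug has to make.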

Technical Ben

Called up the tech department at the ISP again. No details on their response, so decided to swap the router out. The original exploit may have been on the user's old XP machine. But since then it has not been plugged into the network and I've both flashed the firmware and reset settings (plus doing my best to lock it down, with the exception of changing the IP address). It could possibly be an exploit on the Windows 8 machine, but it still looks like a "drive by" exploit and not something we can prevent apart from completely locking down the browser.

So I'll wait to see from the ISP/tech department if the exploit is completely remote (and thus not related to the PC) and if they will send a different router out. They have enough complaints that they are checking back with their supplier (TP-Link as said).
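The one mitigation left undone above was changing the router's LAN address, because of the earlier question about which addresses and subnet values are "allowed". The helper below is added here (not from the thread) and uses Python's standard ipaddress module to derive the mask, network and broadcast from a router address given in CIDR form, and to say whether candidate host addresses such as 192.168.5.3 fit that subnet. The router address 192.168.5.1/24 and the candidates are constructed values.

```python
import ipaddress


def plan_lan(router_cidr, candidates):
    """router_cidr: the router's own address with prefix length, e.g. '192.168.5.1/24'
    (constructed; use the value actually configured on the router).
    Returns the subnet facts and a verdict for each candidate host address."""
    router = ipaddress.ip_interface(router_cidr)
    net = router.network
    facts = {
        # default gateway: the router itself, where hosts send non-local traffic
        "gateway": str(router.ip),
        # subnet mask: which leading bits identify the subnet (/24 -> 255.255.255.0)
        "netmask": str(net.netmask),
        # first and last addresses of the block are reserved, never given to a host
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
    }
    verdicts = {}
    for cand in candidates:
        addr = ipaddress.ip_address(cand)
        if addr not in net:
            verdicts[cand] = "outside subnet: host could not reach the gateway"
        elif addr in (net.network_address, net.broadcast_address):
            verdicts[cand] = "reserved: network or broadcast address"
        elif addr == router.ip:
            verdicts[cand] = "taken: that is the router/gateway itself"
        elif not addr.is_private:
            verdicts[cand] = "public address: pick an RFC 1918 range"
        else:
            verdicts[cand] = "ok"
    return facts, verdicts
```

If the router is moved to a new address, the DHCP range and any static hosts must be moved with it so that every host still passes the "ok" check against the new subnet.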