
wow - Malware hacked the linksys router!

Last Updated: Feb 9th, 2011 11:47 am
Deal Addict
Feb 8, 2006
3786 posts
271 upvotes
Montreal


I was fixing someone's computers and I saw something I'd never seen before. Of course, I knew it was possible, but I didn't think I'd ever see it occur.

After installing itself on the computers, it hacked into the linksys router. That is, the router was set to a default password (admin), and it inserted its own rogue DNS servers into the linksys settings - effectively spreading search redirection spam to all computers on the network via google searches.

I would never have thought to look there.... I was getting bored during the malware scans and decided to poke around in the linksys router to see what options it had when I saw the strange DNS entries. Then I realized that the laptop I had brought in from home was also getting redirected to spam sites on google searches.

Here are the rogue DNS servers in question:
213.109.65.66
213.109.73.174

and a third entry that said 1.1.1.1 for some reason.

If you're very brave and curious, feel free to try these out to see the effect it has on google searches. (WARNING - you'll be forwarded to SPAM and virus sites! Security "professionals" only, in sandbox conditions)

The virus in question was Palladium pro (I think that's what caused it).

Anyway... good to keep in mind! Change the default password on your linksys, since it's vulnerable once an infected machine has penetrated the local network.
Heatware: 2-0-0
eBay: 69-0-0
14 replies
Deal Addict
Aug 15, 2010
2175 posts
516 upvotes
Toronto
Wow....

Was the router password protected at all? Or was it a simple password phrase, i.e., 12345, password, administrator, etc.?

That's crazy... I'm curious what the net habits were of the person with the infected router/network.
Deal Fanatic
Sep 10, 2005
5701 posts
3662 upvotes
GTA
Yes, this has been possible for a while unfortunately. Yet another reason to go in and change your router's password and security settings as soon as possible.
Deal Addict
Feb 8, 2006
3786 posts
271 upvotes
Montreal
Ironsmack wrote: Wow....

Was the router password protected at all? Or was it a simple password phrase, i.e., 12345, password, administrator, etc.?

That's crazy... I'm curious what the net habits were of the person with the infected router/network.

The password was 'admin', the default linksys password.
Heatware: 2-0-0
eBay: 69-0-0
Banned
Apr 15, 2006
4572 posts
126 upvotes
Chatham
cloneman wrote: The password was 'admin', the default linksys password.

It's very simple to do actually. EVEN if you change the default password, it can still crack it (if the password is simple enough).

However, there is a new method to crack your router without using a computer as a pivot point. They can crack your router (including DD-WRT and Tomato, OMG RFD's fav setup!) from outside (unless your password is complicated enough, which is not the case for 90% of ppl).
Deal Expert
Apr 16, 2001
16514 posts
3319 upvotes
jetway1212 wrote: However, there is a new method to crack your router without using a computer as a pivot point. They can crack your router (including DD-WRT and Tomato, OMG RFD's fav setup!) from outside (unless your password is complicated enough, which is not the case for 90% of ppl).

Link, please.
Blacklisted companies: Roku, Lenovo, Motorola, TP-Link, D-Link, Samsung, HP, LG, Public Mobile, EVGA, Blizzard
Deal Fanatic
May 1, 2003
6818 posts
565 upvotes
jetway1212 wrote: It's very simple to do actually. EVEN if you change the default password, it can still crack it (if the password is simple enough).

However, there is a new method to crack your router without using a computer as a pivot point. They can crack your router (including DD-WRT and Tomato, OMG RFD's fav setup!) from outside (unless your password is complicated enough, which is not the case for 90% of ppl).

You know that every router has a setting that you can set to only allow access from the inside network right? And one to only allow access via a wired (not wireless) connection. If you allow wireless and anyone on the internet access to your router administration even with a password, you are just asking for trouble. There is nothing stopping people from running brute force attacks on it.
Deal Addict
Nov 9, 2008
4465 posts
426 upvotes
Toronto
bionicbadger wrote: You know that every router has a setting that you can set to only allow access from the inside network right? And one to only allow access via a wired (not wireless) connection. If you allow wireless and anyone on the internet access to your router administration even with a password, you are just asking for trouble. There is nothing stopping people from running brute force attacks on it.
This.
Buy Bell, and you go to HELL! :-0
Banned
Apr 15, 2006
4572 posts
126 upvotes
Chatham
bionicbadger wrote: You know that every router has a setting that you can set to only allow access from the inside network right? And one to only allow access via a wired (not wireless) connection. If you allow wireless and anyone on the internet access to your router administration even with a password, you are just asking for trouble. There is nothing stopping people from running brute force attacks on it.
Nook wrote: This.

You both didn't understand my post.

I said I can crack your router just by knowing your WAN IP. I don't even care if you have a wired or wireless router or if I'm in your network (lol what kind of dumb assumption is that?)
Deal Fanatic
May 1, 2003
6818 posts
565 upvotes
jetway1212 wrote: You both didn't understand my post.

I said I can crack your router just by knowing your WAN IP. I don't even care if you have a wired or wireless router or if I'm in your network (lol what kind of dumb assumption is that?)

Send me a link to this article or crack. I'm curious as to how you can "crack" a router that is set to allow console access only from the inside wired network. The only things that you should be able to do is a denial of service, or you may be able to flood the routing table and hang the router, but even that is pretty unlikely. So please post a link or article.
Deal Expert
Apr 16, 2001
16514 posts
3319 upvotes
jetway1212 wrote: You both didn't understand my post.

I said I can crack your router just by knowing your WAN IP. I don't even care if you have a wired or wireless router or if I'm in your network (lol what kind of dumb assumption is that?)

And I call nonsense unless you post a link to proof of concept.
Blacklisted companies: Roku, Lenovo, Motorola, TP-Link, D-Link, Samsung, HP, LG, Public Mobile, EVGA, Blizzard
Deal Addict
Feb 8, 2006
3786 posts
271 upvotes
Montreal
bionicbadger wrote: You know that every router has a setting that you can set to only allow access from the inside network right? And one to only allow access via a wired (not wireless) connection. If you allow wireless and anyone on the internet access to your router administration even with a password, you are just asking for trouble. There is nothing stopping people from running brute force attacks on it.

This is valid, but the point here is that a router can be compromised even with everything you've suggested. Once a machine gets infected on the wired network, it can attack the router freely (brute force, vulnerabilities, default password).
Heatware: 2-0-0
eBay: 69-0-0
Deal Expert
Aug 2, 2004
38392 posts
12014 upvotes
East Gwillimbury
JAC wrote: And I call nonsense unless you post a link to proof of concept.

It is total nonsense.

Sure, there is a chance if you enable remote admin. If it is disabled, I don't care if the password is 1234, good luck getting into the router.

Most firmware don't even allow remote admin if the default password is not changed.
Banned
Apr 15, 2006
4572 posts
126 upvotes
Chatham
bionicbadger wrote: send me a link to this article or crack. I'm curious as to how you can "crack" a router that is set to allow console access only from the inside wired network. The only things that you should be able to do is a denial of service or you may be able to flood the routing table and hang the router, but even that is pretty unlikely. So please post a link or article
Hmm, you never mentioned console access only in your previous post. Don't try back pedaling. 99.9% of all the consumer router products use web administration. Even OpenWRT (father of Tomato) and DDWRT enable web admin by default. The odds of someone using such firmware just to access through console are NIL. Ask any network admin, they all don't want to use console just to monitor and make changes to the router configuration. Console access is mostly for major work like migration, etc.

There is no "link" I can give you. But I'll give you a hint: it has something to do with DNS.
JAC wrote: And I call nonsense unless you post a link to proof of concept.
It's not a proof of concept. It's been done as a proof of exploit. I believe all the manufacturers have been notified, including the developers of DDWRT.

The exploit is not about hacking routers but more of the browser. To give you a hint: don't use the same browser that you're surfing with to access the router webmin.
Gee wrote: It is total nonsense.

Sure, there is a chance if you enable remote admin. If it is disabled, I don't care if the password is 1234, good luck getting into the router.

Most firmware don't even allow remote admin if the default password is not changed.
I never said if you disable web admin. 99% of routers we buy off shelf use web access.
Deal Expert
Apr 16, 2001
16514 posts
3319 upvotes
jetway1212 wrote: Hmm, you never mentioned console access only in your previous post. Don't try back pedaling. 99.9% of all the consumer router products use web administration. Even OpenWRT (father of Tomato) and DDWRT enable web admin by default. The odds of someone using such firmware just to access through console are NIL. Ask any network admin, they all don't want to use console just to monitor and make changes to the router configuration. Console access is mostly for major work like migration, etc.

There is no "link" I can give you. But I'll give you a hint: it has something to do with DNS.
It's not a proof of concept. It's been done as a proof of exploit. I believe all the manufacturers have been notified, including the developers of DDWRT.
The exploit is not about hacking routers but more of the browser. To give you a hint: don't use the same browser that you're surfing with to access the router webmin.
I never said if you disable web admin. 99% of routers we buy off shelf use web access.

What, Heffner's exploit? You still need to hack the router's password, if it's not the default.


Anyhow.

1. Use Tomato firmware
2. Disable WAN & wireless access
3. Enable local HTTPS access and disable HTTP
4. Use a strong router password
5. Add "stop-dns-rebind" (without quotes) into the "Dnsmasq Custom Configuration" box
Blacklisted companies: Roku, Lenovo, Motorola, TP-Link, D-Link, Samsung, HP, LG, Public Mobile, EVGA, Blizzard
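Two defender-side checks that follow from this thread, written as added example code that is not from any post here nor from Tomato or dnsmasq: an allowlist audit of the router's static DNS fields (the rogue entries from the first post are the sample input) and a pure-Python approximation of the private-address test behind the stop-dns-rebind option in step 5. The trusted-resolver addresses are placeholders, and the range list is an approximation of dnsmasq's behaviour, not its code.

```python
import ipaddress

# Resolvers the network owner expects to see in the router's static DNS fields.
# Assumption: stand-in addresses from the RFC 5737 documentation range, not real resolvers.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Ranges an answer from an upstream (public) resolver should never contain; this
# approximates the private-address test behind dnsmasq's stop-dns-rebind option.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32",
)]


def audit_router_dns(configured):
    """Return the static DNS entries that are not on the allowlist.

    Blank fields and 0.0.0.0 are how a Linksys-style form shows an unused
    slot, so they are not reported.
    """
    return [ip for ip in configured
            if ip.strip() not in ("", "0.0.0.0") and ip.strip() not in TRUSTED_RESOLVERS]


def is_rebind_answer(address):
    """True if an A-record answer points into a range a public name must not use."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # malformed answer: treat as suspicious, never as safe
    return any(ip in net for net in REBIND_NETS)


def filter_upstream_answers(qname, answers):
    """Split upstream answers for qname into (kept, blocked), as stop-dns-rebind would."""
    kept = [a for a in answers if not is_rebind_answer(a)]
    blocked = [a for a in answers if is_rebind_answer(a)]
    if blocked:
        print(f"possible DNS-rebind attack detected: {qname} -> {blocked}")
    return kept, blocked


if __name__ == "__main__":
    # Constructed sample: the two resolvers and the odd third entry reported in the thread.
    rogue = audit_router_dns(["213.109.65.66", "213.109.73.174", "1.1.1.1"])
    print("unexpected DNS servers:", rogue)
    # Constructed sample: a public name whose upstream answer points at a LAN address.
    print(filter_upstream_answers("example.com", ["93.184.216.34", "192.168.1.1"]))
```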
