After a quick glance last week at this thread seems I have the same prob http://www.wilderssecurity.com/showthread.php?t=211813&highlight=rootkit+router
So here's the situation.

I run windows behind a 4port nat router with the latest available firmware, setup with what might be described as "paranoid settings.
I have had it running untouched this way for a couple of years. The modem I turn off when not being used, and according to the tech at my isp it's firmware is non-upgradeable.

Couple of weeks ago:

nic started to fail. Initially the traffic indicator light on the router became intermittent and then it's prescence (as indicated by the lights) disappeared altogether. Though initially device manager indicated that it was working properly, it eventually vanished altogether.

Initially suspecting a hardware failure of some sort I tried it in different slots, no go.

Next steps:

-Flash mobo bios, rundisk utility and find bad sectors.
-Format, take a "cloned to disk" backup of about a year ago and clone back. (EDIT: again run disk util, all fine)
Voila! All seems fine. Update av, after a few days same thing.
-Take hard drive clone of three years ago off shelf, do not update anything.
Voila! All seems fine. After a few days, same thing.


Under every circumstance linux works fine. (I dual boot) Clones were without linux. Linux was installed after clone back to known functional setup each time.

Would seem nic or router has been comprised, router has not been re-flashed and is currently running fine (EDIT: under linux) for several days, including browsing. Router traffic seems to initiate on it's own with modem off. (I also have a habit of powering off router) Haven't as yet checked for traffic with computer off.

I run several utils to disable all kinds of stuff. I don't normally use IE though it is there, and Internet Properties is even more paranoidly set. Firefox or Opera under Win. After available update at MS (again some years back) the messenger service could not be disabled.

My next step is to replace nic with same model (brand new) and spare unused router of same model, and go through same procedure of flash format and clone. I'm betting all will be fine under Win.

What do you suppose has caused this?

ok, time at cafe about to expire, and I must go shortly, will check back tomorrow.

No thoughts on possibility router has been hacked somehow?

FWIW

All working fine for last few days.

Why it would work fine for a while then fail, (whilst all the while np under linux)......
suggests to me something odd coming from router/nic. (Unless the one site I was visiting for verifying functionality is the source)

Virtually identical system to original (by now I've upgraded a utililty, updated av), new router and nic.

ok, just for a little more info for the security people out there because the usual subjects of blame being raised for this, my scenario does not fall into:

ie
I installed nothing
My router's password was exceptionally crazy (in excess of twelve alpha-numeric and including symbols... set it and forget it, can always flash again) etc

had a look again at what I saved to disk that might be responsible

Some web pages saved, including links to codec packs (I do not believe I followed those links, nor were any saved) at the end of April

java disabled (not up to date, but >ver 1.3x)
vbs (windows scripting host installed)
and, of course, messenger service
FF approx 1.5 with noscript
MS patches not as up to date as was indicated-98se
EDIT: .net too, IIRC


I followed some links off a google search (almost immediately prior to incident) which is out of my ordinary habits but this would be my prime suspect: visiting web pages containing source of attack without my having knowingly run any executables

I could provide a good bit more detailed info but point is there is more going on that caused this then what I can find being talked about

hth

P.S.
Is anybody listening to this? lol

{QUOTE->

P.S.
Is anybody listening to this? lol <-QUOTE}

Yup,

I hate to see a guy talking with himself, so I am replying to let you know someone is "trying" to follow along :)

If this is a comprise of the router or NIC, does it make sense it would affect only windows , and not Linux? The function of both is OS independent isn't it?

What about putting the original NIC back in? If the system works ok, then the router is isolated as the single potential cause. This can then be verified by re-introducing the old router, which should bring back the problems.

The silence may be due to this type of (possible) infection being in unfamiliar territory for most folks. Or perhaps <need smiley here for the three monkeys of see no evil, hear no.......>

lol! thanks


Seems this has been brewing since late last year, maybe those three monkeys have something to do with the silence as you say...., but notwithstanding that,

Your suggestions are something I've been pondering doing, but for now it seems pretty certain that what has happened is some malware wrote to the router. Although the point about why it worked fine under Linux is something..., from what I've read in the meantime one of the things the malware is doing is opening up too many connections, perhaps the linux isn't allowing that. Nor would that, I suppose, account for the nic disappearing from device manager.

But I'm no I.T. pro here!

I've been looking around for possible explanations and solutions, though from my earlier posts one can gather that part of (if not the main) reason for my troubles is not being diligent in keeping everything up to date and patched! Along with foolish browsing of course...
From what I can gather there is a lot of re-directing to malicious sites going on.

At anyrate I found some interesting info while browsing at the cafe. Some quotes below from some sites I cannot vouch for. (I hope I'm not taking liberties here, but if there is an issue I'm sure a moderator will step in.)


From one of the sites: (a quote of a quote)

"They get themselves onto Google, then redirect people to their malware pages," ~ "though the ultra-wary might be suspicious because many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends."

"Once shunted to a malware-hosting site, the user might face a fake codec installation dialogue. If the user doesn't bite, the page's IFRAME will get him"

And from another:

"You're safest bet is to make sure you've got no-script installed in your Firefox Add-ons. A lot of these are javascript injections (a handful of therecent ones I've seen are .asp) which write IFRAMES into the page linking to the list of sites found in the ShadowServer Report."

It is also being strongly recommended to upgrade your Flash.

I have to say, had I kept to my normal discipline, I likely wouldn't have had this problem in the first place.

That is, to have disabled all the "features" which I neither need nor use, because in reality they are, to me, nothing more than come-ons, annoyances, "raison d'etre" and opportunity for the marketers and hackers to prove their (self)worth. (Do I need to add coders?)
The real problem is that the patches come bundled with the new features, which are full of holes, because the only way to thoroughly test them is to wait for the damage to happen, then bundle new holes with the next set of patches!

Please, just fix the damned stuff before upgrading it! And cut out the crap.


and

Long Live Linus!