possible remote router firmware flash--interesting, but alarming

Discussion in 'malware problems & news' started by cryptofox, Apr 8, 2015.

  1. cryptofox

    cryptofox Registered Member

    Apr 8, 2015
I have two routers--one is the gateway from ATT, and then I'm using another router as a repeater bridge in the other room. Last night, my gateway turned off because my alarm started beeping as it does when there is no phone connection. Eventually, it was able to reconnect. However, my bridge was unresponsive and showed an error. I then checked to see what the logs said, but the bridge was not reachable--it turns out I had been assigned an address of, which is not a default or something I assigned. So I find this very interesting.

    The router, bridge, and PC remain suspect, and I'm curious as to what you guys would check, assuming the worst. I am not anyone special, so I cannot imagine being targeted by a three-letter organization. However, I consider myself a cryptography enthusiast and activist.

    I plan to dump the firmware into a bin and hash it against stock, but I imagine there's far more to be done. I'm more curious than anything and want to be as thorough as possible. It is not a possibility to trash these items, though that may be what helps me sleep easy.
  2. fax

    fax Registered Member

    May 30, 2005
    Under certain conditions hardware that fails to connect via an established domain/network may reset itself to a local / non-routable IP, like the one you mention. I leave the conspiracy theory to others and I would simply lean towards a NET/hardware event that caused the device to reset to localhost.
    Last edited: Apr 9, 2015
  3. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    169.254... addresses are APIPAs. The bridge might do that when it can't connect.

    Not sure what the deal is with the gateway. Automatic firmware update maybe? Overheating? Who knows.

    However, keep in mind you needn't be getting TLA attention to attract router attacks. There are a LOT of attacks against commodity router firmware, since it rarely gets updated. Personally I use an old laptop for my gateway, running a router/firewall Linux or BSD distro.
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    Logs? Uptime? Firmware version change? Any other clues?
  5. mvario

    mvario Registered Member

    Sep 16, 2008
    Haddonfield, IL
    Those are RFC 3927 addresses. For example, booting systems that are configured for DHCP but can't locate a DHCP server may auto-configure with an RFC 3927 address.
  6. Mayahana

    Mayahana Banned

    Sep 13, 2014
    That is a normal, default, non-routable IP address when DHCP can't be grabbed. I see it 1000 times a week.

    Nothing to worry about.
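A small triage helper that applies what the replies describe: it classifies an address as RFC 3927 link-local (169.254/16) versus RFC 1918 private, walks DHCP client log lines to confirm the link-local address only appeared after a failed lease attempt, and hashes a firmware dump for comparison against the vendor's stock image digest (the check the original poster planned). This is added example code, not from the thread; the hostnames and udhcpc-style log lines are constructed.

```python
import hashlib
import ipaddress
import re

# Constructed udhcpc-style log lines for a bridge whose gateway dropped out
# (sample data, not taken from the thread).
SAMPLE_LOG = """\
Apr 08 02:11:40 bridge udhcpc: sending discover
Apr 08 02:11:44 bridge udhcpc: sending discover
Apr 08 02:11:48 bridge udhcpc: no lease, failing
Apr 08 02:11:49 bridge netif: br0 auto-configured 169.254.37.12/16 (link-local)
Apr 08 02:19:02 bridge udhcpc: sending discover
Apr 08 02:19:03 bridge udhcpc: lease of 192.168.1.23 obtained, lease time 86400
"""

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_address(addr: str) -> str:
    """169.254.0.0/16 is RFC 3927 link-local (APIPA), the DHCP-failure fallback."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "routable"


def triage_dhcp_log(text: str) -> dict:
    """Count DHCP discovers, note a 'no lease' failure, and record every address the
    interface took together with whether DHCP had already failed at that point."""
    discovers, dhcp_failed, addresses = 0, False, []
    for line in text.splitlines():
        if "sending discover" in line:
            discovers += 1
        elif "no lease" in line:
            dhcp_failed = True
        match = ADDR_RE.search(line)
        if match:
            addresses.append((match.group(1), classify_address(match.group(1)), dhcp_failed))
    # Link-local after a failed lease is the expected fallback; link-local with no
    # failure logged is the case worth a closer look.
    linklocal = [a for a, kind, _ in addresses if kind == "link-local"]
    unexplained = [a for a, kind, failed in addresses if kind == "link-local" and not failed]
    if unexplained:
        verdict = "link-local without DHCP failure: investigate"
    elif linklocal:
        verdict = "link-local only after DHCP failure: expected fallback"
    else:
        verdict = "no link-local fallback seen"
    return {"discovers": discovers, "dhcp_failed": dhcp_failed,
            "addresses": addresses, "verdict": verdict}


def firmware_sha256(data: bytes) -> str:
    """Digest of a dumped firmware image, to compare with the vendor's stock hash."""
    return hashlib.sha256(data).hexdigest()
```

Run `triage_dhcp_log(open("/var/log/messages").read())` on the bridge's own log, and feed `firmware_sha256` the bytes of the dumped image.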