Linksys Wireless Router Hijacked

Discussion in 'hardware' started by billstephenson, Jun 24, 2010.

Thread Status:
Not open for further replies.
  1. billstephenson

    billstephenson Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    2
    I am no security expert, but this is an issue I recently came across.

    A while back "Ask.com" started redirecting me to web sites other than the one listed when I clicked a link in their search results pages.

    This problem continued to get worse and started affecting Yahoo and Google as well. It was driving me pretty crazy because I knew my Mac computers did not have a virus.

    Well, I spent some time tracking the issue down this week and found it was caused by my Linksys Wireless Router made by Cisco Systems.

    These routers are sold in Wal-Marts everywhere and meant to be used for home networks. The problem did not show up until the router's warranty had expired.

    The router had DNS numbers that pointed to a server that redirects URL requests to sites that display ads that someone collects money from when a user clicks on them.

    Here's the info on the DNS server that the router was using:

    It is hosted by ukrtelegroup.com.ua

    The DNS numbers are:

    93.188.161.105

    93.188.166.105

    If you use one of these Linksys routers you should check to see what DNS numbers it's using and I recommend changing them no matter what, as other pre-installed numbers from unreliable sources could also cause the problem.

    I called Cisco, they were no help at all. Said they've never heard of the problem. Wanted $100 bucks to tell me how to update the firmware, which did not solve the problem.

    If anyone here knows more about this please respond, as this is really all I know about it.

    Kindest Regards,

    Bill Stephenson
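A way to do the check Bill recommends (look at which DNS servers the router is handing out and compare them against the ones you actually chose), as an added example that is not code from this thread, from Cisco, or from Linksys. It takes the text of a router status page or a host's resolv.conf, pulls out the DNS addresses and classifies them. The two rogue addresses are the ones reported in the post above; the allowlist entries are TEST-NET placeholders standing in for your ISP's or chosen public resolver's real addresses, and the sample status page and the answer sets are constructed.

```python
"""Resolver audit: flag the DNS servers a router hands out.

Added example for this thread, not the poster's, Cisco's or Linksys's code.
Input is plain text copied from a router status page or a host's
resolv.conf (constructed sample below). The two rogue addresses come from
the first post; the allowlist entries are placeholders (TEST-NET-3)
standing in for your ISP's or chosen public resolver's real addresses.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption: replace with the resolvers you have deliberately configured.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Reported in the thread as the addresses the hijacked router was using.
KNOWN_ROGUE_RESOLVERS = {"93.188.161.105", "93.188.166.105"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DNS_LINE_RE = re.compile(r"dns|nameserver", re.IGNORECASE)


def extract_resolvers(text: str) -> List[str]:
    """Collect IPv4 addresses from lines that label a DNS server."""
    found: List[str] = []
    for line in text.splitlines():
        if not DNS_LINE_RE.search(line):
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if ip.is_unspecified:
                continue  # "0.0.0.0" means the slot is empty
            if candidate not in found:
                found.append(candidate)
    return found


def classify(addr: str) -> str:
    """ROGUE: listed in the thread. OK: on your allowlist.
    LOCAL: a private address (the router itself or an internal resolver);
    check where it forwards. UNKNOWN: public but not yours; verify it."""
    if addr in KNOWN_ROGUE_RESOLVERS:
        return "ROGUE"
    if addr in EXPECTED_RESOLVERS:
        return "OK"
    if ipaddress.IPv4Address(addr).is_private:
        return "LOCAL"
    return "UNKNOWN"


def audit(text: str) -> Dict[str, str]:
    """Map every resolver found in the text to its verdict."""
    return {addr: classify(addr) for addr in extract_resolvers(text)}


def divergent_names(suspect: Dict[str, List[str]],
                    trusted: Dict[str, List[str]]) -> List[str]:
    """Second check: resolve a few well-known names through the router's
    resolver and through one you trust; names whose answers differ are
    candidates for redirection (CDNs can differ too, so confirm by hand)."""
    return sorted(name for name in trusted
                  if set(suspect.get(name, [])) != set(trusted[name]))


# Constructed sample: what a hijacked router's status page might show.
ROUTER_STATUS = """\
Internet Connection Type: PPPoE
Internet IP Address: 198.51.100.27
Default Gateway: 198.51.100.1
DNS 1: 93.188.161.105
DNS 2: 93.188.166.105
DNS 3: 0.0.0.0
MTU: 1492
"""

# Constructed answer sets (placeholder addresses) for the divergence check.
TRUSTED_ANSWERS = {"search.example": ["203.0.113.10"], "mail.example": ["203.0.113.20"]}
SUSPECT_ANSWERS = {"search.example": ["198.51.100.99"], "mail.example": ["203.0.113.20"]}

if __name__ == "__main__":
    for addr, verdict in audit(ROUTER_STATUS).items():
        print(f"{addr:16} {verdict}")
    print("answers differ for:", divergent_names(SUSPECT_ANSWERS, TRUSTED_ANSWERS))
```

UNKNOWN is not a verdict of "bad": a public resolver you did not configure yourself simply needs verifying. A hit in the ROGUE set, or a LOCAL address that turns out to forward to one, is the thing to act on by resetting the router and changing its admin password.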
     
  2. robertoa81

    robertoa81 Registered Member

    Joined:
    Dec 16, 2009
    Posts:
    23
    Do you have the factory password and IP scheme set on your router? If so, it's not really that hard to hijack someone's router. I've done it with my neighbors' wifi routers before and it's really not that hard to do (only did it to prove a point to them). I don't know of any manufacturer that pre-configures the DNS settings in your router. Reset it to the default settings and change your admin password. Also, if you are using a wifi router make sure you have it set to the strongest encryption possible.
     
  3. billstephenson

    billstephenson Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    2
    Thanks, I'll do that. I still haven't reset the password.

    But I doubt anyone got to the wireless network, it sits inside a metal pole barn. They'd have had to be sitting right outside the door, and that's unlikely where I live.

    Since it sits behind the DSL modem, I wouldn't think it could be accessed over the web, am I wrong about that?
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  5. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hi billstephenson

    I don't think it's likely a Linksys thing: Googling 'Trojan DNS Changer' will give you a steer on how the router's DNS settings may have been switched.

    Read here, for example.

    philby
     
  6. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    You might find that it's safer to configure your DNS server addresses in Windows (under the TCP/IP Properties for your LAN or WLAN). The default is to get DNS addresses automatically, but you can enter the DNS addresses of your ISP or use a free service like OpenDNS (my own preference). I also configure my security suite (Kaspersky) so that only those DNS addresses are allowed.

    I'm not a security expert, but I think that this is more secure than relying on getting DNS addresses from a router.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Routers and other peripheral devices are compromised by attackers because they are the least secure items, least paid attention to, in most setups.
    One study of 1000 routers found 69% made no changes to the router security from default.

    There is malware designed specifically for routers, DroneBL rootkit, psyb0t, Chuck Norris botnet, ZLOB DNS Changer. Some are memory resident only while others change the firmware (embedded OS), and some change the DNS settings.
    In a majority of the cases it requires an infection on a host inside the LAN to launch a secondary attack against devices like Routers, Printers, and Set Top Boxes.
    The DroneBL team states that some devices can be compromised from the WAN (internet) side.

    In addition to checking the DNS, check the routing tables. You may be able to check the routing table from the administration console of your router. If it is a home type router, you may only be able to change the routing table by telnetting into the router and using the CLI to check and flush.
    Router routing tables
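One way to do the routing-table check suggested above, as an added example that is not code from this thread or from any router vendor. It parses the `route -n` / `netstat -rn` layout (Destination, Gateway, Genmask, Flags, ..., Iface) that Linux-based home routers and Linux live CDs print, and reports anything a plain home LAN should not have: a default route through a gateway other than the one you expect, a static route sending some destination through another gateway, or a directly connected network that is not your LAN. The gateway and LAN values, and the sample table, are assumptions/constructed.

```python
"""Routing-table audit for a Linux-based router or live CD.

Added example for this thread, not from any router vendor. It parses the
`route -n` / `netstat -rn` layout and flags routes a plain home LAN should
not have. Gateway and LAN values below are assumptions; substitute your own.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str, str]  # (network, gateway, flags, iface)


def parse_route_table(text: str) -> List[Route]:
    """Turn the text of `route -n` into (network, gateway, flags, iface) tuples."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a dotted-quad destination; skip headers and blanks.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, flags, iface))
    return routes


def audit_routes(text: str, expected_gateway: str, lan: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    lan_net = ipaddress.IPv4Network(lan)
    findings: List[str] = []
    for network, gateway, flags, iface in parse_route_table(text):
        if network == ipaddress.IPv4Network("0.0.0.0/0"):
            if gateway != expected_gateway:
                findings.append(
                    f"default route via {gateway} on {iface}, expected {expected_gateway}")
        elif "G" in flags:
            # A home LAN normally has no static routes through a gateway; a
            # route that sends some destination elsewhere deserves a look.
            findings.append(f"static route {network} via {gateway} on {iface}")
        elif network != lan_net and not network.is_link_local:
            findings.append(f"directly connected network {network} on {iface} is not the LAN")
    return findings


# Constructed sample: one suspicious static route in an otherwise normal table.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
198.51.100.0    192.168.1.254   255.255.255.0   UG    0      0        0 eth0
"""

if __name__ == "__main__":
    # Assumed values: the router is 192.168.1.1 and the LAN is 192.168.1.0/24.
    for finding in audit_routes(ROUTE_OUTPUT, expected_gateway="192.168.1.1",
                                lan="192.168.1.0/24"):
        print("FINDING:", finding)
```

The link-local 169.254.0.0/16 entry is ignored on purpose because many Linux systems add it by default; everything else that is neither the default route nor the LAN itself is reported so you can decide whether it belongs.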
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Before getting to a conclusion,

    please check your system with a Linux live CD.

    I suggest a simple solution: use a live CD of Ubuntu etc. without installing it on your computer and try surfing via it. If you see the same problem then your router might be causing it.

    If not, then maybe your Mac system or browser is generating the link that causes it. Also check what packets are being generated from your system.

    Check this thread as well:

    https://www.wilderssecurity.com/showthread.php?t=272327

    Secondly, please listen to what I am telling you with an open mind.

    There is no such thing as full security. Many users believe that Macs cannot be hacked, which is so untrue. There have been serious threats regarding browsers and especially plugins (Adobe, Flash Player, etc.); if they are exploited it can happen to any system: Windows, Mac, BSD, Linux, etc.

    Please check your browser plugins etc. and patch them; most of them have serious threats.

    For example, if Adobe Flash is being exploited, whether I have Windows, Mac or Linux, maybe my system doesn't get compromised but my browser can still be hijacked by that threat, so the best solution is to keep all your software up to date and patched.

    Check that site as well:

    http://secunia.com/

    http://secunia.com/advisories/40220
     
    Last edited: Jun 28, 2010
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Another DNS attack that may be relevant to your situation, DNS Rebinding.
    DNS Rebinding PDF
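The standard defence against the rebinding attack linked above is a filter in front of the LAN (the kind of rule some resolvers offer as an option) that refuses DNS answers mapping a public name to an internal address, and in particular a name that first answered with a public address and then flips to a LAN one. Here is that rule as an added example, not taken from the linked paper or from any resolver's source; the local-name suffixes and all addresses are assumptions/constructed, and it covers IPv4 only.

```python
"""DNS rebinding guard: refuse answers that point a public name at the LAN.

Added example for this thread, not taken from the linked paper. A resolver
or filter in front of the LAN can apply this rule; here it is a small class
you feed (name, answers) pairs as they arrive. Local suffixes and sample
addresses are assumptions/constructed. IPv4 only.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumption: names under these suffixes are allowed to resolve to LAN addresses.
LOCAL_SUFFIXES = (".lan", ".local")

# Address space a public name has no business resolving into.
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]     # loopback, link-local, "this" net


def is_internal(addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in INTERNAL_NETS)


class RebindGuard:
    def __init__(self, local_suffixes: Iterable[str] = LOCAL_SUFFIXES) -> None:
        self.local_suffixes = tuple(local_suffixes)
        # name -> True once it has answered with a public address
        self.seen_public: Dict[str, bool] = {}

    def check(self, name: str, answers: Iterable[str]) -> Tuple[bool, str]:
        """Return (allowed, reason) for one DNS answer set."""
        name = name.lower().rstrip(".")
        answers: List[str] = list(answers)
        if name.endswith(self.local_suffixes):
            return True, "local name"
        internal = [a for a in answers if is_internal(a)]
        if internal:
            # Rebinding pattern: the name first answers publicly (so the page
            # loads), then flips to an internal address so script in that page
            # can reach devices on the LAN under the same origin.
            if self.seen_public.get(name):
                return False, f"rebind: {name} previously public, now {internal}"
            return False, f"public name answered with internal address {internal}"
        self.seen_public[name] = True
        return True, "public answer"


if __name__ == "__main__":
    guard = RebindGuard()
    # Constructed sequence of answers as a filter might see them.
    for qname, addrs in [("site.example", ["198.51.100.5"]),
                         ("site.example", ["192.168.1.1"]),
                         ("router.lan", ["192.168.1.1"])]:
        print(qname, addrs, guard.check(qname, addrs))
```

The guard keeps per-name state because the second answer is only recognisable as a rebind in the light of the first; a stateless filter still blocks it, since any internal address for a non-local name is refused, but the reason string tells you which case you hit.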

     
  10. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,271
    Location:
    Nebraska, USA
    No. Wireless routers, yes. But wired routers are very secure - as long as users change the default password and don't keep it written down on a sticky note under their keyboard or stuck to their monitor.
     
  11. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Also, disable your router's WAN (external) management interface.
     