Linksys Wireless Router Hijacked

I am no security expert, but this is an issue I recently came across.

Awhile back "Ask.com" started redirecting me to web sites other than the one listed when I clicked a link in their search results pages.

This problem continued to get worse and started affecting Yahoo and Google as well. It was driving me pretty crazy because I knew my Mac computers did not have a virus.

Well, I spent some time tracking the issue down this week and found it was caused my Linksys Wireless Router made by Cisco Systems.

These routers are sold in Wal-Marts everywhere and meant to be used for home networks. The problem did not show up until the router's warranty had expired.

The router had DNS numbers that pointed to a server that redirects URL requests to sites that display ads that someone collects money from when a user clicks on them.

Here's the info on the DNS server that the router was using:

It is hosted by ukrtelegroup.com.ua

The DNS numbers are:

93.188.161.105

93.188.166.105

If you use one of these Linksys routers you should check to see what DNS numbers it's using and I recommend changing them no matter what, as other pre-installed numbers from unreliable sources could also cause the problem.

I called Cisco, they were no help at all. Said they've never heard of the problem. Wanted $100 bucks to tell me how to update the firmware, which did not solve the problem.

If anyone here knows more about this please respond, as this is really all I know about it.

Kindest Regards,

Bill Stephenson

 

Do you have the factory password and ip scheme set on your router? if so its's not really that hard to hijack someones router. I've done it with my neighbors wifi Routers before and its really not that hard to do (only did it to prove a point to them). I dont know of any manufacturer that pre-configures the DNS settings in your router. Reset it to the default settings and change your admin password. Also, if you are using a wifi router make sure you have it set to the strongest encryption posible.

 

Thanks, I'll do that, I'll still haven't reset the password.

But I doubt anyone got to the wireless network, it sits inside a metal pole barn. They'd have had to be sitting right outside the door, and that's unlikely where I live.

Since it sits behind the DSL modem, I wouldn't think it could be accessed over the web, am I wrong about that?

 

are you confident that there is no malware running on your machine? if not, visit one of the volunteer sites for further assistance
https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3

 

Hi billstephenson

I don't think it's likely a Linksys thing: Googling 'Trojan DNS Changer' will give you a steer on how the router's DNS settings may have been switched.

Read here, for example.

philby

 

You might find that it's safer to configure your DNS server addresses in Windows (under the TCP/IP Properties for your LAN or WLAN). The default is to get DNS addresses automatically, but you can enter the DNS addresses of your ISP or use a free service like OpenDNS (my own preference). I also configure my security suite (Kaspersky) so that only those DNS addresses are allowed.

I'm not a security expert, but I think that this is more secure than relying on getting DNS addresses from a router.

 

Routers and other peripheral devices are compromised by attackers because they are the least secure items, least paid attention to, in most set ups.
One study of 1000 routers found 69% made no changes to the router security from default.

There is malware designed specifically for routers, DroneBL rootkit, psyb0t, Chuck Norris botnet, ZLOB DNS Changer. Some are memory resident only while others change the firmware (embedded OS), and some change the DNS settings.
In a majority of the cases it requires an infection on a host inside the LAN to launch a secondary attack against devices like Routers, Printers, and Set Top Boxes.
The DroneBL team states that some devices can be compromised from the WAN (internet) side.

In addition to checking the DNS check the routing tables. You may be able to check the routing table from the administration console of your router. If it is a home type router, you may only be able to change the routing table by telneting into the router and using the CLI to check and flush.
Router routing tables

 

before getting to conclusion

please check your system with some live cd of linux


i sugest you simple solution use live cd of ubuntu......etc without installing it to your computer try surfing via it if you see same problem then your router might causing it

if no then may be your mac system or browser generating the link causing it also check what packets generating from your system.

check this thread as well

https://www.wilderssecurity.com/showthread.php?t=272327


secondly please what i am telling you is listen to it with open mind

there is no such this as fully security many users believe that mac are cannot be hacked which is so untrue there been serious threats regarding browser and specially plugin adobe and flash player ...etc if they exploited it can happen to any system windows mac bsd linux ...............etc


please check your browser plugins .........etc and patch them most of them having serious threats.

for example if adobe flash is going through exploit i got windows mac linux.......may be my system dont compromise but still my browser can be hijacked by that threat so best solution is keep all your softwares upto date and patched

check that site as well

http://secunia.com/

http://secunia.com/advisories/40220

 

Another DNS attack that may be relevent to your situation, DNS Rebinding.
DNS Rebinding PDF

 

No. Wireless routers, yes. But wired routers are very secure - as long as users change the default password and don't keep it written down on a sticky note under their keyboard or stuck to their monitor.

 

Also, disable your router's WAN (external) management interface.