possible remote router firmware flash--interesting, but alarming

Discussion in 'malware problems & news' started by cryptofox, Apr 8, 2015.

  1. cryptofox

    cryptofox Registered Member

    Joined:
    Apr 8, 2015
    Posts:
    1
    I have two routers--one is the gateway from ATT, and then I'm using another router as a repeater bridge in the other room. Last night, my gateway turned off because my alarm started beeping as it does when there is no phone connection. Eventually, it was able to reconnect. However, my bridge was unresponsive and showed an error. I then checked to see what the logs said, but the bridge was not reachable--it turns out I had been assigned an address of 169.254.14.240, which is not a default or something I assigned. So I find this very interesting.

    The router, bridge, and pc remain suspect, and I'm curious as to what you guys would check, assuming the worst. I am not anyone special, so I cannot imagine being targeted by a three-letter organization. However, I consider myself a cryptography enthusiast and activist.

    I plan to dump the firmware into a bin and hash it against stock, but I imagine there's far more to be done. I'm more curious than anything and want to be as thorough as possible. It is not a possibility to trash these items, though that may be what helps me sleep easy.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Under certain conditions hardware that fails to connect via an established domain/network may reset itself to a local / non-routable IP, like the one you mention. I leave the conspiracy theory to others and I would simply lean towards a NET/hardware event that causes the device to reset to localhost.
     
    Last edited: Apr 9, 2015
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    169.254... addresses are APIPAs. The bridge might do that when it can't connect.

    Not sure what the deal is with the gateway. Automatic firmware update maybe? Overheating? Who knows.

    However, keep in mind you needn't be getting TLA attention to attract router attacks. There are a LOT of attacks against commodity router firmware, since it rarely gets updated. Personally I use an old laptop for my gateway, running a router/firewall Linux or BSD distro.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Logs? Uptime? Firmware version change? Any other clues?
     
  5. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    169.254.0.0/16 are RFC 3927 addresses. For example, booting systems that are configured for DHCP but can't locate a DHCP server may auto-configure with an RFC 3927 address.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    169.254.14.240 is a normal, default, non-routable IP address when DHCP can't be grabbed. I see it 1000 times a week.

    Nothing to worry about.
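Two things come up across the thread: classifying the 169.254.x.x address (RFC 3927 link-local, self-assigned when no DHCP lease is obtained, as fax, Gullible Jones, mvario and Mayahana say) and cryptofox's plan to dump the bridge firmware and hash it against a stock image. The script below is an added example written for this thread, not code from any poster or router vendor. It uses Python's standard ipaddress and hashlib modules, and the STOCK_IMAGE / DUMPED_IMAGE byte strings are constructed stand-ins for a real stock file and a real flash dump. Rather than stopping at "hashes differ", it walks both images in blocks and reports which byte ranges changed, since a whole-image mismatch on its own tells you little: per-device data such as a config/NVRAM partition or MAC addresses normally makes a dump differ from the vendor image even on a clean device.

```python
import hashlib
import ipaddress


def classify_address(addr: str) -> str:
    """Classify an IP as link-local, loopback, private or other.

    169.254.0.0/16 (RFC 3927) is reported as 'link-local': the host assigned
    it to itself because it never obtained a DHCP lease.  Order matters here,
    because ipaddress also flags link-local and loopback ranges as private.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "other"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an image, the value you would compare to a published stock hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(dumped: bytes, stock: bytes, block_size: int = 16) -> list:
    """Return [(start, end), ...] byte ranges where the two images differ.

    Blocks are compared at block_size granularity (use the flash erase-block
    size, e.g. 64 KiB, for a real dump).  A length mismatch is reported as one
    final region covering the extra tail.
    """
    regions = []
    n = min(len(dumped), len(stock))
    start = None
    for off in range(0, n, block_size):
        if dumped[off:off + block_size] != stock[off:off + block_size]:
            if start is None:
                start = off          # open a differing region
        elif start is not None:
            regions.append((start, off))   # close the region at this block
            start = None
    if start is not None:
        regions.append((start, n))
    if len(dumped) != len(stock):
        regions.append((n, max(len(dumped), len(stock))))
    return regions


def compare_firmware(dumped: bytes, stock: bytes, block_size: int = 16) -> dict:
    """Hash both images and, if they differ, locate the differing regions."""
    dumped_hash = sha256_hex(dumped)
    stock_hash = sha256_hex(stock)
    match = dumped_hash == stock_hash
    return {
        "dumped_sha256": dumped_hash,
        "stock_sha256": stock_hash,
        "match": match,
        "regions": [] if match else diff_regions(dumped, stock, block_size),
    }


# Constructed sample data (not real firmware): a 1 KiB "stock" image and a
# "dump" of it with two small modifications, one at offset 100 and one at 600.
STOCK_IMAGE = bytes(range(256)) * 4
_dump = bytearray(STOCK_IMAGE)
_dump[100:104] = b"\xff\xff\xff\xff"
_dump[600] ^= 0x01
DUMPED_IMAGE = bytes(_dump)


if __name__ == "__main__":
    # The address from the original post, plus two contrasting ones.
    for a in ("169.254.14.240", "192.168.1.1", "8.8.8.8"):
        print(f"{a:16} -> {classify_address(a)}")
    result = compare_firmware(DUMPED_IMAGE, STOCK_IMAGE)
    print("match:", result["match"])
    for start, end in result["regions"]:
        print(f"differs at bytes [{start}, {end})")
```

On a real device, feed compare_firmware the bytes of the dump and of the vendor image downloaded over a trusted channel, set block_size to the flash erase-block size, and then map each reported range onto the partition layout: ranges confined to a config or NVRAM partition are expected, while changes inside the bootloader or kernel/rootfs regions are what would warrant further investigation.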
     