Router Vulnerability

chrispurvey
Plusnet Alumni (retired)
Posts: 5,369
Fixes: 1
Registered: ‎13-07-2012

Router Vulnerability

Hi Folks,
As we've recently seen a number of router vulnerabilities reported that lead to DNS issues, we've put together some guidance on how to help resolve this. This might not cover every router open to the vulnerability, as there may be more than we are aware of.
The issue occurs when a router's DNS settings have been changed. This could be because they were entered wrongly by the customer, a firmware issue, or a malicious attempt to compromise the router.
Symptoms:
You may or may not notice if your router has had its DNS settings altered. Something you may encounter is reaching webpages you weren't expecting once you've entered your URL, e.g. being prompted to update your Flash Player.

This could indicate that your router's DNS has been compromised.
Affected Routers:
We're aware of a few makes and models that may be susceptible to this, but there are possibly more that we are unaware of;
TP-Link (TD-8840T, TD-W8151N, WR1043ND V1, TL-WDR3600, and potentially more) Linksys (Models: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900 and potentially more) and we've also seen reports of Edimax routers too.
How do I check if I'm affected?
Log in to your router's interface and check the DNS server address. This should read 212.159.6.9 or 212.159.6.10, or in some cases both if your router allows for a backup DNS server address. This may also be different if you have set it previously.
To rectify:

  • Check your DNS server address if possible. This should be set to 212.159.6.9 or 212.159.6.10 unless you have chosen otherwise. If they appear to be something you're not familiar with, then we'd recommend using the aforementioned settings.

  • Log in to your router and make sure no services on your router are open on your WAN (externally), such as DNS, router config, telnet and SSH. This will be done via your router's interface.

  • Update to your latest router firmware. This should be found on your router manufacturer's website.

  • It's also recommended to change the default login credentials for your router. This again is normally done via the router's interface.


Other DNS checks:
Via your computer, you need to find the DNS settings.
Windows users: http://www.plus.net/support/software/dns/changing_dns_windows7.shtml
Mac users: http://www.plus.net/support/software/dns/changing_dns_mac.shtml
You can follow the above steps and enter the DNS server address (as above) manually.

Further detailed information regarding possible router vulnerabilities and symptoms can be found in the articles below:
http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-se...
http://www.cbits.co.uk/ourblog/uncategorized/fake-flash-player-update-virus-routers-tp-link/
https://s.aa.net.uk/1900
https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

If your router isn't listed above, you are being affected by this issue, and none of the above has helped, then please let us know. Please include the make and model of your router along with, if possible, the DNS server address that is currently in your router.
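The "How do I check if I'm affected?" and "Other DNS checks" steps above amount to one test: are the resolvers in use the Plusnet ones (212.159.6.9 / 212.159.6.10) or something you don't recognise? The script below is an added example, not part of the original post or Plusnet's own tooling. It parses a resolv.conf-style list of nameservers (a constructed sample is embedded; on a Linux machine you would read /etc/resolv.conf, and the same list could be typed in from a router's web interface) and classifies each address as trusted, a local LAN address (which usually means the router is forwarding DNS, so the router's own settings still need checking), or unexpected. The placeholder 203.0.113.45 is a documentation address standing in for a rogue resolver.

```python
"""Audit configured DNS resolvers against the ISP's expected addresses.

Added example: checks a list of nameservers (e.g. from /etc/resolv.conf or
copied from a router's DNS settings page) for addresses that are neither the
trusted resolvers nor private LAN addresses.
"""
import ipaddress
import re

# Resolvers named in the post above.
PLUSNET_DNS = {"212.159.6.9", "212.159.6.10"}

# RFC 1918 and loopback ranges: a nameserver here is normally the router
# itself or a local forwarder, so the router's own settings must be checked.
LAN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample: what a LAN client might show after its router was
# hijacked. 203.0.113.45 is a documentation-range placeholder, not a real host.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.45
"""


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def classify(server: str, trusted=PLUSNET_DNS) -> str:
    """Classify one resolver address as trusted, local, unexpected or invalid."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if str(addr) in trusted:
        return "trusted"
    if any(addr in net for net in LAN_RANGES):
        return "local"
    return "unexpected"


def audit(servers, trusted=PLUSNET_DNS):
    """Return (ok, findings); ok is False if any public, non-trusted resolver is set."""
    findings = [(s, classify(s, trusted)) for s in servers]
    ok = all(kind != "unexpected" for _, kind in findings)
    return ok, findings


if __name__ == "__main__":
    ok, findings = audit(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for server, kind in findings:
        print(f"{server:<16} {kind}")
    print("OK" if ok else "WARNING: unexpected DNS server present; check the router")
```

A "local" result is not a clean bill of health: if the only nameserver is 192.168.1.1, the router is answering DNS on the LAN and the addresses it forwards to are the ones that matter, which is exactly what the "Login to your router's interface" step above checks.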
27 REPLIES
TORPC
Grafter
Posts: 5,163
Registered: ‎08-12-2013

Re: Router Vulnerability

Thanks for the useful guidance Chris
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Router Vulnerability

Thanks for this.
A couple of things:
1) Could you make the picture a little bit bigger?
2) Can this be sent out to customers via email (I think only a small % frequent these forums..)?
chrispurvey
Plusnet Alumni (retired)
Posts: 5,369
Fixes: 1
Registered: ‎13-07-2012

Re: Router Vulnerability

I've made the picture more visible. As this seems to be an issue with 3rd party routers, it's not something we'd send out to the whole customer base.
Our support staff have been briefed on this though to advise customers.
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Router Vulnerability

Just as a matter of curiosity Chris, was the message sent to this customer an automated one or was the issue reported / spotted and changes made manually ?
http://community.plus.net/forum/index.php/topic,124724.0.html
chrispurvey
Plusnet Alumni (retired)
Posts: 5,369
Fixes: 1
Registered: ‎13-07-2012

Re: Router Vulnerability

It's our network team that have implemented the necessary changes, so a manual process after being spotted.
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Router Vulnerability

Cheers - good to see some proactive work going on
meastaugh
Newbie
Posts: 2
Registered: ‎13-03-2014

Re: Router Vulnerability

I have a TP Link TD-W8961ND and over the last few days I have experienced one of these "Pharming" attacks. As described above something managed to update my router settings so that the DNS was no longer pointing to a correct one (212.159.6.9) but to a fake one. This meant when accessing Google and BBC sites I got a pop up saying "update your flash player". This affected everything (Windows laptops, android phones and tablets and iphones) connecting via the router.
Clicking through the fake "update Flash Player" triggered the anti-virus, so fortunately we didn't download anything.
One additional thing that took me some time to spot was that the attack also switched off the ethernet ports on the router so wired connections ceased to work.
All this even though I have my own password set up for router administration not the default one.
digitalham
Rising Star
Posts: 97
Fixes: 1
Registered: ‎04-12-2013

Re: Router Vulnerability

Were these changes able to be done even without telnet or http ports open to the WAN? That sounds to be quite a large vulnerability if so. If not, it's simply carelessness.
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Router Vulnerability

There's a fresh round of DNS router hijacks going on today according to reports on Twitter.
From what I've read, a lot of the Zyxel/Linksys routers have had external WAN (on port 80) access turned on by default. There's a simple command that can be submitted (in the format of http://user:pass@xx.xx.xx.xx/**command** ) that will change the DNS servers of the router to that of the spoof DNS servers.
I don't think any of the affected router manufacturers have released any warnings or firmware updates - which is pretty poor.
I think anyone with a router should:
1) Not use the default username/password supplied with the router.
2) Should ensure that WAN web access is turned off, unless necessary. If it is to be used, a non-standard port should be used and https should preferably be used.
3) External telnet should be disabled, unless necessary.
4) Firewall should be enabled.
Laser
Grafter
Posts: 206
Registered: ‎23-09-2007

Re: Router Vulnerability

My own experience of being "nobbled" by the TP-Link variant was indeed that the changes were made independently of me doing anything, suggesting a WAN route. The DNS would re-assign itself within 48 hrs regardless. Since deactivating the (default enabled) WAN configuration access, it has been all good for a couple of weeks now.
I find it incomprehensible that a system weak enough to apparently allow remote config changes, even when the password has been changed to a strong one, would allow WAN access by default! (And make it non-obvious how to turn that off.)
TheScorpionsTal
Newbie
Posts: 3
Registered: ‎27-03-2014

Re: Router Vulnerability

Hi
Firstly, thank you for yesterday’s e-mail concerning the implementation of a firewall. A few questions, if I may:
The e-mail suggests that Plusnet knows what make and model of router I’m using. Out of interest, is this the case? Do routers identify themselves, in the same way that I am identified as a customer having an account? It’s not something I’d ever thought about before, and wondered how global this e-mail was.
The e-mail offers an alternative router for purchase, but doesn’t tell me what make / model it might be. Can Plusnet provide that information please? I’m a bit wary, because the unit being offered seems relatively inexpensive, even before the discount. What assurances can the manufacturer give that it is not as vulnerable to hijacking as any other? It would be pointless to change if for the next hijacking target.
I suppose thanks are due to Adobe for making this so easy for attackers. By providing an application which seems to have all the vulnerabilities of a colander, no one is surprised to see a supposed update required to Flash Player, and the unwary just click on it.
I run openSUSE, and netconfig update -f restored the DNS settings, but finally - and simply out of interest - I wondered why the DNS servers being recommended were the Plusnet tertiary ones, rather than the primary and secondary servers whose IP addresses have been specified hitherto? I've yet to change to them.
Thank you.
GRAHAM
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Router Vulnerability

Graham - the chances are that PN have noticed suspicious activity on certain ports from your connection so have implemented the firewall to protect you (and others) - there are a number of brands of routers that are affected.
The Adobe issue is a bit of a red herring. Your router will redirect you to a page which pretends to be from Adobe - it has absolutely nothing to do with Adobe (this time!).
Also check the DNS servers set on your router itself - this is where the "hackers" reset the DNS servers to their own hijacked ones. I personally use 8.8.8.8 (Google) and whatever the OpenDNS ones are.
TheScorpionsTal
Newbie
Posts: 3
Registered: ‎27-03-2014

Re: Router Vulnerability

I appreciate it's nothing to do with Adobe, Dom, but the seemingly perpetual vulnerabilities of Flash Player just hand the villains something that many are going to fall for!
GRAHAM
PeeGee
Pro
Posts: 1,217
Thanks: 84
Fixes: 3
Registered: ‎05-04-2009

Re: Router Vulnerability

Quote from: TheScorpionsTale
I run openSUSE, and netconfig update -f restored the DNS settings, ....

Have you thought of running something like dnsmasq (provides a caching DNS forwarder/DHCP service) on your system?
I also use openSUSE, but have a "backup" system running Mint with BIND and isc-dhcp-server - the latter added following Plusnet's e-mail - so I am no longer using the router for either of these services.
Local caching speeds things up as well.
Phil
Plusnet FTTC (Sep 2014), Essentials (Feb 2013); ADSL (Apr 2009); Customer since Jan 2004 (on 28kb dial-up)
Using a TP-Link Archer VR600 modem-router.