
Netgear WNR1000v3 Router Hacked - DNS Entries Changed

paulalexleeds
Newbie
Posts: 8
Registered: 27-01-2011

Netgear WNR1000v3 Router Hacked - DNS Entries Changed

It would appear that my Netgear WNR1000v3 router, which was supplied by Plusnet as part of the FTTC Trial, has been hacked in the last few days. We noticed that we were getting random popups in our browser across all devices attached to the router.
When I checked the settings via the router admin console the DNS entries had changed. The primary DNS was set to 107.170.189.30 and the secondary to 162.243.207.106. A quick Google search for these IPs shows they are linked to similar hacks and spam.
I'd always had the router admin password changed from the default and it was fairly strong, so the hack must have happened as part of a vulnerability in the router firmware. My firmware is old at version v1.0.2.28_50.0.60 and I know there is an update available, so will apply that, but even the latest one seems to have vulnerabilities.
I have now disabled the remote admin maintenance setting, as although it was useful to login from work to check things over, that was probably how the attacker got in.
My question really is this: Are Plusnet aware of any vulnerabilities in the routers they supply and if so, why wasn't I contacted and asked to update the firmware. They also don't seem to be blocking these DNS IP addresses at their side.
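
An added example, not part of the original thread: a client-side check that reads resolv.conf-style text and labels each DNS server, flagging the two addresses reported in the post above. The allowlist entry `192.0.2.53`, the sample text and the function names are constructed placeholders; substitute your ISP's real resolvers.

```python
import ipaddress

# The two resolver addresses reported in the post above.
REPORTED_ROGUE = {"107.170.189.30", "162.243.207.106"}
# Ranges a home client normally sees when the router itself forwards DNS.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Drop any IPv6 zone id (fe80::1%eth0) before validating.
                servers.append(str(ipaddress.ip_address(parts[1].split("%")[0])))
            except ValueError:
                continue  # malformed entry: skip it
    return servers

def classify(server, expected):
    if server in REPORTED_ROGUE:
        return "reported-rogue"
    if server in expected:
        return "expected"
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in LOCAL_NETS):
        # The router is proxying DNS; its upstream servers are only visible
        # on the router's own admin page, so check there as well.
        return "local-forwarder"
    return "unexpected"

def audit(resolv_conf_text, expected):
    return {s: classify(s, expected) for s in parse_nameservers(resolv_conf_text)}

# Constructed sample; 192.0.2.53 is a placeholder for the ISP's real resolver.
SAMPLE = """\
# handed out by DHCP (constructed)
nameserver 107.170.189.30
nameserver 192.168.1.1
nameserver 198.51.100.7
nameserver 192.0.2.53
"""
EXPECTED = {"192.0.2.53"}

if __name__ == "__main__":
    for server, label in audit(SAMPLE, EXPECTED).items():
        print(f"{server:16} {label}")
```

A "local-forwarder" result does not clear the router: the DNS servers it forwards to still have to be read from its admin console, as the poster did.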
9 REPLIES
Community Veteran
Posts: 3,380
Thanks: 4
Registered: 18-01-2013

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

There was a spate of hacked routers a while ago but I don't recall any of them being PN supplied - most were third party routers.
The DNS hacks would redirect customers to a fake Adobe page (or similar) when certain sites were accessed. This in turn would infect customers' machines.
All the above I may add was not a Plusnet issue.
You're the first customer I've heard who has had a PN supplied router hacked although the Netgear isn't the usual router they supply (they normally send out the almighty Thomson .......)
*Edit - some more info here : http://www.tntnetworx.net/netgear-wnr1000v3-backdoorbug/
Plusnet Staff
Posts: 6,346
Thanks: 31
Fixes: 5
Registered: 26-11-2011

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

Hi paulalexleeds,
I can only really echo DomS' comments here, this is the first Netgear Router that we've supplied that I've heard about having such issues. It's a router that we supplied quite some time ago as part of a trial, I'd be happy to send a replacement router out which would be a Technicolor 582n?
Chris Pettitt
Cloud Environments Engineer
Moderator
Posts: 18,518
Thanks: 1,812
Fixes: 223
Registered: 11-01-2008

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

I suppose if remote access was switched on then this might have been used, lot of effort though. http://seclists.org/bugtraq/2014/Jan/28


rongtw
Seasoned Hero
Posts: 6,973
Thanks: 1,531
Fixes: 12
Registered: 01-12-2010

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

I have the Netgear Router and must say I think it's much better than the Mighty Thomson, which I have as a spare.
I have Firmware Version V1.0.2.62_60.0.87 (http://support.netgear.com/product/WNR1000v3#wrapper) and Remote Access OFF! and have had no problems.
paulalexleeds
Newbie
Posts: 8
Registered: 27-01-2011

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

Thanks for all the responses, looks like there is a problem with the 1.0.2.28 firmware then and the timing seems to match, and is related to me having the remote access setting enabled.
I think Plusnet should get a communication out to customers who were sent the Netgears.
Probably off topic, but is the Technicolor 582n a good router? Can't hurt trying it out I suppose, and might put the wife's mind at rest if using a different router. Chris, do you need my contact details?
Regards
Paul.
Plusnet Staff
Posts: 6,346
Thanks: 31
Fixes: 5
Registered: 26-11-2011

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

Hi Paul,
We no longer supply the Netgear Router and as it was only sent out as a trial we have very limited support for it. You're the first person we've heard back from with regards to this, but I'll pass your comments on.
I've posted you out a Technicolor 582n router. I've used a 582n and have never had any issues with it personally.
Chris Pettitt
Cloud Environments Engineer
paulalexleeds
Newbie
Posts: 8
Registered: 27-01-2011

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

Thanks Chris, superb customer service.
kevinduke
Grafter
Posts: 26
Thanks: 2
Registered: 09-04-2013

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

paulalexleeds
Newbie
Posts: 8
Registered: 27-01-2011

Re: Netgear WNR1000v3 Router Hacked - DNS Entries Changed

From reading that post, I think you are right, it is related as I too had the "Internet connection require to login" setting changed to no, when it should be yes. When I set it back to yes, it had remembered all the login details for Plusnet, but I hadn't noticed it had also changed the DNS entries, unless this was done in a separate hack later. I hope Netgear sort this out once and for all, because it doesn't look like they have fixed it properly in the newest firmware. In the meantime the lovely Yorkshire folk are sending me a new router.