Router Vulnerability
Router Vulnerability
11-03-2014 5:24 PM
As we've recently seen a number of router vulnerabilities reported that lead to DNS issues, we've put together some guidance on how to help resolve this. This might not cover every router open to the vulnerability, as there may be more than we are aware of.
The issue occurs when a router's DNS settings have been changed. This could be due to the settings being entered wrongly by the customer, a firmware issue, or a malicious attempt to compromise the router.
Symptoms:
You may or may not notice if your router has had its DNS settings altered. Something you may encounter is reaching web pages you weren't expecting once you've entered your URL, e.g. being prompted to update your Flash Player.
This could indicate that your router's DNS has been compromised.
Affected Routers:
We're aware of a few makes and models that may be susceptible to this, but there are possibly more that we are unaware of:
TP-Link (TD-8840T, TD-W8151N, WR1043ND V1, TL-WDR3600, and potentially more), Linksys (models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900 and potentially more), and we've also seen reports of Edimax routers too.
How do I check if I'm affected?
Log in to your router's interface and check the DNS server address. This should read 212.159.6.9 or 212.159.6.10, or in some cases both, if your router allows for a backup DNS server address. This may also be different if you have set this previously.
To rectify:
- Check your DNS server address if possible; this should be set to 212.159.6.9 or 212.159.6.10 unless you have chosen otherwise. If the addresses appear to be something you're not familiar with, then we'd recommend using the aforementioned settings.
- Log in to your router and make sure no services are open on your WAN (externally), such as DNS, router config, telnet and SSH. This is done via your router's interface.
- Update to the latest router firmware; this should be found on your router manufacturer's website.
- It's also recommended to change the default login credentials for your router; this again is normally done via the router's interface.
Other DNS checks:
On your computer, you need to find the DNS settings.
Windows users: http://www.plus.net/support/software/dns/changing_dns_windows7.shtml
Mac users: http://www.plus.net/support/software/dns/changing_dns_mac.shtml
You can follow the above steps and enter the DNS server address (as above) manually.
Further detailed information regarding possible router vulnerabilities and symptoms can be found in the articles below:
http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-se...
http://www.cbits.co.uk/ourblog/uncategorized/fake-flash-player-update-virus-routers-tp-link/
https://s.aa.net.uk/1900
https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf
If your router isn't listed above, you are being affected by this issue, and none of the above has helped, then please let us know. Please include the make and model of your router along with, if possible, the DNS server address that is currently in your router.
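The checks in the post above (is the DNS server address one of 212.159.6.9 / 212.159.6.10, and is whatever is configured answering honestly?) can be scripted. The following is an added example and not code from the Plusnet post: it reads the resolvers a PC is actually using from /etc/resolv.conf or `ipconfig /all`, flags any that are not in the trusted set, then asks each suspect resolver directly for a canary name and compares the answer with a reference resolver. The reference resolver (8.8.8.8) and the canary name (www.plus.net) are assumptions, as is the router being reachable on UDP 53; swap in whatever you trust.

```python
"""Check a machine's configured DNS resolvers against the ISP's published ones
and cross-check what a suspect resolver answers for a canary name.

Added example, not code from the Plusnet post. TRUSTED_RESOLVERS are the two
addresses the post names; REFERENCE_RESOLVER and CANARY_NAME are assumptions.
"""
import random
import re
import socket
import struct

TRUSTED_RESOLVERS = {"212.159.6.9", "212.159.6.10"}  # from the post
REFERENCE_RESOLVER = "8.8.8.8"                         # assumption
CANARY_NAME = "www.plus.net"                           # assumption
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_resolvers(text):
    """Resolver IPv4 addresses from /etc/resolv.conf or `ipconfig /all` output
    (Windows lists additional servers on indented continuation lines)."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            found += IPV4.findall(stripped)
            in_dns_block = False
        elif "DNS Servers" in line and ":" in line:
            found += IPV4.findall(line.split(":", 1)[1])
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(stripped):
            found.append(stripped)
        else:
            in_dns_block = False
    return found

def unexpected_resolvers(resolvers, trusted=TRUSTED_RESOLVERS):
    """Resolvers outside the trusted set. A LAN address such as 192.168.1.1 means
    the router forwards for you: then read its WAN-side DNS setting, as the post says."""
    return [r for r in resolvers if r not in trusted]

def build_query(name, qid):
    """Minimal DNS query: header with RD set, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(resp, qid):
    """A-record addresses from a DNS response, after checking the ID matches."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response ID does not match the query")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(resolver, name, timeout=2.0):
    """Ask one specific resolver (not the system one) for name's A records."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)

def answers_agree(suspect_ips, reference_ips):
    """No overlap with the reference answer is the warning sign (a hijacked resolver
    hands out attacker addresses). CDN names rotate, so inspect rather than conclude."""
    return bool(set(suspect_ips) & set(reference_ips))

if __name__ == "__main__":
    import pathlib, subprocess, sys
    if sys.platform.startswith("win"):
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = pathlib.Path("/etc/resolv.conf").read_text()
    for r in unexpected_resolvers(parse_resolvers(text)):
        try:
            ok = answers_agree(resolve_via(r, CANARY_NAME),
                               resolve_via(REFERENCE_RESOLVER, CANARY_NAME))
        except (OSError, ValueError) as exc:
            ok = f"lookup failed: {exc}"
        print(f"{r} is not a trusted resolver; canary agrees with reference: {ok}")
```

If the flagged resolver is the router's LAN address, the PC is just forwarding through the router and the post's real check applies: log in to the router and read its own DNS server setting, because that is what the attack changes. A canary that disagrees with the reference is a prompt to look, not proof on its own, since CDN-fronted names can legitimately return different addresses from different resolvers.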
Re: Router Vulnerability
12-03-2014 8:51 AM
A couple of things:
1) Could you make the picture a little bit bigger?
2) Can this be sent out to customers via email (I think only a small % frequent these forums..)?
Re: Router Vulnerability
12-03-2014 9:28 AM
Our support staff have been briefed on this, though, to advise customers.
Re: Router Vulnerability
12-03-2014 9:40 AM
http://community.plus.net/forum/index.php/topic,124724.0.html
Re: Router Vulnerability
13-03-2014 7:41 PM
Clicking through the fake "update Flash Player" triggered the anti-virus, so fortunately we didn't download anything.
One additional thing that took me some time to spot was that the attack also switched off the ethernet ports on the router so wired connections ceased to work.
All this even though I have my own password set up for router administration not the default one.
Re: Router Vulnerability
25-03-2014 10:39 AM
From what I've read, a lot of the Zyxel/Linksys routers have had external WAN access (on port 80) turned on by default. There's a simple command that can be submitted (in the format http://user:pass@xx.xx.xx.xx/**command**) that will change the DNS servers of the router to those of the spoof DNS servers.
I don't think any of the affected router manufacturers have released any warnings or firmware updates - which is pretty poor.
I think anyone with a router should:
1) Not use the default username/password supplied with the router.
2) Ensure that WAN web access is turned off, unless necessary. If it is to be used, a non-standard port should be used and HTTPS should preferably be used.
3) External telnet should be disabled, unless necessary.
4) The firewall should be enabled.
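The first post's step about services open on the WAN and the checklist just above (WAN web access, telnet, firewall) come down to one question: what does the router answer on its public address? This added example, not code from the thread or from any router vendor, probes a WAN address for the usual management ports and turns the hits into the thread's hardening points; on any HTTP admin port it also fetches `/` so the auth challenge identifies the interface. The WAN address is supplied by you; the port list and the wording of the findings are assumptions about typical SOHO routers. Run it from outside your own LAN (a tethered phone or a VPS), because probing your own WAN IP from inside can hit NAT loopback and show you the LAN-side admin page, which proves nothing.

```python
"""Find out which management services a router exposes on its WAN address.

Added example, not code from the Plusnet thread or any router vendor. The WAN
address is supplied by you; the port list and the wording of the findings are
assumptions about typical SOHO routers. Run it from OUTSIDE your own LAN.
"""
import http.client
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor

# Services the thread says should not be reachable from the Internet.
MANAGEMENT_PORTS = {22: "SSH", 23: "telnet", 53: "DNS", 80: "HTTP admin",
                    443: "HTTPS admin", 8080: "HTTP admin (alternate port)"}

def probe_tcp(host, port, timeout=3.0):
    """True if the TCP handshake completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_http(host, port, timeout=3.0):
    """GET / and return (status, WWW-Authenticate header) so the admin UI is
    recognisable from its auth challenge; None if the port is not HTTP(S)."""
    if port == 443:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # router certs are self-signed; we only
        ctx.verify_mode = ssl.CERT_NONE  # want the challenge, not to trust it
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def scan(host, ports=MANAGEMENT_PORTS, probe=probe_tcp):
    """Sorted list of the ports on host that accept a connection. `probe` is
    injectable so the logic can be exercised without touching the network."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda port: (port, probe(host, port)), ports))
    return sorted(port for port, is_open in results if is_open)

def assess(open_ports, http_info=None):
    """Turn open ports into the hardening points raised in the thread."""
    http_info = http_info or {}
    findings = []
    for port in open_ports:
        name = MANAGEMENT_PORTS.get(port, f"port {port}")
        if port in (80, 8080):
            info = http_info.get(port)
            realm = f" (challenge: {info[1]})" if info and info[1] else ""
            findings.append(f"{name} on {port} reachable from WAN{realm}: a single "
                            "http://user:pass@ip/... request can change settings "
                            "from anywhere; disable remote management, or use "
                            "HTTPS on a non-standard port if you really need it")
        elif port == 23:
            findings.append("telnet on 23 reachable from WAN: cleartext login; disable it")
        elif port == 53:
            findings.append("DNS on 53 reachable from WAN: open resolver; disable WAN DNS")
        else:
            findings.append(f"{name} on {port} reachable from WAN: disable unless required")
    return findings

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the router's WAN address (you supply it)
    open_ports = scan(host)
    http_info = {p: probe_http(host, p) for p in open_ports if p in (80, 443, 8080)}
    for line in assess(open_ports, http_info) or ["no management ports reachable"]:
        print(line)
```

A clean result from outside is the state the thread is asking for; anything listed should be switched off in the router's remote management settings and the scan repeated. The probe is deliberately a plain connect plus one GET, not a login attempt, so it is safe to run against your own device.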
Re: Router Vulnerability
26-03-2014 1:20 PM
I find it incomprehensible that a system weak enough to apparently allow remote config changes, even when the password has been changed to a strong one, would allow WAN access by default! (And make it non-obvious how to turn that off.)
Re: Router Vulnerability
27-03-2014 9:48 AM
Firstly, thank you for yesterday’s e-mail concerning the implementation of a firewall. A few questions, if I may:
The e-mail suggests that Plusnet knows what make and model of router I’m using. Out of interest, is this the case? Do routers identify themselves, in the same way that I am identified as a customer having an account? It’s not something I’d ever thought about before, and wondered how global this e-mail was.
The e-mail offers an alternative router for purchase, but doesn’t tell me what make / model it might be. Can Plusnet provide that information please? I’m a bit wary, because the unit being offered seems relatively inexpensive, even before the discount. What assurances can the manufacturer give that it is not as vulnerable to hijacking as any other? It would be pointless to change if for the next hijacking target.
I suppose thanks are due to Adobe for making this so easy for attackers. By providing an application which seems to have all the vulnerabilities of a colander, no one is surprised to see a supposed update required to Flash Player, and the unwary just click on it.
I run openSUSE, and netconfig update -f restored the DNS settings, but finally - and simply out of interest - I wondered why the DNS servers being recommended were the Plusnet tertiary ones, rather than the primary and secondary servers whose IP addresses have been specified hitherto? I’ve yet to change to them.
Thank you.
GRAHAM
Re: Router Vulnerability
27-03-2014 10:29 AM
The Adobe issue is a bit of a red herring. Your router will redirect you to a page which pretends to be from Adobe - it had absolutely nothing to do with Adobe (this time !).
Also check the DNS servers set on your router itself - this is where the "hackers" reset the DNS servers to their own hijacked ones. I personally use 8.8.8.8 (Google) and whatever the OpenDNS ones are.
Re: Router Vulnerability
27-03-2014 2:16 PM
Quote from: TheScorpionsTale I run openSUSE, and netconfig update -f restored the DNS settings, ....
Have you thought of running something like dnsmasq (provides a caching DNS forwarder/DHCP service) on your system?
I also use openSUSE, but have a "backup" system running Mint with BIND and isc-dhcp-server; the latter was added following Plusnet's e-mail, so I am no longer using the router for either of these services.
Local caching speeds things up as well.
Phil
Using a TP-Link Archer VR600 modem-router.