  #1  
07-20-2010, 05:59 PM
Wheelie
Join Date: May 2008
Posts: 564
"Poisoned" Router DNS Settings

FYI

Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers "poisoned" by viruses that can modify router settings when the user has NOT changed the default password. Y'all be sure to change your default passwords on customer routers (I usually do this).

Background:
Customer brings me an infected laptop that has a hijacked browser and I pulled the hard disk and slaved to my bench PC to clean it (SOP). It had several Java script viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class all in jar_cache). Removed viruses with AVG.

So I gave the laptop a "clean up/tune up" afterward. Customer picks up laptop, goes back home, and calls me within hours: "it's still going to the wrong web sites". So I ask him to drop it back by the shop to check it out again. Pull the hard disk, scan with AVG & Malwarebytes and it's clean. The browser is NOT hijacked in my shop. Put it back into PC and scan with his AVG & Malwarebytes and it's clean. He calls while I have it and says: "now my wife's laptop is hijacked!". I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window and the DNS servers shown are 213.109.64.5 (which resolves to a Russian network!) Wow!

Go into his Netgear router and lo and behold the DNS setting has been changed from "Get Automatically from ISP" to "use these DNS Servers" with the above numbers typed in. Bingo. Change it to "Get Automatically from ISP" and it's all good.

It is a good reason to always change the default password.

-----------------------------------------------------------

Keyword reference for DNS 213.109.64.5 and 213.109.72.21:

Network Whois record
Queried whois.ripe.net with "-B 213.109.64.5"...
Information related to '213.109.64.0 - 213.109.79.255'

inetnum: 213.109.64.0 - 213.109.79.255
netname: PROLITE-NET
descr: ProLite Ltd.
country: RU
org: ORG-PL83-RIPE
admin-c: NF1275-RIPE
tech-c: NF1275-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-PROLITE
mnt-routes: MNT-PROLITE
mnt-domains: MNT-PROLITE
changed: hostmaster@ripe.net 20090831
source: RIPE

organisation: ORG-PL83-RIPE
org-name: ProLite Ltd.
org-type: OTHER
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
e-mail: prolite@p-lite.ru
mnt-ref: MNT-PROLITE
mnt-by: MNT-PROLITE
changed: prolite@p-lite.ru 20090914
source: RIPE

person: Nikolay N. Filimonov
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
phone: +7 831 4284242
nic-hdl: NF1275-RIPE
changed: prolite@p-lite.ru 20090914
source: RIPE
mnt-by: MNT-PROLITE

-----------------------------------------------------------
__________________
"I clicked on the blue thingy in the little window and now it won't show the screen ... can you fix it?"
"Absolutely. Is today at 3 o'clock good?"
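Added example, not code from the thread: a small Python check that pulls the DNS servers out of `ipconfig /all` output (the same thing Wheelie did by eye at the customer's house) and flags any resolver that falls inside the 213.109.64.0/20 range from the whois record above, or outside the ranges a tech expects for that customer. The sample output is constructed, and the "expected" range passed in (the customer's LAN, where the router normally answers DNS) is an assumption.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output modelled on the symptom in the post:
# the DNS servers have been pushed into the 213.109.64.0/20 range from the whois record.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.64.5
                                       213.109.72.21
"""

# Range the thread's whois lookup ties to the hijacked resolvers (213.109.64.0 - 213.109.79.255).
KNOWN_BAD_NETS = [ipaddress.ip_network("213.109.64.0/20")]

def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed in `ipconfig /all` output."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        cont = line.strip()
        # Additional resolvers follow on indented lines that hold only an address.
        if in_dns and cont and re.fullmatch(r"[0-9A-Fa-f.:%]+", cont):
            servers.append(cont)
        else:
            in_dns = False
    return servers

def classify_dns(servers, expected_nets):
    """Label each resolver as known-bad, expected (router/LAN or ISP range) or unexpected."""
    expected = [ipaddress.ip_network(n) for n in expected_nets]
    verdict = {}
    for s in servers:
        addr = ipaddress.ip_address(s.split("%")[0])  # drop an IPv6 zone index if present
        if any(addr in n for n in KNOWN_BAD_NETS):
            verdict[s] = "known-bad"
        elif any(addr in n for n in expected):
            verdict[s] = "expected"
        else:
            verdict[s] = "unexpected"
    return verdict
```

Run `classify_dns(parse_dns_servers(SAMPLE_IPCONFIG), ["192.168.1.0/24"])` against the constructed sample and both resolvers come back "known-bad"; on a healthy box the router's own address comes back "expected".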
  #2
07-20-2010, 07:42 PM
kagman
Join Date: Mar 2009
Posts: 1,326
Re: "Poisoned" Router DNS Settings

Always change the default password on the router and disable remote web management too. I would advise your client to change all their passwords, from email accounts to online banking, since their internet traffic might have been going to a third party for some time.

__________________
--Jose--
"Everyone Needs their own I.T. guy :)"
From Queens, New York
  #3
07-20-2010, 09:50 PM
MBF
Join Date: May 2009
Posts: 56

Thanks Wheelie, that's handy info.....
  #4
07-23-2010, 12:13 AM
Galdorf
Join Date: Feb 2009
Location: Ontario, Canada
Posts: 1,578

You should read this pretty nasty security hole:
http://www.tomsguide.com/us/Router-E...news-7547.html
  #5
07-23-2010, 11:03 AM
Wheelie
Join Date: May 2008
Posts: 564

There's yet another reason to change the router's default password.
  #6
07-23-2010, 12:59 PM
Galdorf
Join Date: Feb 2009
Location: Ontario, Canada
Posts: 1,578

This security hole in router firmware, allowing DNS rebinding and a hacker to gain access to a person's internal network, is BAD. So many people have default passwords; my guess is 80% of the people with routers.
The hackers seem to be using this to steal World of Warcraft accounts. It's been around for quite some time, years in fact. Why is it not fixed?
That makes millions of users at risk. The average user does not know how to flash firmware or change the password; that is where we can make some money.
I have been getting customers to bring in the router and power supply; I update firmware and change passwords/wireless passwords as a service.
  #7
07-28-2010, 02:34 PM
computertech775
Join Date: Jul 2009
Location: Reno, NV
Posts: 16

I had this situation yesterday. It happened to a Belkin F5D8233-4v3 which, according to the Forbes blog, was NOT successfully hacked. Guess they need to update the list. Interestingly, the client is a Private Investigator.
__________________
Follow my interesting computer support & repair stories, business insight & technology thoughts on Google+ and Twitter @MyTechLife2
  #8
08-02-2010, 07:34 AM
RegEdit
Join Date: Feb 2010
Location: Pacific Palisades, CA
Posts: 1,723

Thanks for sharing this story!

I wonder what percentage of hacking is going on in Russia. Seems like it's always those Ruskis that are up to no good, and then when they get caught (rarely) they are respected over there.

Also, I live in Los Angeles, yet my DNS was revealed to be in Port Allegany, Pennsylvania. It showed up as Time Warner, which is correct. I would have thought my DNS would be a Los Angeles location. Is that normal?
  #9
08-02-2010, 01:21 PM
Wheelie
Join Date: May 2008
Posts: 564

Quote: Originally Posted by RegEdit
Thanks for sharing this story!

I wonder what percentage of hacking is going on in Russia. Seems like it's always those Ruskis that are up to no good, and then when they get caught (rarely) they are respected over there.

Also, I live in Los Angeles, yet my DNS was revealed to be in Port Allegany, Pennsylvania. It showed up as Time Warner, which is correct. I would have thought my DNS would be a Los Angeles location. Is that normal?
You should just make sure the DNS settings in your router are set to: "Get Automatically from ISP". If they point you to a TW server in PA that's fine. You should never have to manually set the DNS settings in a router under normal circumstances.
  #10
01-31-2011, 12:10 PM
rhinetech
Join Date: Apr 2010
Location: Northern New Jersey, USA
Posts: 314

They're still at it Wheelie, I had a variant of the IP you traced as the DNS settings on a WRT54G I worked on yesterday evening. 213.109.64.147.

Firmware update, set-to-default, and admin password change...
__________________
Steve Rhinesmith, Owner, RhineTech Computer Repair LLC
Apple Certified Macintosh Technician (2012)
MCTS: Windows 7 - Configuration (2011)
CompTIA A+ (2005), Network+ (2010), and Security+ (2010) Certified.

http://www.rhinetech.com
Tags
dns, javascript, poisoned, router, virus