"Poisoned" Router DNS Settings

[Wheelie]

FYI

Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers "poisoned" by viruses that can modify router settings when the user has NOT changed the default password. Y'all be sure to change your default passwords on customer routers (I usually do this).

Background:
Customer brings me an infected laptop that has a hijacked browser and I pulled the hard disk and slaved to my bench PC to clean it (SOP). It had several Java script viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class all in jar_cache). Removed viruses with AVG.

So I gave the laptop a "clean up/tune up" afterward. Customer picks up laptop, goes back home, and calls me within hours: "it's still going to the wrong web sites". So I ask him to drop it back by the shop to check it out again. Pull the hard disk, scan with AVG & Malwarebytes and it's clean. The browser is NOT hijacked in my shop. Put it back into PC and scan with his AVG & Malwarebytes and it's clean. He calls while I have it and says: "now my wife's laptop is hijacked!". I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window and the DNS servers shown is 213.109.64.5 (which resolves to a Russian network!) Wow!

Go into his Netgear router and low and behold the DNS setting has been changed from "Get Automatically from ISP" to "use these DNS Servers" with the above numbers typed in. Bingo. Change it to "Get Automatically from ISP" and it's all good.

It is a good reason to always change the default password.

-----------------------------------------------------------

Keyword reference for DNS 213.109.64.5 and 213.109.72.21:

Network Whois record
Queried whois.ripe.net with "-B 213.109.64.5"...
Information related to '213.109.64.0 - 213.109.79.255'

inetnum: 213.109.64.0 - 213.109.79.255
netname: PROLITE-NET
descr: ProLite Ltd.
country: RU
org: ORG-PL83-RIPE
admin-c: NF1275-RIPE
tech-c: NF1275-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-PROLITE
mnt-routes: MNT-PROLITE
mnt-domains: MNT-PROLITE
changed: hostmaster@ripe.net 20090831
source: RIPE

organisation: ORG-PL83-RIPE
org-name: ProLite Ltd.
org-type: OTHER
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
e-mail: prolite@p-lite.ru
mnt-ref: MNT-PROLITE
mnt-by: MNT-PROLITE
changed: prolite@p-lite.ru 20090914
source: RIPE

person: Nikolay N. Filimonov
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
phone: +7 831 4284242
nic-hdl: NF1275-RIPE
changed: prolite@p-lite.ru 20090914
source: RIPE
mnt-by: MNT-PROLITE

-----------------------------------------------------------

[kagman]

Always change the default password on router and disable remote web management to. I would advise your client to change all their passwords from email accounts to online banking since their internet traffic might have been going to a third party for some time .

Sent from my Eris using Tapatalk

[MBF]

Thanks Wheelie, that's handy info.....

[Galdorf]

You should read this pretty nasty security hole:
http://www.tomsguide.com/us/Router-E...news-7547.html

[Wheelie]

There's yet another reason to change the router's default password.

[Galdorf]

This security hole in router firmware allowing dns rebinding and a hacker to gain access to a persons internal net work is BAD so many people have default passwords my guess 80% of the people with routers.
The hackers seem to be using this to steal world of warcraft accounts its been around for quite some time years in fact, why is it not fixed?.
That makes millions of users at risk the average user does not know how to flash firmware or change password that is where we can make some money.
I have been getting customers to bring in the router and power supply, i update firmware and change passwords/wireless passwords as a service.

[computertech775]

I had this situation yesterday. It happened to a Belkin F5D8233-4v3 which according the Forbes Blog was NOT successfully hacked. Guess they need to update the list. Interestingly, the client is a Private Investigator.

[RegEdit]

Thanks for sharing this story!

I wonder what percentage of hacking is going on in Russia. Seems like it's always those Ruski's that are up to no good, and then when they get caught (rarely) they are respected over there.

Also, I live in Los Angeles, yet my DNS was revealed to be in Port Allegany, Pennsylvania. It showed up as Time Warner, which is correct. I would have thought my DNS would be a Los Angeles location. Is that normal?

[Wheelie]

Quote:

Originally Posted by RegEdit

Thanks for sharing this story!

I wonder what percentage of hacking is going on in Russia. Seems like it's always those Ruski's that are up to no good, and then when they get caught (rarely) they are respected over there.

Also, I live in Los Angeles, yet my DNS was revealed to be in Port Allegany, Pennsylvania. It showed up as Time Warner, which is correct. I would have thought my DNS would be a Los Angeles location. Is that normal?

You should just make sure the DNS settings in your router are set to: "Get Automatically from ISP". If they point you to a TW server in PA that's fine. You should never have to manually set the DNS settings in a router under normal circumstances.

[rhinetech]

They're still at it Wheelie, I had a variant of the IP you traced as the DNS settings on a WRT54G I worked on yesterday evening. 213.109.64.147.

Firmware update, set-to-default, and admin password change...