Compromised router?

Right, these are the steps I would take. Please note I am teaching myself network security; I am no expert.

Step 1: Factory reset your router.
Step 2: Get the latest firmware update and do a manual install. [This can brick the router]
Step 3: Set up your security and enable MAC binding, disable WPS and hide your SSID.
Step 4: Look at what security your router has built-in and enable it where possible.

Optional steps.

Step 6: Make sure you clear the computer of the old router login information. Do the same for phones and other devices like printers and so on.

Step 7: If your router allows it, create a Guest Network. Use the guest network and see if it gets compromised. It is easier to reset a Guest Network.

Step 8: Get a good antivirus and scan all your computers.
Step 9: Look for devices that are plugged into your computers. If they don't belong unplug them.
Step 10: Look for devices on your network that don't belong; this will be the attacker.
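Step 10 above is easier to do with a list of the MAC addresses you actually own. The script below is an added example, not from the post: it parses the output of `ip neigh show` (Linux) and reports any neighbour whose MAC is not on a hand-maintained allowlist. The sample neighbour table and the allowlist are constructed for the demo.

```python
"""Flag LAN devices whose MAC address is not on a known-device list.

Added example, not from the original post. Parses `ip neigh show`
output and compares every learned MAC against an allowlist.
"""
import re
import subprocess

# Constructed sample of `ip neigh show` output (not captured from a real LAN).
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.23 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.0.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.0.99 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# Hypothetical allowlist (MAC -> label); build yours from the sticker on each device.
KNOWN = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "laptop",
}

_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>.*)$"
)


def parse_neigh(text):
    """Return {mac: set(ips)} for entries that carry a link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # FAILED / INCOMPLETE entries have no MAC yet; skip them
        seen.setdefault(m["mac"].lower(), set()).add(m["ip"])
    return seen


def unknown_devices(text, known=KNOWN):
    """Return a sorted list of (mac, sorted ips) that are not on the allowlist."""
    return sorted(
        (mac, sorted(ips))
        for mac, ips in parse_neigh(text).items()
        if mac not in known
    )


def live_unknown_devices(known=KNOWN):
    """Linux only: run `ip neigh show` and report unknown MACs on this LAN."""
    out = subprocess.run(
        ["ip", "neigh", "show"], capture_output=True, text=True, check=True
    ).stdout
    return unknown_devices(out, known)


if __name__ == "__main__":
    for mac, ips in unknown_devices(SAMPLE_NEIGH):
        print(f"unknown device {mac} at {', '.join(ips)}")
```

Two caveats when reading the output: the neighbour table only lists hosts this machine has talked to recently, so ping the broadcast address or run it from the router itself for a fuller picture, and a MAC address is trivially spoofed, so an allowlist (or router MAC binding) raises the bar but does not prove a device is legitimate.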
 
Sounds like this. I had an issue with similar symptoms a while back. ISP refused to acknowledge the problem. I eventually had to change ISP to resolve the problem.
I've had this most frequently with Telkom LTE. Switched to unrestricted APN to fix it.
 
So it appears that the router/network has been compromised via the DNS settings.

When I got home I logged in to the router and went over the settings. I have personally manually set the DNS to 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google - prompted by the ISP as the secondary), but what I found instead were IP addresses in the DNS fields:

[screenshot: the DNS fields in the router settings]


Upon inspection, the addresses divert you here:

[screenshot: the page the DNS addresses divert to]


Bloody Russians.

Now some of the solutions you folks posted are a bit above my pay grade, but I have since done the following;
  • Factory reset the router.
  • Manually updated the firmware.
  • Disabled remote management; disabled WPS (I haven't hidden the SSID yet as I cannot figure out how to manually enter a network on DSTV) and activated the IPv4 SPI Firewall.
  • Changed all passwords.
On MAC binding, there are multiple devices connected; would binding to a specific device's IP not lock everything else out?

If this doesn't solve it then I'm burning the router. I'm also concerned if one of the devices in the house is/was the entry point and finding out may be tricky.

*IPs hidden for the sake of safety.
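The symptom in this post is that the router hands out resolver addresses the owner never configured. Checking the router's web UI is one way to notice it; the other is to ask the router's resolver and a trusted resolver the same question and compare answers, which also catches a hijack that sits in front of the router. The script below is an added example, not code from the thread: it builds a plain DNS A query in RFC 1035 wire format, parses the answer, and flags a mismatch. The sample response bytes are constructed; `resolve_via()` does real UDP queries when you run it against your LAN.

```python
"""Compare the router's DNS answers with a trusted resolver's answers.

Added example, not from the original thread. Hand-built DNS wire
format (no third-party library) so it runs anywhere Python does.
"""
import socket
import struct

TXN_ID = 0x1234  # fixed transaction id for the demo; use a random one in anger


def build_query(name, txn_id=TXN_ID):
    """Standard query, RD set, one question of type A / class IN."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Skip a (possibly compressed) name and return the offset after it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txn_id=TXN_ID):
    """Return the sorted IPv4 answers in a DNS response."""
    tid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if tid != txn_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def resolve_via(server, name, timeout=3.0):
    """Query `name` (type A) at `server` over UDP/53 and return its answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def hijack_suspected(router_answers, trusted_answers):
    """True when the two resolvers disagree completely for the same name.

    Partial overlap is normal for CDN / geo-balanced names, so only a
    disjoint answer set is treated as suspicious.
    """
    return not set(router_answers) & set(trusted_answers)


def check(router_dns, names, trusted="1.1.1.1"):
    """Return {name: (router_answers, trusted_answers)} for names that disagree."""
    bad = {}
    for name in names:
        r, t = resolve_via(router_dns, name), resolve_via(trusted, name)
        if hijack_suspected(r, t):
            bad[name] = (r, t)
    return bad


# Constructed response to build_query("example.test"): one A record pointing at
# 203.0.113.7 (TEST-NET-3 documentation range), name compressed with a pointer.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", TXN_ID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7])
)
```

Usage: `check("192.168.0.1", ["mybroadband.co.za", "yourbank.example"])` with the router's LAN address as the first argument. Test the names that matter (bank, webmail), because a hijacking resolver can forward most queries honestly and poison only a handful.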
 
I suspect the ISP box then, not your router.

Also - you're double NATing from the look of it, which isn't really advised.

My preferred setup is to have the ISP box as a dumb box, and log in to PPPoE or however it's set on your router.

What's the "fibre box", so I can check if that has vulnerabilities? (model / brand / version if you know)

Can you also let me know what your router is - model / brand / firmware version (just in case), so I can check also. Thanks.
 
Also - you're double NATing from the look of it, which isn't really advised.

My preferred setup is to have the ISP box as a dumb box, and log in to PPPoE or however it's set on your router.

Admittedly, I'm not too knowledgeable on this.

What's the "fibre box", so I can check if that has vulnerabilities? (model / brand / version if you know)

Brand is 'Raycore', no other markings are visible.

[photo of the Raycore fibre box]



Can you also let me know what your router is - model / brand / firmware version (just in case), so I can check also. Thanks.

Router is a TP-Link Archer C20 (It is pretty vintage) and the firmware is the latest I could update from their website - 0.9.1 4.16 v0001.0 Build 170822 Rel.41366n

[screenshot of the router's firmware version page]
 

Looking at this - https://mybroadband.co.za/forum/threads/vumatel-trenched-eliminate-the-cpe.1161662/ your ONT should be in bridge mode, so yes, could be that your TPLink is backdoored.

I haven't seen any vulnerabilities for the Raycore (or public ones), so lets assume its the TP-Link needing love.



I would suggest use a more recent openwrt image on the router, vs the TPLink firmware, and that will also remove any nasties left in the flash on the router, so should clean it.

i.e. - https://openwrt.org/toh/tp-link/archer_c20_v4 (the TFTP bits)

If you're in Cape Town I can assist with that for you though (no charge).
Not something that can be done remotely unfortunately. pm if you want me to assist.



Otherwise if you want to diy:

**Note this can brick your router if eskom dies at the wrong time**

Do this at your own risk, as you'll need to reconfigure the router again. If you aren't comfortable with this, get an expert to assist.

Before you do this though, write down existing settings. i.e. wifi name, pass, ONT login settings if any that need to be configured etc etc.


First download: https://downloads.openwrt.org/relea...link_archer-c20-v4-squashfs-tftp-recovery.bin
Second, download some tftpd software ( http://www.tftpd64.com/ is ok assuming windows? )

configure your computer with a static ip of 192.168.0.66, subnet mask 255.255.255.0, gateway 192.168.0.1


rename the downloaded bin file to: tp_recovery.bin
place it somewhere that the tftpd software can serve it from.
make sure the tftpd software is running, and has the renamed file ready to serve.

when ready to flash:
connect the computer directly to one of the ports on the tplink.

unplug router power.
Press and keep pressed the router's reset button and power it up. After about 7-10 seconds release the reset button. The power LED will flicker rapidly for ~3 seconds, indicating download of the firmware file.

you should see the tftpd software showing some file transfer.


once done, wait till the router reboots, then change computer back to DHCP, and see if you get an ip address, and can visit the openwrt firmware router default ip, which is 192.168.1.1

you'll need to reconfigure the router settings again though for your wifi etc. I'd also advise updating openwrt also once the base is installed.
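One step worth adding to the DIY procedure above: check the downloaded image against the `sha256sums` file that OpenWrt publishes in the same download directory before renaming it to tp_recovery.bin. A truncated or tampered download is the one thing the recovery bootloader will not catch for you. The script below is an added example, not part of the post; it parses the sums file (lines of the form `<hex digest> *<filename>`), compares the digest, and only then stages the copy in the TFTP root. The file names and the fake image in `demo()` are constructed for the demo.

```python
"""Verify an OpenWrt image against its sha256sums entry, then stage it for TFTP.

Added example, not from the original post. Refuses to stage a file
whose digest is missing from, or differs from, the published sums.
"""
import hashlib
import shutil
from pathlib import Path

RECOVERY_NAME = "tp_recovery.bin"  # the file name the Archer C20 bootloader requests


def parse_sha256sums(text):
    """Map filename -> lowercase hex digest; accepts `hash *name` and `hash  name`."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        sums[name.lstrip("*").strip()] = digest.lower()
    return sums


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_and_stage(image, sums_text, tftp_root):
    """Copy `image` to <tftp_root>/tp_recovery.bin after its digest checks out.

    `image` must keep its original OpenWrt file name so it can be looked up
    in the sums file. Raises ValueError on a missing or mismatching digest.
    """
    image = Path(image)
    expected = parse_sha256sums(sums_text).get(image.name)
    if expected is None:
        raise ValueError(f"{image.name} is not listed in sha256sums")
    actual = sha256_of(image)
    if actual != expected:
        raise ValueError(f"digest mismatch for {image.name}: {actual} != {expected}")
    dest = Path(tftp_root) / RECOVERY_NAME
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(image, dest)
    return dest


def demo():
    """Round trip in a temp dir using a constructed fake image (not real firmware).

    Returns (staged_ok, bad_digest_rejected).
    """
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        name = "constructed-recovery-image.bin"  # placeholder name, not a real OpenWrt file
        fake = tmp / name
        fake.write_bytes(b"constructed fake image, not firmware\n" * 100)
        good = hashlib.sha256(fake.read_bytes()).hexdigest()
        staged = verify_and_stage(fake, f"{good} *{name}\n", tmp / "tftp")
        staged_ok = staged.name == RECOVERY_NAME and staged.read_bytes() == fake.read_bytes()
        try:
            verify_and_stage(fake, f"{'0' * 64} *{name}\n", tmp / "tftp")
            rejected = False
        except ValueError:
            rejected = True
    return staged_ok, rejected


if __name__ == "__main__":
    print(demo())
```

In practice you would call `verify_and_stage("openwrt-…-tftp-recovery.bin", open("sha256sums").read(), "C:/tftp")` with the sums file fetched from the same OpenWrt release directory as the image, and point tftpd64 at that root before starting the reset-button sequence.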
 
@itareanlnotani Thank you for looking into this and advising. The DIY is a little out of my comfort zone, but I will spend some time with this over the weekend when I can focus on it without distractions.
 
Unfortunately this is more common than you think. I have seen multiple TP-Links compromised like this. The common one is DNS hijacking, i.e. diverting you from a legitimate page to steal credentials. If you google TP-Link CVEs you will get a shock.

Unless the firmware has been updated by TP-link this year I would recommend getting a new router to remain safe.
 

Any recommendations on routers (brand)?
 

Unifi Edgemax or MikroTik, depending on your needs, if you want internal Wi-Fi etc...
Or pfSense/OPNsense if you have a spare PC floating around.

But I would reflash your router first as mentioned above; OpenWrt is amazing and a big improvement over the stock TP-Link, not only in security but in features.
 
Do you have one of those TV box things? It is very important that your TV Box is Google certified or a Google product. I know cheap and nasty TV Box devices are filled to the brim with nasty apps and backdoors. Maybe start with that.

Just to add. Your router login password to its settings and the password it uses to connect with other devices must not be the same thing. You probably did this already but I am just mentioning it.

Also, I like TP link they are normally really good.

Also honestly hiding your SSID will not help that much so don't worry about it too much. Any software you can download for your phone will identify a hidden network anyway.
 
Another advantage of OpenWRT is that you can configure Smart Queue Management (SQM) to negate bufferbloat. Essentially, that reduces your latency while uploads and downloads are running.

Example:

[screenshot: latency with and without SQM]
 
Can I maybe convert my Huawei B618s-22d to OpenWrt? It is a lot faster than my TP-Link, but it doesn't have the functionality of my TP-Link, and I can't get updates for it anymore.
 
Huawei routers are notoriously bad when it comes to loading other firmware; more often than not they are extremely closed off.
I can't even do IP registration on DHCP with the ones I have; they are best just avoided at all cost.

Here is a device list: https://openwrt.org/toh/huawei/start not all of these are supported but at least you can read up on their specs in most cases.

If you're teaching yourself network security I can strongly recommend getting MikroTik; it's a powerhouse of a router, with a good solid OS.
 
It's more about the Broadcom chipsets used not having drivers, but yeah, historically a pain for the Huaweis.
 