D-link security issue

B

beeskuiken

Active Member
Joined
Jan 6, 2010
Messages
51
Reaction score
0
Location
Cape Town
I'm getting this error on my d-link router (DSL-2750U) configuration after enabling remote access (http): " Another user is already using this router" and it gives an ip 66.249.93.86 or79 .

All 3 passwords have been changed from the default.

I then found this article: D-Link router flaw lets anyone login through “Joel’s Backdoor”
https://nakedsecurity.sophos.com/20...-flaw-lets-anyone-login-using-joels-backdoor/

Does anybody know if this is related?
 
The models mentioned in the article does not mention the 2750U. My guess is the attacker found a vulnerability in the router's firmware and used to to gain access to your router's Internet-facing management interface or, much more likely, used one of your LAN/WiFi devices (e.g. compromised Laptop), as a springboard to access the router from the LAN side and opening up the Internet-facing management interface.
 
Last edited:
It seems to an automated thing for whenever I open it up, this dude gets in under 60sek. Have to reboot the router then.

Can I use the source network and source mask values to block this IP? How?

Thanks
 
beeskuiken said:
It seems to an automated thing for whenever I open it up, this dude gets in under 60sek. Have to reboot the router then.

Can I use the source network and source mask values to block this IP? How?

Thanks
Click to expand...
To be sure the hacker is not getting in via one of your inside devices, reset and securely configure the router from another device not familiar to your network, such as a non-jailbroken Tablet/Phone from a friend or family member. If the Router still gets compromised after that it is very possible that the Firmware has a hole/vulnerability in it that allows the script-kiddie to gain access to it. Get hold of DLink and make them aware of what is happening. Temporarily create Bridged/PPPoE connections from your LAN devices, with an enabled Personal Firewall at least, across the Router until DLink reverts with feedback or a patch.
Another test is to try another ISP and see if it still happens - the hacker might be running something against your ISP's IP Subnet only.
 
Turned off wifi and disconnected all devices from router, accept pc, and he still gets in. I assume this means that the router is attacked directly.
 
beeskuiken said:
Turned off wifi and disconnected all devices from router, accept pc, and he still gets in. I assume this means that the router is attacked directly.
Click to expand...
Seems like the router's firmware is compromised in some way.
Try another ISP and see if it still happens - the hacker might be running something against your ISP's IP Subnet only
Delete all PPPoE connections from the router and create them from your LAN devices, with an enabled Personal Firewall at least, across the Router until DLink reverts with feedback or a patch/fix.
 
gilqd.png

Maybe make sure that management isn't port forwarded/internet facing.
 
Disable telnet, ssh and http access of the web console in the router settings.

They might have been left enabled by default.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X