Router compromised

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Router compromised

Post by mastershake » Thu Apr 11, 2013 10:21 am

hi

I have two D-Link routers that got compromised by some kind of botnet.

Anyway, the first router, a 2540U, opened ports 80 and 5432
and started to show huge network activity (like I'm downloading something) on the LED when
the computer attached to it is turned off.

Anyway, another router, a 2640U, also showed the same symptoms.

Tried a reset, a hard reset, and firmware both downgrading/upgrading.
Nothing worked.

Why do you think the problem persists?
And how is the worm able to survive the flash?
How do I fix this?

Thanks in advance.
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Router compromised

Post by thechief » Thu Apr 11, 2013 2:30 pm

1. The first thing that any sensible bot would do is to install a trojan on your PC. Scan your PC for trojans, using a rescue disk.
2. Are the ports still open? If so, then close them to remote access.
3. Do the routers have a writeable partition? If so, check this partition.
4. Run the port scanner on grc.com.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
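The "are the ports still open?" check above can be done from any machine with Python, without relying on a web-based scanner. The script below is an added example, not code from the thread or from RouterTech; it performs a plain TCP connect scan and, so that it can be exercised offline, spins up a throwaway local listener to stand in for an exposed router service. The address 203.0.113.7 in the comment is a documentation address, not anyone's real WAN IP.

```python
import socket
import threading
from contextlib import closing


def tcp_port_open(host, port, timeout=2.0):
    """TCP connect() check: True only if something accepted the connection.

    A refused connection (RST) means nothing is listening; a timeout means a
    firewall dropped the SYN (grc.com calls that 'stealth'); both are reported
    here as not open.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError, TimeoutError, unreachable
            return False


def scan_ports(host, ports, timeout=2.0):
    """Map each port to True (accepting connections) or False."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def start_local_listener(host="127.0.0.1", port=0):
    """Bind a throwaway listener (port 0 = kernel-assigned) that accepts and
    immediately closes connections in a daemon thread, so the scanner can be
    exercised with no network access. Constructed stand-in for a router service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_port(host="127.0.0.1"):
    """Ask the kernel for an unused port and release it, giving a known-closed port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Offline demonstration: one port with a listener, one without."""
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    # Real use: run from OUTSIDE the LAN against the router's public address,
    # e.g. scan_ports("203.0.113.7", [80, 5432]) with the actual WAN IP.
    results, o, c = demo()
    for port, is_open in results.items():
        print(f"port {port}: {'open' if is_open else 'closed/filtered'}")
```

Scanning from inside the LAN only tests the router's LAN interface; to learn what the thread's poster needed (whether 80 and 5432 answer from the Internet) the scan has to originate outside, for example from a phone on mobile data, against the current public IP. A port that still accepts connections from outside after "remote management" has been disabled in the web interface is exactly the discrepancy worth investigating.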
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Thu Apr 11, 2013 9:30 pm

1. Formatted the computer,
but I think this attack has more than a botnet in mind;
it was some kind of targeted attack.

2. Tried closing the port;
the router didn't respond,
also after reset and re-flashing the firmware.

3. Tried forwarding the open ports to an unused IP;
that didn't do anything either.
Also the router is closed to remote access,
plus there is no wireless.

4. One of the routers stopped behaving like a botnet;
just one now sends a lot of traffic when the computer gets shut down.
Yes, I ran the port scanner on grc; that's how I know if the ports are open/closed.
Also checked with another port scanner, same result.
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Router compromised

Post by thechief » Thu Apr 11, 2013 11:22 pm

Do you have a static IP ?

By the way, you may want to install something like Wireshark so that you can see exactly what is being transmitted.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Fri Apr 12, 2013 7:41 pm

1. Nope, I don't have a static IP.

2. I don't have experience with Wireshark; it's kind of hard for me to work with it.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Sun Apr 14, 2013 9:34 pm

Is something reinfecting the router?
Or is it from the router itself?

How do I fix this?
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Router compromised

Post by thechief » Sun Apr 14, 2013 9:44 pm

We can't know unless you post some logs.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Mon Apr 15, 2013 11:03 pm

Well, according to a Google search,
I found a lot of topics on router botnets and routers getting hacked,
exactly D-Link routers, in a SANS blog post (maybe this is the same one??).

Also, according to a post on another forum, I read that it's possible for the malware
to add itself to the new firmware image when you try to flash it, because it's handled by code.

Anyway, how do I get the logs?
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Router compromised

Post by thechief » Tue Apr 16, 2013 4:26 pm

mastershake wrote:anyway how do i get the logs ?
It should be available as one of the menu items in the firmware's web interface. If it isn't, then I have nothing else to suggest.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Tue Apr 16, 2013 10:45 pm

Oh well, you mean the router system logs.
Well, I will check on this router and report back.

Anyway, on the old router I remember the log stated:
3 intrusions detected with a Russian IP number.
Anyway, I will get better logs from the new router and report back.
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Sat Apr 20, 2013 11:16 pm

There was a ton of options to choose from.
Anyway, here are two logs taken directly after the router was reset:
http://pastebin.com/cpn3u0cm
http://pastebin.com/ecg1bmex
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Router compromised

Post by thechief » Mon Apr 22, 2013 6:02 pm

I don't see anything in the logs that looks suspicious, except possibly the frequent occurrence of "spi_flash_sector_erase_int". I have no idea what it means in practical terms.
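Reading a router log by eye, as in the reply above, is where details get missed: the interesting questions are how often the flash-erase message fires (writes to persistent storage are what an implant that survives a reflash would need) and which outside addresses are hitting the ports the poster saw open. The script below is an added example, not code from the thread or from RouterTech, and it does not parse the linked pastebins. The log lines and their syslog-like layout are constructed for the example; a real D-Link log will need the two regular expressions adjusted to its actual format.

```python
import re
from collections import Counter

# Constructed sample log (NOT the thread's pastebin content). The layout is an
# assumption modelled on generic syslog output; adjust LINE_RE for a real device.
SAMPLE_LOG = """\
Jan  1 00:00:01 router kern.info: spi_flash_sector_erase_int: sector 0x3f0000
Jan  1 00:00:02 router kern.info: spi_flash_sector_erase_int: sector 0x3f1000
Jan  1 00:00:05 router daemon.info: pppd: local IP address 203.0.113.7
Jan  1 00:01:10 router user.warn: intrusion detected from 192.0.2.44:5432 -> 203.0.113.7:5432
Jan  1 00:01:12 router kern.info: spi_flash_sector_erase_int: sector 0x3f2000
Jan  1 00:02:00 router user.warn: intrusion detected from 192.0.2.44:80 -> 203.0.113.7:80
Jan  1 00:02:30 router daemon.info: dhcpd: lease 192.168.1.10 expired
"""

# "Mon DD HH:MM:SS host facility: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\S+): (?P<msg>.*)$"
)
# Hypothetical intrusion-alert wording; a real firmware phrases this differently.
INTRUSION_RE = re.compile(
    r"intrusion detected from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
FLASH_ERASE = "spi_flash_sector_erase_int"  # the message the reply singled out


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, watched_ports=(80, 5432)):
    """Summarise a router log for the two things worth chasing in this thread:
    flash-erase frequency, and which source IPs hit the watched ports."""
    flash_erase = 0
    intrusions = Counter()  # (src_ip, dst_port) -> count
    watched_hits = []       # (timestamp, src_ip, dst_port) for the watched ports
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        msg = rec["msg"]
        if msg.startswith(FLASH_ERASE):
            flash_erase += 1
        im = INTRUSION_RE.search(msg)
        if im:
            dport = int(im.group("dport"))
            intrusions[(im.group("src"), dport)] += 1
            if dport in watched_ports:
                watched_hits.append((rec["ts"], im.group("src"), dport))
    return {
        "flash_erase_count": flash_erase,
        "intrusion_sources": dict(intrusions),
        "watched_port_hits": watched_hits,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{FLASH_ERASE}: {summary['flash_erase_count']} occurrences")
    for (src, dport), n in sorted(summary["intrusion_sources"].items()):
        print(f"  {src} -> port {dport}: {n} alert(s)")
    print(f"unparsed lines: {summary['unparsed_lines']}")
```

Two logs taken straight after a reset, as posted, mostly show boot-time activity; the comparison that would answer "is it the router or something reinfecting it?" is a log captured after the PC has been off for a while, run through the same summary, with any new flash-erase bursts or repeat source addresses lined up against the times the WAN LED was busy. The `unparsed_lines` count is there so a format mismatch shows up as a number rather than as silently empty results.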
mastershake
Newbie
Posts: 8
Joined: Thu Apr 11, 2013 10:16 am

Re: Router compromised

Post by mastershake » Tue Apr 23, 2013 8:50 pm

That's probably the backdoor or something.
Anyway, those logs are from after a reset, so I think some info is missing.
I will try to get other logs after a period of running the router.

Because if it's not the router, what is it?!? Where is this hidden backdoor?