Router compromised
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Router compromised
hi
i have two dlink routers that got compromised by some kind of botnet
anyway the first router, a 2540u,
opened ports 80 and 5432
and started to show huge network activity (like i'm downloading something) on the LED when
the computer attached to it is turned off
anyway another router, a 2640u, also showed the same symptoms
tried a reset, a hard reset, and firmware both downgrading / upgrading
nothing worked
why do you think the problem persists?
and how is the worm able to survive the flash?
how do i fix this?
thanks in advance
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: Router compromised
1. The first thing that any sensible bot would do is to install a trojan on your PC. Scan your PC for trojans, using a rescue disk.
2. Are the ports still open? If so, then close them to remote access.
3. Do the routers have a writeable partition? If so, check this partition.
4. Run the port scanner on grc.com
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
1- formatted computer
but i think this attack has more than a botnet in mind
it was some kind of targeted attack
2- tried closing the port
the router didn't respond
also after reset and re-flashing the firmware
3- tried forwarding the open ports to an unused IP
didn't do anything either
also the router is closed to remote access
+ there is no wireless
4- one of the routers stopped behaving like a botnet
just one now sends a lot of traffic when the computer gets shut down
yes i ran the port scanner on grc, that's how i know if the ports are open / closed
also checked with another port scanner, same result
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: Router compromised
Do you have a static IP?
By the way, you may want to install something like Wireshark so that you can see exactly what is being transmitted.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
1- nope, i don't have a static IP
2- i don't have any experience with wireshark, it's kind of hard for me to work with it
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
is something reinfecting the router?
or is it from the router itself?
how do i fix this?
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: Router compromised
We can't know unless you post some logs.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
well according to a google search
i found a lot of topics on router botnets and routers getting hacked
exactly the Dlink routers, in a sans blog post (maybe this is the same one??)
also according to a post on another forum i read that it's possible for the malware
to add itself to the new firmware image when you try to flash it because it's handled by code
anyway how do i get the logs?
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: Router compromised
mastershake wrote:
anyway how do i get the logs ?

It should be available as one of the menu items in the firmware's web interface. If it isn't, then I have nothing else to suggest.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
oh well, you mean the router system logs
well i will check on this router and report back
anyway on the old router i remember the log stated:
3 intrusions detected with a russian ip number
anyway i will get better logs from the new router and report back
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
there was a ton of options to choose from
anyway here are two logs directly after the router was reset
http://pastebin.com/cpn3u0cm
http://pastebin.com/ecg1bmex
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
- Contact:
Re: Router compromised
I don't see anything in the logs that looks suspicious, except possibly the frequent occurrence of "spi_flash_sector_erase_int". I have no idea what it means in practical terms.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
- Newbie
- Posts: 8
- Joined: Thu Apr 11, 2013 10:16 am
Re: Router compromised
that's probably the backdoor or something
anyway those logs are after a reset so i think some info is missing
i will try to get more logs after a period of running the router
because if it's not the router, what is it?!!? where is this hidden backdoor?