Router hacked, joined botnet, sent 4TB over a few days

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions
Author Message
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 21

PostPosted: Fri Mar 24, 2017 7:09    Post subject: Router hacked, joined botnet, sent 4TB over a few days Reply with quote
At least that's what seems to have happened. I've since reset it and got a very secure password. I regret not getting a backup of the config beforehand to see what could be gleaned. But now I have YAMon keeping an eye on things, and after the reset, data flow has been normal.

Which leads me to conclude that it was the router, as opposed to a device on my network. I haven't changed the wifi password, and all connected devices are accounted for, all traffic, normal.

The days while it was happening, I'd noticed a sluggish connection, and rebooted a couple times thinking that was all it needed. But after this eerily similar story poped up in my feed, I had a look at my ISP's usage meter (which was normal when I'd checked a week earlier) only to see this:



So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.

Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?
Sponsor
thekk
DD-WRT User


Joined: 09 May 2016
Posts: 58

PostPosted: Fri Mar 24, 2017 11:57    Post subject: Reply with quote
Ofcourse not just stock firmware being hacked.
On custom firmwares that open all possible functions, hackers have more possibilities to act, too.
And a "hack" is often not what most peoples think like scenes in the movie Firewall where a hack is just hitting buttons as fast as you can an you're "in".

Too bad that you reset your router. It would have been better if you overwatch your router, saving proofs and footsteps like running processes, open connections, logs etc.

In the current situation, you will not find out what was happened.

In your case, and this is the caes in most cases, i guess that one of your computers are infected with a trojan because that's the simplest way to get in a network and get a router password.

Maybe the router wasn't infected and one of your computers is the member of a botnet IF it was the result of a botnet. Some programs, like torrent clients or other filesharing tools act in the background.

My last word applies to the statistik that you posted. An upload of 400 to 600 gigabytes per months are realy much for an user. It is even much for maybe 5 users.
Either you upload files regulary or you posted the wrong statistic.

If I had botnet and would infect a custom router with dd-wrt or openwrt, I would install a vlan interface that doesn't affect the traffic counter. Thats not so hard and the signs for regulary user aren't so bright.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6990
Location: Netherlands

PostPosted: Fri Mar 24, 2017 12:40    Post subject: Reply with quote
Things you can do to slow down an attack on your router:

1.Use a nodescript username and a long (12 characters or more) nondescript password

2. Disable "Enable info Site" on Administration/Management/Web Access

3.On the Security tab check every item on "Impede WAN DoS/Bruteforce"

4. There are of course known vulnerabilities on older builds (heartbleed etc) so use a recent build

5. Do not use "Remote Access" on Administration/Management tab

If you stick to these settings it is highly unlikely that your router can be hacked (but not impossible Sad )

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 21

PostPosted: Fri Mar 24, 2017 19:10    Post subject: Reply with quote
Ok, I just disabled the Info Site and ticked all the boxes under the Bruteforce area and now I can't login.

It won't login to the web interface or telnet. Is there some obvious reason why?

Wish I had backed up before doing that...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6990
Location: Netherlands

PostPosted: Fri Mar 24, 2017 20:21    Post subject: Reply with quote
Hmm, that is really odd, I have no problem login in or telnetting or SSH to my routers and have all the boxes on the Impede WAN DoS/Bruteforce ticked.

You did not change anything else?

You are connecting from the LAN or WLAN?

What build are you using?

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 21

PostPosted: Sun Mar 26, 2017 6:20    Post subject: Reply with quote
It must be a bug then. After I reset, I'll narrow down the cause and make a report (where does one do that, by the way)?

v3.0-r31205M (Kong), just changed those 2 settings and became locked out, with wrong pass on both web and telnet.

Nothing a reset can't fix, though not looking forward to reconfiguring YAMon. I had painstakingly named all the devices. Not sure I can export those now that it's not running (and can't be started without telnet, afaik).

Ho hum.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6990
Location: Netherlands

PostPosted: Sun Mar 26, 2017 11:06    Post subject: Reply with quote
bug reports can be filed here: http://svn.dd-wrt.com/
_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 26, 2017 11:17    Post subject: Re: Router hacked, joined botnet, sent 4TB over a few days Reply with quote
xichael wrote:


So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.

Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?


No known issues and I do extensive security tests and have tools that find potential security issues in the code.

From your comment it sounds like you did not have a good password set before this happened. Let me tell you it is much easier to be hit by a drive by attack from inside your lan, than for someone to hack into the router from wan side, which is nearly impossible, especially if you have not exposed any services to the wan side.

The way this happens: you go to a bad website and that website comes with code that tries to open a connection to your router from your client that has the browser open from the lan side. If you have set an obvious password then this is easy and the attacker can run commands on the router pull in additional software etc.

Thus make sure to always set proper passwords, to use isolated guest networks for computers you do not trust as much etc., this way they cannot contact your router or lan from the inside.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 21

PostPosted: Mon Mar 27, 2017 6:43    Post subject: Reply with quote
Very weird stuff here. I was finally able to log in when I tried the old password on a whim. Pretty sure this was the pre-reset pass, so I'm having trouble understanding how it could still be around, or how switching those settings could've caused it to revert. I had been logging in with the new password up till then.

Anyway, I've set an extra-super-secure password now. Hopefully this is the end of the weirdness.

Thanks for the insight, Kong. It does sound more likely that it came from within the LAN. We have almost 20 devices regularly connecting here, not counting guests (who I should really put on a guest network). As long as it was just a one-time drive-by thing and not an ongoing compromised system, I'll be tentatively happy.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4110
Location: UK, London, just across the river..

PostPosted: Mon Mar 27, 2017 8:12    Post subject: Reply with quote
if you are not running pppoe ISP connection, you can limit
access to the router GUI (port 80) via IP tables and specify only particular MAC address to access only...


iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

before apply make sure: you save all your current settings in a file, you do have telnet/shh access to the router, reset button enabled, and mac address spelled correctly (capital letters), otherwise you can lock yourself out Smile

p.s. you have to save those lines in Administration>Commands>paste and save in firewall script Wink

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 45229 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 45493 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 45563 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 45563 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
cassie123eee
DD-WRT Novice


Joined: 27 Mar 2017
Posts: 1

PostPosted: Mon Mar 27, 2017 8:19    Post subject: password protection Reply with quote
Try Password Manager,it can help to give you a solution to your password,work out with iOS,windows,and Android password and files manager.It is free and awsome!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum