Posted: Fri Mar 24, 2017 7:09 Post subject: Router hacked, joined botnet, sent 4TB over a few days
At least that's what seems to have happened. I've since reset it and got a very secure password. I regret not getting a backup of the config beforehand to see what could be gleaned. But now I have YAMon keeping an eye on things, and after the reset, data flow has been normal.
Which leads me to conclude that it was the router, as opposed to a device on my network. I haven't changed the wifi password, and all connected devices are accounted for, all traffic, normal.
The days while it was happening, I'd noticed a sluggish connection, and rebooted a couple of times thinking that was all it needed. But after this eerily similar story popped up in my feed, I had a look at my ISP's usage meter (which was normal when I'd checked a week earlier) only to see this:
So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.
Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?
Of course it's not just stock firmware being hacked.
On custom firmwares that open all possible functions, hackers have more possibilities to act, too.
And a "hack" is often not what most people think, like scenes in the movie Firewall where a hack is just hitting buttons as fast as you can and you're "in".
Too bad that you reset your router. It would have been better if you had kept watch over your router, saving proofs and footprints like running processes, open connections, logs etc.
In the current situation, you will not find out what happened.
In your case, and this is the case in most cases, I guess that one of your computers is infected with a trojan, because that's the simplest way to get into a network and get a router password.
Maybe the router wasn't infected and one of your computers is the member of a botnet, IF it was the result of a botnet. Some programs, like torrent clients or other filesharing tools, act in the background.
My last word applies to the statistic that you posted. An upload of 400 to 600 gigabytes per month is really a lot for one user. It is even a lot for maybe 5 users.
Either you upload files regularly or you posted the wrong statistic.
If I had a botnet and would infect a custom router with dd-wrt or openwrt, I would install a vlan interface that doesn't affect the traffic counter. That's not so hard and the signs for a regular user aren't so bright.
It must be a bug then. After I reset, I'll narrow down the cause and make a report (where does one do that, by the way?).
v3.0-r31205M (Kong), just changed those 2 settings and became locked out, with wrong pass on both web and telnet.
Nothing a reset can't fix, though not looking forward to reconfiguring YAMon. I had painstakingly named all the devices. Not sure I can export those now that it's not running (and can't be started without telnet, afaik).
Posted: Sun Mar 26, 2017 11:17 Post subject: Re: Router hacked, joined botnet, sent 4TB over a few days
xichael wrote:
So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.
Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?
No known issues and I do extensive security tests and have tools that find potential security issues in the code.
From your comment it sounds like you did not have a good password set before this happened. Let me tell you it is much easier to be hit by a drive by attack from inside your lan, than for someone to hack into the router from wan side, which is nearly impossible, especially if you have not exposed any services to the wan side.
The way this happens: you go to a bad website and that website comes with code that tries to open a connection to your router from your client that has the browser open, from the lan side. If you have set an obvious password then this is easy and the attacker can run commands on the router, pull in additional software etc.
Thus make sure to always set proper passwords, to use isolated guest networks for computers you do not trust as much etc., this way they cannot contact your router or lan from the inside. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Very weird stuff here. I was finally able to log in when I tried the old password on a whim. Pretty sure this was the pre-reset pass, so I'm having trouble understanding how it could still be around, or how switching those settings could've caused it to revert. I had been logging in with the new password up till then.
Anyway, I've set an extra-super-secure password now. Hopefully this is the end of the weirdness.
Thanks for the insight, Kong. It does sound more likely that it came from within the LAN. We have almost 20 devices regularly connecting here, not counting guests (who I should really put on a guest network). As long as it was just a one-time drive-by thing and not an ongoing compromised system, I'll be tentatively happy.
Posted: Mon Mar 27, 2017 8:12 Post subject:
if you are not running a pppoe ISP connection, you can limit
access to the router GUI (port 80) via iptables and specify only a particular MAC address that is allowed to access it...
before applying make sure: you save all your current settings in a file, you do have telnet/ssh access to the router, the reset button is enabled, and the mac address is spelled correctly (capital letters), otherwise you can lock yourself out
p.s. you have to save those lines in Administration>Commands>paste and save in firewall script _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
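As an added example (not code from the post above or from DD-WRT), a small POSIX shell script that generates the two iptables lines for the firewall script the post describes, restricting the web GUI on TCP port 80 to one LAN client by MAC address, and rejects a MAC that is not in the upper-case form the post warns about. The MAC value AA:BB:CC:DD:EE:FF is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the forum post or from DD-WRT itself.
# Prints the firewall-script lines that allow only one MAC to reach the
# router's web GUI (TCP/80); it does not run iptables, so it is safe to
# test before pasting the output into Administration > Commands.
# AA:BB:CC:DD:EE:FF below is a constructed placeholder MAC.

# Return 0 if $1 is a MAC in upper-case colon form (AA:BB:CC:DD:EE:FF).
# The post warns that a mis-spelled or lower-case MAC locks you out,
# so the format is checked before any rule is emitted.
valid_mac() {
    hex='[0-9A-F][0-9A-F]'
    case "$1" in
        $hex:$hex:$hex:$hex:$hex:$hex) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the two rules. The DROP is inserted first, then the ACCEPT is
# inserted above it, so the allowed MAC matches before the catch-all
# DROP. Only port 80 is touched: telnet/ssh stay reachable as the
# fallback the post says you must keep.
gui_acl_rules() {
    mac="$1"
    if ! valid_mac "$mac"; then
        echo "invalid MAC (use upper-case AA:BB:CC:DD:EE:FF): $mac" >&2
        return 1
    fi
    echo "iptables -I INPUT -p tcp --dport 80 -j DROP"
    echo "iptables -I INPUT -p tcp --dport 80 -m mac --mac-source $mac -j ACCEPT"
}

# Number of rule lines produced, as a sanity check before pasting.
rule_count() {
    gui_acl_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./gui_acl.sh AA:BB:CC:DD:EE:FF > firewall_lines.txt
gui_acl_rules "${1:-AA:BB:CC:DD:EE:FF}"
```

The DROP applies to the INPUT chain only, so it affects connections to the router itself and not traffic forwarded for LAN clients.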
Posted: Mon Mar 27, 2017 8:19 Post subject: password protection
Try Password Manager; it can help to give you a solution to your passwords. It works with iOS, Windows, and Android as a password and files manager. It is free and awesome!