Posted: Sat Aug 03, 2019 13:56 Post subject: Router was hacked
Hi...
I own an E4200 router and found my router was hacked. I had *stock* firmware from Linksys on there and went to log in and found DD-WRT installed.
A helpful person on another forum suggested there are some BotNets out there and that may be my issue.
The default password does not work. I assume it is admin/password. So someone installed and changed the password.
Oddly enough I can get to the admin page remotely, but cannot on the local network.
Does anyone have any experience with this?
The short of it is I would like to put the stock firmware back on to make sure I erased the malware image and then maybe install a clean DD-WRT install. How do I go about this especially since I cannot log in?
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sat Aug 03, 2019 15:33 Post subject:
Reset button. Do a hard reset and reboot and re-configure or re-flash locally. And never, ever open remote management without locking it down properly.
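What "locking it down properly" means in practice is checking which services the router offers on its WAN side, which is exactly what the original poster observed going wrong (admin page reachable from outside). The following is an added example, not code from this thread or from the DD-WRT project: a POSIX shell audit that reads a saved `nvram show` dump and flags remote-management settings exposed toward the WAN. The nvram key names used (`remote_management`, `http_wanport`, `remote_mgt_https`, `remote_mgt_telnet`, `remote_mgt_ssh`, `sshd_passwd_auth`) are the DD-WRT keys as I understand them and are assumptions here; confirm them against `nvram show` on your own build. Both dumps are constructed samples.

```shell
#!/bin/sh
# Added example: audit a DD-WRT "nvram show" dump for remote-management
# exposure toward the WAN. Feed it a saved dump, or adapt nv_get to call
# `nvram get KEY` directly on the router. The nvram key names below are
# assumed DD-WRT keys; verify them on your build before relying on this.

# Constructed sample dumps (not from a real device); only the relevant keys.
WEAK_DUMP='remote_management=1
http_wanport=8080
remote_mgt_https=0
remote_mgt_telnet=1
remote_mgt_ssh=1
sshd_passwd_auth=1'

HARDENED_DUMP='remote_management=0
http_wanport=8080
remote_mgt_https=1
remote_mgt_telnet=0
remote_mgt_ssh=0
sshd_passwd_auth=0'

# nv_get DUMP KEY: print the value of KEY in DUMP (empty if the key is absent).
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_remote_mgmt DUMP: print one finding per line for every management
# service the dump exposes toward the WAN. Returns 0 when nothing is
# exposed, 1 when at least one finding was printed.
audit_remote_mgmt() {
    arm_dump=$1
    arm_findings=0

    # Web UI on the WAN interface: bad over plain HTTP, still a risk over HTTPS.
    if [ "$(nv_get "$arm_dump" remote_management)" = "1" ]; then
        arm_port=$(nv_get "$arm_dump" http_wanport)
        if [ "$(nv_get "$arm_dump" remote_mgt_https)" = "1" ]; then
            echo "web admin reachable from WAN over HTTPS on port ${arm_port:-unknown}"
        else
            echo "web admin reachable from WAN over plain HTTP on port ${arm_port:-unknown} (credentials sent in clear)"
        fi
        arm_findings=$((arm_findings + 1))
    fi

    # Telnet from the WAN is unencrypted and has no place on a router.
    if [ "$(nv_get "$arm_dump" remote_mgt_telnet)" = "1" ]; then
        echo "telnet reachable from WAN (unencrypted; should be off)"
        arm_findings=$((arm_findings + 1))
    fi

    # SSH from the WAN is tolerable only with key-only auth and source filtering.
    if [ "$(nv_get "$arm_dump" remote_mgt_ssh)" = "1" ]; then
        if [ "$(nv_get "$arm_dump" sshd_passwd_auth)" = "1" ]; then
            echo "ssh reachable from WAN with password authentication (use keys only)"
        else
            echo "ssh reachable from WAN (key-only auth; still restrict source addresses)"
        fi
        arm_findings=$((arm_findings + 1))
    fi

    [ "$arm_findings" -eq 0 ]
}

# Demo: audit both constructed dumps.
echo "== weak configuration =="
audit_remote_mgmt "$WEAK_DUMP" || echo "-> exposed: disable or restrict these remote-access settings"
echo "== hardened configuration =="
audit_remote_mgmt "$HARDENED_DUMP" && echo "-> nothing exposed toward the WAN"
```

The audit is deliberately read-only: it reports what a dump says and leaves the decision to the operator. The weak sample produces three findings (web admin over plain HTTP, telnet, and SSH with password auth), the hardened sample none.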
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sat Aug 03, 2019 20:00 Post subject:
Only need for JTAG is if CFE got blown out. Serial / TFTP recovery is probably easiest, if you have to go that far because a 30/30/30 doesn't reset it.
I would reflash the thing after you get it reset. No telling if the firmware was modified and is compromised in some way. If they did mod it, it is also possible that the default password has been changed so that a factory reset will not reset it. You might be dealing with an essentially "bricked" router unless you can TFTP or JTAG flash it.
Out of the box, DD-WRT has no "default" password. It prompts you to create a new user/password the first time you open the web UI.
That was my thought. I don't trust the build for obvious reasons. I had trouble using Chrome of all things to do the re-flash. I put dd-wrt.v24-30880_NEWD-2_K3.x_mega-e4200.bin on it and was able to do a 30/30/30 reset. I wanted to just get something else running on the router.
It did indeed prompt me for a new password and I think I am good to go.
Re kernel-panic69, I thought I had it locked down properly but evidently I did not. I would be curious whether the stock firmware has another vulnerability or whether this was re-imaged through remote management.
Loaded question. Now that I have this 'bad' image off, what image should I be running? Now that I am taking a fresh look at this, I am curious whether I should be running K3.x or K2.x or stock. I saw a blog posting Steve Jenkins did and saw that the stock image performed better, but was curious if anyone has any experience with this.
I can post on another thread since it is a little out of scope of my original posting.
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sun Aug 04, 2019 17:29 Post subject:
I just got done flashing today's build DD-WRT v3.0-r40527 mega (08/04/19), so far, so good. I still have some configurations to check and test, but otherwise, all good. If you're stuck at 30880, you'd want the K2.6 build (the one he recommended in that blog), but otherwise, a much newer K3.x would be ideal. There have been so many patches since that old build. I wouldn't recommend a K2.6 build after 35531, though, especially if you run scripts via the Commands tab.