[FALSE POSITIVE] DNSChanger malware on my router?

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
bonezone
DD-WRT Novice


Joined: 03 Jun 2022
Posts: 3

PostPosted: Fri Jun 03, 2022 6:27    Post subject: [FALSE POSITIVE] DNSChanger malware on my router?
Router: Netgear R7000P
Firmware: r48996

I noticed an extra password I never saved for my router in my password manager (d6nw5v1x2pc7st9m). I googled the password and it took me to this blog, which says they had the same password appear in a password manager for their router one day. They say the following:


    • Rightardia reported earlier that both the Linksys and Netgear routers can be infected with malware that is called DNSChanger and is supposedly a variant of Zlob malware

    • it affects DD-WRT routers

    • it is possible that hackers have developed a technique to piggyback off of existing passwords with a secondary password.

    • This malware MO suggests the router malware is used to create a botnet.


Every time I reset my router the browser asks if I want to save the password; if I agree, it saves the bogus password from above. I have followed their instructions for clearing the malware without any luck. I deleted the saved password as they recommend and changed my router's IP address. They say to disable web GUI management and set the router to HTTPS only, but I can't access my router then. What I also tried that they don't mention is resetting the router and putting in my settings again. That seemed to stop my computer from asking to save the password on reset, but my phone still asks to save the bogus password. I've run malware removal across all devices and haven't found anything.

Any help in removing the malware would be greatly appreciated.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Fri Jun 03, 2022 7:09    Post subject:
When I access my router GUI:
- do not use any browser extensions
- use Pale Moon (a non-Chrome-based browser) to access the router only
- do not save passwords in the browser; save them to a txt file
- use the browser in private mode
- use a long and complex password, 20 symbols
- I have firewall restrictions to permit only known users to access the GUI (via iptables rules)
- use only HTTPS to access the GUI; you have to accept the self-signed certificate and click on proceed (it's safe)

Reset the router, unplug the WAN cable, set the password and all those from above... then plug the WAN cable back in, reboot and proceed with the rest of the settings...

In all my DD-WRT use I've never had any trojans, viruses or DNSChangers... but yes, they do exist in the wild..
In general the DD-WRT OS is a read-only system and cannot be infected... so the infection comes from somewhere else.... very likely the browser, as DNS at the browser level overrides the router DNS, so very likely you have an infected browser...

To repeat... in general DD-WRT is a read-only system and the only writable place is its temp directory, which is built when the router boots... and is used for its operation, so whatever comes, it comes from anywhere else and it goes there, and on reboot it's reset... but it's not easy to get there if you have a decent password...

Last thing: it's not bad to update to the latest build 49049 (but a new one is coming today, as 49059 was pulled) and reset and rebuild your settings manually... the way I suggested above..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Jun 03, 2022 7:12    Post subject:
https://github.com/mirror/dd-wrt/search?q=d6nw5v1x2pc7st9m

This is the default value that is displayed in the fields with asterisks.

So do not worry, has nothing to do with malware.

Chrome also spits out a message every time I restart the router.

"insecure password" Rolling Eyes

But congratulations, your first post in the forum and then immediately bullshite



[Attachment: 7945649999.jpg (74.08 KB), screenshot of the browser warning]

bonezone
DD-WRT Novice


Joined: 03 Jun 2022
Posts: 3

PostPosted: Fri Jun 03, 2022 7:41    Post subject:
ho1Aetoo wrote:
https://github.com/mirror/dd-wrt/search?q=d6nw5v1x2pc7st9m

This is the default value that is displayed in the fields with asterisks.

So do not worry, has nothing to do with malware.

Chrome also spits out a message every time I restart the router.

"insecure password" Rolling Eyes

But congratulations, your first post in the forum and then immediately bullshite


Good to know, no need to be mean about it Laughing


Last edited by bonezone on Fri Jun 03, 2022 7:45; edited 3 times in total
bonezone
DD-WRT Novice


Joined: 03 Jun 2022
Posts: 3

PostPosted: Fri Jun 03, 2022 7:44    Post subject:
Alozaros wrote:
When I access my router GUI:
- do not use any browser extensions
- use Pale Moon (a non-Chrome-based browser) to access the router only
- do not save passwords in the browser; save them to a txt file
- use the browser in private mode
- use a long and complex password, 20 symbols
- I have firewall restrictions to permit only known users to access the GUI (via iptables rules)
- use only HTTPS to access the GUI; you have to accept the self-signed certificate and click on proceed (it's safe)

Reset the router, unplug the WAN cable, set the password and all those from above... then plug the WAN cable back in, reboot and proceed with the rest of the settings...

In all my DD-WRT use I've never had any trojans, viruses or DNSChangers... but yes, they do exist in the wild..
In general the DD-WRT OS is a read-only system and cannot be infected... so the infection comes from somewhere else.... very likely the browser, as DNS at the browser level overrides the router DNS, so very likely you have an infected browser...

To repeat... in general DD-WRT is a read-only system and the only writable place is its temp directory, which is built when the router boots... and is used for its operation, so whatever comes, it comes from anywhere else and it goes there, and on reboot it's reset... but it's not easy to get there if you have a decent password...

Last thing: it's not bad to update to the latest build 49049 (but a new one is coming today, as 49059 was pulled) and reset and rebuild your settings manually... the way I suggested above..


Thanks for the help! That puts my mind at ease.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Fri Jun 03, 2022 9:38    Post subject:
So marking this as solved.... Nice false positive.

For future reference, know that only the very latest DD-WRT builds include known exploit patches; for instance, the build you are running has a security flaw in one of its components, OpenSSL to be exact.

Current DD-WRT builds patch kernels, libraries and other components for known security issues, but that doesn't mean there are no unknown exploits unpatched. And since DD-WRT uses many 3rd-party libraries and components that are maintained by separate developers, it's unrealistic to maintain every aspect of a large project, but considerable efforts are made by BrainSlayer to update all relevant areas ASAP.

While I appreciate some random blog post may in part be blaming DD-WRT, I think it's an unreasonable claim that dismisses user culpability and has unreasonable expectations of any userland anything.

And to end this as I mean to go on: there is NO firmware or software or hardware or operating system that is exploit-free. Everything done by people can be equally undone (not necessarily easily undone, but undone it can be).

So good luck with believing unicorns exist.

But it was fun to read this FALSE positive report. Goes to show you weren't paying attention to what the router was telling you.

By the way, stock firmwares for the most part (some do, most don't) don't warn you that you must set up a secure password and change defaults. So change both the default web UI user and password to uncommon ones, never Admin or variant user names, and use long-ass passwords; mine is 41 random characters long and changed regularly.

So you know, stock firmwares for many main brands have had one serious unpatched exploit recently that allowed permanent and persistent malware to be installed into the router, and no reset would get rid of it (the only solution if affected is to buy a new router). DD-WRT was unaffected.

Do you think these companies are giving free routers to their users, since they are responsible for knowingly using outdated kernels, libraries and components from day 1?

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)


Last edited by the-joker on Fri Jun 03, 2022 9:43; edited 1 time in total
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

PostPosted: Fri Jun 03, 2022 9:41    Post subject:
ho1Aetoo wrote:
https://github.com/mirror/dd-wrt/search?q=d6nw5v1x2pc7st9m

This is the default value that is displayed in the fields with asterisks.

So do not worry, has nothing to do with malware.

Chrome also spits out a message every time I restart the router.

"insecure password" Rolling Eyes

But congratulations, your first post in the forum and then immediately bullshite


This is indeed a placeholder. If this value is set, no password will be saved, and it shows a nice amount of asterisk stars in the input field instead of an empty one. The reason for doing this is that it's masking the real password, so the real password will never be shown in the HTML code. This is also impossible for another reason: the passwords are only stored as a seeded hash, same for the username. There is no cleartext password saved within the router.
In addition, if you never set a password, you cannot log in to the router with telnet or SSH. It boots up, and once you connect to the GUI you are forced to set your own password. You cannot even configure the router without setting your own password. If you set a weak one, okay, your choice; I do not prevent this.

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
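The placeholder pattern BrainSlayer describes, as an added example that is not DD-WRT's own httpd code: the password field is pre-filled with a fixed public sentinel (the same value the original poster saw), the page never contains anything derived from the real password, a submitted value equal to the sentinel means "unchanged", and the stored credential is only a salted hash. The function names, the PBKDF2 choice and the iteration count are this example's assumptions, not DD-WRT's implementation.

```python
"""Added example (not DD-WRT code): sentinel-masked password field + salted hash."""
import hashlib
import hmac
import html
import os

# The sentinel is pre-filled into the password inputs. It lives in public
# firmware source, so browsers/password managers may flag it as "breached";
# that is expected, and it must never be accepted as a real credential.
SENTINEL = "d6nw5v1x2pc7st9m"
ITERATIONS = 100_000  # assumption for this example; DD-WRT's hashing is not specified here


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex'. A fresh random salt (the 'seed') per change."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored salted hash; the sentinel never logs in."""
    if password == SENTINEL:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def render_password_form() -> str:
    """The admin page only ever emits the sentinel, so the HTML masks the real password."""
    v = html.escape(SENTINEL)
    return (
        '<form method="post">'
        f'<input type="password" name="http_passwd" value="{v}">'
        f'<input type="password" name="http_passwd_confirm" value="{v}">'
        '<input type="submit" value="Apply">'
        "</form>"
    )


def apply_submission(stored_hash: str, submitted: str, confirm: str) -> str:
    """Return the hash to keep in NVRAM after a form post.

    Sentinel submitted (browser autofill, user left the field alone) -> existing hash.
    Anything else must match its confirmation and be non-empty -> new salted hash.
    """
    if submitted == SENTINEL and confirm == SENTINEL:
        return stored_hash
    if submitted != confirm:
        raise ValueError("password and confirmation differ")
    if not submitted:
        raise ValueError("empty password refused")
    return hash_password(submitted)


if __name__ == "__main__":
    current = hash_password("correct horse battery staple")
    page = render_password_form()
    assert "correct horse" not in page and SENTINEL in page
    # Saving unrelated settings re-posts the sentinel: hash stays the same.
    assert apply_submission(current, SENTINEL, SENTINEL) == current
    # A real change: new salt, new digest, old password no longer verifies.
    new = apply_submission(current, "Tr0ub4dor&3", "Tr0ub4dor&3")
    assert new != current and verify_password("Tr0ub4dor&3", new)
    assert not verify_password("correct horse battery staple", new)
    print("sentinel handling ok")
```

Note why the sentinel must be rejected at login as well as at save time: because it is public, an attacker could otherwise type it into the login form on a box whose owner never changed the field, so `verify_password` refuses it regardless of what is stored.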
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Jun 03, 2022 11:29    Post subject:
The value "d6nw5v1x2pc7st9m" is in some password database.

See https://haveibeenpwned.com/Passwords

I don't know exactly what database Chrome uses, but Chrome also recognizes the "placeholder" as a "false positive".
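How a browser or password manager ends up flagging the placeholder, as an added example (not Chrome's, DD-WRT's or HIBP's code): the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching suffix with a breach count, so the full value never leaves the client. The endpoint URL and the `SUFFIX:COUNT` response format are the real, documented API shape; the response body used below is constructed inline so the example runs offline, and the helper names are this example's own.

```python
"""Added example: k-anonymity Pwned Passwords check of the DD-WRT placeholder."""
import hashlib
import urllib.request

HIBP_RANGE = "https://api.pwnedpasswords.com/range/"  # real endpoint, GET /range/<5 hex>


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Only the 5-character prefix is ever sent to the service."""
    return HIBP_RANGE + sha1_prefix_suffix(password)[0]


def pwned_count(suffix: str, range_body: str) -> int:
    """Scan a /range response ('SUFFIX:COUNT' lines) for our suffix; 0 if absent."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)  # padded entries (Add-Padding header) carry count 0
    return 0


def make_sample_range_body(entries) -> str:
    """Constructed stand-in for an API response: list of (suffix, count) pairs."""
    return "\r\n".join(f"{s}:{c}" for s, c in entries) + "\r\n"


def fetch_range_body(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (not used by the offline demo). HIBP requires a User-Agent."""
    req = urllib.request.Request(
        HIBP_RANGE + prefix,
        headers={"User-Agent": "placeholder-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    placeholder = "d6nw5v1x2pc7st9m"
    prefix, suffix = sha1_prefix_suffix(placeholder)
    # Constructed response: one unrelated suffix plus ours, as the service would list it
    # once the public firmware source has been scraped into breach corpora.
    body = make_sample_range_body([("0018A45C4D1DEF81644B54AB7F969B88D65", 4), (suffix, 9)])
    print("query URL:", range_url(placeholder))
    print("seen", pwned_count(suffix, body), "times (constructed data)")
```

The practical takeaway for this thread: a hit here means the string is in a public corpus, which the DD-WRT placeholder is by construction; it says nothing about whether the router's real password leaked, since that password is never placed in the page.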
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Fri Jun 03, 2022 13:04    Post subject:
bonezone wrote:
ho1Aetoo wrote:
But congratulations, your first post in the forum and then immediately bullshite


Good to know, no need to be mean about it Laughing



_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
strange
DD-WRT User


Joined: 18 Jun 2006
Posts: 229

PostPosted: Fri Jun 03, 2022 14:46    Post subject:
Surprised Laughing Razz Family
_________________
Netgear XR500 - Gateway
R6700 v3 - Station Bridge