Router hacked? How can I avoid this?

Thu, 21 Aug 2008 23:37:32 Z

Background info of incident:

I was trying out windows home server and went to DYNDNS.ORG for their free domain name service.

My internet connection is dynamic so I thought to use that.

The ports on my router that i opened at first were 443,4125 and 80 on tcp.

The router I was using was the BEFSX41 router form linksys.

The router's firmware was not at first updated.

What happened:

I had enabled the ports listed above (80,4125 and 443). At first I had issues with connection over the internet. So I disabled all the firewall options except for the SPI. Then enabled each one by one while checking on another connection to see if I still could connect to the home server (also had UPNP enabled).

It got hacked, I could not chose anything on the gui for changes, my logs were all gone, time zone, date were changed and everything was select to open (it was as if my router was not even there). This was not too long after I had signed on to the DDNS through the router and after I made a free account there. The only way to reset the router was manually.

So I went to linksys's site and saw there was a recent update (pathing a upnp vulnerability.. upgraded the firmware and it took.

So I changed modems around, made a new account with dyndns and watched the connections for a bit the next day using a different connection.

a few hits came (this time I only set up 443 and 4125 and closed 80) in then I looked at the security for firewall and saw 113 was open (it was closed before). Noted the IP and moved on. a few minutes later I checked and it was completely toasted again (the linksys router). Wide OPEN to the internet.

Needless to say I am not sure what to do. I am a engineering major and not a programmer.

I wanted to know what I could do to protect myself from this sort of thing.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 00:31:25 Z

I wanted to know what I could do to protect myself from this sort of thing.

Very strong admin password for the router. And, for the love of God, disable remote admin (AKA WAN admin access.) There is really no reason that you should leave that enabled.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 00:42:52 Z

Turn off remote administration and change the password. Those are the two things you should do immediately. I would also turn off UPnP and configure port forwarding manually.

But in the longer term, someone has figured out that you're vulnerable to attack, and they're trying to set up a mail relay through your router (port 113). Perhaps replacing the router would be a better option. I think highly of DLink (except the DIR-655, which a lot of people here have had problems with) and Netgear. I have a SonicWall myself, but that's a SOHO router, not a consumer/home router.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 03:01:06 Z

Ken Warren wrote:

The remote was off.

2nd time I manually did all of that.

I am thinking someone has an exploit for the router.

The router since has been removed from that service and I no longer have the server up and running.

It's doing fine now. It was jsut getting killed when I was using the DDNS feature on it.

DYNDNS gives a list of routers here:

http://www.dyndns.com/support/clients/hardware/

I would replace the router but seeing how easily that one was taken down, I wonder how hard it would be for whoever that is to hit other home-based routers.

I really could use some good suggestions for safer services that are free or cheap.

I'd love to use windows home server and have been aching to buy it on new3gg.

I am tryng to set it up for study groups at school so we can share files easily and quickly.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 03:06:48 Z

cuppie wrote:

I wanted to know what I could do to protect myself from this sort of thing.

Very strong admin password for the router. And, for the love of God, disable remote admin (AKA WAN admin access.) There is really no reason that you should leave that enabled.

remote was off the 2nd time.

I had updated the firmware as well.

example of complexity and length of passwords I use for the router:

#bxns7479*ncbGs43&jebcns7te3b^dbc43n19t

the actual ones I do use I have memorized.

It didnt help me in this situation... and having long passwords memorized that did nothing for me makes me feel.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 07:40:24 Z

Some routers also have a backdoor which allows telnet entry, in some cases even with some default password thus bypassing your strong password. So close the telnet port, or forward all WAN requests on the telnet port to some fake private IP address, for example if your clients have IP addresses in the 192.168.1.1 range you can forward telnet requests to 192.168.21.25

Also please note that running a (web) server (opening http port) is more or less an invitation for hackers.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 07:40:35 Z

The previous suggestions are all good security measures to take with consumer routers. But, I find building your own upnp router works best when done right with a linux kernel...Way more secure, and very customizable. A lot harder to hack as well.

This may be new to most of you, building your own gigabyte ethernet router. But there are plenty of resources to use from the linux website or you can google for resources. You can download any distro you feel comfortable with and give it a try. If you want to purchase a distro instead, you can get one from ebay website (seller: deepspace6auctions). These days you can download a liveCD version that can be run directly from CD or DVD ROM (no need for a hard drive or anything else that will generate heat), and you certainly don't need a monitor either. You can also run from a floppy disk using coyote linux. The best part, you get to take that old pc from out of the closet or basement to put to use once again.

If you wish to attempt this, please note that a fast computer is not required. I am using an old 486 intel 266MHZ system, with 512MB memory module. I use a kernel from http://www.gibraltar.at/. and it works fine. If you want wifi router instead, try the kernel from http://www.wifislax.com/descargas.php, works best with wifi tech.

If you're squimish about linux or you want to use an old Windows system as a router, I would suggest you go hear instead http://www.mikrotik.com/index.html, this is a Windows Router OS, and easy to install and administer.

Hardware is cheaper these days as well, but some of you may already have spare hardware lying around, if not, get this "Sabrent PCI-G802 PCI Wireless Card - 54Mbps, 802.11g, Windows/Mac/Linux Compatible". This is very compatable with linux OS and under $20US.

If you are not technically incline like most people, then I suggest getting this router instead "Linksys WRT54GL Wireless Router - 54Mbps, 802.11g, 4-Port, Open Source Linux Version", for more on this wrt router please visit http://www.wrtrouters.com/router/wrt54gl/. The good thing about this router, you can setup a hotspot area in your home for a radious of 300m, cool right?! Visit http://www.hotspotsystem.com/en/hotspot/wifi_hotspot.html, for more information on hotspot project.

Goodluck to everyone who will attempt this project on their own. Please post back if you have any question, or just google it if you want an answer immediately.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 08:04:37 Z

Sketchah wrote:

Ken Warren wrote:

The remote was off.

2nd time I manually did all of that.

I am thinking someone has an exploit for the router.

The router since has been removed from that service and I no longer have the server up and running.

It's doing fine now. It was jsut getting killed when I was using the DDNS feature on it.

DYNDNS gives a list of routers here:

http://www.dyndns.com/support/clients/hardware/

I would replace the router but seeing how easily that one was taken down, I wonder how hard it would be for whoever that is to hit other home-based routers.

I really could use some good suggestions for safer services that are free or cheap.

I'd love to use windows home server and have been aching to buy it on new3gg.

I am tryng to set it up for study groups at school so we can share files easily and quickly.

If you are willing to try a linux kernel, then try this fw router instead http://www.smoothwall.org/, download a copy of this distro. and install it on an old 386 pc if you have any, you can get a cheap pc for about $50US, just and an extra wifi adapter to make it wireless, or a regular wired adapter works better with protecting your router, plus, it helps if your router credential is not the same or close to your dynamic services' credentials.

Goodluck.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 08:07:56 Z

Could be something like this:

http://www.juniper.net/security/auto/vulnerabilities/vuln6201.html

"Linksys Router Unauthorized Management Access Vulnerability"

Best greetings from Germany

Olaf

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 08:28:05 Z

Yes, that is why a hacker is able to access the linksys router. Which is why I suggest getting the WRT router from linksys instead, the WRT I suggested can be updated with a linux firmware to prevent such hacks. If you're not a (Linux) power user there's little point in enduring the cost of this version over the standard ''G'' model. However, if you're like me, you bought it for the modded firmware and the features that come along with it. I've added an SD slot to mine, with a 1GB SD card supporting web and ftp servers in a DMZ, and also run the VoIP mods. Performance for me has been awesome! It's been 6 months in service with no issues thus far. This router is the bomb - if for no other reason than the ability to bump the radio power! I get far better signal in the top portion of my house than I ever did with my prior D-Link. For info, see Google, and start here: http://www.wrtrouters.com/router/wrt54gl/. If there's a fault to find with this router it may be that it can do _too much_. Plus the option to setup a wifi hotspot in your home is a bonus.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 14:45:39 Z

hughojar wrote:

Goodluck to everyone who will attempt this project on their own. Please post back if you have any question, or just google it if you want an answer immediately.

hughojar wrote:

Thanks for your help, I have 3 distros of linux here that I have been looking into. I have played with ubuntu from 6.06 to 8.04 thus far. I even bought a book "Hacking Ubuntu" published by extremetech. I do have several old computers and spare parts + a few other network cards.

I am pretty interested ino running a machine as a router and if this wold give me better security I am all for it.

My level of experience= n00b when it comes to linux. I had also looked at the WRT firmwares before posting on here.

I saw the one router I had was not listed as supported (I understand which model you are talkign about as to it is one of the most popular ones.)

Also, how hard would it be to set up WHS through multile routers and would that only be a speed bump (and not a wall) to a bot with exploits?

Also I would like to thank the poster who talked about the backdoor through telnet. I had not thought about that and had done something like that before to a router to send requests to an invalid IP.

I found this last night concerning my router (I do see it says 2004)

Linksys routers may be open to remote sniffing
Posted by L33tdawg on Friday, June 04, 2004 - 06:32 PM (Reads: 4559)

Source: The Inquirer

FOLKS AT security portal SecuriTeam published on May 17 an exploit that could allow hackers and other nasty people to remotely sniff traffic passing through the router, and also crash the device. The article says it all comes down to a "memory leak", causing a flaw in the way the Linksys routers' DHCP server returns BOOTP protocol packets. This exploit is currently listed at position #3 in the SecuriTeam.com front page, so expect lots of script kiddies to be playing with it as we write (and you read) this. The site says: "Instead of returning legitimate BOOTP responses, (the linksys units) return BOOTP responses with the BOOTP fields filled in with portions of memory. This allows you to do cool things like the equivalent of sniffing all the traffic to/from the device". It continues: "I have successfully used this technique to steal the admin username and password from an innocent third party who recently configured the device, and I watched someone's traffic as they browsed ebay for a new Ti-Book". The exploit code indicates the vulnerability has been tested "on a fully updated Linksys BEFSR41 and BEFW11S4" but the author of this exploit, who signs his code under the name Jon Hart, hints that all other Linksys routers which have a dhcp server could be vulnerable "Currently, this looks to include at least the BEFN2PS4, BEFSR41, BEFSR81, BEFSX41, RV082, BEFCMU10, BEFSR11, BEFSR41W, BEFSRU31, BEFVP41, WRT55AG, WRV54G, WRT51AB", he writes.

^^^ that was a bit troubling^^^ I am begining to think my BEFSX41 and my DI-604 are only good for in-house use for gaming.

I am going to give this another shot though w/ school starting moday I am anxious to get this working.

Thank you all and I will keep reading this thread. I will try out these suggestions and test them.

I wish I knew where the exploit was because I would try and reproduce the problem to find the best fix.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 14:51:37 Z

Just to note to the OP: There is no reason to use DynDNS for WHS. If you take advantage of the homeserver domain and certificate, you automatically get re-direction for your dynamic IP.

I believe that the HP unit also has the option of using TZO, which also has the same facility.

Also, just to note that I now have about 18 customers all using the D-Link DIR-655, which are all pleased with.

Colin

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 17:13:06 Z

I found out today this exploit was used on my linksys router. I logged into it and its an open hole with a crippled interface.

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 19:34:11 Z

Colin Hodgson wrote:

Just to note to the OP: There is no reason to use DynDNS for WHS.

Note to Colin:

Sometimes in the real world it happens, that the domain homeserver.com points to the wrong (old, whatever) IP address. (Maybe if the router lost the connection to ISP for a short time or whatever the reasons are.)

Of course always, if you need the connection urgently.

In such situations a second way in via dyndns.org is for sure helpful.

Best greetings from Germany

Olaf

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 20:38:01 Z

One major way of securing my network, is to put my linksys router behind my linux firewall. This is the setup I am currently using for my WRT model.

linksys setup:

Linux firewall with DMZ ported directly to my linksys WRT router (router setup is disabled for DHCP, instead I use one of my server to create and supply NAT,
DNS and DHCP addresses) to my DMZ network.
Routing is also disabled on router, it is only supplying basic connectivity for DMZ network.
Remote access is disabled. You get the idea.

As for my linux fw router:

The basic is connectivity for upnp and direct port to and from my internal network, with port forwarding to and from the net. SSH and remote access is disabled.
dhcp is disabled on linux router (internal DNS, DHCP, and WEB is supplied from inside my network).

If any of you ever checked the connection map of your adapter, a basic setup from your ISP is like this:

from external net:

ISP dhcp enabled
ip address from ISP = 1.1.1.2, with submask

ISP network setup:

ISP gateway = 1.1.1.1 (this is on the same network as your external ip address)
ISP DHCp = 1.1.1.1 ( this is same as isp gateway)
DNS = 2.2.2.2 for primary, and 5.5.5.5 for secondary (this setup is to further protect the internal network from the outside, by supplying dns and nat from two different network)

However, you can further protect the network by turning off DHCP, DNS, and ROUTING on the fw router facing the wan. It is safer to provide these service from your internal network behind the firewall, or even the DMZ itself.

I hope this helps. Good luck.

Hugh

Router hacked? How can I avoid this?

Fri, 22 Aug 2008 23:29:27 Z

Thx I will give this a few go arounds.