
Router compromised?


chrisinth


Hi Guys,

Not sure if it is just my computer but when I go to the new tech site and try to comment, I am diverted to some Russian game sites. The article I was trying to comment on was the Sony hack traced to Bkk hotel. The initial site I was directed to was:

http://vktarget.ru/?ref=162125

My computer is clear with Malwarebytes (Premium) and Norton Internet Security. Cookies and browsing history have been cleared, but I still get the redirection.

Pretty sure I am clean.


Hi Guys,

With reference to posts 4 & 5 (Min Max & danbradster), this was my initial thought as well, that the router was compromised. When the initial problem started the ISP was indeed TOT, but using a Cisco router and not the one provided by TOT. Checked router setup and DNS (OK), reset password and rebooted.

Laptop running Windows 7 Pro: cleared caches, flushed DNS, cleared favourites (IE) and deleted bookmarks (Chrome), deleted all wireless network connections, hard boot. Still had problems with redirection.

Since then till now (2 weeks) I have used a total of 18 (yes, I counted) different connections through 3 different ISPs (TOT, 3BB & True) and in more than half of these, I have used the cleaning/flushing/scanning methods, not used favourites or bookmarks, and still have the redirection problem. Chrome (default browser) was uninstalled/reinstalled as an added measure.

Conclusion is that I have some nasty little bug residing somewhere on the laptop. Anyone with any suggestions would be greatly appreciated with their comments.

BTW George, I believe it was only coincidental that I was on the new tech site when all this happened... (wink)


Your hosts file might have been compromised.

Have a look here http://www.dslreports.com/faq/10131

Nope, thanks for the input, but the hosts file seems OK (Windows 7 Pro):

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


Does this help?

(remove the vktarget virus from your browsers)

http://www.pccaretips.com/blog/best-guide-to-remove-vktarget-ru-pop-up-virus-from-browsers.html

Look for the described symptoms, installed software (add ons).

Makes me wonder that your antivirus software says all clear, though???

Edited by KhunBENQ

Does this help?

(remove the vktarget virus from your browsers)

http://www.pccaretips.com/blog/best-guide-to-remove-vktarget-ru-pop-up-virus-from-browsers.html

Look for the described symptoms, installed software (add ons).

It's a scam site. There are many like it. In the beginning they sound kosher but eventually you're asked to download some utility. Don't do it!


I agree that I would not use the "automatic" removal.

But the mentioned "Snap.do" and "Sweet Packs" in the manual instructions seem to be relevant viruses/malware to be removed.

I see some trustworthy (well known) sites that describe how to remove.

Edited by KhunBENQ

Router or not router?

Do as follows:

Open a "cmd" prompt and enter:

ping tech.thaivisa.com

I get a response like this (sorry for the German language "frame"):

Ping wird ausgeführt für pagespeed.googlehosted.com [74.125.200.121] mit 32 Bytes Daten:
Antwort von 74.125.200.121: Bytes=32 Zeit=48ms TTL=44

googlehosted.com

IP starts with "74.125"

Time ("Zeit") is about 40 ms (for users in Thailand).

If your response looks similar, then nothing is wrong with the router!

A ping to that Russian site would give a result like this:

46.4.100.52: Bytes=32 Zeit=305ms
Edited by KhunBENQ
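A more direct version of the check described in the post above, added here as an example and not code from any poster: it sends the same A query to the router and to a known-good public resolver and flags answers that fall outside the address range the post says to expect. It assumes the router is at 192.168.1.1 and that answers in 74.125.x.x are the legitimate ones for that name; both are assumptions taken from the thread, not verified facts.

```python
import socket
import struct

# Assumptions for this example (from the thread, not verified here).
ROUTER_DNS = "192.168.1.1"          # the ISP modem/router that hands out DNS
REFERENCE_DNS = "8.8.8.8"           # a public resolver to compare against
EXPECTED_PREFIXES = ("74.125.",)    # the post says the real answer is 74.125.x.x

def build_a_query(name, txid=0x1234):
    """Minimal DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):
    """Advance past a DNS name, whether written out or a compression pointer."""
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:
            return off + 2          # pointer: two bytes and the name ends
        if ln == 0:
            return off + 1          # root label terminates the name
        off += 1 + ln

def parse_a_records(resp):
    """Return the A-record IPs in a DNS response; other record types are skipped."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def looks_hijacked(ips, expected_prefixes=EXPECTED_PREFIXES):
    """True when any answer lies outside the prefixes we expect for this name."""
    return bool(ips) and not all(ip.startswith(expected_prefixes) for ip in ips)

def resolve_via(server, name, timeout=3.0):
    """Ask `server` directly over UDP/53, bypassing the OS resolver and hosts file."""
    q = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)

if __name__ == "__main__":
    for srv in (ROUTER_DNS, REFERENCE_DNS):
        answers = resolve_via(srv, "tech.thaivisa.com")
        print(srv, answers, "SUSPECT" if looks_hijacked(answers) else "ok")
```

If the router returns something like the 46.4.x.x address shown in the post while the public resolver returns 74.125.x.x, the router's DNS settings are the thing to fix.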

Max is right. The hack is in your router, not your device.

I got it too. Lots of people got infected recently, they seem to be TOT customers.

Well today I'm also seeing these redirects on a Mac and a PC browser to the adult site. I've scanned both machines (and both OK), so I guess it's the TOT modem. Trouble is I don't have the access password, so not sure how I can actually sort it out, maybe going to TOT office would be ok, though I also do have a Cisco router, if I can get all the user account details I could use that instead.

Hmm, annoying...


Duh. Exactly what I have been saying from the beginning.

There are two routers, one being the modem, and the modem is the one compromised.

Go and buy a new modem. The TOT hardware will just get compromised again. Either buy something newer, or a modem/router based on the 'DD-WRT' firmware. You then just need your DSL access name and password to configure it to properly connect to your TOT account.


Duh. Exactly what I have been saying from the beginning.

There are two routers, one being the modem, and the modem is the one compromised.

Go and buy a new modem. The TOT hardware will just get compromised again. Either buy something newer, or a modem/router based on the 'DD-WRT' firmware. You then just need your DSL access name and password to configure it to properly connect to your TOT account.

Well I only just saw this thread today. Anyway I discovered that since I got the modem/router a few weeks ago, the user/password was set to admin/admin, and since this morning I've upgraded the firmware, reset to factory settings, re-entered the settings and changed the user name / password, and hey presto there's no issue now.

But, yes I'll probably just buy a different modem that has better and more up to date firmware in the next few days.


Or, check if your modem/router can be flashed with dd-wrt firmware.

Agree that a DD-WRT flashed router has a lot to offer but DD-WRT doesn't support any routers with ADSL built in. But the present ADSL modem could be put into bridge mode and teamed up with a DD-WRT router.


Actually, what you'd want is to have the modem set up in a static manner, hard-set the DNS in the modem (i.e. do not have it assigned by the provider), assign ONE address to your local router, again hard-code the Name Servers in the router (i.e. do not get the NS assigned from the modem or your ISP), and then use that router to manage your network.

This way, you seriously minimize the chance of another compromise.

Or, pick up a Buffalo WBMR-HP-G300H router with integrated ADSL+ modem:

http://www.dd-wrt.com/site/content/first-adsl-router-with-dd-wrt-support


Hi Guys,

With reference to posts 4 & 5 (Min Max & danbradster), this was my initial thought as well, that the router was compromised. When the initial problem started the ISP was indeed TOT, but using a Cisco router and not the one provided by TOT. Checked router setup and DNS (OK), reset password and rebooted.

Laptop running Windows 7 Pro: cleared caches, flushed DNS, cleared favourites (IE) and deleted bookmarks (Chrome), deleted all wireless network connections, hard boot. Still had problems with redirection.

Since then till now (2 weeks) I have used a total of 18 (yes, I counted) different connections through 3 different ISPs (TOT, 3BB & True) and in more than half of these, I have used the cleaning/flushing/scanning methods, not used favourites or bookmarks, and still have the redirection problem. Chrome (default browser) was uninstalled/reinstalled as an added measure.

Conclusion is that I have some nasty little bug residing somewhere on the laptop. Anyone with any suggestions would be greatly appreciated with their comments.

BTW George, I believe it was only coincidental that I was on the new tech site when all this happened... (wink)

My computer has the problem, my tablet does, and my wife's brand new smartphone does too.

It must be either the ISP or the router. It can't be the devices.


Hi Guys,

With reference to posts 4 & 5 (Min Max & danbradster), this was my initial thought as well, that the router was compromised. When the initial problem started the ISP was indeed TOT, but using a Cisco router and not the one provided by TOT. Checked router setup and DNS (OK), reset password and rebooted.

Laptop running Windows 7 Pro: cleared caches, flushed DNS, cleared favourites (IE) and deleted bookmarks (Chrome), deleted all wireless network connections, hard boot. Still had problems with redirection.

Since then till now (2 weeks) I have used a total of 18 (yes, I counted) different connections through 3 different ISPs (TOT, 3BB & True) and in more than half of these, I have used the cleaning/flushing/scanning methods, not used favourites or bookmarks, and still have the redirection problem. Chrome (default browser) was uninstalled/reinstalled as an added measure.

Conclusion is that I have some nasty little bug residing somewhere on the laptop. Anyone with any suggestions would be greatly appreciated with their comments.

BTW George, I believe it was only coincidental that I was on the new tech site when all this happened... (wink)

Reinstall the OS. Yeah, it takes a couple of hours but it's worth it. Set up the system with the basic software and patches you need to be current. Then make a disk image of your system. If you ever think you're compromised, go back to your original disk image, upgrade it, test it, and reimage. Rinse and repeat.

Another suggestion. Use a non-installed, 'live' Linux configuration (bootable Linux USB, KNOPPIX, etc). See if you can replicate the problem. At least you'll know if it's an OS based issue or not as you're eliminating your installed version of Win7 and its associated drivers as the primary problem.

Edited by CALSinCM

I don't want to throw the cat amongst the fish here, BUT.

Multiple AV and Malware missed this. (This is not right).

Multiple ISP's involved...

Multiple Operating systems being used...

I personally know how one of the products above operates, and something like this does not get missed or bypassed. This is what piqued my ears.

Two things concern me a little.

1) default username and passwords on DSL devices - Maybe there's a script that can scan, log in and change settings silently for DNS ?

(Reading further up the thread has now dismissed this... sorry)

The more worrying one... and this DOES worry me....

2) With the new "Internet controls" that have been placed within the last few months. I don't know, I'm throwing kittens at fans here, but if they were compromised then that would be bad. That, or one compromised user has cached something that everyone now gets served.


I just answered a question about the ROM-0 exploit in another thread. Seems pretty easy to gain access to TP-Link and Zyxel routers' upgrade/backup page and download the settings and discover the password, then log into the web interface and simply change the DNS settings so they point to a specially compromised server... or UPDATE THE ENTIRE ROM so the device is permanently compromised.

Though, why bother. Most users just leave the default ISP or OEM passwords in place, meaning there might as well be no password at all.


I have been getting the adult web site popping up unexpectedly. I have been reading through the posts and I cannot make head nor tail out of some of the answers (I am a bit computer thick).

Is there an answer to solve the problem in layman's terms?
