Internet Security Advisory - Unauthorized Router DNS Edits

[RichCor]

This is a request to all ThaiVisa members.

Recently a few members have noticed the Primary DNS entry on their home Router has been changed without their knowledge or consent.

I'm requesting everyone take a look at what DNS is being served to your Internet Connected Equipment.

If the DNS is EITHER of the one's listed here, please reply to this topic

128.199.201.187

188.42.254.62

The easiest method to check on a Windows 7 PC is to

Open Network and Sharing Center, click the link listing your active Network Connection,

in the Network Connection Status popup window select (Details...)

look for IPv4 DNS Server entries. Check the listed numbers to the one's given above.

(see example image below)

For those that know how to enter their Router's WebConfig, I'm asking they check the DNS entries under DHCP SERVER (these are the DNS entries delivered to equipment/devices that want to connect to your Internet Connection via an Ethernet Cable or WiFi. Again, if the above numbers are used on your Router, please reply to this topic.

As many of you may know, DNS is responsible for converting/resolving url Domain Names such as www.thaivisa.com into their assigned numerical IP Address, ie:175.41.131.133. Similar to how a pre-digital age printed phonebook was used to convert People's Names into Phone Numbers for dialing.

The issue here is that *someone* may have connected to your home Router and edited the DNS entry so all outgoing requests that need domain name to IP 'resolved' are first redirected to these possibly unofficial servers. Someone running a rogue DNS Server could easily watch what sites you're requesting/visiting and redirect your browser requests to whatever IP address they choose, at any time, possibly to a fake website designed to capture login credentials or deliver adware or virus payload.

I'm NOT saying nefarious activity is happening on these IP address that are acting as working DNS Servers ...but someone/something is changing the DNS entries and so far I've located no data authenticating these IP address as legitimate.

I'm also looking for the entry vector, how are they making the changes. Right now I'm suspecting JavaScript as I've changed the password on my TOT Fiber Optic Router twice from the default TOT universally knowable password set when the unit was originally provisioned. This hasn't stopped the router from being changed. I've also now set my web browser to NOT REMEMBER the password for the router. We'll see what happens over the next couple of days.

:: Windows 7 Network Connection Detail with Router DHCP supplied DNS Entry.

[manarak]

You have a TOT router and that means TOT probably has a maintenance access to the router.

My guess is someone broke the TOT access and modifies DNS server info to redirect your requests to websites serving spam.

One way to circumvent this is to manually set DNS servers in your Windows.

But remote access to your router is frightening enough, so I would just buy my own router and stop using TOT's.

BTW, both IP addresses you listed belong to root servers hosted in Singapore by large hosting companies.

Edited July 16, 2015 by manarak

[Chicog]

You can't say I didn't warn you....

http://www.csoonline.com/article/2862378/malware-cybercrime/misfortune-cookie-vulnerability-affects-12-million-routers.html

http://www.securityweek.com/millions-routers-vulnerable-attacks-due-netusb-bug

[manarak]

You can't say I didn't warn you....

http://www.csoonline.com/article/2862378/malware-cybercrime/misfortune-cookie-vulnerability-affects-12-million-routers.html

http://www.securityweek.com/millions-routers-vulnerable-attacks-due-netusb-bug

well spotted Chicog.

I'm lucky my routers aren't on the list.

Edited July 16, 2015 by manarak

[RichCor]

BTW, both IP addresses you listed belong to root servers hosted in Singapore by large hosting companies.

Thanks. I already know this.

128.199.201.187 Digital Ocean AS AP.

188.42.254.62 SERVER.LU - Singapore Branch Webzilla Singapore Pte Ltd

BTW, while there are 7 root servers in Singapore, but only other DNS servers connect to them, not CPE Routers or Internet device clients. These are not root servers. Apparently just regular servers answering DNS requests.

Edited July 16, 2015 by RichCor

[Chicog]

Check those links and see if your router is affected. If it is and there is no firmware to fix it, dump it.

[manarak]

BTW, both IP addresses you listed belong to root servers hosted in Singapore by large hosting companies.

Thanks. I already know this.

128.199.201.187 Digital Ocean AS AP.

188.42.254.62 SERVER.LU - Singapore Branch Webzilla Singapore Pte Ltd

BTW, while there are 7 root servers in Singapore, but only other DNS servers connect to them, not CPE Routers or Internet device clients. These are not root servers. Apparently just regular servers answering DNS requests.

I mean, they are "root servers" in the sense that they are physical or virtual machines with a dedicated IP that are rented to customers. I didn't mean the "big root servers"

[RichCor]

Check those links and see if your router is affected. If it is and there is no firmware to fix it, dump it.

This is an ZTE ZXHN F620 Fiber Optic GPON.

It's not on either of the lists, but that's not to say this ZTE isn't affected by either of these or some other vulnerability.

The ZTE official website only lists this router in EOM/EOS Announcements.

I'll probably just place it into Bridge Mode with a secure Router.

Just trying to see if I can identify the actual change vulnerability/vector.

[Satcommlee]

Easy done when the ISP's leave your routers with default passwords like TOT and 1234, surprised this has not happened sooner!

[RichCor]

Easy done when the ISP's leave your routers with default passwords like TOT and 1234, surprised this has not happened sooner!

Password was changed. Edit was done after password change.

And, yes, I'm surprised someone hasn't taken over the whole of Thailand's deployed routers that are using the default provisioned passwords.

Just think of the ad revenue you could so easily have. Like you, I'm amazed it's not happening on a grand scale.

[Rasseru]

Two numbers appear for me under DNS Server. One is the second of the two you listed. The other is 8.8.8.8.

[Cheesekraft]

Two numbers appear for me under DNS Server. One is the second of the two you listed. The other is 8.8.8.8.

change your malware DNS to 8.8.4.4 , the 8.8.8.8 is google DNS

[RichCor]

Two numbers appear for me under DNS Server. One is the second of the two you listed. The other is 8.8.8.8.

change your malware DNS to 8.8.4.4 , the 8.8.8.8 is google DNS

Rasseru,

Your Router data has been edited.

As Cheesekraft is suggesting, take a look at your Router WebConfig settings and look for setting similar to

DNS Servers Assigned by DHCP Server

In this setting, change the entry to use:

✔ Assign/Use IspDNS (inherit setting direct from ISP), or

DNS IP as recommended on your ISP website, or

Google Public DNS (8.8.8.8, 8.8.4.4), or

OpenDNS (208.67.222.222, 208.67.220.220),

After making the changes, I highly suggest change your Router Admin Password so it isn't using the common one supplied by your ISP.

Also, occasionally check to make sure the Router DNS setting haven't again been edited to use an unknown DNS Server IP.

[IMHO]

Just for kicks, I hooked up my Linksys WRT1900AC as the primary router/DHCP server* - what did I see? DNS being routed via some Mexican IP address**. As with Richcor, the WRT1900AC is not listed as an effected router, and it's firmware was updated prior to the test.

Time to suspect an upstream issue? False alarm? I'm on a TOT connection.

All I can say is, I'm happy I have a Fortigate router I can rely on - and Google's 8.8.8.8 / 8.8.4.4 DNS servers...

* Using pure DHCP for the WAN connection - no forced DNS IP's

** According to Akamai's dig service - i.e. 'dig whoami.akamai.net +short' on Linux/OSX

Edited July 18, 2015 by IMHO

[RichCor]

Testing...

I'm continuing to leave my TOT supplied ZTE ZXHN F620 Fiber Optic GPON in Router Mode.

Last evening I changed the password, set security to HIGH, changed the Router NAT address and entered OpenDNS IPs as Primary and Secondary, and a Google Public DNS IP as Tertiary

Today I again found router edited with the DNS entries showing the rogue DNS as Primary, Google Public as Secondary ...and the Tertiary as blank.

Earlier Today, I edited the Router settings to use google 8.8.8.8 and 8.8.4.4, then set the "Assign IspDNS" (disabling the ability to enter custom DNS IP addresses

...and around 1pm found the Router had been edited again to DISABLE the "Assign IspDNS" and edited to use the rogue DNS as Primary and Google Public as Secondary.

Supposedly you can use this website to check your router for a security vulnerability called Misfortune Cookie (CVE-2014-9223) in the RomPager HTTP server, and older RomPager vulnerabilities (CVE-2013-6786, CVE-2000-0470).

I ran it, but it didn't report any issue for my IP address. (So no idea if the test actually works).

rompager.hboeck.de

Edited July 18, 2015 by RichCor

[Rasseru]

Thanks to you both, Cheesekraft and Richcor, for your advice. Having now reached about a year's worth of problems that I believe are router and/or ISP service-related -- pop-ups and redirects, mostly -- and that have been very poorly addressed, which is to say not addressed at all, by TOT despite repeated pleas from me, I am in the middle of switching from TOT to 3BB. 3BB will provide a new router. For ADSL service, 3BB tell me that one may use one's own router, but for VSL service, which I plan to get, one must use a 3BB provided Huawei router. I plan to set it in bridge mode, by which, as I understand it, it will function solely as a modem, and use with it an Airport Extreme device, just purchased, for the in-home router and wifi functions. I'll keep an eye on the DNS issue.

[innerspace]

Reports seem to lean towards tot... not witnesed any similar results but mainly using 3bb and use provided routers in bridge to tomato and static dns on individual machines.

[RichCor]

Well, found the issue with my Router yesterday. CVE-2014-2321

Knowable terminal name/password open to WAN side lets you play:

Mother, may I see the webconfig login name and password of this router. Sure, here they are, clear text!

Mother, may I set the admin password to something else, or disable it entirely. yep!

Mother, may I set the DNS Server to these rouge IP addresses. Done!

Trying to find a way to change the default terminal password now.

[Crossy]

I'm seeing similar behaviour with my forth GPO-5900W router, again TOT provided.

[reflectionx]

Why are people running stock firmware? Get some linux based flash like openwrt...

[RichCor]

I'm seeing similar behaviour with my forth GPO-5900W router, again TOT provided.

I'm amazed how many vulnerabilities continue to get 'baked in' by router manufacturers, usually because they're too cheap to pay for updated sub-module code so instead use outdated sample code when compiling their firmware.

While someone may be using a known exploit or vulnerability to make their own edits to your router (I didn't find any mentioned vulnerabilities for that model), the vulnerability could be due to a simple WebConfig setting left enabled.

On your model router, I noticed there are two setting enabled by default:

Setup --> Internet Access [Access Control]

✔ Enable uPNP

✔ Enable WebServer Access and Telnet on WAN

With these left enabled someone could either indirectly or directly gain easy access to the router configuration settings.

Unless you run P2P, Torrents apps, or Internet Security Cameras that rely on UPnP service to insecurely auto-config open port forwards on your router, or need remote router management, these two services (enabled by default) should really be DISABLED.

Also, suggest you use the port scanner service at www.grc.com to see if the device has any open ports you're unaware of:

Services --> Shields Up

select (Proceed)

Shields Up!! Services, select (Common Ports)

If an outside entity wants to be persistent in changing your router DNS entries, and you can't identify and shut down the entry vector, you may need to have TOT reconfigure your Forth to BRIDGE MODE and then supply your own device to provide more secure Router/Firewall/NAT/WiFi services.

[Crossy]

Thanks Rich, turned off uPNP and Telnet access, Shields up still fails as port 443 responds as closed and the router replied to a ping, but at least nobody should be mucking about with the DNS any more.

EDIT Disabled Ping on WAN so that door is now closed too.

[cmth]

Does anyone know if TOT rolled out a password change on the ZTE 620 routers? I can no longer access my box with the default admin password. I called TOT to try and get the new password but all they would give me is the user account password, which will not let you change anything. I have to keep my wireless router in the DMZ but now I cannot change that setting. I told them to send a tech out to fix the problem. We will see if that happens. In the mean time, I am locked down to web browsing only.

[RichCor]

TOT doesn't normally ever change their set passwords.

It's more probably that *someone* used a remote access port and disabled your primary Admin Password. (If you PM me your Public IP Address I can see if your Admin Password has been disabled)

Why would you have to keep your external Wireless WiFi Router in a DMZ, are you trying to do fake Bridging?

[cmth]

Why would you have to keep your external Wireless WiFi Router in a DMZ, are you trying to do fake Bridging?

For my setup the easiest way to open ports is put the WiFi in the DMZ. I can then control everything from one place. The WiFi router. Without using the DMZ I have to open ports on both routers. Now that I have lost admin on the ZTE, I can't get anything to work. The ports are open in the WiFi router but are being blocked by the ZTE.

[RichCor]

That's what I would call fake bridging. Basically your network is Double NATed, you have both the ZTE-F620 running as a Gateway NAT, and the second router running as a Gateway NAT.

By using the DMZ option the ZTE-F620 is automatically forwarding (and address translating) all packets, so NAT is still in play.

If your current setup works for you, then great.

TOT, when possible, would have disabled features on the second router so it would only act as a Ethernet multi-port 'Switch' and WiFi Access Point, with all traffic flowing directly to the ZTE-F620 running as the only Gateway/Router.

[cmboy]

Does anyone know if TOT rolled out a password change on the ZTE 620 routers? I can no longer access my box with the default admin password. I called TOT to try and get the new password but all they would give me is the user account password, which will not let you change anything. I have to keep my wireless router in the DMZ but now I cannot change that setting. I told them to send a tech out to fix the problem. We will see if that happens. In the mean time, I am locked down to web browsing only.

I just realized same problem. I can't log in as admin anymore. Would be nice to know if you get your admin access back and how.

[RichCor]

One 'method' would be to contact your ISP and tell them you've been locked out of your router administration and ask them for help.

Since one poster believed their ISP is locking-down the routers to prevent hacking attacks, they should be your first contact. If an unauthorized third-party is responsible for you losing admin login the ISP would be in the best position to tell you that (eg, "it wasn't us"), and to complete a factory reset.

If you have a ZTE brand Router, there is an issue where remote administrative access process has been posted to the net, allowing unauthorized anybodies to gain remote access to your ZTE Router via Telnet and make any changes they want, including disabling the Administrative WebConfig account.

If you have a ZTE brand router, and it's getting hacked remotely, I would ask your ISP technical service people to please CHANGE your router's Telnet Password to prevent the constant hacking (If that is actually what's happening).

[jabis]

Tracing route to google.com [146.88.60.44]
over a maximum of 30 hops:


  1     3 ms     3 ms     1 ms  [local gw]
  2    22 ms    21 ms    22 ms  100.64.0.1
  3    22 ms    21 ms    21 ms  10.64.222.1
  4    22 ms    21 ms    21 ms  100.100.0.2
  5    22 ms    21 ms    22 ms  146.88.63.177
  6    20 ms    21 ms    21 ms  xe_0_2_0_ipt_symc_bkk.violin.co.th [103.14.11.9]
  7    20 ms    22 ms    22 ms  103.14.11.18
  8    22 ms    23 ms    21 ms  cache.google.com [146.88.60.44]


Trace complete.

Doesn't seem compromised, but too lazy tonight to check the IP's

[cmth]

I can confirm that at least one ISP that uses the ZTE has changed from the default passwords for both telnet and web admin. With that being said, RichCor is correct. The first place to go is your ISP. They are the ones that can assist you with restoring access to your router.