Friend's Router infected - how serious?



Posted

Staying the weekend with an elderly friend, and using the router at his home. An Avast scan I did just now came up with following warning:

 

"Your router has been hacked and its DNS settings have been modified to serve malicious contents. DNS records on your wireless router are hijacked. While you browse the web, hackers can freely redirect you from an authentic site to a fake one. Sensitive information such as user names, passwords, and credit card details can be acquired. Your personal data is at risk, and so is the security of all devices connected to this network. The manual solution is to change the DNS records on your router through its admin interface. Alternatively, you can use ourSecureDNS feature to shield yourself from the hijacked DNS servers.

 

I told him about this, but he says he doesn't use internet banking, doesn't have any confidential stuff, etc., and he is not bothered.

 

So how concerned should he be?

Posted

Did you notice if any of your web requests were getting redirected?

 

When I see a ransom-like note in a warning, a red flag goes up:

 

Alternatively, you can use our SecureDNS feature to shield yourself from the hijacked DNS servers.

 

So a lot of these programs flag 47 potential problems, all of which a paid subscription can correct.

 

The fix is quite simple, taking like 30 seconds, assuming you know the router's admin credentials. You can always set your own DNS in your client.
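The first thing a practitioner would do before trusting either Avast or the router is answer the question above directly: ask the DNS servers the router handed out and an independent resolver for the same names and see whether they disagree. The script below is an added example, not code from the thread or from Avast; it implements a minimal UDP DNS A-record query in the standard library, then flags two patterns: answers that share nothing with the trusted resolver (CDNs can cause this legitimately, so it is a lead, not proof) and several unrelated names all resolving to one address on the suspect server (the usual shape of a hijack that proxies everything through one box). The addresses and answers in `SAMPLE_ANSWERS` are constructed TEST-NET data so the demo runs offline; for a live check, pass the servers from the client's DHCP lease as `suspect_servers`, a resolver you trust as `trusted_server`, and leave `lookup` at its default.

```python
"""Added example (not from the thread): ask the DNS servers a client was
handed by the router and an independent resolver for the same names, then
flag answers that disagree or that funnel unrelated names to one address.
The IP addresses and answers below are constructed sample data."""
import random
import socket
import struct


def build_query(name, txid):
    """Minimal DNS A/IN query with the RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, server, timeout=2.0):
    """Query `server` over UDP/53 for the A records of `name` (needs network)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def check_resolvers(names, suspect_servers, trusted_server, lookup=resolve_a):
    """Return a list of (kind, server, subject, detail) findings.
    'disjoint': the suspect server's answers share nothing with the trusted one.
    'sinkhole': several unrelated names resolve to one address on the suspect server."""
    findings = []
    for server in suspect_servers:
        owners = {}                      # address -> names resolving to it on this server
        for name in names:
            trusted = lookup(name, trusted_server)
            got = lookup(name, server)
            if got and trusted and not got & trusted:
                findings.append(("disjoint", server, name, (sorted(got), sorted(trusted))))
            for addr in got:
                owners.setdefault(addr, set()).add(name)
        for addr, names_here in owners.items():
            if len(names_here) >= 2:
                findings.append(("sinkhole", server, addr, sorted(names_here)))
    return findings


# Constructed sample data (TEST-NET ranges, not real hosts): the router-handed
# server 192.0.2.53 sends two names to one address the trusted server never returns.
SAMPLE_ANSWERS = {
    ("192.0.2.53", "bank.example"): {"198.51.100.7"},
    ("192.0.2.53", "mail.example"): {"198.51.100.7"},
    ("192.0.2.53", "news.example"): {"203.0.113.9"},
    ("203.0.113.1", "bank.example"): {"203.0.113.20"},
    ("203.0.113.1", "mail.example"): {"203.0.113.21"},
    ("203.0.113.1", "news.example"): {"203.0.113.9"},
}


def sample_lookup(name, server):
    return SAMPLE_ANSWERS.get((server, name), set())


def sample_response():
    """A constructed DNS response for example.com -> 192.0.2.1 (txid 0x1234)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    # Offline demo over the constructed data; swap in lookup=resolve_a for a live check.
    for finding in check_resolvers(["bank.example", "mail.example", "news.example"],
                                   ["192.0.2.53"], "203.0.113.1", lookup=sample_lookup):
        print(*finding)
```

Run it from a laptop on the suspect network with the DHCP-assigned servers, and again after changing the client's DNS by hand: if the "sinkhole" finding disappears once the router-handed servers are out of the path, the warning was not a sales pitch.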

 

 

Posted (edited)
Quote

Assuming you know the router's admin credentials

And also know the credentials/settings for your ISP:

Factory reset, connect via LAN cable and setup newly.

And then setup a proper router password!

 

Router's admin password:

such sh.. happens most likely to laymen who are not aware that their Thai ISP leaves the routers in some silly default like:

 

admin/admin

admin/password

 

or similar. Crazy but true.

 

 

Edited by KhunBENQ
Posted (edited)

Unfortunately many routers are still exposed to various flaws. The DNS being rerouted could be the tip of the iceberg.

 

The most important thing is to factory reset the router (the easiest way for the novice) and then upgrade to the latest firmware.

 

And assume that everything on the PC has been compromised. If an attacker has properly got hold of the router he can sniff anything with MITM attacks and could have got the login password, etc.

 

If you can find out what make and model of router it is, I can elaborate.

 

 

Edited by Chicog
Posted
2 hours ago, KhunBENQ said:

And also know the credentials/settings for your ISP:

Factory reset, connect via LAN cable and setup newly.

And then setup a proper router password!

 

Router's admin password:

such sh.. happens most likely to laymen who are not aware that their Thai ISP leaves the routers in some silly default like:

 

admin/admin

admin/password

 

or similar. Crazy but true.

 

 

 

Unfortunately that's often not enough.

You have to make sure you are running the very latest firmware from your vendor, and even then sometimes they don't even bother to fix it.

A malformed URL sent from outside to the Router can be enough to give them control if it has the right flaw.

 

E.g:

http://www.networkworld.com/article/3039172/new-firmware-analysis-framework-finds-serious-flaws-in-netgear-and-d-link-devices.html

Posted
1 hour ago, Chicog said:

Unfortunately many routers are still exposed to various flaws. The DNS being rerouted could be the tip of the iceberg.

 

The most important thing is to factory reset the router (the easiest way for the novice) and then upgrade to the latest firmware.

 

And assume that everything on the PC has been compromised. If an attacker has properly got hold of the router he can sniff anything with MITM attacks and could have got the login password, etc.

 

If you can find out what make and model of router it is, I can elaborate.

 

 

Thanks very much Chicog, and to the others for their input and advice.
Much appreciated on behalf of the owner!

 

Modem make is: BILLION

Model: BIPAC 5200G R4

Posted (edited)

Which ISP?

 

A guess might be 3BB?

 

If you do a factory reset, and upgrade the firmware, you'll also need the original ISP credentials, for 3BB the username is xxxxxxxxxx@3BBnex password is 8 letters. These may be with the original work order documents. 

 

The default username on that model may be admin, and the password TTT, at 192.168.1.1

 

Or you can just buy a new, modern ADSL modem/router/wifi box for 1,200 THB.

 

 

 

 

Edited by mtls2005
Posted

The admin page on a router is an internal ip address 192 etc.

How is someone from outside getting into the router ????

Sounds suspect to me

Posted
5 minutes ago, Peterw42 said:

The admin page on a router is an internal ip address 192 etc.

How is someone from outside getting into the router ????

Sounds suspect to me

 

Because your router is connected to the outside world and many routers have flaws that can be exploited remotely.
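The practical version of this point is to find out whether the router's management page answers on its public address at all, because an admin page reachable from the internet is exposed to remote guessing and to any flaw in the web server regardless of which password is set. The script below is an added example, not code from the thread or from any router vendor: it fetches `/` from a host and port and reports whether the reply looks like a router login (a 401 demanding HTTP Basic auth, which is how many home routers present their admin pages) or some other HTTP service. The replies in `SAMPLES` are constructed so the demo runs offline; the `Server` header values in them are made up. Run `probe()` from outside the LAN (a phone on mobile data, a VPS), since from inside the router's WAN address usually loops back to its LAN side, and try 443 and 8080 as well as 80. Only point it at a router you own or have permission to test.

```python
"""Added example (not from the thread): does a router's HTTP admin page
answer on a given address? Parse the reply and say what it looks like.
The responses in SAMPLES are constructed, not captured from any device."""
import socket


def parse_http_head(raw):
    """Status code and lower-cased headers from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def classify(info):
    """'admin-login' when the service demands HTTP Basic auth (how many home
    routers' admin pages present themselves); 'http' for any other answer.
    Either one on the WAN address means the management interface is exposed."""
    auth = info["headers"].get("www-authenticate", "").lower()
    if info["status"] == 401 and auth.startswith("basic"):
        return "admin-login"
    return "http"


def describe(info):
    """One-line summary: classification, status, Server header, auth challenge."""
    headers = info["headers"]
    return "%s %d server=%r auth=%r" % (classify(info), info["status"],
                                        headers.get("server", "-"),
                                        headers.get("www-authenticate", "-"))


def probe(host, port=80, timeout=3.0):
    """Fetch '/' from host:port; return (classification, summary) or None if
    nothing answered. Run from OUTSIDE the LAN to test the WAN side."""
    request = ("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            raw = b""
            while len(raw) < 65536:          # enough to see the headers
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:                          # refused, filtered or timed out
        return None
    if not raw.startswith(b"HTTP/"):
        return None
    info = parse_http_head(raw)
    return classify(info), describe(info)


# Constructed sample replies for the offline demo (server names are made up).
SAMPLES = {
    "basic-auth": (b"HTTP/1.0 401 Unauthorized\r\nServer: ExampleRouter/1.0\r\n"
                   b"WWW-Authenticate: Basic realm=\"ADSL Modem\"\r\n\r\n"),
    "login-page": (b"HTTP/1.1 200 OK\r\nServer: example-httpd\r\n"
                   b"Content-Type: text/html\r\n\r\n<html><form>...</form></html>"),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", describe(parse_http_head(raw)))
    # Live use, from outside the LAN: print(probe("203.0.113.5", 80))
```

Whatever the result, an answer on the WAN side is the finding; the credentials only decide how quickly someone gets in. The fix is to disable remote management (or restrict it to a specific source address, if the firmware allows) and, as Chicog says, to reset and update the firmware first.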

 

Posted (edited)
41 minutes ago, jko said:

Thanks very much Chicog, and to the others for their input and advice.
Much appreciated on behalf of the owner!

 

Modem make is: BILLION

Model: BIPAC 5200G R4


I see a Billion 5200S that has the Misfortune Cookie flaw so it may well be vulnerable also.
 

A quick look at their site seems to indicate that they haven't bothered with this router for a long time (and by that I mean since 2009!).

http://au.billion.com/products/adsl/firmware/bipac5200.html

 

I would replace it with something new, and something that has had a firmware update since March of this year.

 


Added: And don't buy something cheap and Chinese!

 

Quote

The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges. In addition, the uRouter ships with hidden users, SSH enabled by default and a hardcoded root password…and injects a third-party JavaScript file into all users’ HTTP traffic.



http://blog.ioactive.com/2016/08/multiple-vulnerabilities-in-bhu-wifi.html

 

 

 

Edited by Chicog
Posted

 "Your router has been hacked" message because the router DNS is set to the ISP's DHCP delivered DNS setting and not Google's DNS? This smells like a scare tactic to sell Avast SecureDNS feature.

 

 

Posted
2 hours ago, Peterw42 said:

 "Your router has been hacked" message because the router DNS is set to the ISP's DHCP delivered DNS setting and not Google's DNS? This smells like a scare tactic to sell Avast SecureDNS feature.

 

 

 

No, I've actually seen a router here in the sandpit where the DNS had remotely been rerouted to Ukraine.

 

It was about the time that Misfortune cookie hit the headlines and the particular router was on the list, too.
