
Has my router been HACKED!

Discussion in 'General Discussion' started by Anonymous, Oct 23, 2005.

  1. Anonymous

    Anonymous Guest

    I've got a bad feeling my Linksys WRT54G router (rev2.2) may have been hacked. Here is what happened.

    One night I left my laptop on downloading a large file via BitTorrent. This used port forwarding on my router. In the morning the download was dead and my wireless signal was gone. My router still seemed OK, and I could connect to the internet when connected to the router via LAN cable. However, on closer inspection I found the gateway address had changed from a private range of 192.168.. to a public IP, e.g. 220... . I tried to connect to the router to reconfigure it by using the gateway address - no good. I then reset the router. Still no change.
    I then tried a firmware upgrade - this didn't work and complained that it could not connect. I also tried the LINKSYS diagnostic tool - this found no problems.

    I found I could ping the gateway address, but not connect via the configuration web page.

    As I see it, one of two things could have happened: either 1) some internal software error has caused the router to go bad, or 2) I've suffered a malicious DoS attack. I would find it hard to believe that the router could suddenly suffer a major error that caused a large part of the router software to fail, but still be able to allocate IP addresses and appear to 'work' normally when connected via LAN.

    I'm very concerned that the router seems to now allocate 'public' internet addresses to the internal facing side of the firewall - this seems suspicious!

    I did set a WEP wireless password, but I don't believe I set the admin password for the router configuration page.

    I am a programmer, but I'm no network or hardware expert - so I have a few questions: Firstly, is it possible for an external source to connect and reconfigure a Linksys router? Secondly, is this the most likely explanation? Thirdly, can I recover my router (it's under warranty, so I'm going to try and replace it anyway)? Finally, I'd be interested if anyone else has had this happen.

    I've contacted Linksys (and they were OK) but all they could suggest was to 'hard' reset the router (which I tried).

    Here is my IPCONFIG output - note that I'm now using a different (non-wireless) router, so the IPs here no longer connect to me :)

    Thanks in advance to anyone who can help

    --------------------- IP output --------------------------

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : vic.optushome.com.au
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    C:\Documents and Settings\admin2>ipconfig /release

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    C:\Documents and Settings\admin2>ipconfig /renew

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : vic.optushome.com.au
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    C:\Documents and Settings\admin2>ping

    Pinging with 32 bytes of data:

    Reply from bytes=32 time=6ms TTL=255
    Reply from bytes=32 time=6ms TTL=255
    Reply from bytes=32 time=6ms TTL=255
    Reply from bytes=32 time=7ms TTL=255

    Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms
  2. Toxic

    Toxic Administrator Staff Member

    the reset you did was to press the reset for 30 seconds, yes?

    if so, disconnect Router from the Internet, then reset for 30 Seconds.

    and see if the router has now reset to its original IP address
  3. Anonymous

    Anonymous Guest

    Disconnected router from the internet - did a hard reset - no change - still allocated as the gateway - which I could ping, but not view via the browser
  4. Toxic

    Toxic Administrator Staff Member

    if it is pingable then try upgrading the firmware perhaps to something different. this does however seem very strange.

    what firmware were you running?
  5. bladesteak

    bladesteak Network Guru Member

    The firmware was v2.2 - I haven't changed / upgraded the firmware since I got the unit. I tried to upgrade the firmware using the Linksys tool - but it did not work.

    Linksys are now saying to return the router to the store - so I'm looking for the receipt :thumbdown:
  6. Anonymous

    Anonymous Guest

    Guys at work reckon the router is now acting as a 'bridge' - the gateway address is probably the ISP's gateway (hence why you can ping it, but not connect to it), and the ISP is allocating my IP address. So perhaps the router has just reset itself into 'bridge' mode - and hasn't been hacked after all. Still, it's odd that the hard reset doesn't work.
  7. jagboy

    jagboy Network Guru Member

    yes someone could have gotten into your router... u said u used the router's wireless function... someone could have broken the WEP and gotten in... did u change your password from "admin" when you got the router...
  8. bladesteak

    bladesteak Network Guru Member

    The router had a wireless password - I think using WPA, but it could have been WEP. Originally I had an old computer on Win2000 so I was forced to use WEP. However, I upgraded the PC to XP and I believe I changed the security to WEP. However, when I did the upgrade, I reset the router (because I forgot the admin config password :) ), and I don't think I ever changed it back (this all happened months back). I think I would be unlucky to get hit by a wireless attack when there is a totally unsecured wireless connection just two doors away - I mean you could find dozens of unsecured connections just by walking around - why bother attacking a secured one?

    Anyway - I've exchanged the router now - so hopefully I'll be OK.
    However, the question remains: Can someone toast your router from a remote location? Would they have to break your wireless security, or could they do it over the internet? Would having an admin password make any difference to this sort of attack?

    I'm happier now that I've heard the 'bridge' mode explanation - hopefully the router just had an internal problem that caused it to go into a 'limited' functionality mode - however it's still odd that the reset didn't work.
  9. 4Access

    4Access Network Guru Member

    "Because you can." Never rely on the fact that other networks around you are unsecured... especially if you've got a WEP secured network which can be cracked in under 30 minutes!

    The router could be admin'd from the internet if you enabled the "Remote Router Access" option on the Administration page. Luckily though the router won't let you enable this option until you've changed the default password... Still, if you set a poor password and enable the remote administration option then it's possible someone could "hack" your router and remotely administer it...

    Actually the stock firmware that comes on the router does not support a bridged mode so I'd consider it very unlikely that it had an "internal problem" that caused it to start bridging traffic... There's no chance someone was playing with the wires and accidentally connected the cable from the modem to one of the LAN ports on the router, is there?? That could explain the symptoms. Another possibility is that someone did locally manage to crack your wireless security and then uploaded some custom firmware onto the router. (Although personally I'd consider that less likely...)

    Regardless of what happened in the past I'd recommend two things for the future:
    1. Set a complex admin password for the router
    2. Enable WPA security using another complex password

    Good Passwords should:
    - Be at least 8 characters (More for the WPA key)
    - Not be a dictionary word (Even two dictionary words strung together isn't recommended)
    - Not be personally identifiable info (Phone #, Family/Friend's/Pet's names, Birth Dates, Anniversaries, Addresses, SSN, ATM Pins!, etc, etc)
    - Not be a password you use for other things
    - Contain a mix of upper & lower case letters, numbers, and symbols

    Try taking a phrase you can remember and using the first letter of each word. For example: "The Quick Brown Fox Jumps Over The Lazy Dog" becomes "tqbfjotld" then add some numbers or symbols for good measure. Or string a few random words together and substitute certain letters for numbers or symbols:
    A becomes @
    E becomes 3
    I becomes 7 or | (pipe)
    O becomes @ or 0 (zero)
    S becomes $

    etc etc. :thumb:
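
The symptom this thread turns on, a LAN client whose default gateway is a public address instead of the router's private one, can be checked mechanically from saved `ipconfig` output. The following is an added example, not code from any poster or from Linksys; the function names and the sample capture are constructed for illustration, and the sample uses a documentation address (203.0.113.0/24) to stand in for an ISP-assigned one.

```python
import ipaddress
import re

# RFC 1918 ranges a NAT router normally hands out on its LAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails
FIELD = re.compile(r"^\s+(IP(?:v4)? Address|Default Gateway)[ .]*:"
                   r"\s*(\d+\.\d+\.\d+\.\d+)")

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unset"            # 0.0.0.0, e.g. after ipconfig /release
    if any(ip in net for net in RFC1918):
        return "private"
    return "link-local" if ip in APIPA else "public"

def parse_ipconfig(text):
    """Map each adapter header to the IPv4 fields listed beneath it."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line[0].isspace():
            current = adapters.setdefault(line[:-1], {})
            continue
        m = FIELD.match(line)
        if m and current is not None:   # blank or IPv6-only values are skipped
            current[m.group(1).replace("IPv4", "IP")] = m.group(2)
    return adapters

def assess(text):
    """Return (adapter, finding) pairs for LAN clients that are not behind NAT."""
    findings = []
    for name, f in parse_ipconfig(text).items():
        ip, gw = f.get("IP Address"), f.get("Default Gateway")
        if ip and classify(ip) == "link-local":
            findings.append((name, "no DHCP answer, address is self-assigned"))
        elif gw and classify(gw) == "public":
            findings.append((name, "gateway %s is public, not the router" % gw))
    return findings

# Constructed sample capture; addresses are RFC 1918 or documentation values.
TEMPLATE = """Windows IP Configuration

Ethernet adapter Local Area Connection:
    IP Address. . . . . . . . . . . . : {ip}
    Default Gateway . . . . . . . . . : {gw}
"""
HEALTHY = TEMPLATE.format(ip="192.168.1.100", gw="192.168.1.1")
SUSPECT = TEMPLATE.format(ip="203.0.113.57", gw="203.0.113.1")
```

A finding from `assess` only says the client is receiving its lease from something other than the router's own DHCP server; it does not distinguish a miscabled modem from altered firmware.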
