Story time?=Debricking defeated the HACKER's control=

Discussion in 'General Discussion' started by SAPo57, May 16, 2006.

  1. SAPo57

    SAPo57 Network Guru Member

    Well, about a month ago in April, one of my 7 computers had a spyware problem along with an internet connection problem, so I went on the PC first and fixed its connection to the internet. I had to get into my password-protected WRT54GS router, which had the DD-WRT v.23 flash image already installed.

    After that, I ran a spyware scan using the latest anti-spyware program called "SPYSWEEPER". Only one spyware program was found, something that was called a "System Monitor" or something, but I didn't really care. I eliminated it off the machine.

    A month later, on 5/14/06, which was yesterday, I got bored and went online to look up what the hell a "System Monitor" spyware was, and what I learned was that it's a program that gets installed on a remote PC and records everything the user does (typing words, phrases, entering accounts, and plugging in login info & passwords, etc.) and then creates a log to send back to the hacker, basically like what a keylogger does.

    Then I started thinking to myself, "So what, I got rid of it. But what if the hacker already got some info from the infected PC? Also, he may have seen what I've typed in the login account for my router, like the password," and soon I became alert to the possible situation.

    Quickly I went to the PC that was infected before (which was a month ago; now supposedly it's clean) with that spyware and installed Norton Internet Security, to find that unknown intrusions and port scan attacks were continuously happening. A hacker had gained control of some programs in the PC that used password-protected accounts to log in.

    Immediately I went to my router to open its General User Interface, to find that someone had changed almost all the settings and installed an illegal flash image into the router that he probably constructed himself. It was nothing like the DD-WRT GUI webpage, and on the UPnP tab strange port numbers and application names like "svchost" were applied to specifically selected computers. The names could not be deleted; if you scrolled through the entire name left to right, some sort of binary code mixed with hexadecimal characters would go on forever.

    The final solution: reset to factory settings and hold down the reset button for 30 seconds. Well, it was a good try. Now when I tried to access the router's webpage it would say "NVRAM has become corrupted....." Only one last possible solution came to my mind: it was to debrick the router as if it had actually been flashed wrong.

    I followed the steps in that "REVIVAL GUIDE" or whatever you call it on Wikipedia. Since my WRT54GS was a version 4, it took me a bit longer to find the flash chip and the correct pins to touch together with the screwdriver. Everything was successful, but instead of having to use tftp to install a new image on the router, it had already reset to the DD-WRT v.23 image.

    Everything was back to normal, and now I'll need to be more careful when I get on a PC that I'm not familiar with, and also I'm going to need tougher security (I might buy one of those Cisco series routers to create some ACLs).

    They don't name it "Spyware" for nothing.
     
  2. sufrano63

    sufrano63 Network Guru Member

    scary... 8O How did they get into your network? Was your network unprotected?
     
  3. SAPo57

    SAPo57 Network Guru Member

    No, I have a really protected network, but from a lousy mistake by working on a PC with a system monitor spyware, the hacker recorded everything and found my password to my router, IP address, and other accounts for other programs. It had to be one of the few hackers who really put their best effort into gaining access to my router, because even if they had the password I still had 3 subnets, one router in each, each router with a custom IP address and a DHCP range unrelated to its local IP address, such as DHCP=192.168.1.133~147 and ROUTER IP=192.168.1.191.

    Also, firewalls and many filters enabled, no UPnP, only game ports for devices that connect statically and are only enabled manually to connect, no remote management, and my password contained 57 characters of numbers and letters, capitalized and lower case.


    I had to debrick the router 5 times: 3 times because it failed to properly load the earliest image version I downloaded (DD-WRT v.23 mini), and twice because every time I would reset to factory settings to upgrade the firmware, the router's lights would just keep blinking and not load its GUI.

    After a successful upgrade, I then upgraded to the DD-WRT v.23 SP1 firmware.
     
  4. sufrano63

    sufrano63 Network Guru Member

    My network sounds almost as secure as yours, with WPA2, long password, desktop firewall, anti-virus, etc... Except I have one client using uTorrent. Seeing how your network got hacked, I'm debating about allowing uTorrent traffic.


    Thanks for sharing
     