Weekend_Warrior Posted June 7, 2015

Hey guys,

I work in IT support and enjoy tinkering with things like Kali Linux, Raspberry Pi, etc. My wife recently started seeing some vulgar ads on normal websites like CNN, local news, and others. I started seeing similar things on my laptop very soon after. I did the normal checking for malware and things. I eventually checked the router settings and found the DNS servers were set to static IPs instead of DHCP from the ISP. I changed it back to auto, and the vulgar ads and things stopped. I checked the logs to see what happened but all the logs were deleted. After the reboot the logs were showing a DoS attack blocked:

[DOS attack: ACK Scan] attack packets in last 20 sec from ip [208.111.185.178], Saturday, Jun 06,2015 01:16:25
[internet connected] IP address: 0.0.0.0, Saturday, Jun 06,2015 01:16:22
[internet disconnected] Saturday, Jun 06,2015 01:16:22
[initialized, firmware version: V1.0.45_1.0.45NA] Saturday, Jun 06,2015 01:16:21

I think this was something like a man-in-the-middle attack or something similar. I'd like to know how they were able to get into my router and change the DNS servers and delete the logs. I've already done the basic post-attack steps like changing passwords and things.

Thanks guys!
cooper Posted June 7, 2015 (edited)

It's more likely to be a case of cross-site request forgery (CSRF), whereby JavaScript was run by your (wife's) browser that made it execute requests against your router because it's on a default location on your network, uses default credentials if at all, that sort of thing. Lock down the admin page to your router as much as you can, put it on a non-default IP... the simple stuff. Maybe update the firmware every once in a while, since they're likely to have solved this glaring mistake by now, and if not, go scream at a tech support person for providing you with a piece of shit router.

Edited June 7, 2015 by Cooper
digininja Posted June 7, 2015

Also check to make sure your admin interface isn't externally accessible; some routers come configured that way. The best way to tell is to find your external IP address ( http://ipchicken.com ), then browse to that from a device that isn't on your network, either your phone (off wifi) or a friend's PC. If you are any good with nmap, then do a full port scan of the IP from outside to see if anything is open. Check common UDP as well, as you might have UPnP or SNMP open.

The DoS is maybe a red herring and was just a fast port scan that looked like one; they happen all the time with people looking for open ports on home IP ranges.
Black-Assassin Posted June 8, 2015

Check this video: