
Hey guys,

I work in IT support and enjoy tinkering with things like Kali Linux, Raspberry Pi, etc. My wife recently started seeing some vulgar ads on normal websites like CNN, local news, and others. I started seeing similar things on my laptop very soon after. I did the normal checking for malware and things.

I eventually checked the router settings and found the DNS servers were set to static IPs instead of DHCP from the ISP. I changed it back to auto, and the vulgar ads and things stopped. I checked the logs to see what happened but all the logs were deleted. After the reboot the logs were showing a DOS attack blocked.

[DOS attack: ACK Scan] attack packets in last 20 sec from ip [208.111.185.178], Saturday, Jun 06,2015 01:16:25

[internet connected] IP address: 0.0.0.0, Saturday, Jun 06,2015 01:16:22
[internet disconnected] Saturday, Jun 06,2015 01:16:22
[initialized, firmware version: V1.0.45_1.0.45NA] Saturday, Jun 06,2015 01:16:21

I think this was something like a man in the middle attack or something similar. I'd like to know how they were able to get into my router and change the DNS servers and delete the logs.

I've already done the basic post-attack steps like changing passwords and things.

Thanks guys!

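As an added example, not part of the original post: a small Python script that parses the router log lines quoted above (the line format is inferred from those four lines only) and, separately, checks a client's resolv.conf for nameservers outside the networks a home LAN resolver should be in, which is the "static IPs instead of DHCP" symptom described in the post. The resolv.conf sample, the 192.168.1.0/24 router subnet and the 203.0.113.7 address are constructed assumptions (the latter is a documentation address, not a real resolver); the log lines are the ones from the post.

```python
import ipaddress
import re
from datetime import datetime

# The four router log lines quoted in the post (taken from the page, not constructed).
ROUTER_LOG = """\
[DOS attack: ACK Scan] attack packets in last 20 sec from ip [208.111.185.178], Saturday, Jun 06,2015 01:16:25
[internet connected] IP address: 0.0.0.0, Saturday, Jun 06,2015 01:16:22
[internet disconnected] Saturday, Jun 06,2015 01:16:22
[initialized, firmware version: V1.0.45_1.0.45NA] Saturday, Jun 06,2015 01:16:21
"""

# Constructed resolv.conf as a hijacked client might see it: the router plus an
# unexpected public resolver (203.0.113.7 is a TEST-NET documentation address).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Shape inferred from the quoted lines: "[event] optional detail, Weekday, Mon DD,YYYY HH:MM:SS"
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
    r"(?P<ts>[A-Z][a-z]+, [A-Z][a-z]{2} \d{2},\d{4} \d{2}:\d{2}:\d{2})$"
)
IP_RE = re.compile(r"from ip \[(?P<ip>[0-9.]+)\]")
TS_FMT = "%A, %b %d,%Y %H:%M:%S"


def parse_router_log(text):
    """Turn the router's text log into a list of event dicts (file order kept)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: skip rather than guess
        ip_match = IP_RE.search(m.group("detail"))
        events.append({
            "event": m.group("event"),
            "detail": m.group("detail"),
            "ip": ip_match.group("ip") if ip_match else None,
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
        })
    return events


def reboot_times(events):
    """Timestamps of 'initialized' entries. Each marks a reboot, and on a router that
    keeps its log in RAM a reboot is also where the log restarts: anything earlier is gone."""
    return [e["ts"] for e in events if e["event"].startswith("initialized")]


def attack_sources(events):
    """Source addresses from every '[DOS attack: ...]' entry, deduplicated, in order."""
    seen = []
    for e in events:
        if e["event"].startswith("DOS attack") and e["ip"] and e["ip"] not in seen:
            seen.append(e["ip"])
    return seen


def unexpected_resolvers(resolv_conf_text, allowed_networks):
    """Nameservers in resolv.conf text that fall outside the allowed networks.
    On a home LAN the allowed set is normally just the router's subnet (or the ISP's
    resolvers, if the router hands those out directly via DHCP)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed entry, not a resolver address
        if not any(addr in net for net in allowed):
            found.append(str(addr))
    return found


if __name__ == "__main__":
    evs = parse_router_log(ROUTER_LOG)
    print("reboots:", reboot_times(evs))
    print("scan sources:", attack_sources(evs))
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF, ["192.168.1.0/24"]))
```

Run periodically from a LAN host (cron, or a scheduled task) with the resolver check pointed at `/etc/resolv.conf`, and the DNS change in the post would have been flagged the first time it happened rather than noticed through ads. The log parser is only as good as the four line shapes it has seen; extend `LINE_RE` if your router emits others.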

It's more likely to be a case of cross-site request forgery (CSRF) whereby JavaScript was run by your (wife's) browser that made it execute requests against your router because it's on a default location on your network, uses default credentials if at all, that sort of thing.

Lock down the admin page to your router as much as you can, put it on a non-default IP... the simple stuff. Maybe update the firmware every once in a while since they're likely to have solved this glaring mistake by now and if not, go scream at a tech support person for providing you with a piece of shit router.

Edited by Cooper
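An added illustration of the CSRF point in Cooper's reply, not code from the post or from any router vendor: a "set DNS" handler in the shape many home-router admin pages use (a logged-in cookie is the only check), beside a hardened version with the three checks that stop a request triggered from another site. The router address 192.168.1.1, the /set_dns path, the request dicts and the ads.example page are hypothetical; the handlers are plain functions so the whole exchange runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Assumed LAN address of the router's admin page (hypothetical; substitute your own).
ROUTER_HOST = "192.168.1.1"


def new_session(session_store):
    """Login step: create a session id (the cookie value) and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    session_store[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def vulnerable_set_dns(request, session_store, config):
    """Before: the only check is that the browser sent a valid session cookie.
    Browsers attach that cookie to any request aimed at the router, so a page on an
    unrelated site can cause a GET /set_dns?dns=... and the change goes through."""
    session = session_store.get(request.get("cookie"))
    if session is None:
        return 401, "login required"
    params = parse_qs(urlparse(request["url"]).query)
    config["dns"] = params.get("dns", [])
    return 200, "ok"


def hardened_set_dns(request, session_store, config):
    """After: three independent checks, each of which alone defeats the cross-site case.
    1. state changes only on POST (a browser can be made to issue a GET without any form);
    2. Origin (or Referer as fallback) must name the router itself;
    3. the form must carry the per-session CSRF token, compared in constant time."""
    session = session_store.get(request.get("cookie"))
    if session is None:
        return 401, "login required"
    if request.get("method") != "POST":
        return 405, "method not allowed"
    origin = request.get("origin") or request.get("referer")
    if origin is None or urlparse(origin).hostname != ROUTER_HOST:
        return 403, "cross-site request rejected"
    form = parse_qs(request.get("body", ""))
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403, "bad csrf token"
    config["dns"] = form.get("dns", [])
    return 200, "ok"


def walk_through():
    """Replay the thread's scenario against both handlers; returns each outcome."""
    store = {}
    sid = new_session(store)  # the victim logged in to the router earlier today
    # Constructed request as a browser sends it from a third-party page: the session
    # cookie is attached automatically and Referer points at that page.
    cross_site = {
        "method": "GET",
        "url": "http://%s/set_dns?dns=203.0.113.7" % ROUTER_HOST,
        "cookie": sid,
        "referer": "http://ads.example/page",
    }
    results = {}
    before = {"dns": ["dhcp"]}
    status, _ = vulnerable_set_dns(cross_site, store, before)
    results["vulnerable"] = (status, list(before["dns"]))
    after = {"dns": ["dhcp"]}
    status, _ = hardened_set_dns(cross_site, store, after)
    results["hardened"] = (status, list(after["dns"]))
    # The legitimate admin form: POST from the router's own page, carrying the token.
    legit = {
        "method": "POST",
        "url": "http://%s/set_dns" % ROUTER_HOST,
        "cookie": sid,
        "origin": "http://%s" % ROUTER_HOST,
        "body": "dns=dhcp&csrf_token=" + store[sid]["csrf_token"],
    }
    status, _ = hardened_set_dns(legit, store, after)
    results["legit"] = (status, list(after["dns"]))
    return results


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(name, outcome)
```

The token check is the one that matters on its own; the method and Origin checks are cheap defence in depth for the case where a token leaks or the Referer is stripped. On a real device you cannot patch the handler yourself, which is why the advice above is to update the firmware, move the admin page off the default address, and not stay logged in to it.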

Also check to make sure your admin interface isn't externally accessible, some routers come configured that way.

The best way to tell is to find your external IP address (http://ipchicken.com) then browse to that from a device that isn't on your network, either your phone (off wifi) or a friend's PC. If you are any good with nmap then do a full port scan of the IP from outside to see if anything is open. Check common UDP as well as you might have UPnP or SNMP open.

The DOS is maybe a red herring and was just a fast port scan that looked like one, they happen all the time with people looking for open ports on home IP ranges.

