
The ISP sent a message saying that they've detected some bot-network-characteristic traffic from a router's IP address. Recommended countermeasures have already been taken, i.e. a malware scan of the connected laptop, a router factory reset, changing the router's admin credentials (from the default) and updating the router firmware.

I want to further understand how the router could have been compromised. I thought changing the default admin credentials didn't matter as long as the network security key remained a secret, since you can't connect to the network, and therefore can't access the admin login page, without the security key. Apparently, this is incorrect.

Here's what I assume happened: the router in question is plugged into a wall, connecting it via an Ethernet cable to some wider area network. In this wider network there is some other machine running malware that scans connected routers, can access their admin login panels without the network security key (because it's physically connected), and then tries the default credentials admin:admin at any router. After finding a fresh router whose owner didn't bother changing the default credentials, having falsely assumed that the network security key would be sufficient protection, the malware somehow establishes this detected "bot network characteristic traffic" from the router's address.

Am I on the right path? If not, what else could likely have happened? What did I get wrong?

Soufiane Tahiri
jka
  • Difficult to say without doing computer forensics on the network; however, a default credential vulnerability can be the right path, but there are some possibilities like vulnerable services on the router. – init_first Jan 27 '21 at 14:57
  • This question is asking for a list of the possible ways a router could get compromised or for an opinion of likely issues. We could provide a hundred answers and they might all be valid. And that makes this question not a good fit on a Q&A site. – schroeder Jan 27 '21 at 15:41
  • You appear to be assuming that the router is the bot. An infected machine on your network could be the bot. The bot traffic would get your router's IP. – schroeder Jan 27 '21 at 15:46
  • @schroeder yes, I'm asking for a list of the possible ways a router could get compromised or for an opinion of likely issues given what I've been told by the ISP. What would be a better forum for this kind of question if this is not? This is my first time here and I genuinely thought it would fit. Regarding me assuming the router is the bot: this is not what I intended to say. What I meant is that any infected machine on some network to which the router is connected could be the cause of the traffic. – jka Jan 27 '21 at 16:03
  • As a Q&A site, we're a little different. There has to be a hope for a single acceptable answer. You are looking for open discussion. Forums are your better bet for that. If you are already assuming that the source could be a device on the network, why are you focusing on the router at all? The most likely scenario is that you have an infected machine, not the router. And if you are including wanting to know how *devices* could get infected, then we're looking at thousands of possible answers... – schroeder Jan 27 '21 at 16:06
  • I'm focusing on the router because that's where I could guess one vulnerability existed, in the form of default credentials, and because with my limited knowledge I can't put the problem into better words. I was hoping to learn more by asking this question, and perhaps be able to ask better questions in the future once I know more. Now I'm aware of many more aspects of this issue than I was prior to asking, which serves the purpose. – jka Jan 27 '21 at 16:16

1 Answer


These are a few attack vectors:

  1. Firmware vulnerabilities leading to remote code execution.
  2. If additional ports are open on the router, and a vulnerable service is running behind them, it may have been compromised that way.
  3. Router misconfigurations such as an easily guessable username/password, outdated crypto schemes, etc.
  4. Usually (most likely), one of the internal PCs might have been infected with malware (accidentally or otherwise). All of its traffic (and possibly that of other infected nodes) would have your router's public IP address as the source address after leaving the router (due to NAT).

In addition to what you've done:

  • Do an anti-virus scan on all of the PCs/nodes that have been connected via your router.
  • Do a port scan on your router from the Internet, and determine that no additional ports are open.
schroeder
  • Your points 1 and 2 are essentially the same point. The OP said, explicitly, that it had default credentials. And your point #4 doesn't seem relevant. Public IPs are public. How would knowing it be an attack vector? Unless you are not trying to say that it is an attack vector but rather that the bot is an internal device? – schroeder Jan 27 '21 at 15:44
  • In point #2, I was thinking maybe a vulnerable service in an internal PC, being accessible via port forwarding in the router. – Deepak Devanand Jan 28 '21 at 03:36
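As an added example that is not part of the original answer or any commenter's code, here is a small Python TCP connect probe for the answer's second recommendation: checking whether anything beyond what you intentionally exposed is listening on your router's public address. Everything in it is assumed for illustration: the port list is a constructed sample, and the offline demo uses a loopback listener in place of a real router, so the address you actually check is something you supply yourself.

```python
"""
Added example (not from the original question, answer or comments): a
TCP connect probe that reports which of a list of ports accept
connections on a host, plus a helper that flags open ports you did not
intend to expose. The host, ports and timeout are assumptions for
illustration; to check a router, run it from a machine OUTSIDE your LAN
against the router's public (WAN) address.
"""
import socket
from typing import Iterable, List

# Constructed sample of ports router admin / remote-management services
# are commonly reachable on. Not exhaustive; adjust to your device.
COMMON_ROUTER_PORTS = (21, 22, 23, 80, 443, 8080, 8443)


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[int]:
    """Return the ports on `host` that complete a TCP handshake.

    connect_ex() returns 0 only when something accepted the connection;
    a refused or timed-out connection is treated as closed/filtered.
    Only connect() is used, so no special privileges are required.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def unexpected_open_ports(open_ports: Iterable[int], allowed: Iterable[int]) -> List[int]:
    """Ports that are open but not in the set you deliberately forwarded/exposed."""
    return sorted(set(open_ports) - set(allowed))


def demo() -> dict:
    """Offline demonstration on 127.0.0.1 (assumption: loopback stands in
    for the router). One listening socket plays an exposed service; an
    ephemeral port that is bound and immediately released plays a closed one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # backlog lets connect() complete without accept()
    open_port = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so connect() is refused

    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        srv.close()
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "found": found,
        # With an empty allow-list, every open port is "unexpected".
        "unexpected": unexpected_open_ports(found, allowed=[]),
    }


if __name__ == "__main__":
    # Replace with your router's WAN address and your real allow-list, e.g.
    # unexpected_open_ports(scan_ports("<router WAN IP>", COMMON_ROUTER_PORTS), [443])
    print(demo())
```

Run it from a host that is not behind the router (a phone tether or a friend's connection works); scanning from inside the LAN reaches the LAN-side admin interface and will report ports that are not actually exposed to the Internet. Compare the result with the ports you knowingly forwarded; anything else listed is worth explaining. This only covers TCP, so UDP services such as UPnP or SNMP need a separate check.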