Cleaning a compromised Router?

4

At the office I noticed malware symptoms on one of the computers. I tried cleaning it and found nothing. Then I noticed I got the same behavior on my phone and the other computer: occasional links would redirect to malware download pages.

I changed my phone to cellular data and the behavior went away. I figured it must be the router or cable modem. I power cycled them and checked for a proxy or any other strange settings. I didn't see any, and it worked normally for a while, only to return again later.

What am I missing? Where else could the malware be coming from?

Jim McKeeth

Posted 2014-12-20T16:17:39.270

Reputation: 4 907

Answers

4

Check DNS settings on the router, modem and other devices. Also consider a factory reset, rather than just a reboot - the reset will completely clear all settings.

If you are using default (ISP-assigned) DNS servers, consider changing them to an alternative, such as Google's 8.8.8.8 - if you observe this behaviour stopping, consider checking with other users of this ISP, or reporting the issue to them. It's possible (though unlikely) that your ISP was compromised. There's also the possibility that malware on your computer itself was designed to attempt common passwords on consumer routers and make this change, though that is unlikely.

Another potential attack vector is a vulnerability in the router software itself. Unfortunately, it's not easy to detect such an attack - probably the simplest thing to do is look up the model number and see if there are any known vulnerabilities. If any exist, then you should either update the firmware (if possible) or replace it with a different device.

Bob

Posted 2014-12-20T16:17:39.270

Reputation: 51 526
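One way to act on the first two paragraphs of this answer from a client machine, as an added example that is not part of the original answer: list the resolvers the network actually handed out, flag any that are not on your expected list, and compare what that resolver returns for a domain against what 8.8.8.8 returns. The trusted-resolver list and the use of `dig` are assumptions for illustration; the check functions work on plain text so they can be exercised with constructed input, and the live part only runs when a domain is given on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): detect DNS hijacking on a LAN
# by checking which resolvers were pushed to this host and whether they
# answer consistently with a known-good public resolver (8.8.8.8, as in the
# answer). Assumption: the resolvers you expect are listed below; edit to taste.
TRUSTED_RESOLVERS="8.8.8.8 8.8.4.4"
REFERENCE_RESOLVER="8.8.8.8"

# Print the nameserver IPs found in resolv.conf-style text read from stdin.
list_nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Return 0 when every nameserver on stdin is in TRUSTED_RESOLVERS,
# otherwise print the unexpected ones and return 1.
check_nameservers() {
  unexpected=0
  for ns in $(list_nameservers); do
    case " $TRUSTED_RESOLVERS " in
      *" $ns "*) ;;
      *) echo "unexpected nameserver: $ns"; unexpected=1 ;;
    esac
  done
  return $unexpected
}

# Return 0 when the two whitespace-separated IP lists share at least one
# address. A hijacked resolver normally returns addresses that have nothing
# in common with the real ones, while CDN-hosted domains often return
# different but overlapping sets per resolver, so overlap is a safer test
# than strict equality.
answers_overlap() {
  others=" $(printf '%s' "$2" | tr '\n' ' ') "
  for ip in $1; do
    case "$others" in
      *" $ip "*) return 0 ;;
    esac
  done
  return 1
}

# Live check for one domain: system resolver versus REFERENCE_RESOLVER.
# Returns 0 on consistent answers, 1 on mismatch, 2 when the check could
# not be performed (no dig, no network).
live_check() {
  domain=$1
  command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
  sys_ans=$(dig +short A "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  ref_ans=$(dig +short A "$domain" "@$REFERENCE_RESOLVER" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  [ -n "$ref_ans" ] || { echo "no answer from $REFERENCE_RESOLVER (network down?)"; return 2; }
  if answers_overlap "$sys_ans" "$ref_ans"; then
    echo "OK: $domain resolves consistently"
    return 0
  fi
  echo "MISMATCH for $domain"
  echo "  system resolver returned: $sys_ans"
  echo "  $REFERENCE_RESOLVER returned: $ref_ans"
  return 1
}

# Only run the live checks when a domain is passed, e.g.: sh dnscheck.sh example.com
if [ -n "${1:-}" ]; then
  echo "resolvers pushed to this host:"
  list_nameservers < /etc/resolv.conf
  check_nameservers < /etc/resolv.conf || echo "  (resolver list differs from TRUSTED_RESOLVERS)"
  live_check "$1"
fi
```

Two caveats when reading the output. A compromised router often hands out its own LAN address (for example 192.168.1.1) as the resolver and forwards queries upstream to the attacker's servers, so a resolv.conf that only lists the router looks normal; the DNS servers configured on the router's WAN page still need to be checked by hand, and the answer comparison is what catches that case. And if the comparison flags a popular CDN-hosted domain, repeat it against a domain whose records are static before concluding anything.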

The router password is non-default and relatively complex. DNS and factory reset are good ideas. I'll try that. It is the same ISP I use at home, and I don't see the behavior at home. – Jim McKeeth – 2014-12-20T16:23:39.857

1 If you’re positive the password wasn’t compromised, the router might well have at least one security hole. – Daniel B – 2014-12-20T16:26:34.977

2 @JimMcKeeth If you save the password, or even just type it while malware is active, that's a possibility. Some routers also have vulnerabilities allowing their web configuration utilities to be accessed by remote hosts without a password - you can check if your model has a known vuln. These are all somewhat unlikely, but certainly possible. – Bob – 2014-12-20T16:27:12.303

Just found this, which seems like a candidate: http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/ – Jim McKeeth – 2014-12-20T16:46:11.963

From the cite: "Check Point has uncovered no evidence the vulnerability has been actively exploited..." Seems highly unlikely, and far more likely that the infection (if it is one) spread by open shares or other inadequate security between devices. Also, was Java recently updated? Check to see if the Ask toolbar was installed with a Java update. I have the sad feeling that your office computers have no security software installed, so you could have been hacked in a thousand ways (with the router being by far the least likely.) – Debra – 2014-12-21T16:55:30.850

By the way, if you really want to believe the router is compromised: save the configuration to a file on a computer, reset the router to default, reload the firmware, and then restore the configuration. That would wipe out any code change. – Debra – 2014-12-21T16:57:49.270

@Debra I recommend not doing this. It will restore any malicious configuration changes, like DNS servers. Even worse, it absolutely won’t do anything about the flash ROM contents. – Daniel B – 2014-12-21T20:04:22.053

DNS server information is completely visible in the router setup; it's easy enough to check, esp. as most get the DNS settings from the ISP. And you seem to completely miss the point about the firmware; the whole idea in reloading is that any changes to the firmware will be wiped out by doing so. I'm not sure why you believe that changes to the firmware could somehow survive reloading the firmware. As for the "factory reset" you suggest - it's near-useless if you really believe the firmware was exploited. – Debra – 2014-12-23T00:52:42.727