UBCD4Win Forums: Is This Possible? - UBCD4Win Forums

Is This Possible? Router Hacked?

#1 JamesIEvans (Regular Member; Group: BETA Tester; Posts: 169; Joined: 03-June 05; Location: Ohio)

Posted 31 July 2008 - 11:27 AM

I have spent some time cleaning someone's notebook, which only had XP Home with SP1 and very few other updates. Using UBCD4Win, I cleaned off the multiple trojans. AutoPatcher was used to get the missing updates on. I installed ZoneAlarm Suite, which the client had already downloaded and paid for. The suite is both a firewall and anti-virus.

    On my home wireless network, the notebook was fine. No pop-ups when accessing the internet. Within five minutes of being back on the client's wireless network, pop-ups started appearing. He connects to the internet via AT&T DSL and the 2Wire router they supplied.

    Is it possible that router may have been hacked by the trojans to feed him pop-ups? When I go into the router, what should I look for?

    Thanks.

#2 masterchi (Regular Member; Group: Members; Posts: 199; Joined: 08-April 07)

Posted 31 July 2008 - 06:19 PM

Router hacked to deliver popups? Slight possibility. Is he wireless or plugged directly into the router? If it's wireless he might be connecting to someone else's wireless router, and in that case they could have configured it as a public WiFi where on first logon/connection it will default to a site, as Panera Bread or Starbucks does. You connect wirelessly to Panera Bread and then double click a link to google.com, but first you get sent to Panera's page about accepting their agreement, and then you can browse out. The same thing might be happening, but this user who opened his wireless might have done it maliciously: he might have needed it open access but split it so his devices (MACs on the acceptable list) get the good internet while everything else gets sent to such and such website that is a spam site or a known spyware site, so when he opens IE and gets defaulted to that page, spyware gets downloaded.

If he is running wireless, then clean it fully and disable the wireless, then plug directly into the router and see if the issue reappears. If not, then go to 192.168.1.1 (or whatever the gateway IP is), log into his router and look around. Very slim possibility that maybe his son or a malicious but smart neighbor could have even hacked his router to do as described above. Once you verify all is well with his router and with being plugged directly in, then disconnect from the wire and enable the wireless, and if the issue arises you know the culprit. Also, while inside the router, verify the wireless SSID and encryption key to ensure you are connecting to the correct SSID at his location and not a neighbor's.

**EDIT** Also a slight possibility of another computer on the same network at his house/office that is infected, and that trojan/virus/spyware is just traversing through the network when he plugs back in, which could explain why it took 5 minutes or so for it to reappear. Turn OFF or unplug all devices from the router if you can and just leave his connected and see if the issue disappears.

      This post has been edited by masterchi: 31 July 2008 - 06:21 PM


#3 rdsok (Group: Admin; Posts: 6,041; Joined: 02-October 05; Gender: Male; Location: Norman, Ok. USA)

Posted 31 July 2008 - 07:33 PM

        As masterchi mentioned... it may be possible but I believe that is unlikely.

        It is more likely that the user had visited a website that re-infected them or had re-installed a spyware infected program that they had downloaded or had previously saved. The first ( an infected website ) is the more likely.

        Just call me a skeptic unless you actually saw it happen...
        Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#4 pcuser (Project Programmer; Group: Moderator & Development; Posts: 3,889; Joined: 20-November 04; Gender: Male; Location: Kneebrasskee)

Posted 31 July 2008 - 07:54 PM

          Quote

also slight possibility of another computer on the same network at his house/office that is infected and that trojan/virus/spyware is just traversing through the network when he plugs back in which could explain why it took 5 minutes or so for it to reappear.


Unfortunately, this isn't unheard of... I cleaned up a computer a while back only to have it infected and back in the next day, so I cleaned it up again, only to have it back in the next day again! Needless to say, I decided to deliver it in person the third time so I could see what was going on. Before I plugged it into the network I used Ettercap on my Linux based laptop to poison the ARP cache so I could intercept all network traffic, and it didn't take long to see that there was a worm bouncing around the network, hmm...

The same principle holds true for wireless networks, so don't leave your wireless network open and make sure that you're using a strong encryption key.

          Moral of the story... Don't trust your neighbors!!! :P

Another thing to think about is what they do on the internet. If they only use the computer for downloading music from the filesharing networks, playing poker online and looking for singles in their area, then you can most likely forget about the hacked router theory. Most people won't tell you this information, and many don't even know what happens on their computer when they're not around. I got tired of being taken advantage of because of this, so I took the liberty of writing a program that reads the timestamps from registry keys and then compares them with timestamps on files (including cookies and history), which gives a pretty clear timeline of what went on prior to infection. Sometimes it's not easy telling grandma how it got reinfected just after she went to bed when the grandkids were over, but like I said, I got tired of hearing "you didn't get it all 'cause it's doing the same thing again"...

          Back to the hacked router theory... Check to see if there's any custom Gateways/DNS servers specified or strange ports forwarded but if you flash the firmware and reset it then you shouldn't have anything to worry about.
          If you're afraid of taking any chances then the chances are great that you will never learn anything

          Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
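pcuser's checklist for the router (custom gateways/DNS servers, strange port forwards) can be turned into a scripted check so the same things get looked at every time a cleaned machine goes back on a customer's network. This is an added example, not pcuser's program or anything from the forum or from 2Wire; the ISP resolver addresses, the LAN range and the router address are assumed placeholders, and the configuration it audits is constructed, not taken from the thread.

```python
import ipaddress

# Assumptions (placeholders, not values from the thread): the resolvers the
# ISP is expected to hand out, the LAN the router serves and the router's own
# LAN address.  Read the real ones off the router's status page first.
EXPECTED_DNS = {"203.0.113.1", "203.0.113.2"}
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.254")

# External ports that have no business being forwarded into a home LAN.
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}


def audit(config, known_hosts=frozenset()):
    """Return a list of findings for one network configuration.

    `config` holds what `ipconfig /all` shows on the PC (gateway, dns) plus the
    router's port-forward table; `known_hosts` are LAN addresses the owner
    recognises (the PC, a printer, a NAS).  An empty list means nothing odd.
    """
    findings = []

    # 1. The default gateway must be the router.  Anything else on a LAN with
    #    one router means a rogue DHCP server or ARP spoofing (what pcuser
    #    describes doing deliberately with Ettercap to watch the traffic).
    gateway = ipaddress.ip_address(config["gateway"])
    if gateway != ROUTER:
        findings.append(f"gateway {gateway} is not the router {ROUTER}")

    # 2. DNS servers: the router as forwarder or the ISP's resolvers are fine;
    #    a foreign resolver is the classic DNS-changer sign and explains
    #    "pop-ups only on the client's network" better than a hacked router.
    for server in config["dns"]:
        if ipaddress.ip_address(server) != ROUTER and server not in EXPECTED_DNS:
            findings.append(f"unexpected DNS server {server}")

    # 3. Port forwards: flag targets outside the LAN or not recognised by the
    #    owner, and risky services exposed to the internet.
    for fwd in config.get("port_forwards", []):
        host = ipaddress.ip_address(fwd["host"])
        ext = fwd["ext_port"]
        if host not in LAN:
            findings.append(f"forward {ext} -> {host} points outside the LAN")
        elif fwd["host"] not in known_hosts:
            findings.append(f"forward {ext} -> {host}:{fwd['int_port']} targets an unrecognised host")
        if ext in RISKY_PORTS:
            findings.append(f"external port {ext} ({RISKY_PORTS[ext]}) is exposed to the internet")
    return findings


# Constructed sample: a foreign resolver has been planted and RDP is forwarded
# to the PC.  Addresses are documentation ranges, not real indicators.
SAMPLE_CONFIG = {
    "gateway": "192.168.1.254",
    "dns": ["192.168.1.254", "198.51.100.9"],
    "port_forwards": [{"ext_port": 3389, "host": "192.168.1.10", "int_port": 3389}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, known_hosts={"192.168.1.10"}):
        print("FINDING:", finding)
```

Run the DNS part twice: once against the PC's `ipconfig /all` output and once against the DNS servers configured on the router's WAN page, since a DNS-changer can sit in either place and the PC only sees the router when it forwards.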

#5 dirkgently42 (Ultra Member; Group: Donator/Beta Tester; Posts: 1,399; Joined: 26-February 05; Gender: Male; Location: o-n-s junior market, 1934 East Anaheim)

Posted 31 July 2008 - 09:32 PM

            Thanks masterchi and pcuser for your very informative replies to this topic!!!!

            When I read the initial post for this topic at work I really wanted to log in and reply, but I'm glad I waited.

            If I had been able to reply around lunch, I would have stated very briefly:
"As a first step before connecting, keep the cleaned PC off the net, then contact the ISP and get a new IP address assigned."

            ---------------------------------------------------------------
            I'm pretty sure AT&T 2Wire uses static IP.

            Clear DNS cache and Time To Live on router and on PC before connecting to the net.
ipconfig /release on the PC; push the reset button on the router
            (note: the malware infected sites also have a Time To Live...so they may still be looking for the IP they "know" they PWND at one time)

            Resetting the router should clear out a lot of crap and return to near normal.

            Install apps on client machine with hosts file blocking (and update/enable!) before connecting to the net.

            Spybot S&D
            SpywareBlaster
            --------------------------------
I tried to clean the PC of a not so savvy college student... THREE TIMES! The A-Hole brings it back to me saying "We got a problem! I connect to the internet after I get it back from you and it starts doing the same damned thing as before."
            Well, DUH!!!!!

            I restored an after cleaning image the 2nd and third time. Still got no money. Then I told him to piss off.

            I got my updates via sneakernet. I think I managed pretty well at the time.
            In other words I had no net access at home at the time, but I made the effort/risk to get current a/v and a/s updates from work.

He was determined to steal a neighbor's wi-fi service/bandwidth.
            I told the butthead not to hijack his neighbor, and that he should actually pay for dedicated service.

            This post has been edited by dirkgently42: 31 July 2008 - 09:37 PM

            "Ignorance is king. Many would not profit by his abdication. Many enrich themselves by means of his dark monarchy. They are his Court, and in his name they defraud and govern, enrich themselves and perpetuate their power." ; A Canticle for Leibowitz; Walter M. Miller, Jr.

            Woo-hoo! M-O-O-N, that spells "Nebraska"! The Stand

            Randy: "Hey Earl, someone just told me that Wednesday was hump day, but I don't see any ladies so you watch my back and I'll watch yours." My Name is Earl

            GEORGE: Yeah! Look at me! I was free and clear! I was living the dream! I was stripped to the waist, eating a block of cheese the size of a car battery!
            JERRY: Before we go any further, I'd just like to point out how disturbing it is that you equate eating a block of cheese with some sort of bachelor paradise. Seinfeld


            Klaatu barada nikto
            "Quando Omni Flunkus Moritati"
            Man's Prayer: "I'm a man, but I can change, if I have to, I guess."
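dirkgently42's advice to install hosts-file blocking before going back online has a flip side worth checking during a cleanup: malware also edits the hosts file, typically to point security-vendor or update names at an address it controls, so the machine cannot fetch the very updates the thread keeps recommending. The following is an added example, not code from the forum or from Spybot S&D or SpywareBlaster; it parses a constructed hosts file and separates legitimate blocklist entries from redirections that deserve a second look. All hostnames are placeholders under the reserved `.invalid` TLD.

```python
import ipaddress

# Addresses a blocklist tool uses to blackhole a name.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}
# Explicit RFC 1918 list: ipaddress's is_private also treats the documentation
# ranges used in the sample as non-global, which would hide the hijack below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed hosts file: blocklist entries as Spybot-style tools write them,
# one LAN name, and one entry of the kind malware adds so the PC can no longer
# reach its security vendor.  Every name here is a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by a blocklist tool
0.0.0.0         ads.example-tracker.invalid
0.0.0.0         popups.example-tracker.invalid  popups2.example-tracker.invalid   # two names, one line
# End of entries
192.168.1.50    printer
198.51.100.23   update.example-antivirus.invalid
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an address
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def audit_hosts(text):
    """Classify every mapping as blackholed (blocklist), lan (RFC 1918 target)
    or redirected (some other real address).  The last group is the one to
    read closely: a vendor or update name pointed at a public address is a
    sign the machine was tampered with, not a blocklist entry."""
    blackholed, lan, redirected = [], [], []
    for addr, name in parse_hosts(text):
        if addr in BLACKHOLE:
            if name != "localhost":
                blackholed.append(name)
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            lan.append((name, addr))
        else:
            redirected.append((name, addr))
    return blackholed, lan, redirected


if __name__ == "__main__":
    blocked, lan, redirected = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blackholed, {len(lan)} LAN names")
    for name, addr in redirected:
        print(f"REVIEW: {name} -> {addr}")
```

On XP the file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; read it from the UBCD4Win environment before booting the cleaned install, since some malware re-writes it at startup.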

#6 turbine_blade (Member; Group: Members; Posts: 76; Joined: 29-June 06)

Posted 31 July 2008 - 10:01 PM

              Quote

              I took the liberty of writing a program that reads the timestamps from registry keys then compares it with timestamps on files (including cookies and history) which gives a pretty clear timeline of what went on prior to infection.


              Would pcuser consider sharing the program he wrote? This appears to have many uses.

              Cheers

#7 pcuser (Project Programmer; Group: Moderator & Development; Posts: 3,889; Joined: 20-November 04; Gender: Male; Location: Kneebrasskee)

Posted 31 July 2008 - 10:26 PM

                Quote

                Would pcuser consider sharing the program he wrote? This appears to have many uses.


Maybe eventually, but it's not user friendly enough to the point that I want to publicly support it.
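pcuser's program is not on the page, but the technique he describes (lining up registry-key last-write times with file, cookie and history timestamps to see what happened just before an infection) is easy to sketch. The following is an added example in Python and is not pcuser's code: the events are constructed placeholders, `collect_files` walks whatever directory you point it at, and the Run-key collector only returns anything on Windows, where `winreg.QueryInfoKey` reports the key's last-write time as a FILETIME.

```python
import os
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts source path")   # ts: POSIX seconds


def ts(text):
    """Local-time 'YYYY-MM-DD HH:MM' -> POSIX seconds (helper for the sample)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").timestamp()


# Constructed events (deliberately out of order): a download page, its cookie,
# a dropped executable and a Run-key write, plus unrelated activity the evening
# before.  File and host names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    Event(ts("2008-07-31 11:02"), "file", r"C:\WINDOWS\system32\svchst32.exe"),
    Event(ts("2008-07-31 10:58"), "history", "http://free-screensavers.invalid/download"),
    Event(ts("2008-07-31 10:59"), "cookie", "user@free-screensavers.invalid"),
    Event(ts("2008-07-31 11:03"), "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event(ts("2008-07-30 21:15"), "history", "http://webmail.example.invalid/"),
]


def collect_files(root):
    """Turn every file's mtime under `root` into an Event (any OS)."""
    events = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                events.append(Event(os.stat(p).st_mtime, "file", p))
            except OSError:
                pass
    return events


def collect_run_keys():
    """Last-write times of the per-user and machine Run keys (Windows only;
    returns [] elsewhere).  QueryInfoKey's third field is a FILETIME: 100 ns
    units since 1601-01-01, hence the conversion to POSIX seconds."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    events = []
    for hive, hname in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, sub) as key:
                filetime = winreg.QueryInfoKey(key)[2]
        except OSError:
            continue
        events.append(Event((filetime - 116444736000000000) / 1e7, "registry", hname + "\\" + sub))
    return events


def build_timeline(events):
    """Oldest first; the whole point is reading the sequence, not the sources."""
    return sorted(events, key=lambda e: e.ts)


def events_before(timeline, marker_ts, window_seconds):
    """Everything in the window that ends at the marker (both ends inclusive),
    e.g. the ten minutes before the Run key was last written."""
    return [e for e in timeline if marker_ts - window_seconds <= e.ts <= marker_ts]


def render(events):
    return [f"{datetime.fromtimestamp(e.ts):%Y-%m-%d %H:%M:%S}  {e.source:8}  {e.path}" for e in events]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS + collect_run_keys())
    run_write = max(e.ts for e in timeline if e.source == "registry")
    print("\n".join(render(events_before(timeline, run_write, 600))))
```

In practice the marker is whatever you found first (the dropped executable, the new Run value) and the window is widened until the browsing that preceded it shows up; cookies and the IE history index are the sources that usually explain the "how".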

#8 पागल (Newbie; Group: Members; Posts: 10; Joined: 31-July 08)

Posted 31 July 2008 - 11:53 PM

Before cleaning the PC, make sure you don't have a p2p program installed. It is strongly recommended that those programs be removed first.

#9 dirkgently42 (Ultra Member; Group: Donator/Beta Tester; Posts: 1,399; Joined: 26-February 05; Gender: Male; Location: o-n-s junior market, 1934 East Anaheim)

Posted 01 August 2008 - 12:41 AM

                    I second the p2p apps elimination suggested by "पागल"
                    p2p apps have been a major pain for me too.
                    I don't use them, but any of the following ilk should be eradicated.
                    BearShare
                    LimeWire
                    etc.

It's not so much the service... it's the crap that's served to extremely novice users who think they have mastered the "internet" after they buy an expensive PC, and manage to check their email, surf the web to some interesting sites and pay bills on time with their infected computer. Wow. :thumbdown:

                    This post has been edited by dirkgently42: 01 August 2008 - 12:44 AM


#10 JamesIEvans (Regular Member; Group: BETA Tester; Posts: 169; Joined: 03-June 05; Location: Ohio)

Posted 01 August 2008 - 01:41 PM

JamesIEvans, on Jul 31 2008, 12:27 PM, said:

                      Is it possible that router may have been hacked by the trojans to feed him pop-ups? When I go into the router, what should I look for?

                      Thanks.


                      All -

Thank you for the suggestions and ideas. I forgot about the hosts file and locking it down. Would / should ZoneAlarm have an issue with Spybot being resident? I will let you know what happens.

                      - Jim
