
Was/Is my Router Infected & What Can I Do?


26 replies to this topic

#1 Computer_Idiot_


Posted 22 December 2014 - 07:46 PM

Hello to all here, I was advised to post my questions here after Satchfan did a fantastic and patient job of helping me clear malware, etc, from my laptop: http://www.bleepingcomputer.com/forums/t/558842/infected-with-malware-from-old-laptop-desperate/

 

To cut a long story short, I will go in order of what happened:

 

1. A casual Malwarebytes scan found 2 infections

 

2. I quarantined the infected files and also ran AVG Free and Superantispyware to clear-up any other issues

 

3. Because I have used my laptop for financial transactions for a family member I decided to restore to factory settings to 'overwrite' any remaining issues. I am not so bothered if my details are accessed, if anyone else's were I would be distraught

 

4. I re-installed Malwarebytes, Superantispyware and AVG. I ran a Malwarebytes and found over 200 infections, took the recommended action (quarantine) and did the same for Superantispyware and AVG. I closed the laptop down and have not switched it on again since

 

5. I then bought another laptop and reset my router before connecting it

 

6. I connected and installed Malwarebytes, AVG and Superantispyware. Malwarebytes found 200+ issues, with the names being the same as those which affected the old laptop

 

SO: my questions are:

 

1. Is my router affected, somehow, by malware?

 

2. If I bought an iPad to use with WiFi connection to that router (to use for financial stuff, shopping) would the same issues affect that iPad, too?

 

Sorry I have had to be longwinded, guys. :-/





#2 JohnC_21


Posted 22 December 2014 - 08:24 PM

What is the make and model of the router? Check to see if the maker has updated the firmware to take care of security issues.

 

When you reset the router, did you change the default user name and password to access the router? If that was not changed, anybody could access your router if you have Remote Access enabled. Best security practice is turning off Remote Access and also UPnP on the router.

 

For Wireless, did you change the Security to WPA2 and AES using a long PSK password?

 

WEP security can be broken in minutes. It is no longer secure and hasn't been for years.

 

Not sure about the iPad but I would think you would not be able to get infected if you did not visit any shady sites or open unknown email. iPads are pretty secure but not immune. If your router was hacked, the people who did it could change your DNS servers too.

 

Hopefully other people with more networking experience than me will add some extra thoughts.



#3 Computer_Idiot_


Posted 23 December 2014 - 05:34 PM

Hello John, thanks for your reply. I will answer in order, but I am not very technical.

 

1. The router is a Huawei and I'll do a search to see about firmware (Which I hadn't heard of before your reply! Embarrassing!)

 

2. I did change the router password. I may well phone my ISP to change it again, and also the router name

 

3. Even more embarrassingly, I don't even have enough nous to answer this!! "For Wireless, did you change the Security to WPA2 and AES using a long PSK password?"

 

How do I take the steps you've recommended?

 

Another question: I am thinking of downgrading my internet and TV package which will require my ISP installing a new router. If the router HAS been infected, if it is changed, will this solve the problem?

 

Thanks again, John! 



#4 JohnC_21


Posted 23 December 2014 - 06:04 PM

Sorry, I was under the assumption you had a modem provided by your ISP and your wireless router which you bought. Am I correct in saying your modem and wireless router are in one unit?

 

The user name I was asking about is not provided by your ISP if you bought the router. That is changed in the web interface of the router. If you changed the password on your router, that should be sufficient. The default user name and password on a Huawei is admin. You can check the IP address of the router by typing ipconfig at a command prompt and looking at the address given to the Default Gateway. Type that address (for example 192.168.1.1) in a browser address bar and you should see your Web interface. I would not change anything if you are not familiar with the settings. If you get to the Web Interface using admin for the user and admin for the password then you did not change the router password.

 

If your ISP provided your modem and router then I assume they have WPA2 encryption on the router. There may be a sticker on the side of the gateway that shows the default WPA2 password. You can see if you are using WPA2 encryption on a wireless connection shown here.

 

If they change the router then, yes, that would rule out anything malware related coming through the router if they set it up with WPA2 encryption with a strong login password.

 

Edit: This page shows router setups for different Huawei routers. Does yours show a model number on the back?


Edited by JohnC_21, 23 December 2014 - 06:06 PM.


#5 Computer_Idiot_


Posted 26 December 2014 - 07:04 PM

Hello John, thanks for the reply. In sequence:

 

1. Yes, the router and modem are in the same device

 

2. When the router was installed it had the password on the back of it, a sticker placed there by my ISP. It wasn't 'admin' so maybe the ISP changed it? What I will do is to ask my ISP to change it again over the phone and I'll see whether the 'new' password is accepted

 

3. Am I right in thinking that, as the router had a password sticker on it, it is WPA2?

 

4. Yes, the model number is on the back of the router

 

A daft Q from me: if the router is infected/compromised, if I used an iPad with the WiFi connection, would the data on THAT device also possibly be accessible? Because I would want to use the iPad for banking, shopping, etc.

 

Thanks again for your help! :-D



#6 JohnC_21


Posted 26 December 2014 - 07:27 PM

The only way I could see somebody accessing the router would be if someone actually saw the sticker. Did you check your wireless to see if it was WPA2 as in the link I provided?

Edited by JohnC_21, 26 December 2014 - 07:27 PM.


#7 Computer_Idiot_


Posted 27 December 2014 - 08:36 AM

I did, John, but I couldn't work out how to do it in Windows 8 - I'm thick like that!! 

 

I'll figure it out. I phoned my ISP. They didn't know. How can they NOT know?

 

Would you discount the possibility of the router itself being infected by all this malware? Is it strange that the malware that affected my old laptop (which I thought I had cleared up, before I switched it off, never to be switched on again) then affected my new one? Or is that not unexpected?

 

And would an iPad be affected if I connected it to the WiFi, or would it be safe?



#8 JohnC_21


Posted 27 December 2014 - 09:19 AM

With the password on a sticker, I would doubt the router has been hacked. You can always go into the router's Web Interface and change the password of your Wireless encryption.

 

You can go to a command prompt and type the following. It will show you your network and encryption. If the ISP set up the wireless then I am pretty sure it should be WPA2.

netsh wlan show networks
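An added example (not code from the thread or from any of the posters): a small PowerShell script that reads the output of the netsh tool JohnC_21 points to and grades the current Wi-Fi link against the advice given earlier in the thread (WPA2 with AES is fine, WPA/TKIP is weak, WEP or an open network is insecure). It runs on the constructed sample lines below so it can be tried offline; the field labels, the function names and the sample SSID/BSSID are assumptions.

```powershell
# Added example, not from the thread. Parses "netsh wlan show interfaces"
# style output ("Label   : value" per line) and reports the security level.
# Windows, PowerShell 3 or later; needs a wireless adapter for the live check.

function Get-NetshField {
    param([string[]]$Lines, [string]$Name)
    # Return the value of the first line whose label is exactly $Name
    # (anchoring at ^ keeps "BSSID" from matching a lookup for "SSID").
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-WlanSecurityVerdict {
    param([string[]]$Lines)
    $ssid   = Get-NetshField -Lines $Lines -Name 'SSID'
    $auth   = Get-NetshField -Lines $Lines -Name 'Authentication'
    $cipher = Get-NetshField -Lines $Lines -Name 'Cipher'

    # Grade per the thread: WEP/open is broken, TKIP is weak, WPA2/AES is OK.
    $verdict = if ($auth -eq 'Open' -or $cipher -eq 'WEP') {
        'INSECURE: open or WEP network, change the router to WPA2 with AES'
    } elseif ($cipher -eq 'TKIP') {
        'WEAK: TKIP cipher, switch the router to AES (CCMP)'
    } elseif ($auth -like 'WPA2*' -or $auth -like 'WPA3*') {
        'OK: WPA2/WPA3 with AES; make sure the PSK is long'
    } else {
        "UNKNOWN: authentication '$auth', cipher '$cipher'"
    }

    [pscustomobject]@{
        SSID = $ssid; Authentication = $auth; Cipher = $cipher; Verdict = $verdict
    }
}

# Constructed sample of what an ISP gateway on WPA2/AES would print
# (SSID and BSSID are made up), so the logic can be run without a Wi-Fi link.
$sample = @'
    State                  : connected
    SSID                   : HomeNet
    BSSID                  : 00:11:22:33:44:55
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
'@ -split "`r?`n"

Get-WlanSecurityVerdict -Lines $sample | Format-List

# Live check on this PC (same parser, real netsh output):
# Get-WlanSecurityVerdict -Lines (netsh wlan show interfaces) | Format-List
```

The sample above grades as OK; a line pair of Authentication "Open" and Cipher "WEP" would grade as INSECURE.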


#9 Computer_Idiot_


Posted 28 December 2014 - 06:49 PM

Thanks, John! :-D Indeed, it is WPA 2.

 

Even if it hasn't been hacked, do you think the router itself was (somehow) infected?

 

Will shopping transactions using an iPad be secure, would you think, using this WiFi connection?



#10 JohnC_21


Posted 28 December 2014 - 09:47 PM

WPA2 is secure. I don't think your router is infected but I can't give you a guarantee either. You could always change the WPA2 password in the router itself. I am not sure how your gateway is set up but mine does not have a username. The password is on the bottom of the router (not the WPA2 password). Any setting that is changed requires that password to be entered. If yours is like this, the only way I think it could be hacked is if somebody gave away the router and WPA2 password. You can ask your ISP if your gateway allows remote access and if it does, ask them how to disable it.

 

You should be okay on the iPad as long as you are using trusted apps from Apple. If you are really worried, you could create a live CD or USB of a Linux distro and boot that on your laptop. Then do your financial transactions using the DVD disk or USB. After the transactions are done, you would reboot into Windows. Always make sure you are at the correct financial site. You can click the little icon in the address bar to get more information on the site you are at.



#11 Wand3r3r


Posted 29 December 2014 - 04:50 PM

Routers are not targets of malware nor can malware be installed on a router.

 

" I connected and installed Malwarebytes, AVG and Superantispyware. Malwarebytes found 200+ issues, with the names being the same as those which affected the old laptop"

 

This is a false positive. Odds are Malwarebytes is seeing either AVG or Superantispyware files as malware. You only need one product, not three. I use Bitdefender since it is far less intrusive than AVG or others I have used in the past. It also has high marks in reviews over others. The fact you did the same thing twice on two different hosts indicates it's what you are doing that is giving you the results you have.

 

BTW WPA2 can be hacked

http://www.sciencedaily.com/releases/2014/03/140320100824.htm



#12 JohnC_21


Posted 29 December 2014 - 05:27 PM

Did not know about the WPA2 hack. Thanks for that. Maybe increasing the length of the PSK would help?

 

Edit: For Malware on the router, I was referring to something like this. I guess I wasn't clear on that. Turning off Remote Access is what I was recommending.

 

Another article on WPA2 Encryption.


Edited by JohnC_21, 29 December 2014 - 05:44 PM.


#13 Wand3r3r


Posted 29 December 2014 - 06:12 PM

I hadn't heard about the Moon malware. Pretty dumb of Linksys to have remote management enabled as default. Usually it's just the opposite, it's disabled by default. Though these older routers are vulnerable to this attack, they can't infect PCs with malware.



#14 Computer_Idiot_


Posted 29 December 2014 - 08:56 PM

Routers are not targets of malware nor can malware be installed on a router.

 

" I connected and installed Malwarebytes, AVG and Superantispyware. Malwarebytes found 200+ issues, with the names being the same as those which affected the old laptop"

 

This is a false positive. Odds are Malwarebytes is seeing either AVG or Superantispyware files as malware. You only need one product, not three. I use Bitdefender since it is far less intrusive than AVG or others I have used in the past. It also has high marks in reviews over others. The fact you did the same thing twice on two different hosts indicates it's what you are doing that is giving you the results you have.

 

BTW WPA2 can be hacked

http://www.sciencedaily.com/releases/2014/03/140320100824.htm

 

 

Hello, thanks for your reply!

 

I don't think malwarebytes, AVG and Superantispyware were detecting each other and giving false positives. The story as to why is a bit lengthy, so bear with me.

 

I was running all three (and ZoneAlarm) as the firewall for months and found just the odd bit of adware which I would then remove.

 

But on one occasion when I ran a malwarebytes scan, instead of it finding no infections, it found 2 infections.

 

Because I had used the laptop for a lot of financial transactions I panicked. I quarantined the infected files, did a scan with AVG and Superantispyware and took the recommended actions.

 

After this I did a restore to factory settings to 'overwrite' any infection which may be lingering.

 

When I re-installed Superantispyware (as well as Malwarebytes, AVG and ZoneAlarm) and ran a scan it found 200+ issues. Cue further panic. So I removed what it told me to, and ran Malwarebytes and AVG and took the recommended remedial actions.

 

I then switched off that laptop and bought a new one. It is this new one which, when I downloaded AVG, Superantispyware and malwarebytes, which then also had the 200+ issues.

 

So, to cut a long story short, as being as the programs did not throw up 200+ issues before, I can't think that it was the programs 'clashing'.

 

If routers cannot be infected with malware, viruses, etc (and I am meaning infected, rather than hacked) is it unusual that the issues which affected my old laptop also affected this one, when:

 

1. The old one was 'cleaned up' with anti-virus and anti-malware software

 

2. It was then closed down and never since rebooted

 

3. With both of these steps being done before I bought and connected this current laptop

 

I am struggling to understand how the issues which affected the old one could affect the new one when they have not been connected to the same WiFi network at the same time. Particularly as being as AVG, Superantispyware and Malwarebytes told me the old computer was clean before it was consigned to the scrapheap.



#15 JohnC_21


Posted 30 December 2014 - 08:33 AM

Did the programs you used save any logs on what was removed? If you still have the old laptop, boot that and get the logs off using a USB flash drive and then post them.

 

If you still are not at ease then post a new thread in the "Am I Infected?" forum referencing this thread and see if you get a response. If not, there is a link at the top of the forum you can go to that will send you to a type of holding area that should get you a response.

 

I would not send that other laptop to the junk heap. Do another factory reset on the old laptop. Copy Malwarebytes to the laptop using a USB flash drive, do a scan and get the log. You can also connect it to the internet and do an online scan with Eset.

 

If you do not want to do that, you could always reformat the drive and install a Linux distro. What is the make and model of the old laptop? If you do only email, browsing and financial sites on the laptop, Linux would do nicely.

 

Wand3r3r may also have some helpful suggestions.





