
Something is changing my router user id/password


24 replies to this topic

#1 Scott Stoef
Posted 07 December 2015 - 01:50 PM

I've noticed twice in the past 6 months that my router's admin and password have been changed, and I keep having my credit cards get hacked. Is there a way of determining if there is a piece of malware on one of my 4 computers that is causing this to happen? Unfortunately I couldn't log in to my router to see what settings were being modified because my user ID and password are being blocked. I reset the router back to factory defaults last night and added an even more complex user ID and password. I'm absolutely positive I've entered the correct user ID and password multiple times, so there is definitely something (worm) causing my issue that the tools I have at my disposal cannot find.

 

You can find more details here:  http://www.bleepingcomputer.com/forums/t/598617/wireless-settings-being-changed/#entry3880732

 

#2 JohnC_21
Posted 07 December 2015 - 02:27 PM

Reset your router again. You can pull the Ethernet or phone cable from the wall to temporarily disable internet. After resetting the router login password and SSID for the router, also make sure you disable remote access. This will prevent anybody from remotely accessing the router. It can only be accessed by a direct connection via Ethernet. I would also change your WPA2 PSK password. Depending on the router you can make it long. For a copy and paste of a new password for WPA2 go to GRC here: 63 printable ASCII characters hashed down to 256 binary bits.

 

After you are back up on the Internet I would recommend you do a scan with HitmanPro and TDSSKiller.
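What the "63 printable ASCII characters hashed down to 256 binary bits" above refers to is the WPA2-Personal key derivation: the passphrase you type (8 to 63 printable ASCII characters) is run through PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations to produce the 256-bit Pairwise Master Key (PMK). The following is an added example, not code from this thread, from GRC or from Asus. It generates a maximum-length passphrase from a CSPRNG, derives the PMK the way IEEE 802.11i specifies, and checks itself against the published IEEE test vector (passphrase "password", SSID "IEEE"). The SSID "HomeNet" used in the demo run is a placeholder.

```python
"""Added example: WPA2-Personal passphrase generation and PMK derivation.

Not from the BleepingComputer thread, GRC or Asus. Implements the
passphrase-to-PMK mapping of IEEE 802.11i (Annex H.4) with the standard
library only.
"""
import hashlib
import math
import secrets

# WPA2-Personal passphrase rules: 8 to 63 characters, each printable ASCII
# in the range 0x20 (space) to 0x7E ('~'). The default generation alphabet
# leaves out the space because many web forms trim leading/trailing spaces.
MIN_LEN, MAX_LEN = 8, 63
GENERATION_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))  # 94 chars
PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_BYTES = 32             # 256-bit PMK


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the string is a legal WPA2 passphrase (length and charset)."""
    return (MIN_LEN <= len(passphrase) <= MAX_LEN
            and all(0x20 <= ord(c) <= 0x7E for c in passphrase))


def generate_passphrase(length: int = MAX_LEN,
                        alphabet: str = GENERATION_ALPHABET) -> str:
    """Uniformly random passphrase from a CSPRNG.

    Pass a narrower alphabet if a particular router's web form rejects
    characters such as quotes or backslashes.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"WPA2 passphrase length must be {MIN_LEN}..{MAX_LEN}")
    if not all(0x20 <= ord(c) <= 0x7E for c in alphabet):
        raise ValueError("alphabet must be printable ASCII")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(length: int,
                            alphabet: str = GENERATION_ALPHABET) -> float:
    """Guessing entropy of a uniformly random passphrase of this length."""
    return length * math.log2(len(alphabet))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt: the same passphrase yields a different PMK on a
    different network name, so precomputed tables only work per SSID.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("not a legal WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               PMK_BYTES)


# Known-answer test from IEEE 802.11i Annex H.4.1 (passphrase "password",
# SSID "IEEE"). Run it before trusting the derivation above.
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def self_test() -> bool:
    return derive_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK


if __name__ == "__main__":
    assert self_test(), "PBKDF2 derivation does not match the IEEE vector"
    pw = generate_passphrase()
    print("passphrase:", pw)
    print(f"entropy: {passphrase_entropy_bits(len(pw)):.0f} bits "
          f"(the PMK caps effective strength at {PMK_BYTES * 8})")
    print("PMK for SSID 'HomeNet':", derive_pmk(pw, "HomeNet").hex())
```

Two practical points follow from the code. A random 63-character passphrase carries about 413 bits of entropy, far more than the 256-bit PMK, so anything past roughly 40 random characters adds nothing against a brute-force attacker; the reason to still use the full length is that it costs nothing and rules out every dictionary and mangling-rule attack on a captured 4-way handshake. And because the SSID is the salt, leaving a router on a common default SSID lets an attacker reuse tables precomputed for that name, so changing the SSID (as the post above says) is part of the key change, not cosmetics. Supplicants such as wpa_supplicant also accept the 64-hex-digit PMK directly in place of a passphrase, which skips PBKDF2 entirely.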



#3 Scott Stoef (Topic Starter)
Posted 07 December 2015 - 10:09 PM

Thanks John! I went ahead and changed my settings and put in a new user ID and admin password using the GRC link. I didn't use that for the WPA2 because it would be impossible to remember. I also disabled the remote access for my 2.4G and 5G bands. The only things on the network right now are my desktop and OOMA device.

 

I think I'm just going to reimage each computer from the factory partition unless you think those could be corrupted.  The only problem I see with this approach is that I cannot wipe the drives clean with DBAN without losing the partition and hence my Windows license.  I'm not sure if there is a way around that, but I'm going to look.

 

Do you think I need to do anything with my iPhones or iPads, or are they usually safe to put back on the network? If I were a gambling person I would think that one of my laptops with Windows is the culprit.



#4 JohnC_21
Posted 07 December 2015 - 10:47 PM

If you decide to do a factory reset, then that should eliminate any infection. I can't see the recovery partition being corrupted. I used the long password for WPA2. I put it in a text file on a flash drive. Whenever I need to input it into a computer, I simply cut and paste. This could be a problem if using a device like a phone though.

 

If doing a factory reset, make sure you have all your software licenses and back up any data including bookmarks and email if using an email client. The most important thing is you disabled remote access. Nobody can access your router via a wireless connection.

 

Edit: You reset the router, correct? This would remove any change in the DNS addresses.


Edited by JohnC_21, 07 December 2015 - 10:49 PM.


#5 Scott Stoef (Topic Starter)
Posted 08 December 2015 - 06:55 AM

I did the factory reset the following evening, but I guess I can always do it again with a 'clean' computer. That way I know nothing will be compromised at all. I looked at a few comments from QuietMan in other posts and it sounds like a factory restore 'should' fix the issue, but it sounds like it could be possible for the infection (or whatever it is) to still exist. I actually did a factory restore of my laptop about 6 months ago, but it still ran slow after reinstalling the OS. I mostly notice it in the lag time it takes to launch any browser, but Chrome is extremely bad.

 

I will run a few different scans to see what I can find, but I need to get at least 1 or 2 computers running so my kids can do their homework. Hopefully in the meantime I can get one of the experts here to help me thoroughly scan my computers to figure out what I'm dealing with.



#6 JohnC_21
Posted 08 December 2015 - 08:19 AM

It is possible the infection transferred to the other partition but that is a rare occurrence. After the reset you can do a scan or go to the Virus Removal Forum. Look at the pinned posts to find out what you first need to do and what logs to post. A malware removal expert can look at your logs for any infection.

 

If you want to prevent someone from hacking your computer, then when doing anything credit card related or banking use a live Linux disk. Using one of these makes the chance of someone hacking your credit card very small.

 

I would recommend using something like Mint or Ubuntu. You would be running in RAM and off a DVD or USB flash drive. You would need to input the WPA2 password to connect wirelessly.

 

Ubuntu

 

Mint

 

If you have a spare computer, it may be in your interest to install Linux on it, as once you have set it up with a strong password, your chances of getting infected are very small compared to Windows, as the number of Linux machines is small and hackers avoid it. The computer would need at least 1GB of RAM for Linux to run well. If you are interested in creating a live Linux disk or USB flash drive, post back and I can give instructions.



#7 Scott Stoef (Topic Starter)
Posted 09 December 2015 - 07:38 AM

Looks like the factory restore partition on one of my laptops got corrupted in the last 6 months. I can only assume that is the computer that has the issue, but I'm still going to be safe and rebuild the rest too. All of the laptops are running a version of Windows, but there are no license keys on them since I purchased them all from a store. I'm definitely going to DBAN the one with the corrupted partition, but I'm only planning (key word) on doing a factory restore on the rest.

 

I've thought in the past of installing Zorin on one of my machines, so this might be a good time to put that on the corrupted laptop. Do you think that is as good as Mint? I like the fact it looks and feels a lot like Windows 7. Another guy at work has tried to get me on a Linux OS, but I never did because he said it takes a lot of time to figure it out and research to get used to it. I don't have a lot of time on my side so I avoided it. He also told me to set up a virtual machine on my computer as well. I tried that option but Windows needed a new license for the virtual machine, so I scrapped that idea. So I'm open to your suggestion on setting up a live Linux USB drive, so instructions would be great.

 

I'm going to buy a fourth computer that I know is clean and reset the network with it one more time. I did some reading last night and I think I should be okay with bringing my iPads and iPhones back on the wireless network since we don't really do anything with them other than surf the net. What do you think?



#8 JohnC_21
Posted 09 December 2015 - 08:18 AM

Just as a precaution you can back up your activation files for each computer using Advanced Token Manager. The backup files are in the folder you unzipped Token Manager to. You can then store these on a USB flash drive.

 

I am not familiar with Zorin enough to answer if it is just as good as Mint or Ubuntu. That most likely is a personal preference. You could ask that in the Linux Forum. From what I have read Zorin 9 is based on Ubuntu 14.04 LTS which is good. That means it is supported until 2019.

 

For creating a USB bootable flash drive you can use Rufus with any bootable ISO file. Run Rufus and make sure your USB flash drive is listed. Use MBR for a partition scheme. Everything else you can leave as checked, including Quick Format. Where you see FreeDOS in the dropdown box, select ISO image and click the folder icon. Browse to the ISO file of your Linux distribution. Press Start. Back up anything on the flash drive you need, as it will be formatted.

 

As long as you disabled remote access on the router and have a strong router and WPA2 password, you should be fine with the iPads and iPhones.



#9 Scott Stoef (Topic Starter)
Posted 09 December 2015 - 09:13 AM

I couldn't find an option to disable remote access in the router settings. I even googled it and the only thing that came up was disabling the bands, so I don't have any wifi access right now. So maybe I still don't have it set up correctly after all. I did disable the WPS functionality though.



#10 JohnC_21
Posted 09 December 2015 - 11:33 AM

Disabling WPS is a good idea. What is the make and model of the router?



#11 Scott Stoef (Topic Starter)
Posted 09 December 2015 - 11:42 AM

It is an Asus RT-N66U.



#12 JohnC_21
Posted 09 December 2015 - 12:08 PM

See image in this thread on disabling Web Access From WAN.

 

http://www.dslreports.com/forum/r29802298-Asus-RT-N66u-Remote-Admin



#13 Scott Stoef (Topic Starter)
Posted 09 December 2015 - 01:32 PM

It looks like this is disabled based on the latest firmware patch.

 

I keep remembering that when I log onto my work computer I would get port scan attacks being logged, but no other information. I talked to a few other individuals at work and they got the same thing, so I didn't think anything about it, especially after I had our IT group do a full scan of my computer with their diagnostic tools.

 

The laptop with the corrupted factory partition is also the one that the good folks at Bleeping Computer scanned and couldn't find anything either.



#14 JohnC_21
Posted 09 December 2015 - 01:47 PM

I am not sure how your router password was hacked if Web access was disabled. You would need physical access to a computer connected to the router via Ethernet. Another thing you can do to lock down your router is to enable MAC address filtering. It's not totally effective against hackers, but it can slow them down. By whitelisting only devices that you own, nobody would be able to access your internet with a MAC address that is not on the whitelist.



#15 Scott Stoef (Topic Starter)
Posted 09 December 2015 - 02:45 PM

Web access is disabled now with the newest firmware, but I don't know if the previous one had it enabled or disabled.  

 

My main PC is connected directly to the router via Ethernet cable. I can only think of one time that I downloaded something to manipulate a song for my daughter's gymnastics performance that lit my computer up. I did all kinds of cleaning and I thought I had it quarantined, but maybe not.

 

I'm assuming this gave some access to the router to make the changes they wanted. I'm just worried that it wormed into other computers to infect them as well. Our main laptop, which is only connected wirelessly, was the first to experience an issue, so I rebuilt it. It never went back to running correctly, but no one could find anything on it.

 

My son's computer also started running very slowly too, so I'm concerned it might have gotten into that computer as well. I have scanned it with Malwarebytes, SUPERAntiSpyware, ESET, etc., and it never finds anything. That is why I'm so concerned about it infecting the iPad and iPhones if it is that advanced of a worm.

 

Again, I don't know if malware is that advanced, but whatever I have, even the experts cannot find it.
