Amigwyn (Master Baiter)
Posted: Tue Sep 28, 2010 8:18 pm
I have just found out that I have a hijacked router. Whatever that means? I am not a techno idiot by any means, but when it comes to networking and routers I'm a bit lost.
I have five desktops (all PCs) and one laptop (also a PC) connected to my network. I use a wireless NetGear N router (I can get the specific model once I get home if needed) to connect to the internet. The computers all run Firefox for browsing and Win XP, Vista or 7. They are all updated regularly for security, except probably the laptop, which is running Win 7.
What is happening: the browsers are randomly redirected to various advertising sites. The latest is for "anti-virus" software that is full of malware and viruses, I'm sure.
On one of the PCs it is not able to update anti-virus or malware-scanning software at all. It gives a "corrupted" error even though scandisk checks out.
After researching a bit I've come across a forum that suggests ComboFix if you have technical assistance, due to the complexity and power of the program. So ... is anyone familiar with malware that acts in this way? Is there any easy fix without having to use a program that could potentially do more damage than good? Any advice at all?
Bankster (Baiting Guru)
Posted: Tue Sep 28, 2010 8:25 pm
It's not often (though technically possible) that a router is 'hacked'. Does the problem disappear or persist when you use the laptop with another internet connection? (Ask a friend to use their WLAN, or just find an open one.)
If you can download and burn CD images, PM me for a copy of my personal antivirus/recovery CD to scan your computer(s) from a clean bootable CD.
bill2 (Baiting Guru)
Posted: Tue Sep 28, 2010 8:35 pm
Looks like a nice program has rewritten your hosts file, found in windows/system32 or windows/I386, which directs your browser to the right (or, in your case, wrong) address.
It looks like this when clean:
Quote:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
You might find some changes there.
Good luck
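A quick way to check the hosts file bill2 describes, as an added example that is not part of the original post. A clean Windows hosts file has exactly one active mapping (localhost); anything else is either deliberate (ad-blocking, a LAN printer) or the work of a hijacker, and the two hijacker patterns worth flagging are a security vendor blackholed to 127.0.0.1 (which produces exactly the "cannot update anti-virus" symptom in the thread) and a popular site pointed at a public address. The file content below is constructed inline so the check runs offline; on a live machine read C:\Windows\System32\drivers\etc\hosts. The vendor list is an assumption for the example.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

Added example, not code from the thread. On a live machine read
C:\\Windows\\System32\\drivers\\etc\\hosts; here the file content is
constructed inline so the check runs offline.
"""
import ipaddress

# Constructed sample: the normal header and localhost line, followed by the
# two kinds of line a browser hijacker adds (a blackholed security vendor
# and a popular site redirected to a public address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org     # blocks the AV update site
77.78.20.153    www.weather.com          # sends a popular site elsewhere
77.78.20.153    weather.com
"""

# Vendors a hijacker typically blackholes so the victim cannot update.
# Constructed list for the example; extend it for your own tooling.
SECURITY_SITES = {"malwarebytes.org", "microsoft.com", "avast.com",
                  "symantec.com", "kaspersky.com", "spybot.info"}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every active mapping line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                               # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not a valid mapping
        yield lineno, ip, fields[1:]


def base_domain(host):
    """'www.weather.com' -> 'weather.com' (good enough for a hosts audit)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def audit_hosts(text):
    """Return findings as (lineno, severity, ip, hostname, reason)."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if ip.is_loopback and host.lower() in ("localhost", "localhost.localdomain"):
                continue                           # the only mapping a default file carries
            if ip.is_loopback or ip.is_unspecified:
                # Blackholing is benign for ad-blocking but hostile when aimed at
                # security vendors, which matches the "cannot update AV" symptom.
                sev = "high" if base_domain(host) in SECURITY_SITES else "low"
                findings.append((lineno, sev, str(ip), host, "blackholed to loopback/0.0.0.0"))
            elif ip.is_private or ip.is_link_local:
                findings.append((lineno, "info", str(ip), host, "mapped to a LAN address; confirm it is yours"))
            else:
                findings.append((lineno, "high", str(ip), host, "redirected to a public address"))
    return findings


if __name__ == "__main__":
    for lineno, sev, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno:>3} [{sev:<4}] {ip:<16} {host:<24} {reason}")
```

Note that a hosts-file check only explains redirects on the one machine whose file was edited; when every box on the LAN misbehaves at once, including a freshly reformatted one, the hosts file will usually be clean and the problem sits upstream, in the resolver the router hands out.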
BluthBanana (Baiting Guru)
Posted: Tue Sep 28, 2010 8:55 pm
If it turns out not to be the router, you might try booting Windows in "Safe Mode" (press and hold F8 as your computer boots) and running this anti-malware program: http://www.malwarebytes.org/
sharky1969 (Eager Beaver Baiter)
Posted: Tue Sep 28, 2010 9:13 pm
After all that, try typing 192.168.0.1 into your browser search bar at the top of your page.
It will go directly to your router login page. You must connect an ethernet cable to the router first.
You can see who might be using your connection, and you can also make it invisible to others.
It will show the IP addresses of all your PCs that are connected.
If you have any more problems, PM me and I will try to help.
Amigwyn (Master Baiter)
Posted: Tue Sep 28, 2010 10:18 pm
Amigwyn wrote:
On one of the PCs it is not able to update anti-virus or malware-scanning software at all. It gives a "corrupted" error even though scandisk checks out.
I did forget to mention this PC was reformatted and it is continuing to have the problem.
Also, I get a variation of the following error on ALL the PCs when attempting to update any anti-virus or anti-malware program (this one is from Malwarebytes):
I can use the program, and when it scans it doesn't find anything. I can use all the scanners (anti-malware, anti-virus, anti-spyware, etc.) but cannot update them.
@sharky - I went in and only my own PCs are connected to the router. I did have a look at the logs and several dozen different IPs showed up, but I'm not sure what that means, if anything. There are a bunch that I recognize as my ISP's IPs, but I don't know what the others are. I can send a small snippet of the log in PM if you think it will help.
I do want to thank you all for the help so far, though! It is greatly appreciated!
Dya Reyarunen-Downmeleg (** REMEMBERED **)
Posted: Tue Sep 28, 2010 11:46 pm
That's exactly what's been happening to me, after we got a laptop and had to switch over to a router!!! And I'm on a Mac! I asked for help on the site and fellow Mac user Dwatina gave me some things to try out, but the hijacking persisted. I ran a number of scans, deleted all cookies (they immediately came back); nothing was helping. Then on Sunday evening I googled the addresses of a couple of sites that I kept getting redirected to. The first one was wordslifedot com, and as I typed it in Google gave me some choices, one of which was "wordslifedotcom virus?" The first thing that I read was this...
Quote:
Wordslife.com is propagated by a browser redirecting/hijacking virus that changes DNS settings and infects Chrome, IE and Firefox browsers. Once the user clicks on a link in Google, Bing, Yahoo and MSN search results, they will be redirected to Wordslife.com or various other corrupt websites. Once executed on the computer, Wordslife.com may generate corrupt files in the Windows directory and modify system processes. Wordslife.com may change Windows registry files, slash the computer and transmit your private information to remote servers.
Dwatina said that it's like a worm or trojan.
The next one I googled was theclickcheckdotcom, which is apparently another virus. I have a big list of cookies that are spyware and/or viruses. They didn't show up on MacScan or any of the others that I tried.
Oh yeah, it also is causing problems with my children's iTouches. When I tried (repeatedly) to go to the Malwarebytes scan page, or Avast, it wouldn't let me go there, telling me that the site was unavailable! We're having an IT guy come over to sort it all out; he's probably going to reformat everything. (Whatever that means!) You say that didn't work for you though?
Where are you getting redirected to, Amigwyn???
Pastor Frank (Baiting Guru)
Posted: Wed Sep 29, 2010 1:37 am
Was the entire network affected at once? Then it could possibly be a router issue.
Type 192.168.0.1 into the location bar of Firefox, and then hit enter. Did it ask for a password? If not, then that is a problem. Set a (Edit: good) password for your router after you reset back to factory settings.
Then look for something similar to this...
CLICK
...and give it a shot.
Start simple, then work your way down the tubes from your connection to individual boxes or laptops. I'll help as much as I can, but I'm no computer guru.
***Warning: the default settings will often have the firewall off and your wireless unencrypted. You will need to re-enable that. And don't forget to set a router password when you are done.
Amigwyn (Master Baiter)
Posted: Wed Sep 29, 2010 2:16 am
Fartina o'douriss wrote:
...he's probably going to reformat everything. (Whatever that means!) You say that didn't work for you though?
Right - one of the PCs was completely reformatted but it still gives the same error.
Fartina o'douriss wrote:
Where are you getting redirected to, Amigwyn???
It seems to happen on very common websites like www.weather.com. That one always redirects to js.revsci.net, but I never give it time to load; I just X out. I also get directed to 77-78-20-153 (replace - with .), which is a page that looks like "My Computer" and is "scanning" for viruses. There have been other random ad pages, but I can't recall the exact pages. It seems to be all over the place, with no solutions that I can find.
@PF - I reset the router already, although not through the software. I'm off to try that now. If that doesn't work, I had someone pick up a new router to try out on the reformatted PC. If it works, I'm going to assume the problem is in the old router and the worm/trojan is on the other PCs. I've a feeling my whole weekend is going to be spent backing up and reformatting quite a few PCs. *sigh*
ETA:
Progress?! I hope so! It seems the DNS servers were pointed to specific DNS servers instead of "get automatically from ISP". I went to weather.com and so far no redirect. I'm going to browse around and see what I can find. Fartina, perhaps ensure your DNS servers are set to "Get Automatically From ISP" in your router settings. Mine were both set to 217.xxx-something. (Wish I would have taken a screenshot now.)
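The finding in the post above (the router's DNS servers silently changed from "get automatically from ISP" to two public addresses) is the classic router DNS hijack: every machine on the LAN asks the router, the router forwards to the attacker's resolver, and the attacker answers for weather.com or malwarebytes.org with whatever address suits them. Reformatting a PC cannot fix that, which is why the reformatted box kept failing. As an added example, not part of the original post, here is the client-side half of the check in Python: parse `ipconfig /all` output from a Windows PC and flag any resolver that is neither the local router nor one you chose on purpose. The sample output is constructed (TEST-NET addresses stand in for the rogue resolvers), and the trusted-resolver list is an assumption for the example.

```python
"""Flag hijacked resolver settings in `ipconfig /all` output.

Added example, not from the thread. The thread's actual fix was switching
the router's WAN DNS back to "get automatically from ISP"; this script does
the client-side half of that check: every resolver a PC is using should be
the local router or a resolver you chose deliberately.
"""
import ipaddress
import re

# Constructed sample modelled on Windows `ipconfig /all` output. The wired
# adapter is healthy; the wireless one has been handed two rogue resolvers
# (TEST-NET addresses standing in for an attacker's real ones).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^(\S.*):$")                                # "Ethernet adapter X:"
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")  # "   Key . . : value"
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                               # extra value on its own line

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Resolvers chosen deliberately. OpenDNS (suggested later in the thread) is
# the illustration; put your ISP's or your own here.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_ipconfig(text):
    """Return {adapter_name: {"gateway": [...], "dns": [...]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"gateway": [], "dns": []}
            last_key = None
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            if last_key.startswith("DNS Servers") and value:
                adapters[current]["dns"].append(value)
            elif last_key.startswith("Default Gateway") and value:
                adapters[current]["gateway"].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_key and last_key.startswith("DNS Servers"):
            adapters[current]["dns"].append(m.group(1))   # second/third resolver
    return adapters


def classify_resolver(addr, gateways, trusted=TRUSTED_RESOLVERS):
    """router / private / trusted / UNEXPECTED / unparseable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if addr in gateways:
        return "router"        # normal home setup: the router forwards to the ISP
    if any(ip in net for net in RFC1918):
        return "private"       # another LAN host resolving for you; make sure it is yours
    if addr in trusted:
        return "trusted"
    return "UNEXPECTED"        # a public resolver nobody configured on purpose


def audit_dns(text, trusted=TRUSTED_RESOLVERS):
    """Return [(adapter, resolver, verdict)] for every configured resolver."""
    results = []
    for adapter, info in parse_ipconfig(text).items():
        for addr in info["dns"]:
            results.append((adapter, addr, classify_resolver(addr, info["gateway"], trusted)))
    return results


if __name__ == "__main__":
    for adapter, addr, verdict in audit_dns(SAMPLE_IPCONFIG):
        print(f"{verdict:<11} {addr:<16} ({adapter})")
```

The caveat is the one the thread itself ran into: a PC that shows only "192.168.0.1" here looks healthy, but that verdict is only as good as the WAN DNS fields on the router's own admin page. Check those too; if they are set to manual addresses you did not enter, that is the hijack, and the fix is to set them back to automatic (or to a resolver you chose), change the admin password, and then clear the DNS cache on each PC (`ipconfig /flushdns`) so the poisoned answers are not served from memory.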
evil_sheep (Compulsive Self Abuser)
Posted: Wed Sep 29, 2010 7:38 am
'ave a look at using OpenDNS, rather than the default ISP ones.
There's a pretty good free version.
www.opendns.com
Quote:
77.78.20.153 resolves to
"razgrad1-ip153.networx-bg.com"
Top Level Domain: "networx-bg.com"
Country IP Address: BULGARIA
sharky1969 (Eager Beaver Baiter)
Posted: Wed Sep 29, 2010 11:18 am
Password for NETGEAR Devices - Netgear
Reset and Restore the NETGEAR device to Factory Default Settings. How to View or Change Your Wireless Network Password. Router and Networking FAQ ...
kbserver.netgear.com › Home › KB
Last edited by sharky1969 on Thu Sep 30, 2010 10:30 am; edited 1 time in total
Dutch (Baiting Guru)
Posted: Wed Sep 29, 2010 1:06 pm
Two more tips:
- Always make sure 'remote management' is turned off; that way your router can only be logged into from a PC that's part of your own network.
- Change the default password of your router. Leaving a router password on factory default is the main cause of it getting hacked.
Amigwyn (Master Baiter)
Posted: Wed Sep 29, 2010 1:21 pm
SlapHappy (Baiting Guru)
Posted: Wed Sep 29, 2010 5:25 pm
When trying to clean off infections, it is always a good idea to turn off System Restore before cleaning. Trojans and worms will usually put a copy into the restore files. After you clean them off, they will be reloaded from the restore files if you don't turn off System Restore.
Also, disconnect all the PCs, and work on one system at a time.
The trojan might be able to move from one PC to another through your network.
When one is clean, disconnect it, and put the next one alone on the router. Rinse and repeat until they are all cleaned. You may have to reformat and reinstall Windows, so back up any files you want to keep first.
Scan all your removable media, like USB drives or recent CD or DVD burns, too, to make sure the trojan didn't jump onto them.
It sounds like a nightmare to me. Good luck. Given time, I'm sure it will be straightened out. It always is if you don't give up.
sharky1969 (Eager Beaver Baiter)
Posted: Wed Sep 29, 2010 6:01 pm
SlapHappy wrote:
When trying to clean off infections, it is always a good idea to turn off System Restore before cleaning. Trojans and worms will usually put a copy into the restore files. After you clean them off, they will be reloaded from the restore files if you don't turn off System Restore.
Also, disconnect all the PCs, and work on one system at a time.
The trojan might be able to move from one PC to another through your network.
When one is clean, disconnect it, and put the next one alone on the router. Rinse and repeat until they are all cleaned. You may have to reformat and reinstall Windows, so back up any files you want to keep first.
Scan all your removable media, like USB drives or recent CD or DVD burns, too, to make sure the trojan didn't jump onto them.
It sounds like a nightmare to me. Good luck. Given time, I'm sure it will be straightened out. It always is if you don't give up.
That's good advice, SlapHappy. I use Linux/Ubuntu, so I declined to speak about Windows. I haven't used it in ages.
evil_sheep (Compulsive Self Abuser)
Posted: Wed Sep 29, 2010 6:19 pm
sharky1969 wrote:
You must use your ethernet cable to connect to your wireless router.
Going through these processes without the ethernet cable (using only wireless) will leave your network open to any hackers etc. They will see what you are doing.
Not exactly. If "whoever" (if it actually was a person) did something to your router, then they will have had to be close by in order to capture the wireless network traffic, as in someone driving past with a laptop and parking outside your house and sniffing, or a neighbour.
Now, if it is a neighbour, depending on the type of security encryption on the network, they will be able to break your network key, taking as much time as they want, and you will be none the wiser. Anytime they want, they can just get back into your router and change the DNS entries (though this is a really stupid (but personal) way of directing you to spyware).
You want to be using WPA2 encryption (eight characters minimum; I usually go for my telephone number backwards, not that paranoid) for wireless, or just use cables.
You do NOT want to use WEP encryption at all.
Quote:
You must also make sure that you know all of your computers' IP addresses to add to the router.
Use the `C: Command terminal`, found on your `start button in windows`, and type `ipconfig /all` on each computer. This will give you the IP address of your computer.
Then you only allow those computers to connect in your router settings.
I don't agree with that. You can manually assign IP addresses out of the "192.168.X.X" or "10.0.X.X" ranges, but seeing as you can't tell the router to allow only certain IP addresses, it is pointless. Home-use routers can be configured to give the same IP address to the same device every time, but that cannot permit access to the network.
What you can "do" (it won't make a bit of difference, though, if the attacker knows what they are doing) is set up a MAC exclusion list. Every single individual network interface (wireless and wired) on the planet has its own MAC address, detailing the manufacturer and model type of the card. You can set the router up to only allow a specific list of MACs to connect, but unfortunately anyone with a packet sniffer can easily pluck the MACs out of the air and then physically change their device's MAC to match.
"Start" -> "Run" -> "cmd" -> ipconfig, or just looking in the networking icon on the taskbar, is my preferred way of finding out the IP address.
Quote:
As for using firewalls etc., it's up to you. But using too many, or not uninstalling them properly, will cause a software conflict etc.
2 PC-based firewalls is too many. Use one, and only one.
2 PC-based anti-viruses is too many. Again, use one, and only one.
If you use multiple programs that do the same job automatically, they will fight over who actually gets to do the job when it is needed, and the actual problem (intrusion attempt or just a virus) will go undealt with.
However, using the router firewall AND the PC one is fine: the router should stop any attempts before they reach the PC, and the PC one will (hopefully) stop any attacks that find a way in.
Also, using an anti-virus AND an anti-spyware program at the same time is OK if they are not both passively scanning all the time. Spybot is a good anti-spyware that you manually scan your PC with now and again, and you don't need to turn your anti-virus off either!
In my opinion, it is most likely to have been a hole in the router software that has caused this. However, Netgear are a good company, and so the router should be fairly secure. Do you know if you are using the latest version of the firmware on the router?
http://www.wi-fiplanet.com/tutorials/article.php/3814811/How-to-Prevent-Detect-and-Recover-from-Router-Worms.htm
Like suggested above, change the default admin password (and username if it will let you), turn off remote administration if it is turned on, and my advice is to close down any open ports on the router (have a look for "Port forwarding" or something similar when you are logged into the router).
Do what SlapHappy suggests and turn off System Restore too.
Hope that helps
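Pastor Frank's warning about factory defaults, Dutch's two tips and evil_sheep's post above together amount to a checklist for the router itself: non-default admin credentials, remote management off, firewall on, WPA2 rather than WEP with a passphrase that is not just digits, WAN DNS back to automatic (or a resolver you chose), no stray port forwards, and MAC filtering treated as convenience rather than security. As an added example, not from the thread or from Netgear, here is that checklist as a small linter in Python. The configuration is a constructed dict standing in for what you read off the admin pages, and its field names are assumptions for the example; a factory-reset-plus-hijack "before" is shown beside a hardened "after".

```python
"""Lint a home-router configuration against the hardening advice in this
thread. Added example, not from the thread or any vendor; the config dict
and its field names are assumptions standing in for the admin pages.
"""

# Credential pairs that ship on consumer routers; constructed list, extend it.
FACTORY_CREDS = {("admin", "password"), ("admin", "admin"), ("admin", "1234"), ("admin", "")}
STRONG_WIFI_MODES = {"WPA2", "WPA2-PSK", "WPA2-AES", "WPA3"}
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}   # OpenDNS, as suggested in the thread
ADMIN_PORTS = {22, 23, 80, 443, 8080}                        # forwards here expose management

# Constructed "before": a factory-fresh unit whose WAN DNS has been hijacked
# (TEST-NET addresses stand in for the attacker's resolvers).
INSECURE = {
    "admin_user": "admin",
    "admin_password": "password",
    "remote_management": True,
    "wifi_security": "WEP",
    "wifi_passphrase": "1234567890",
    "wan_dns_mode": "manual",
    "wan_dns_servers": ["203.0.113.10", "203.0.113.11"],
    "port_forwards": [{"port": 80, "to": "192.168.0.1"}],
    "firewall_enabled": False,
    "mac_filter_enabled": True,
}

# Constructed "after": the same fields set the way the thread recommends.
SECURE = {
    "admin_user": "netadmin",
    "admin_password": "Tq9#vL2m!zR8wPx4",               # constructed; generate your own
    "remote_management": False,
    "wifi_security": "WPA2-PSK",
    "wifi_passphrase": "corner-booth-in-the-shadows!",  # constructed
    "wan_dns_mode": "auto",
    "wan_dns_servers": [],
    "port_forwards": [],
    "firewall_enabled": True,
    "mac_filter_enabled": False,
}


def passphrase_problems(pw):
    """Why a WPA2 passphrase is weak; an empty list means no obvious problem."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.isdigit():
        problems.append("digits only (a phone number is brute-forced offline from one captured handshake)")
    if len(set(pw)) < 6:
        problems.append("too few distinct characters")
    return problems


def lint_router(cfg):
    """Return [(severity, message)] sorted most severe first."""
    f = []
    if (cfg["admin_user"], cfg["admin_password"]) in FACTORY_CREDS:
        f.append(("critical", "admin credentials are a factory default"))
    if cfg["remote_management"]:
        f.append(("high", "remote management is on: the admin page is reachable from the internet"))
    if not cfg["firewall_enabled"]:
        f.append(("high", "router firewall is off (a factory reset often leaves it that way)"))
    if cfg["wifi_security"].upper() not in STRONG_WIFI_MODES:
        f.append(("high", f"wireless uses {cfg['wifi_security']}; use WPA2 (AES) or better, never WEP"))
    for p in passphrase_problems(cfg["wifi_passphrase"]):
        f.append(("medium", "wireless passphrase " + p))
    if cfg["wan_dns_mode"] != "auto":
        for s in cfg["wan_dns_servers"]:
            if s not in TRUSTED_RESOLVERS:
                f.append(("high", f"WAN DNS manually set to {s}; not a resolver you chose"))
    for fw in cfg["port_forwards"]:
        sev = "high" if fw["port"] in ADMIN_PORTS else "medium"
        f.append((sev, f"port {fw['port']} forwarded to {fw['to']}; close it unless you need it"))
    if cfg["mac_filter_enabled"]:
        f.append(("info", "MAC filtering is on; treat it as convenience, not security (MACs are sniffable and spoofable)"))
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted(f, key=lambda x: order[x[0]])


if __name__ == "__main__":
    for name, cfg in (("INSECURE", INSECURE), ("SECURE", SECURE)):
        print(f"== {name}: {len(lint_router(cfg))} finding(s)")
        for sev, msg in lint_router(cfg):
            print(f"  [{sev:<8}] {msg}")
```

Two points of order matter when applying this to a real unit. Do the factory reset, the firmware update and all of these settings over a cable with the radio off, as sharky1969 suggested, so the new passphrase and admin password are never sent over a link the attacker may still be on; and save the admin password somewhere other than a PC that is still suspected of being infected.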
sharky1969 (Eager Beaver Baiter)
Posted: Thu Sep 30, 2010 10:33 am
^^^
No need to quote the whole of the preceding post! - MM
I was just trying to help. I have deleted the advice from the post to save any confusion.
As I said, I don't use Windows.
evil_sheep (Compulsive Self Abuser)
Posted: Thu Sep 30, 2010 11:35 am
I do appreciate you were trying to help, and for that I raise my hat to you, sir!