Router being hacked

I've got an issue which I have been looking into for a mate: he is getting his SSID and passphrase changed constantly. Using WPA.

This has happened on 2 different ISPs and a 3rd party router. Last night he disabled his wireless on the router as he was only using ethernet, but when he got home from work tonight the wireless was re-enabled and the details were changed again.
The passphrase is changed to youllneverchatchme or something along those lines. Now he has had some fraud on his bank while this has been ongoing but probably nothing to do with this.

Any ideas, folks? I've checked for processes, startup items and ran HijackThis, but nothing in those.
No one else has access to his house.
 
There has to be something on the computer if the wireless was re-enabled? Try running Malwarebytes on it.
 
Change the router IP from say 192.168.0.1 to 192.168.1.1 or something, as well as change or add (if there isn't already) the user login details for the router; set the password as something hard. Then change the wireless password yourself again to something completely different and hard.

Also, turn off Remote Access to the router as well as Wireless Access to Router if it has that specific feature, I know a few do. Basically, you cannot access the router's config from a computer outside of the network, and anyone on a wireless connection is unable to access the router unless wired straight to the router and on your network of course. It is worth looking into.

That should definitely sort you out, hope that helps. :)
 
http://forums.overclockers.co.uk/showthread.php?t=18167347

 
Cheers all, he doesn't have a remote access function on the router.
It has always been WPA enabled.
I'll get him to run Malwarebytes (forgot about that :p)
I'll get the IP and password changed as well.

Also noticed that he can block certain MACs, so going to block the others in his list. We'll see what happens..
 
You should be able to make it so your router allows config access only to hard wired computers.

Mine is set up this way by default.

Yeah, turn MAC address filtering on so the router only allows the computers you want access to.
 
It's most likely WAN access; to be sure, unplug all LAN machines and see if the router gets hacked again.

What is the router? Maybe flashing a newer firmware may close some odd vulnerability?
 
You want This page to set up your WPA passkey and your password to access the router. Every time you go to the page a unique key is created for you and you alone. 64 completely random characters that you could copy so you don't need to type it in.
 
It doesn't have a MAC access control list unfortunately. The only option is to block ones which are connected.

It's a Thomson router from O2, forget the model at the moment. Thing is it happened on his old Netgear from Sky as well.

Should have an update tomorrow.
 
Sounds like his system may be compromised.
If not, then tell him to stop broadcasting his SSID, and to change his SSID to something odd.
After he does that, change the password for wireless to something secure.
Then change the login details to his router from the standard manufacturer details; root/root, admin/admin not good for security.
Activate WPA2 instead of 1 if he can; as I recall, WPA had a Linux-based exploit where it could be opened in 3-4 minutes, thus why WPA2 was generated so quickly after WPA to plug the hole.
 
Hmmmm, both routers had the same issue? Beginning to sound more like a compromised PC. I'd be tempted to connect to it with another PC and change the settings and see if that helps.

If the main machine is compromised then you could change the password and the hacker could be keylogging to capture the new password.
 
Yep, that's what I was thinking, or someone has remote desktop or suchlike, meaning they will have bypassed the Wi-Fi and are using your PC to do it. Does he turn his PC off?

Class--
 
You have eliminated the obvious I take it: that it's not someone in the same house, or with access to the house? But start with the router password.


M
 