network hardware
Trifors, 2013-09-24 12:04:22

Hacking routers or something else?

Good day to all! The situation is this: I work in technical support, and over the last couple of weeks there have been many calls from subscribers saying the Internet does not work through the router. Some bring their routers to our office, technicians go out to the rest, and everywhere the problem is the same: the router does not hand out a gateway via DHCP to any connected device, so unless you enter it by hand the Internet does not work, and on top of that it is impossible to get into the router's interface, the passwords don't fit. Absolutely all the users have TP-Link routers (741, 841, 940, etc.). I have to do a full reset and set everything up again, and this hassle is getting pretty tiresome.
We called TP-Link and described the problem; they say we are already the third provider with this problem (two more called from different cities, from different parts of the country) and they don't know what to do.
Has anyone run into this problem? What could it be? Are there any solutions?
Thanks in advance.
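A triage check for the symptom described in the question (a DHCP OFFER that carries no router option), as an added example that is not part of the original thread. The packets are constructed inline; the addresses are made up.

```python
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP vendor-area magic cookie
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 1, 3, 6, 53

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the options area of a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                    # END option
            break
        if code == 0:                      # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def missing_gateway(packet: bytes) -> bool:
    """True when an OFFER (2) or ACK (5) carries no router option: the symptom in the question."""
    opts = parse_dhcp_options(packet)
    return opts.get(OPT_MSG_TYPE) in (b"\x02", b"\x05") and OPT_ROUTER not in opts

def build_offer(include_router: bool) -> bytes:
    """Constructed sample DHCPOFFER: zeroed BOOTREPLY header, then a few options."""
    header = bytearray(236)
    header[0] = 2                                         # op = BOOTREPLY
    header[16:20] = IPv4Address("192.168.0.100").packed   # yiaddr offered to the client
    opts = b"\x35\x01\x02"                                # option 53: DHCPOFFER
    opts += b"\x01\x04" + IPv4Address("255.255.255.0").packed
    if include_router:
        opts += b"\x03\x04" + IPv4Address("192.168.0.1").packed
    opts += b"\x06\x04" + IPv4Address("192.168.0.1").packed
    return bytes(header) + DHCP_MAGIC + opts + b"\xff"

if __name__ == "__main__":
    for has_router in (True, False):
        print("router option present:", has_router,
              "-> gateway missing:", missing_gateway(build_offer(has_router)))
```

Fed a captured OFFER from a subscriber's router, `missing_gateway` separates the "no gateway" failure from ordinary connectivity complaints at the helpdesk.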


8 answer(s)
Nikolai Vasilchuk, 2013-09-24
@Anonym

As a head-on solution, flash the clients with OpenWRT so the problem does not recur.
Also, set up a few of the "problem" routers at your own site, connect via UART and record the logs.

Boleg2, 2013-09-24
@Boleg2

I will reason logically: if we are talking about some hole common to certain firmware of a certain router model, then an attacker who gains access to the router is forced to close that hole behind himself one way or another, so that the rest of the script kiddies don't follow his path and deprive him of a heap of "dedicated" boxes.
So, to identify what has changed, you could look at the nmap picture: which externally open ports have disappeared on the router, the state before and after the takeover (if, of course, that is what this is). How the various services respond (although it is unlikely anyone would patch a buggy service in the router firmware, right?). That way you can indirectly work out the affected service and, if it is not critical, recommend that customers turn it off on certain models.
You can also try to dump the firmware and see what has changed there.
You could also search the hacker forums.
In general, it is strange that an attacker would so obviously provoke a reset by disabling DHCP. Maybe it really is a hardware/software problem with these specific devices?
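The before/after comparison of exposed ports suggested in this answer, as an added example (not code from the thread): it parses nmap grepable (`-oG`) "Host:" lines and reports which ports vanished, appeared or changed state. The two scan lines are constructed samples, not real results.

```python
import re

# Constructed sample lines in nmap grepable (-oG) format; the host and ports are made up.
BEFORE = (
    "Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "1900/open/udp//upnp///\tIgnored State: closed (997)"
)
AFTER = (
    "Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet///, 1900/open/udp//upnp///"
    "\tIgnored State: closed (998)"
)

# -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def parse_grepable(line: str) -> dict:
    """Map (port, proto) -> (state, service) from one -oG 'Host:' line."""
    fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
    ports = {}
    for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
        ports[(int(port), proto)] = (state, service)
    return ports

def diff_exposure(before_line: str, after_line: str) -> dict:
    """Ports that disappeared, newly appeared, or changed state/service between two scans."""
    before, after = parse_grepable(before_line), parse_grepable(after_line)
    return {
        "gone": sorted(k for k in before if k not in after),
        "new": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }

if __name__ == "__main__":
    for kind, ports in diff_exposure(BEFORE, AFTER).items():
        print(f"{kind}: {ports}")
```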

themiron, 2013-09-24
@themiron

As a start, you can hang the devices on the client network and watch in the console what is happening there.
A firmware dump will do little, except for a general confirmation of the changes, because both the kernel and the rootfs parts are stored compressed in flash.

Alexey T, 2013-09-27
@Alexeyslav

The mass nature of the problem does not point to a specific hacker (it is unlikely that port 80 is open to the outside on the router by default, and besides, few providers give outside access to clients' port 80). This is either a problem with the router itself (corrupting its settings), or it is being hacked with an engineering password from inside the provider's network, namely from client equipment carrying some kind of trojan, for example. In principle it is possible to detect a hacker inside the provider's network, but if other providers are affected too, it is most likely some kind of malware that exploits router vulnerabilities and apparently does it wrong: it brazenly changes some settings, overwriting important ones (calculated for some other router model), hence it gives itself away.

emoxam, 2013-09-27
@emoxam

I don't think there is enough information.
Is there access to the routers from outside? If so, then:
1. you can change the remote management port, at least.
2. you can specify a "Remote Management IP Address".
3. on the TL-WR741N (and we seem to be talking about it), there is an "Auto Mail Feature" in the system log section.
Well, that's enough for a start. Or have I misunderstood something?
PS And besides, if you are a provider, maybe it would have been worth getting hardware with TR-069 support?

emoxam, 2013-09-27
@emoxam

It didn't work for me, but maybe your firmware is older and it will work:
weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html
I was surprised by this point:

To exploit the vulnerability, it is enough for an attacker to generate an HTTP request to
/userRpmNatDebugRpm26525557/linux_cmdline.html
using the osteam login account with the password 5up; after that, arbitrary code can be executed with root rights.
Source: weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html

Alexey, 2013-11-26
@skazi_premiere

On the 741ND, by default, port 80 is closed for access from the WAN and is opened by hand for a specific IP (I believe not even a range). There is another option: leaving the default password and WPS enabled, which can be cracked.
