Ever seen a pwned home router?

I had to go and sort out a client the other day as their router (a Bigpond branded Netcomm unit for a home NextG connection) had, somehow, been compromised and dodgy DNS server addresses were being handed out via DHCP. Changing the settings on the router didn’t seem to stick.

Google searches were being redirected to porn sites and other web sites were being redirected to the wrong things too.

I had to back up its config, as I had their username but not their password. Interestingly, unlike all other 3G connections I've seen used, this one required a username and password to connect. Luckily the config file was in an XML-style format and, whilst the password was encrypted in the file, I could edit out the sections that related to DNS. I could also verify pretty well what was being configured from the config file, which was handy.

Restored the unit to factory defaults, uploaded the edited config and we were back up and running. I turned off all the other management interfaces (including telnet, ssh and snmp) leaving only http on the LAN interface.
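As an added illustration of the config-editing step above (not the author's script; the element names, resolver addresses and the encrypted-password placeholder are constructed assumptions, since the post does not show the NetComm file layout), this Python snippet flags DNS addresses in an XML backup that are not on the expected-resolver allowlist and strips them before the file is re-uploaded:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample backup, loosely modelled on an XML-style router config.
# Element names are assumptions; the real file format is not shown on the page.
SAMPLE_CONFIG = """<config>
  <wan><username>user@example.com</username><password>ENC:placeholder</password></wan>
  <lan>
    <dhcp enabled="1">
      <dns_server>203.0.113.66</dns_server>
      <dns_server>198.51.100.9</dns_server>
    </dhcp>
  </lan>
  <dns>
    <primary>203.0.113.66</primary>
    <secondary>0.0.0.0</secondary>
  </dns>
</config>"""

# Resolvers the client is expected to use (constructed; substitute the ISP's real ones).
ALLOWED_DNS = {"192.0.2.53", "192.0.2.54"}

# Element names that carry resolver addresses in this (assumed) schema.
DNS_TAGS = {"dns_server", "primary", "secondary"}


def find_rogue_dns(config_xml, allowed=ALLOWED_DNS):
    """Return (flagged, cleaned_xml).

    flagged     - DNS addresses found in the backup that are not allowlisted
    cleaned_xml - the same config with those elements removed, so the unit
                  falls back to ISP-assigned resolvers after restore
    """
    root = ET.fromstring(config_xml)
    flagged = []
    # Snapshot the tree first: removing children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag not in DNS_TAGS:
                continue
            try:
                ip = ipaddress.ip_address((child.text or "").strip())
            except ValueError:
                continue  # empty or malformed value, leave it alone
            if ip.is_unspecified or str(ip) in allowed:
                continue  # 0.0.0.0 means "unset"; allowlisted entries are fine
            flagged.append(str(ip))
            parent.remove(child)
    return flagged, ET.tostring(root, encoding="unicode")
```

Everything else in the file, including the encrypted WAN password, is left untouched so the edited backup can be uploaded after a factory reset.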

They did have PCs on the network a short while ago that were replaced with Macs; it's entirely possible the PCs were rooted and that's how the router was compromised, but I'm not 100% sure on this as I didn't see any of the PCs in action.

This article was posted by Kai Howells. If you liked this content and have any technical work in the Melbourne area, say hello via my contact form or give me a call on 0419 361 653 - I cover most of the greater Melbourne area and my rates are competitive.
