How can a malicious website hack your router?

guppy (Limp Gawd; joined Jul 1, 2009; 311 messages)
I updated NoScript for Firefox yesterday and it has this new module called 'Abe'. I clicked on the link to read what Abe does on the NoScript website and it took me to a site from the person who developed it. It is to stop malicious websites from hacking your router. How can a website hack your router so easily if it doesn't know the router's password? Does it bypass the password somehow or what?
 
My guess is that most exploits against routers employ a small library of
*Default LAN IP addresses...192.168.0.1, 192.168.1.1, etc.
*And usernames/passwords...90% of the home routers are admin/admin or admin/<blank> or <blank>/admin out of the box.

I know a few routers did have bugs in their firmware allowing access to administration bypassing the password...some of those are probably included in the malicious code..in hopes of running into those routers that haven't had their firmware updated to fix that bug.
 
OK, thanks, I guess it would help if I changed my router to only allow https and not just http to access its settings. Maybe I'll change my password to a 20-character random password too. I had my router hacked once. Went to go into the settings one day and the password didn't work. Did a hard reset on the router and when I got in I saw that there was this odd looking ASCII text where you would put the domain name manually. Clicked on it and the router reported "illegal ascii". Wiped all that out, checked all the settings and created a stronger password, turned logging on too which I didn't have on before. Now I check the logs every day or so.

My router is a Linksys WRT54GL. You know if that has that firmware bug or not? Probably not because I don't see any firmware update for it. This router can use 3rd party Linux firmware too. I downloaded a couple of them but never did install them. One called Tomato was recommended if you want more options. My router uses the default IP address, do you recommend I change it?
 
Pretty much as YeOlde said, most people don't know diddly-squat about their router so it will likely be on a default username and password.
When you visit the site they know your IP so it could easily run a script to attempt a remote router login, or embed something in the page that will do it from your machine.
 
Most routers come with ICMP echo disabled and won't allow access to the admin page from the WAN port unless you physically turn that on in the settings....

A drive by download that gets into the network through an IE exploit could then hop from an internal 192.* address to the admin page to change any settings to make the network wiiiide open.
 
Just what I was thinking, usually remote login is disabled on routers unless you enable it.
 
flash that bad boy with a version of ddwrt and be done with it :)

Flashed my Linksys and couldn't be happier, and it was a snap too.
 
You still have to change the password.

Most of these exploits I have heard about are like YeOlde said...they just use the default addresses/logins to try and get in.

So many just plug in the router and never change the default passwords, works for most, but if one of them gets an exploit code they might be in trouble.
 
What the others said - the exploits use default settings (or try a variety of possible default settings) and/or authentication bugs in the router's firmware. Some routers had bugs where you could submit changes or get to config pages without actually having to login. You could go to something like http://192.168.1.1/config?setting1=value1&setting2=value2 and it would change your settings. Since the request is coming from your PC (a hidden link on a malicious page), the remote configuration options are irrelevant. psyb0t is a worm that brute-forces simple passwords on routers that have remote configuration enabled, though that stuff is generally disabled by default.
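The "config page without a login" bug and the "request comes from your PC" point above, as a constructed Python model added here (not any vendor's firmware and not from the thread): a buggy /config handler beside a hardened one that only applies changes on a POST carrying a live session cookie and an Origin equal to the router's own address. The addresses, the session value, the `Request`/`Router` classes and the sample DNS values are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed: the default LAN address a malicious page guesses

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # Origin / Cookie as the browser would send them
    body: str = ""                                # form-encoded params for POST

@dataclass
class Router:
    settings: dict = field(default_factory=lambda: {"dns": "1.1.1.1"})
    sessions: set = field(default_factory=lambda: {"s3ss10n"})  # constructed: one logged-in session

def _apply(router, query):
    for key, values in parse_qs(query).items():
        router.settings[key] = values[0]
    return True

def vulnerable_config(router, req):
    """Buggy firmware: any GET to /config applies the query string, no login check at all."""
    parsed = urlparse(req.url)
    return parsed.path == "/config" and _apply(router, parsed.query)

def hardened_config(router, req):
    """Fixed firmware: POST only, a live session cookie, and an Origin equal to the router's own."""
    if urlparse(req.url).path != "/config" or req.method != "POST":
        return False
    cookie = req.headers.get("Cookie", "")
    if not cookie.startswith("session=") or cookie[len("session="):] not in router.sessions:
        return False
    if req.headers.get("Origin") != ROUTER_ORIGIN:  # a cross-site page sends none or a foreign one
        return False
    return _apply(router, req.body)

def simulate():
    """Replay one forged request and one legitimate one against each firmware version."""
    # The forged request is what a hidden <img> on a malicious page makes the victim's browser
    # send; the browser attaches the router's cookie by itself if the user is logged in.
    forged = Request("GET", ROUTER_ORIGIN + "/config?dns=10.0.0.66", {"Cookie": "session=s3ss10n"})
    legit = Request("POST", ROUTER_ORIGIN + "/config",
                    {"Origin": ROUTER_ORIGIN, "Cookie": "session=s3ss10n"}, body="dns=9.9.9.9")
    vuln, hard = Router(), Router()
    return {"vulnerable_forged": vulnerable_config(vuln, forged), "vulnerable_dns": vuln.settings["dns"],
            "hardened_forged": hardened_config(hard, forged),
            "hardened_legit": hardened_config(hard, legit), "hardened_dns": hard.settings["dns"]}
```

Because the forged request is sent by the victim's own browser from inside the LAN, the router's "remote administration" switch never enters into it; only the handler's own checks decide.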

FYI, DD-WRT doesn't have a default password. You have to set it when you first login to the web interface.
 
Lots of D-Links and other routers do that now too (require you to change the password), but if you never log in it never changes it.
 
one would hope that if you were flashing the firmware of your router that you would also change the password to get to the config page.....then again people have done things much more stupid.
 
Try Tomato.

Maybe, I already have that one downloaded but I think I am ok with the default firmware. Today I changed the default IP address of the router too. I can't see a place to change the login name for admin though. I could do that on my D-Link but it looks like it is not possible with the Linksys. Does Tomato give me that option? Not really important as I think I have it quite secure now. Changed password to random alpha-numeric, changed router name, changed IP address of router, no remote admin possible and have never had that enabled anyway, wireless access is disabled, discard ping in router firewall etc. Apart from buying an expensive hardware firewall I don't think there is much else I could do. I have a DOCSIS modem too and it has a standby button, so when I am not using the internet it is in standby and no one could even get access to the router when it is in that mode.
 

you are doing something wrong on that page. the whole point of the wrt54gl is putting third party firmware on it. linksys does not really update that firmware since they open sourced it and expect end users to do it. I just dropped wrt54gl on that page and it comes right up, not to mention I have a wrt54gl with dd-wrt on it (build 12188, do not use any of the sp1 builds). it's one of the most supported g hardware devices for dd-wrt. based on your needs, you could do a lot more with dd-wrt compared to the stock linksys firmware.

all you need to do to secure your router settings is use a halfway decent password. there is little point putting in more effort than that. remote admin will be disabled by default as well. when you first install dd-wrt, it makes you set a password. use a password generator to come up with an 8 character alpha numeric password. then write the password on a piece of tape and stick it to the router so you do not lose it. if you manage to somehow get hacked like that, it would be a first.
 
OK, got it now, must have made a typo before, thanks. Is this the correct file I need to use?

dd-wrt.v24_mini_generic.bin

It says this there so assume it is.

Notes:

* Initial flashing with mini_generic.bin via web interface. Give it at least 2 mins after reboot!
 
Yes you flash it with the mini first....it's the supported method instead of attempting to flash with the standard firmware first (which can have issues if done first).

You can stick with the mini, or from there....do the upgrade to the standard (or VoIP or VPN or XBox version) if you want those additional features.

Personally for basic use I prefer Tomato firmware over DD...it's a bit faster and more stable.
 
Hmm, I better make sure I get the best firmware before flashing. How is DD-WRT unstable? What does the Xbox version do? I have a PS3 but not an Xbox.
 
first you flash a mini build, then you want the standard generic. depending on the revision you have, you may be able to skip the extra step of flashing a mini build first. if you click community on the dd-wrt page then go to the forum, you can find tons of info in the broadcom section. the peacock post has the info in it (it's a sticky on the forum called peacock thread).

the xbox version has some feature for the original xbox to play online without using xbox live so you do not need that. for using your ps3, all you need to do is enable upnp in one of the standard generic builds.
 
Try different ones, and see which works best for you. DD is definitely more stable than stock firmware, but even still on the several different routers I ran it on, now 'n then it'd need a reboot. I find with Tomato, well...plug it in..and let it go for as long as you use it. Also with Tomato response as far as web browsing 'n stuff was a hair quicker. It doesn't have as many features as DD can....but then again..9 out of 10 people will never use the additional features DD has...nevermind even know what they are.
 
OK, thanks. I am running Tomato firmware now. At first I messed with too many settings that I didn't really understand and was locked out of the internet. Had to do a hard reset and then just change what I did understand. I have a website bookmarked that explains the settings so will look at it later.
 