I have an odd problem.

I'm trying to get to the bottom of a DNS problem. My flat mate complained of dodgy porn websites/adverts popping up and it looks like we have something taking over. She's now bug5erd off on holiday, her last words were, "don't you dare mess with anything whilst I'm away", which is rather a mouthful in Luxembourgish. So I'm ignoring her and will take the consequences on the chin/balls when she gets back.

I thought I had it sorted, I logged onto the Modem (it's a Cisco something or other so 192.168.0.1 works and lo and behold there is no login/password setup so it's all open). The primary DNS server was set to 31.207.6.128 (secondary DNS was 8.8.8.8 which is a Google DNS server). As far as I can tell the 31... number is somewhere in the Czech Republic. So, I changed it to 8.8.8.8 and the 2nd one to 8.8.4.4 both Google servers and it's stayed like that for the last week.

However, tonight, everything has started to run really slowly again, and I checked and the primary DNS has reset itself back to the 31.207... number. Do I ("we" in absentia) have a buggy virus in the firmware?

I will be the 1st to admit that all this webby/IP stuff is a bit beyond me, but it does look odd

Much obliged for any help

 

Link to comment
Share on other sites

If you share files over the network these could be compromised by a virus. As Routers do not have an operating system it is highly unlikely that it will get a virus. It is possible that the firmware running on the Router could be infected with a virus but that happens very rarely.
Link to comment
Share on other sites

Thanks for coming along guys, I was hoping an Uber Geek would turn up

The router is a Cisco EPC2434

There is a login page but with no login credentials so you just press return to get access

 

Firmware epc2434-ESIP-16-v202r1262-120605s.bin

 

Software revision epc2434-ESIP-16-v202r1262-120605s

 

Is it easy to flash the firmware?

 

Link to comment
Share on other sites

It would also help to know who the ISP is as well because normally they give you the settings for DNS etc. If it is Orange then they would use IPv4 primary 81.253.149.10, Secondary (IPv4 again) 80.10.246.3. Both belong to France Telecom (Orange) and are in France which is normal in that the DNS servers belong to the ISP as standard but you can of course change them for a particular reason. For instance you could change them to a UK based DNS server to watch BBC iPlayer.

 

Link to comment
Share on other sites

[quote user="HoneySuckleDreams"]

Thanks for coming along guys, I was hoping an Uber Geek would turn up

The router is a Cisco EPC2434

There is a login page but with no login credentials so you just press return to get access

 

Firmware epc2434-ESIP-16-v202r1262-120605s.bin

 

Software revision epc2434-ESIP-16-v202r1262-120605s

 

Is it easy to flash the firmware?

 

[/quote]

 

https://www.cisco.com/web/consumer/support/userguides2/4011350.pdf

 

Go to page 57. It seems that when it was installed if the person got to the screen as shown on that page and just kept hitting the Enter key then no password would be created because it does not come with a default password. Every time thereafter you logged in it probably would not even ask for one.

 

I have had the problem with adverts etc and the system running slow. I even had adverts popping up when not in a browser. In this instance it was due to some software downloaded as part of some other free software downloaded from the web (DVD Ripping software). Took ages to clear it out using a couple of different software packages. I am almost certain that your problems are on the PC and not in the router.

 

A word of warning. Updating firmware is dangerous even when you know what you are doing. You could end up totally screwing the router with no ability to recover it. You have been warned.

Link to comment
Share on other sites

I set a password up on the router and set the DNS servers to point to Google.

 

No weird issues have surfaced, and SWMBO is back with her gadgets and stuff and it's all still tip-top.

 

So we will see if she is carrying a virus within her bits and bobs and if so she will be getting a good delousing over the weekend... so far so good though.

 

Link to comment
Share on other sites

Routers do run on an operating system, usually Linux. Even the Orange Livebox is running on Linux. If anyone is able to get 'root' access to a router he or she can do whatever they want with it, even control your local network and every device attached.

Hackers are keen on router access to run their exploits as routers are always turned on.

Link to comment
Share on other sites

For humble plebs like us it is highly unlikely that anyone will bother to hack your router but that's not to say they can't. You might find the following interesting although it is aimed at UK routers but it gives you the gist of it all.

http://www.pcadvisor.co.uk/how-to/network-wifi/how-reset-your-router-rid-it-of-malware-3595477/

There is other stuff on the web about Router Viruses and their most common effect is to change the DNS server then lock it.

I know with Orange they can check your router remotely and if required help you 're-flush' the operating system and if that fails they just give you a returns number and you can swap it out at your nearest Orange shop. I guess that is one of the benefits of renting your Livebox, it stays under 'warranty' for as long as you have it.
Link to comment
Share on other sites
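
A client-side check for the symptom discussed in this thread (the DNS server changing to an address nobody chose), given here as an added example that is not part of any post. The `ipconfig /all` excerpt is constructed, the function names are hypothetical, and the expected set is the pair of Google servers the original poster configured.

```python
import ipaddress
import re

# Resolvers the original poster set on the router (Google Public DNS).
EXPECTED = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of Windows `ipconfig /all` output, not a real capture.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 31.207.6.128
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _as_ip(token):
    """Return a normalised IP string, or None if token is not an address."""
    try:
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None

def parse_dns_servers(text):
    """Extract resolvers from resolv.conf text or `ipconfig /all` output."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        s = line.strip()
        unix = re.match(r"nameserver\s+(\S+)", s)
        win = re.match(r"DNS Servers[ .]*:\s*(\S+)", s)
        if unix or win:
            ip = _as_ip((unix or win).group(1))
            in_dns_block = bool(win)   # Windows lists extra servers on bare lines
        else:
            ip = _as_ip(s) if in_dns_block else None
            in_dns_block = ip is not None
        if ip and ip not in servers:
            servers.append(ip)
    return servers

def audit(text, expected=EXPECTED):
    """Sort resolvers into expected, local forwarder, or unexpected."""
    report = {"ok": [], "forwarder": [], "unexpected": []}
    for ip in parse_dns_servers(text):
        if ip in expected:
            report["ok"].append(ip)
        elif ipaddress.ip_address(ip).is_private:
            # The PC asks the router; its upstream DNS must be read on the admin page.
            report["forwarder"].append(ip)
        else:
            report["unexpected"].append(ip)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG))
```

An address under "forwarder" means the check cannot see what the router itself is using, so the router's own DNS setting still has to be compared by hand.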

Since I reset the DNS servers to the Google servers and added a password to get to the admin page, we have had no more problems.... so fingers crossed.

I have also been talking to the ISP to ask what the original DNS settings were, Luxembourg Online (LOL...funnily enough) and they have been less than useless. After nearly 2 weeks I am still getting emails from their support people asking what exactly is the problem, "can I see the internet", "have I turned it off and back on again" etc

 

 

Link to comment
Share on other sites

[quote user="HoneySuckleDreams"]I have also been talking to the ISP to ask what the original DNS settings were[/quote] ?

To manually override the ISP's default DNS servers and substitute Google somewhere you will have had to tick a box and unticking it should make it revert, possibly with a restart.

Link to comment
Share on other sites
