Humbled

@mycingular.net

Linksys router possibly hacked by neighbor

I thought I knew something about setting up a wireless router, but apparently not... Someone in my neighborhood had gotten into my router and changed the SSID to something obnoxious. My smartphone showed the new name as I drove into the driveway, and did not connect to my usual SSID. Then, suddenly, my phone connects to my router and starts working. My router shows an uptime of about 5 minutes after an uptime of about 6 months (DD-WRT) when I checked last week. All the logs had been erased (maybe due to the reboot)? The router was a Linksys WRT54GL v1.1. I was running DD-WRT v24, WPA2 AES. The PSK was a 34 char sentence, but I did leave the remote management enabled with a nonstandard username and a 9 char password. That was probably a mistake looking back. This Linksys does have that WPS button but I don't think DD-WRT supports that.
This guy (or kid) pulled this same stunt on me about 7 months ago on a different router. I am using a wired router right now and am hesitant to use wireless again at this point. I am dismayed to say the least. I have some time for research since I am in between jobs - do you folks have any recommendations? I guess what I am asking is, is there an "industrial strength" wap or such I could investigate or did I more likely overlook a setting?
Thanks for reading this far - I appreciate any responses, positive or otherwise ...



Thane_Bitter

join:2005-01-20
London

1 recommendation

Try a newer build of DD-WRT, disable WPS, remote access and anything else you don't use. Use a longer passkey (>16 chars) made out of randomish ASCII characters, don't use TKIP or AES + TKIP. Don't give out your network key to other people; if you have guests, set up a guest network which is separate from your main one.

When you do make all these changes, turn off the wifi and connect by wire to change the settings.



sbconslt

join:2009-07-28
Los Angeles, CA

1 recommendation

reply to Humbled

Remote admin seems like the most likely vector from your narration of events. Turn that off first thing, obviously.

Make sure you're running the most current recommended patch level of DD-WRT. Exposures, sometimes serious ones, are fixed going to new versions. If you haven't updated it in a while, or since you originally flashed it, check.

WPS off, as has been mentioned.

Use a strong admin password and a strong passphrase. I am not a fan of long random ones, just use something that can't be dictionaried, or otherwise guessed.
--
Scott Brown Consulting
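The two replies above boil down to a handful of DD-WRT settings. The script below is an added example, not code from the thread or from the DD-WRT project: it audits a saved `nvram show` dump for exactly those settings (remote management on, TKIP allowed, anything other than WPA2 Personal, a short or sentence-like PSK, a short admin password) and generates a random passphrase of the kind Thane_Bitter suggests. The key names remote_management, wl0_security_mode, wl0_crypto, wl0_wpa_psk and http_passwd are the DD-WRT v24 ones for the first radio; the expected value psk2 for WPA2 Personal, and the assumption that older builds keep http_passwd in clear text, are mine and should be checked against your own dump. There is no WPS check because that variable name depends on the build (and the OP's v24 build on a WRT54GL has no WPS); `nvram show | grep -i wps` will tell you what yours exposes. The sample dump at the end is constructed to mirror the OP's description and is not real router output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DD-WRT "nvram show" dump for the
# settings recommended above, and generate a random passphrase.
#
# On the router:  nvram show > /tmp/nv.txt ; sh audit.sh /tmp/nv.txt
# Key names are DD-WRT v24 ones for radio 0 (wl0_*). "psk2" as the value for
# WPA2 Personal is an ASSUMPTION: verify it on your own build.

nv_get() {   # nv_get KEY FILE -> value of KEY (empty if absent)
    grep "^$1=" "$2" | head -n 1 | cut -d= -f2-
}

audit_ddwrt() {   # audit_ddwrt FILE -> one "WARN: ..." line per finding
    f=$1
    if [ "$(nv_get remote_management "$f")" = "1" ]; then
        echo "WARN: remote_management=1 (admin interface reachable from the WAN); disable it"
    fi
    mode=$(nv_get wl0_security_mode "$f")
    case "$mode" in
        psk2) ;;    # WPA2 Personal only: fine
        *) echo "WARN: wl0_security_mode='$mode' (expected psk2, i.e. WPA2 Personal only)" ;;
    esac
    case "$(nv_get wl0_crypto "$f")" in
        *tkip*) echo "WARN: wl0_crypto allows TKIP; set it to aes only" ;;
    esac
    psk=$(nv_get wl0_wpa_psk "$f")
    if [ ${#psk} -lt 16 ]; then
        echo "WARN: wl0_wpa_psk is ${#psk} chars; use more than 16 random ASCII characters"
    fi
    # Nothing but letters and spaces means a sentence, i.e. dictionary/phrase-list material.
    if [ -n "$psk" ] && [ -z "$(printf '%s' "$psk" | tr -d 'A-Za-z ')" ]; then
        echo "WARN: wl0_wpa_psk looks like plain words; mix in digits and punctuation"
    fi
    pw=$(nv_get http_passwd "$f")
    case "$pw" in
        '$'*) ;;   # already stored as a hash (newer builds): length check not meaningful
        *) if [ ${#pw} -lt 12 ]; then
               echo "WARN: http_passwd is ${#pw} chars; lengthen the admin password"
           fi ;;
    esac
}

count_findings() {   # count_findings FILE -> number of WARN lines
    audit_ddwrt "$1" | grep -c '^WARN' || true
}

gen_psk() {   # gen_psk [LEN] -> LEN random printable ASCII characters (default 24)
    LC_ALL=C tr -dc 'A-Za-z0-9!#%+,./:=@_-' < /dev/urandom | head -c "${1:-24}"
    echo
}

write_sample_dump() {   # constructed sample mirroring the OP's setup; not real output
    cat > "$1" <<'EOF'
remote_management=1
wl0_security_mode=psk2
wl0_crypto=aes
wl0_wpa_psk=the quick brown fox jumped over the lazy dog
http_username=notadmin
http_passwd=secret123
EOF
}

if [ -n "${1:-}" ]; then
    audit_ddwrt "$1"
else
    write_sample_dump "${TMPDIR:-/tmp}/nv_sample.txt"
    audit_ddwrt "${TMPDIR:-/tmp}/nv_sample.txt"
    echo "suggested PSK: $(gen_psk 24)"
fi
```

Run it with no argument to see the three findings the constructed dump produces (remote management on, a sentence as PSK, a 9 character admin password); run it against your own `nvram show` output to audit the real box. Make the changes over a wired connection, as Thane_Bitter says, and `nvram commit` afterwards.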


HELLFIRE
Premium
join:2009-11-25
kudos:8
reply to Humbled

said by Humbled :

All the logs had been erased (maybe due to the reboot)?

Off-device storage of the logs in a nonvolatile storage medium -- i.e. a syslog server.

said by Humbled :

but I did leave the remote management enabled with a nonstandard username and a 9 char password. That was probably a mistake looking back.

You probably already know the answer to this, but a) did your DD-WRT log the username(s) logging in, date / time of entry, and the result of the login attempt? b) Did it have a limit of failed logins before locking out access?

My 00000010bits

Regards
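The two points in the post above (get the logs off the box, and know whether failed admin logins show up) can be put to work with the script below. It is an added example, not code from the thread or from DD-WRT: it sets the remote syslog target the way the v24 Services page does (the nvram keys syslogd_enable and syslogd_rem_ip are the ones that page writes) and then counts failed web-admin logins per source address in the file your syslog server collects. The log lines in the sample are constructed for this example; the exact wording DD-WRT's httpd logs varies by build, so pass whatever pattern matches the failed-login lines you actually see. Only the router has an `nvram` command, so off the router the first function just prints the commands it would run. 203.0.113.x and 198.51.100.x are documentation addresses standing in for attacker IPs.

```shell
#!/bin/sh
# Added example (not from the thread): send DD-WRT syslog to another host and
# flag source addresses with repeated failed admin logins in the collected log.
#
# syslogd_enable / syslogd_rem_ip are the DD-WRT v24 nvram keys behind the
# Services -> System Log "Remote Server" setting. The httpd log line wording
# below is CONSTRUCTED for this example; match your own lines with PATTERN.

# enable_remote_syslog IP : point the router's syslogd at IP (UDP 514).
# Runs nvram only where it exists (on the router); elsewhere prints the commands.
enable_remote_syslog() {
    ip=$1
    for cmd in "nvram set syslogd_enable=1" "nvram set syslogd_rem_ip=$ip" "nvram commit"; do
        if command -v nvram >/dev/null 2>&1; then $cmd; else echo "$cmd"; fi
    done
    # a reboot (or restarting syslogd) is needed for the new target to take effect
}

# failed_login_sources LOGFILE PATTERN THRESHOLD : print "count ip" for every
# source address that produced at least THRESHOLD lines matching PATTERN.
# The source is taken to be the last IPv4 literal on the line.
failed_login_sources() {
    grep -E "$2" "$1" | awk -v thr="$3" '
        {
            ip = ""
            for (i = NF; i > 0; i--)            # scan from the end for an IPv4 literal
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' | sort -rn
}

write_sample_log() {   # constructed lines in syslog style; not real DD-WRT output
    cat > "$1" <<'EOF'
Jan 12 03:14:07 DD-WRT httpd[812]: login failed for user admin from 203.0.113.55
Jan 12 03:14:09 DD-WRT httpd[812]: login failed for user admin from 203.0.113.55
Jan 12 03:14:12 DD-WRT httpd[812]: login failed for user root from 203.0.113.55
Jan 12 03:14:15 DD-WRT httpd[812]: login failed for user admin from 203.0.113.55
Jan 12 03:14:20 DD-WRT httpd[812]: login ok for user scott from 192.168.1.10
Jan 12 03:20:01 DD-WRT httpd[812]: login failed for user admin from 198.51.100.7
Jan 12 03:21:44 DD-WRT httpd[812]: login failed for user admin from 203.0.113.55
EOF
}

if [ -n "${1:-}" ]; then
    failed_login_sources "$1" "${2:-login failed}" "${3:-3}"
else
    enable_remote_syslog 192.168.1.10
    write_sample_log "${TMPDIR:-/tmp}/ddwrt_sample.log"
    failed_login_sources "${TMPDIR:-/tmp}/ddwrt_sample.log" 'login failed' 3
fi
```

With the sample, threshold 3 reports only 203.0.113.55 (five failures) and ignores the single failure from 198.51.100.7 and the successful login. Because the log lives on the syslog host, a reboot of the router, like the one the OP saw, no longer erases the evidence; the same one-liner run from cron against the collected file is the cheapest "lockout" warning you can get on a router that has none.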


Humbled

@mycingular.net
reply to Humbled

Thanks everyone, I appreciate your responses. I wish I had the brains to set up a Syslog server, or even to turn off remote admin. Found some info about an exploit for remote admin in dd-wrt that was patched in 2009. I should have kept it simple and just used the original firmware I guess, got in over my head. I just thought it was cool with the bandwidth monitor and that status screen, thinking it would be impervious to attack by default without knowledge of how to correctly set it up.


HELLFIRE
Premium
join:2009-11-25
kudos:8

1 recommendation

reply to Humbled

Be thankful you found out about it... worst thing is someone hacking it, then continuing to 0wn it without your further knowledge till you got a call from the ISP, or worse, law enforcement / three-letter government agencies...

Regards