nvwifi (Member, join:2010-03-21, Las Vegas, NV)
Belkin router virus??

I have talked to my 4th customer in as many days where the customer has been experiencing web sites that won't load images. The repeatable example is ebay. I have screen shared customer PCs and saw the behavior first hand.

Removing the router and hooking up directly fixes it. The issue is definitely the router. Replacing the router with a new router also fixes it.

It's weird - because 99% of my customers do not have public IP addresses - so the only way the virus could get into the router is from the PC.

Everyone has default passwords on their routers, so pwning their router is trivial for a virus to do if they can get to the customer PC.

I read briefly about TheMoon virus which supposedly impacts Linksys routers.

I want to get one of these routers from my customer into my lab so I can test it and see if re-flashing fixes it.

Is anyone else seeing this issue in their customer base?
wirelessdog (Member, join:2008-07-15, Queen Anne, MD)

Sounds like an MTU issue. Are you replacing the routers with identical models and identical firmware?
jimbouse (Member, join:2011-10-01, Bryan, TX) to nvwifi
I had some of my WISP customers complain recently. All of them were using Belkin routers. I went onsite to a couple. It seems these model routers had some "anti-malware" inspection service that was screwing things up.

Putting the unit into bridge mode (turning it into a dumb AP) fixed things. I have all my CPE in router mode with NAT to private on the customer side so no issues there.
bburley (Member, join:2010-04-30, Cold Lake, AB, 1 recommendation) to nvwifi
This may not be related to your exact problem, but I have encountered consumer routers that have been reprogrammed by a virus. Obviously all the virus would need is a list of default passwords to find victim routers. In one case I saw the router's IP address changed to the one used by Amazon.com, then it tried to send traffic to a military site in the UK. Fortunately it never made it past my firewall and was logged. I wonder what the Internet will look like when everything has its own IPv6 public address and these types of viruses will be more successful.
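The detection that caught the case above (a LAN-side device suddenly sourcing traffic from a public address that does not belong on that subnet) can be expressed as a small log check. The following is an added example and not code from any poster here; the netfilter-style log format, the LAN subnet 192.168.1.0/24, the interface names and all addresses are constructed for illustration.

```python
"""Flag packets entering the firewall's LAN interface whose source address is
outside the subnet assigned to that LAN (an anti-spoofing / rogue-source check).

Added example; the log format and every address below are constructed.
"""
import ipaddress
import re

# Constructed: the subnet the firewall expects behind its LAN interface.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
LAN_IFACE = "eth1"  # constructed interface name

# Constructed sample lines in a hypothetical netfilter-style log format.
# Line 2 and line 4 come from a host that is sourcing traffic from a public
# address (203.0.113.45) while sitting on the LAN side: the symptom described
# above of a router whose address had been changed to someone else's IP.
SAMPLE_LOG = """\
Mar 10 08:01:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=443
Mar 10 08:01:15 fw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.45 DST=198.51.100.9 PROTO=TCP DPT=80
Mar 10 08:01:20 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=203.0.113.200 PROTO=UDP DPT=53
Mar 10 08:01:22 fw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.45 DST=192.0.2.66 PROTO=TCP DPT=22
Mar 10 08:01:30 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.23 PROTO=TCP DPT=52000
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract ingress interface, source, destination and destination port.

    Returns None for lines that do not match the expected format.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "iface": m["iface"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dpt"]),
    }


def source_belongs_to_lan(rec, lan_subnet=LAN_SUBNET):
    """The per-packet anti-spoofing decision a LAN-facing filter should make:
    only addresses inside the assigned subnet may source traffic here."""
    return rec["src"] in lan_subnet


def find_rogue_sources(log_text, lan_subnet=LAN_SUBNET, lan_iface=LAN_IFACE):
    """Return {source_ip: [(dst_ip, dport), ...]} for packets that entered on
    the LAN interface with a source address outside the LAN subnet.

    Packets arriving on other interfaces are ignored; their public sources are
    expected there.
    """
    rogue = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != lan_iface:
            continue
        if not source_belongs_to_lan(rec, lan_subnet):
            rogue.setdefault(str(rec["src"]), []).append((str(rec["dst"]), rec["dport"]))
    return rogue


def report(rogue):
    """Render the findings as one line per rogue source, for a ticket or alert."""
    lines = []
    for src, flows in sorted(rogue.items()):
        targets = ", ".join(f"{dst}:{dport}" for dst, dport in flows)
        lines.append(f"rogue LAN source {src} -> {targets}")
    return lines


if __name__ == "__main__":
    for line in report(find_rogue_sources(SAMPLE_LOG)):
        print(line)
```

Running the block against the constructed log reports the single rogue source 203.0.113.45 and the two destinations it tried to reach; the reverse-direction packet on eth0 is correctly left alone. On a real ISP edge the same rule is usually enforced rather than just logged (a source-address filter on each customer-facing port), which is exactly what stopped the traffic in the case described.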
voxframe (Member, join:2010-08-02) to nvwifi
There was a huge news item about this just recently. Wasn't Belkin one of those units mentioned?

TomS_, Git-r-done (MVM, join:2002-07-19, London, UK) to nvwifi
Yeah there was something recently, about SOHO routers with default or easily guessable passwords, or a plain exploitable vulnerability, being susceptible to becoming zombies on some botnet - or something to that effect. They are all little linux boxes, so the kinds of tools that can be deployed on them can be reasonably advanced.

And the thing is it's very easy for ISPs to totally stop this being an issue, if the router manufacturers won't fix it themselves.

Just block inbound connections to things like port 80, 25, 22, 23, NetBIOS et al. Unblock them on a per-user basis by request with a warning.

Email your customers and say "On X date we will implement some security measures in response to recent events. Please let us know if you require these ports open."

Most users probably won't know what the hell you are talking about so won't contact you. Some will be curious and ask what it's all about. And then there'll be a couple that will ask for the ports unblocked.

And of course, only an issue if you give your customers public IPs. If they are behind NAT, not so much of an issue (if at all.)

Inssomniak, The Glitch (Premium Member, join:2005-04-06, Cayuga, ON) to nvwifi
I've had a similar yet unsolved issue with a TP-Link router, combined with a MikroTik radio, combined with an Apple Mac computer.
Acts like MTU, but other things on the router like Windows laptops are OK.

Twice now I have seen this and never figured it out.
Replacing the router with a non-TP-Link router fixes it.
bburley (Member, join:2010-04-30, Cold Lake, AB) to TomS_
said by TomS_:

Just block inbound connections to things like port 80, 25, 22, 23, NetBIOS et al.

I'm not sure that that would work. The router I was talking about was programmed from a virus on the client's computer. After that it was client-initiated connections. The only thing that stopped it was the use of a public IP address on a subnet where it didn't belong.

TomS_, Git-r-done (MVM, join:2002-07-19, London, UK)

Yeah, that wouldn't help if it came from the client side.

But for viruses that are fishing around the Internet looking for open things to infect, it would certainly help a lot.
mywisp (Member, join:2014-03-17, United State) to nvwifi
If I remember correctly, Linksys is now owned by Belkin. I'm not saying that the same virus could be affecting Belkin routers as well, but there's always that possibility that SOHOs are being targeted specifically.
Mike_27 (Premium Member, join:2004-05-15, Gardiner, MT) to nvwifi
»www.cvedetails.com/vulne ··· kin.html