From: smurf on
Spotted it today: a DG834G Netgear router was accessed by some malicious
software which followed a LimeWire download. The software logged onto the
router (using the default password) and changed DNS settings from automatic to a
set of manual addresses.

The consequence was, of, say, a Google search, any link had a results5 prefix.

The standard fix for results5 infections was TDSSKiller etc., of course
no good here as the source of the problem was the router.

Removed the DNS addresses, changed the password on the router and flushed
the DNS cache of the connected machines.

First time I've come across this.


From: David H. Lipman on
From: "smurf" <smurf(a)smurf.com>

| Spotted it today: a DG834G Netgear router was accessed by some malicious
| software which followed a LimeWire download. The software logged onto the
| router (using the default password) and changed DNS settings from automatic to a
| set of manual addresses.

| The consequence was, of, say, a Google search, any link had a results5 prefix.

| The standard fix for results5 infections was TDSSKiller etc., of course
| no good here as the source of the problem was the router.

| Removed the DNS addresses, changed the password on the router and flushed
| the DNS cache of the connected machines.

| First time I've come across this.


http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers

http://www.pc1news.com/news/0017/warning-a-new-zlob-trojan-modifies-wireless-router-settings.html

http://vil.nai.com/vil/content/v_141841.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: zxcar on
On 8/6/2010 7:35 PM, David H. Lipman wrote:

>
> http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers
>
> http://www.pc1news.com/news/0017/warning-a-new-zlob-trojan-modifies-wireless-router-settings.html
>
> http://vil.nai.com/vil/content/v_141841.htm
>

Thanks...
Here are 2 others for the list that I found under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DHCPNameServer:
213.109.64.5 213.109.72.21 0.1.1.1. They are under Interfaces too. I've
read that a NameServer key will override those settings?

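An added example (not code from anyone in this thread) of how a defender can check the registry values zxcar names offline: a non-empty static NameServer value takes precedence over the DHCP-supplied DHCPNameServer on Windows, so the script resolves that precedence per key and then flags any resolver that is neither a local (RFC 1918 / loopback / link-local) address nor on an explicit trusted list. The registry snapshot, interface GUID names and trusted list are constructed sample data.

```python
import ipaddress

# Constructed snapshot of the keys the post mentions; GUID names are placeholders.
SAMPLE_REGISTRY = {
    r"Tcpip\Parameters": {
        "NameServer": "",
        "DHCPNameServer": "213.109.64.5 213.109.72.21 0.1.1.1",
    },
    r"Tcpip\Parameters\Interfaces\{GUID-LAN}": {
        "NameServer": "",
        "DHCPNameServer": "192.168.1.1",
    },
    r"Tcpip\Parameters\Interfaces\{GUID-WIFI}": {
        # static entry overrides the router's DHCP-provided resolver
        "NameServer": "213.109.64.5,213.109.72.21",
        "DHCPNameServer": "192.168.1.1",
    },
}

# Resolvers a home/office host can normally expect: the router or a local resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10")]


def effective_dns(values):
    """Resolvers actually used for one key: static NameServer wins over DHCPNameServer."""
    static = values.get("NameServer", "").replace(",", " ").split()
    return static or values.get("DHCPNameServer", "").replace(",", " ").split()


def suspicious(servers, trusted=frozenset()):
    """Return resolvers that are neither local nor explicitly trusted (or unparsable)."""
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)  # not an address at all: worth a look
            continue
        if s in trusted or any(ip in net for net in LOCAL_NETS):
            continue
        bad.append(s)  # e.g. 0.1.1.1 or a foreign resolver pushed by DNSChanger
    return bad


def scan(registry, trusted=frozenset()):
    """Map each registry key to its flagged resolvers; keys with none are omitted."""
    findings = {}
    for key, values in registry.items():
        bad = suspicious(effective_dns(values), trusted)
        if bad:
            findings[key] = bad
    return findings
```

Run against a real machine, the same logic applies to the output of `reg query` for those keys; the WIFI interface shows why a clean DHCPNameServer alone proves nothing.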
From: Lil' Abner on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:i3i7s002u63(a)news6.newsguy.com:

> From: "smurf" <smurf(a)smurf.com>
>
>| Spotted it today: a DG834G Netgear router was accessed by some
>| malicious software which followed a LimeWire download. The software
>| logged onto the router (using the default password) and changed DNS
>| settings from automatic to a set of manual addresses.
>
>| The consequence was, of, say, a Google search, any link had a results5
>| prefix.
>
>| The standard fix for results5 infections was TDSSKiller etc., of
>| course no good here as the source of the problem was the router.
>
>| Removed the DNS addresses, changed the password on the router and
>| flushed the DNS cache of the connected machines.
>
>| First time I've come across this.
>
>
> http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers
>
> http://www.pc1news.com/news/0017/warning-a-new-zlob-trojan-modifies-wireless-router-settings.html
>
> http://vil.nai.com/vil/content/v_141841.htm

OK, now you have *me* nervous. I had a problem earlier today with newegg.com
getting redirected to dpbolvw.net. The latter is bad news and is blocked in
my HOSTS file. So I got to reading this thread and decided to check my
firewall settings in my D-Link 604 router.
Look at http://mewnlite.com/di-604.gif
The 4 circled items were not put there by me. The rest of them are all
items I have listed under virtual server. According to what I've Googled,
the legit Teredo has something to do with IPv6. The LIMExxxxxxxxx entries
do not ring a bell with me - do they to anyone else?

--
--- Everybody has a right to my opinion. ---


From: Lil' Abner on
"Lil' Abner" <blvstk(a)dogpatch.com> wrote in
news:Xns9DCCF2C61E263butter(a)wefb973cbe498:

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:i3i7s002u63(a)news6.newsguy.com:
>
>> From: "smurf" <smurf(a)smurf.com>
>>
>>| Spotted it today: a DG834G Netgear router was accessed by some
>>| malicious software which followed a LimeWire download. The software
>>| logged onto the router (using the default password) and changed DNS
>>| settings from automatic to a set of manual addresses.
>>
>>| The consequence was, of, say, a Google search, any link had a results5
>>| prefix.
>>
>>| The standard fix for results5 infections was TDSSKiller etc., of
>>| course no good here as the source of the problem was the router.
>>
>>| Removed the DNS addresses, changed the password on the router and
>>| flushed the DNS cache of the connected machines.
>>
>>| First time I've come across this.
>>
>>
>> http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers
>>
>> http://www.pc1news.com/news/0017/warning-a-new-zlob-trojan-modifies-wireless-router-settings.html
>>
>> http://vil.nai.com/vil/content/v_141841.htm
>
> OK, now you have *me* nervous. I had a problem earlier today with
> newegg.com getting redirected to dpbolvw.net. The latter is bad news
> and is blocked in my HOSTS file. So I got to reading this thread and
> decided to check my firewall settings in my D-Link 604 router.
> Look at http://mewnlite.com/di-604.gif
> The 4 circled items were not put there by me. The rest of them are all
> items I have listed under virtual server. According to what I've
> Googled, the legit Teredo has something to do with IPv6. The
> LIMExxxxxxxxx entries do not ring a bell with me - do they to anyone
> else?

OK. Since that post, I hooked up a spare router that was programmed
exactly the same as the original. The Teredo and LIMExxxxx entries were
not there. So I hooked the original router back up and now the entries
are gone there too! OK, the LIMExxxxx entry made me wonder about
LimeWire. I do have it installed but I haven't used it forever. So just
for kicks I started it up and sure enough the LIMExxxx entries showed
back up in my router. The Teredo ones did not. And when I shut LimeWire
down the entry went away again.
So now I'm thoroughly confused. My router is protected with a very unique
password. How can an application change my settings so easily?

--
--- Everybody has a right to my opinion. ---