Old Sep 5, 2010, 11:27 PM   #1
hellodon
macrumors 6502
 
Join Date: Jan 2006
I think my router might be hacked?

I can't find much information on this online, but I have heard of routers being hijacked and rerouting websites, having DNS reroute problems etc.

Here are a few examples of things happening.

Sometimes when I go to a message board at offtopic.com, it loads washingtonpost.com

Today Twitter was some random blogspot blog

Ebay SSL Certificate showing up as invalid

PayPal SSL Certificate showing up as invalid

Facebook.com not loading

Shopping.com (I think....it was some shopping site) loaded Pricegrabber.com

Sometimes sites just don't load, when there are no issues with the site, it'll just get a white page with an error message.

There have been other odd happenings.

This is all pretty weird stuff that has happened over the past few months. I have kind of just brushed it off. I never enter personal info or anything so HOPEFULLY nothing important has been taken.

Now - it might be your first instinct to assume that my computer might be hacked/hijacked/virus but it's NOT my computer. Like 100% not my computer. We have 3 macs here, 2 iPhones and an iPad. Whenever I am having these issues it is on ALL devices. All on wireless so this is definitely coming from the router. I have tried searching for help with this through google and can't seem to find any info. I see mention of what people were saying is a DNS hacked router, but no way to repair or even anyone discussing it so I really don't know where to turn. Maybe someone here can point me in the right direction?

What's also strange is these are always temporary...for example, I noticed it tonight when I went to do a PayPal refund, and got that SSL error so I left the site about a half hour ago. Just went again to get a screen shot to include with this post and it's back to normal and SSL verified.

Can anyone offer any input on this? I'm tempted to just go buy a new router...unfortunate thing is, this one isn't old. I bought this last fall and have noticed the weird problems since shortly after that.

It's a Linksys WRT160Nv3 Firmware Version: v3.0.02

Thanks in advance! Any questions or suggestions let me know.
__________________
2.8GHz 24" iMac | 4GB Ram | 500GB HD
2.66GHz i7 15" MacBookPro | 4GB Ram | 500GB HD
hellodon is offline   0 Reply With Quote
Old Sep 6, 2010, 12:17 AM   #2
EricNau
Moderator
 
EricNau's Avatar
 
Join Date: Apr 2005
Location: San Francisco, CA
I'll admit, I'm not very familiar with reports of such hacking incidents (or any alternative explanations for the behavior you are experiencing), but using your router's reset button should revert all of its settings to factory defaults. If your router was indeed hacked, this should revert any changes. And as is the case whenever hacking is suspected, changing your passwords (both the network password and the router's admin password) is a must. Good luck.
EricNau is offline   0 Reply With Quote
Old Sep 6, 2010, 12:51 AM   #3
sjinsjca
macrumors 65816
 
Join Date: Oct 2008
Sounds more like a DNS issue than a hacked router.

Suggestions:

o Check to see if the firmware is the latest.

o Make a backup of your router's settings, and print them out for good measure. Then (after updating the firmware, if a new rev is available) do what a previous poster suggested and reset the unit to its factory settings. The process varies by model, so check the manual. The "reset" button on some units just reboots the unit; on others it wipes everything.

o After resetting the unit, connect your computer via a cable and reconfigure the router via its web-based interface. Avoid the setup software that comes with many routers nowadays-- it's uniformly crap. Instead, go through the settings you recorded, paying special attention to the DNS-related settings to ensure they're what your ISP recommends. At the same time, take the opportunity to ensure that the router's security and QoS functionalities are turned on.

o When you're done, change the router's password and ensure that remote configuration is turned off (unless you have a very, very good reason to turn it on).
sjinsjca is offline   0 Reply With Quote
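The check a practitioner would run alongside the advice above is to ask the router's resolver and an independent resolver for the same names and see whether they agree. The script below is an added example (not code from the thread or from Linksys) that uses only the Python standard library: it builds a minimal DNS query, sends it over UDP, parses the A records out of the reply, and reports names on which the resolvers disagree. The resolver addresses in the main block (the router at 192.168.1.1 and Quad9 at 9.9.9.9) and the constructed sample reply are assumptions.

```python
"""Compare the A records that different resolvers return for the same names.

Added example, not code from the thread: minimal stdlib-only DNS client plus a
comparison of answers across resolvers. Resolver addresses are assumptions.
"""
import ipaddress
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name; handles RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """IPv4 addresses from the answer section of a DNS reply, sorted."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):          # question section: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):          # answer: name + 10-byte RR header + RDATA
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return sorted(addrs)


def resolve(name: str, server: str, timeout: float = 2.0) -> list:
    """Ask one resolver (UDP/53) for the A records of `name`."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def disagreements(answers: dict) -> dict:
    """answers[name][resolver] -> sorted addrs; keep names whose answer sets differ.

    CDN-fronted sites legitimately vary by resolver, so the hit worth chasing is a
    name that comes back with an unrelated or private address from one resolver.
    """
    return {name: per_resolver for name, per_resolver in answers.items()
            if len({tuple(a) for a in per_resolver.values()}) > 1}


def sample_reply() -> bytes:
    """Constructed reply (txid 0x1234) to 'example.com A' with two A records, the
    second pointing into private space, the shape the thread's symptoms suggest."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)

    def rr(ip):  # owner name is a pointer to offset 12, the question name
        return b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed

    return header + question + rr("203.0.113.10") + rr("192.168.0.1")


if __name__ == "__main__":
    resolvers = {"router": "192.168.1.1", "independent": "9.9.9.9"}  # assumed addresses
    names = ["example.com", "paypal.com", "twitter.com"]
    results = {n: {r: resolve(n, ip) for r, ip in resolvers.items()} for n in names}
    for n, per in disagreements(results).items():
        print(n, per)
```

Run it while the symptom is happening, not after it clears: the thread notes the bad answers are temporary, so a lookup made half an hour later will look normal. A private (192.168.x.x, 10.x.x.x) or unrelated address for a public site from the router's resolver, while the independent resolver returns the expected one, points at the router's DNS path rather than at the site.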
Old Sep 6, 2010, 01:06 AM   #4
hellodon
Thread Starter
macrumors 6502
 
Join Date: Jan 2006
Definitely is a DNS issue but what I read about is some form of hacking that hacks and redirects DNS within the router. That is DEFINITELY the issue.

I did a complete reset/reconfigure...still having the issue. Strange right?

It sorta sounds like this: http://blogs.forbes.com/firewall/201...e-to-web-hack/

But it's not a situation where I'm looking at what I THINK is one page, and the address bar says something different. For me, I see the correct address in the address bar but the page in front of me is either wrong or has some sort of error.

Here are some of the few links I've found that seem like a similar issue:

http://www.computing.net/answers/net...ter/36016.html

This one is actually something I found just now...and I am trying the suggested DNS flush using Terminal. Maybe that'll do it. I'm glad to hear that someone said they think it's NOT a DNS hijack....
http://davedrager.com/facebook-or-tw...-to-myspace-or

Sounds like I'm not alone in this problem. Maybe it's the router? Definitely the latest firmware for it. It's a newer model since the CISCO buyout and it came with that firmware, no updates were found when I checked.
__________________
2.8GHz 24" iMac | 4GB Ram | 500GB HD
2.66GHz i7 15" MacBookPro | 4GB Ram | 500GB HD
hellodon is offline   0 Reply With Quote
Old Sep 6, 2010, 01:11 AM   #5
hellodon
Thread Starter
macrumors 6502
 
Join Date: Jan 2006
Now I'm reading that this is a known issue that Linksys seems to be ignoring.

http://homecommunity.cisco.com/t5/Wi...ues/m-p/238393

I'm going to try a few things, but does anyone have any suggestions on the best wireless router to buy? Maybe I'll just go with a new one that works better.

I have the following devices that need to be compatible.
iMac
MacBookPro
iPhone
iPad
Xbox 360 Slim, Built in Wireless N
PS3 Built In Wifi
Nintendo Wii

Long Range...I need something that has the best possible wifi range because I have weird walls and a very long house. Don't have room for wires or an access point and the living room isn't very close to the computer room where the router will be. Right now it gets signal out there just barely. 2000 SQFT house and it's all one floor...

Everything should be fine, just worried about the Xbox and PS3 working well. Right now my PS3 has weird issues that it never had too. Had to wire it to get it to download the other day. I think this router is just cursed! Might be time to burn it and move on if I can't get this stuff situated.

Thanks for the tips so far!
__________________
2.8GHz 24" iMac | 4GB Ram | 500GB HD
2.66GHz i7 15" MacBookPro | 4GB Ram | 500GB HD
hellodon is offline   0 Reply With Quote
Old Sep 6, 2010, 08:36 PM   #6
hellodon
Thread Starter
macrumors 6502
 
Join Date: Jan 2006
I tried the DNS flush last night.

Right now twitter.com is a white page and says:

Invalid URL

The requested URL "/", is invalid.
Reference #9.7c341818.1283823327.45e8495b



Just wanted to give an example.
__________________
2.8GHz 24" iMac | 4GB Ram | 500GB HD
2.66GHz i7 15" MacBookPro | 4GB Ram | 500GB HD
hellodon is offline   0 Reply With Quote
Old Jan 4, 2011, 03:57 PM   #7
sombrestyles
macrumors newbie
 
Join Date: Jan 2011
Same Problem

I am experiencing the exact same problem, sometimes it's weird stuff like facebook going to google. But it is mostly that error message, blank page.

It will do it to pages I visit often, then once I can't use that site and go to another for a while it will do it to that one. I also have several devices and it happens on all of them.

I reset my router and changed my password and it seems to have gone away other than two short experiences (a few minutes) with that same error message.

Sorry I'm not much help at getting around it, but like you I have been searching A LOT, and I think this is the first time someone else explained it exactly like what I'm getting.

It is really annoying. I'll post here again if I figure anything out.
sombrestyles is offline   0 Reply With Quote
Old Jan 4, 2011, 05:24 PM   #8
miles01110
macrumors 604
 
miles01110's Avatar
 
Join Date: Jul 2006
Location: The Ivory Tower (I'm not coming down)
Try manually setting the DNS server address in the router control panel. Use OpenDNS or Google DNS.
__________________
Got a problem? Check here first.
miles01110 is offline   0 Reply With Quote
Old Jan 4, 2011, 06:36 PM   #9
morphineseason
macrumors regular
 
Join Date: Apr 2007
Send a message via AIM to morphineseason
Quote:
Originally Posted by miles01110 View Post
Try manually setting the DNS server address in the router control panel. Use OpenDNS or Google DNS.
I had the same exact issue, and setting the router to manually use OpenDNS seemed to fix the issue (or at least make it happen less). I think I may have had the same router even. I eventually just replaced it with an Airport Extreme because I was tired of the issues and the overall slow performance.
morphineseason is offline   0 Reply With Quote
Old Jan 4, 2011, 07:52 PM   #10
SandboxGeneral
Moderator
 
SandboxGeneral's Avatar
 
Join Date: Sep 2010
Location: Great Lakes State
DNS Rebinding

It is possible that your router and/or browser was the subject of a DNS rebinding attack. I was going to try and explain it myself, but knew that security expert Steve Gibson told it far better than I could. I copied and pasted with a few small edits, the partial transcript from Security Now episode 260, dated 08/05/2010.

You can also read more about DNS rebinding >>here<<.

Most routers are capable of having up to a 63 character password for the wireless side and even for the admin password. I always encourage people to use a good pseudo random generated password with maximum entropy for their security. Also, make sure you're using the protocol WPA or WPA2 and never WEP. WEP can be cracked (<<MP3 Podcast link) in as little as 3 or 4 minutes regardless of how good your password is because of the TKIP protocol. And always make sure you have the WAN access of your router disabled. There really is no good reason to have it enabled.

Firefox with the NoScript add-on installed is about the most secure you can make your browser unless you disable Javascript altogether. But then a lot of sites you want to work, will stop working. It's a damned if you do, damned if you don't approach and it sucks. With NoScript it blocks all JavaScript from running on your browser by default and you have the option to allow temporarily or permanently scripting on domains of your choice.

Also, check for any new firmware updates for your router since August when the rebinding attack was revealed again at Black Hat. Many companies have scrambled to make the fixes, including Apple which pushed out a firmware update for their line of routers in December.

Also another good application to use is Flush. It is for OS/X and will clear out all the LSO's (Local Shared Objects) or Flash cookies. These are cookies that are cross-platform, meaning the same Flash cookie will be used by Safari, Chrome, IE, Firefox etc... They are used to track you like regular cookies, but are more powerful at it and harder to clear without Flush or for Firefox the Better Privacy add-on. Better Privacy can be configured to clear the LSO's upon exiting a browser session automatically.

Quote:
The DNS rebinding issue has been around for a while. There is something called "same-origin policy,"
The developers of Netscape Navigator 2.0, who put JavaScript into web browsers for the first time, realized that scripting was very powerful. When you went to a website and downloaded a page which contained JavaScript, this JavaScript was going to run in the browser, and it could do lots of things. What they wanted to prevent was it doing anything to other websites on behalf of the user. They wanted to constrain the scripting so that it's not going to get up to any other mischief. And they let the script only deal with the same site, that is, the site that it came from is the only server domain name that it's able to access. And so this notion of same-origin policy, that is, the origin where the script originated, the origin of the script is a constraint that all browsers since then have imposed. Some of them do it to different degrees.

For example, origin is supposed to mean the same domain and port and protocol. So, for example, if you got a document over https://amazon.com, then the script could not do anything to http:// because that's a different protocol, HTTPS versus HTTP. So it's got to be the same protocol. Also the same port, although it turns out IE doesn't enforce the port side. And, for example, cookies don't obey the protocol side. So cookies that you transact over HTTP will also be transacted over HTTPS as long as the domain is the same.

So these things are understood. And this has been sort of evolving along for some time. The problem is that DNS creates a relatively weak link or, to use the fancy term, "binding," a weak binding between the domain name and the IP. That is, that's what DNS does is it binds a domain name to an IP so that, as we know, you ask DNS on the Internet, wherever it is, what's the IP for this domain name, and some sort of a process goes about resolving that domain name into the IP, and you get an answer.

So it's been understood, though, that there are some problems created with this. And this has also been known since about 14 years. It was in 1996 that the first DNS rebinding attack was first seen. And it was used against the Java Virtual Machine. The idea there was that, and we discussed this briefly a couple weeks ago, when you ask for the address, the IP address of a DNS domain, you can receive more than one IP address in return. This is often used for load balancing. For example, I think if you ask - I'm trying to think, I think like the IP for Amazon, you don't get one, you get, like, three or four, or Microsoft. And every time you ask, the server rotates them so that the one that's sort of first in line is what the browser will use. But the point is, if there's a problem, if that server's overloaded, or it can't make a connection, it'll go to the next one.

Well, what some clever hackers realized was that they could return the actual IP address for a malicious site as the first address, and a local IP like 127.0.0.1, which is the localhost IP, for the second address. So when the browser attempted to get another resource from the malicious server, it would send a reset packet. It would send a TCP reset packet back to the browser, denying that connection on the IP that it wanted to use. Well, since the browser had received a number of IPs, or at least two, it would go to the second one, which in this case was 127.0.0.1, which is sort of universal. It's called the localhost IP. It's always used to refer to that own machine.

And what that did was that gave Java, the Java Virtual Machine, something by design it should never have, which is socket-level, network-level access to your own machine. Which hackers had all kinds of fun with until it was understood that this was causing a real problem. So what happened that got this into the news just recently is that another new vulnerability was discovered in routers that hadn't been suspected before, which was, okay, now get this. The router will obey connections aimed at its WAN IP from the LAN.

So the idea is that, normally when you connect to your browser, like you want to do administration on your browser, you typically use its gateway address, 198 or 192.168.0.1 or 1.1 or whatever, which is typically the same IP that it uses for its gateway. It has a web server running in it. And so you point your browser at that IP, and that brings up its admin interface. Well, because rebinding is a problem, there have been protections put in place historically against - by browsers against being fooled by having the script able to use local IPs to access your browser.

So let's step back a little bit and understand how that works first because the idea would be you browse to a malicious site. You don't need to press any buttons, click any links, do anything. You just download a page from the site. Or what's even more disturbing, a web ad is served by a malicious site. So you don't even have to go to a site. You can simply be surfing around benignly on the Internet, and a web ad is displayed which is, after all, a browser document. And we know that those can contain scripts because they often are Flash, which has got some script running to show you a Flash ad. It can also be JavaScript.

So the idea is, when your browser asked for the IP address of attacker.com, it received a valid IP address the first time it asked. Then, in running the script, the script says, oh, I need something else from attacker.com. So what happens is your computer makes another request for the IP address of attacker.com. The reason it does that is that your browser has its own DNS cache, but plug-ins like Flash have their own. So even though your browser knew the IP address of attacker.com, Flash, the Flash plug-in, technically the term is they have separate DNS name spaces. So the Flash plug-in, or Java, or Silverlight or whatever, they're not privy to, for example, Firefox's DNS cache or even your system's DNS cache. They've got their own. So they'll make a request.

When that second request is made, instead of returning the IP address of the site, it returns an IP address that is probably your router's gateway, like 192.168.0.1. So now what happens is this same-origin policy we were talking about, which prevents a script from having access to different domains, now what it has is it says it asked for attacker.com, which it's just been told is 192.168.0.1. But attacker.com is where the script came from because that's where the browser originally loaded it from. Which means that the script came from attacker.com. Now this Flash plug-in believes that attacker.com is your gateway, is your router.

Which means it has full permission within the same-origin policy to do anything it wants. And so it's able to establish a web browser session, a web connection to your router, login without you knowing it, assuming that you didn't change your username and password. It can typically identify the brand, make, and model of your router from the greeting page, the login page that tells it what kind of router you have, make and model. It then looks up in its own little dictionary the default username and password. And more often than not, about half the time apparently, it's able to log on. And so that's the way same-origin policy is broken.

Now, some browsers and plug-ins protect against this because this, again, has been known for a long time. They block 192.168 dot anything dot anything. They block 10-dot anything anything anything. And the 172.16 through 172 dot what is it, 24? 29? I can't remember what the second byte of that is. But basically the RFC 1918 is where those define. Those three networks, they're smart enough not to allow that. So this problem was believed to have gone away.

It turns out it crept back in, in a different form. And that's what this hacker revealed last weekend at Black Hat, which is, not only can you browse to your router's web browser using the private gateway IP, 192.168 dot whatever dot whatever, or whatever it is; you can, believe it or not, also get there using its public IP, that is, the WAN IP, the public IP of the browser, even if it has been disabled, even if you've specifically configured your router not to allow WAN-side access. The way the stacks are written in the DD-WRT and OpenWrt browsers, these aftermarket firmwares, and some of the standard manufacture firmware, will still allow the browser to respond from inside the network, if you use the IP from outside the network.

And so the next-generation attack that was revealed last week, which I'm sure all of the various firmwares are in the process of scrambling around to fix right now, solves, well, what it does is it gets around the blocks against internal LAN access IPs by using your public IP. And of course the remote DNS server gets your public IP because that's the IP from which the request comes to it. It's emitted by your computer, asking for the IP address of attacker.com. Well, that comes from your public IP. So it's able to return the public IP to the script running in a plug-in, which then knows how to get around the use of private IPs on the LAN to access your router.

So, I mean, this is the kind of complexity we're dealing with in this day and age because we've made our systems so complicated. It's, I mean, it's just like one more little hole that's been found that we now have to scramble around and patch.

Now, I mentioned a couple weeks ago that NoScript had some built-in protection for this, that is, for prior types of attacks like this. They're very, very close to releasing v2.0 of NoScript. I think we're at 1.9.9.96. We're just about to roll over to v2.0. And 2.0, I was looking at the release candidate log at RC7 and then 8. They've just added a new feature which will block this next type of attack, as well.

There's something very cool that I never really looked at in NoScript called ABE, stands for Application Boundaries Enforcer. And if you go into NoScript Options and then Advanced, under the Advanced tab there's an ABE subtab. And there's actually a little rule-based firewall that there's a page of documentation about it. On the 'Net you can go to noscript.net/abe and learn about this. But this is built into NoScript, and it allows some interesting restrictions to be put on what your browser is able to do. They're not normally enforcing very many rules. There's a default rule that prevents this kind of problem, the first-generation type of rebinding attack that your browser would launch against any other machines in your local network.

And by the way, this doesn't only have to be launched against your router. Essentially, what these rebinding attacks allow is your computer to serve as a proxy that's then operating inside your network and, with script running in it, that potentially has access to any of the machines in your network. Even, for example, to Windows filesharing, where behind your router you might believe that filesharing is safe because your router is going to protect you. But if something has set up a beachhead in your browser which then has access to your network, and this is specifically what same-origin policy is designed to prohibit, if that's broken, then you've got something running in your browser that has visibility into your entire LAN. Which is frankly terrifying.

So we have essentially this DNS problem which DNSSEC doesn't protect us from. It takes advantage of the fact that our systems have gotten complex, so that they're sort of all doing their own DNS fetches and not taking advantage of the DNS knowledge that different pieces of the system have, which allows the same domain to be known by multiple IPs. And if some of those IPs are within your network, then scripts which have been deliberately restricted against having access to anything but the domain they came from, well, they then believe that the domain they came from is whatever machine inside your network they want access to. This makes it possible. And Flash and Java both have socket-level capabilities, meaning they can open connections, low-level network connections. They're not constrained to just web-based accesses. They can open network-level connections to, for example, email servers within your network, and then use your email server to send spam out, or do whatever it is they want to. And they can have a persistent connection to a remote attacker who's got now persistent access to your machine, essentially using your machine like a proxy into your network. So, frightening stuff.
__________________

Last edited by SandboxGeneral; Jan 4, 2011 at 08:05 PM.
SandboxGeneral is offline   0 Reply With Quote
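The transcript above describes two rebinding patterns: the 1996-style reply that pairs a real address with a loopback or private fallback, and the 2010 Black Hat variant that answers with the victim's own public WAN address. The resolver-side defence against both is to refuse such answers for any name outside the local zone; dnsmasq exposes this as its stop-dns-rebind option. The code below is an added example (not from the thread, NoScript, or dnsmasq) that models that filter. The second byte of the RFC 1918 range the transcript could not recall is 16 through 31, i.e. 172.16.0.0/12, which the example tests at its boundary. The WAN address, the local-zone suffixes and the hostname attacker.example are assumptions.

```python
"""Reject DNS answers that would let an external name rebind to the inside of the network.

Added example, not code from the thread. Models the resolver-side defence (compare
dnsmasq's --stop-dns-rebind): an answer for a name outside the local zone may not
point at RFC 1918 space, loopback, link-local, or the network's own WAN address.
"""
import ipaddress

# Networks an external name should never resolve to. RFC 1918 is 10/8, 172.16/12
# (172.16.0.0 through 172.31.255.255) and 192.168/16; loopback and link-local are
# included because the 1996-era attack used 127.0.0.1 as the fallback address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]


class RebindGuard:
    def __init__(self, wan_ip=None, local_zones=("lan", "home", "localdomain")):
        self.wan_ip = ipaddress.ip_address(wan_ip) if wan_ip else None  # assumed, if known
        self.local_zones = tuple(z.lower() for z in local_zones)        # assumed suffixes
        self.events = []  # (name, address, reason) for every answer dropped

    def is_local_name(self, name):
        """Single-label names and names under a local zone may map to private space."""
        labels = name.rstrip(".").lower().split(".")
        return len(labels) == 1 or labels[-1] in self.local_zones

    def reason_to_drop(self, name, ip):
        if self.is_local_name(name):
            return None
        if any(ip in net for net in BLOCKED_NETWORKS):
            return "external name resolved to private/loopback address"
        if self.wan_ip is not None and ip == self.wan_ip:
            return "external name resolved to this network's own WAN address"
        return None

    def filter_answer(self, name, addrs):
        """Return the addresses that may be handed to the client; record the rest."""
        kept = []
        for a in addrs:
            ip = ipaddress.ip_address(a)
            reason = self.reason_to_drop(name, ip)
            if reason:
                self.events.append((name, a, reason))
            else:
                kept.append(a)
        return kept


def replay_scenario():
    """Constructed sequence of answers mirroring the transcript's two attack patterns.

    First reply: a real address plus a loopback fallback, so a client that retries on
    the second address would hit its own host. Later replies for the same name carry
    the gateway address and then the victim's public WAN address. A genuinely local
    name is allowed to map to private space.
    """
    guard = RebindGuard(wan_ip="198.51.100.7")  # assumed WAN address (documentation range)
    outcome = {
        "first reply":        guard.filter_answer("attacker.example", ["203.0.113.10", "127.0.0.1"]),
        "rebind to gateway":  guard.filter_answer("attacker.example", ["192.168.0.1"]),
        "rebind to WAN ip":   guard.filter_answer("attacker.example", ["198.51.100.7"]),
        "legit local":        guard.filter_answer("router.lan", ["192.168.0.1"]),
    }
    return outcome, guard.events


if __name__ == "__main__":
    outcome, events = replay_scenario()
    for label, kept in outcome.items():
        print(f"{label:18} -> {kept}")
    for name, addr, why in events:
        print(f"dropped {addr} for {name}: {why}")
```

The guard keys on the name, not on which plug-in asked: that is the point the transcript makes about Flash, Java and the browser each keeping their own DNS cache. A filter placed at the network's resolver (the router, or a dnsmasq instance in front of it) applies to every cache on the LAN at once, which a browser add-on such as NoScript's ABE cannot do.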
Old Jan 4, 2011, 07:55 PM   #11
AlphaDogg
macrumors 68040
 
AlphaDogg's Avatar
 
Join Date: May 2010
Location: Denver, CO
Quote:
Originally Posted by hellodon View Post
It's a Linksys WRT160Nv3 Firmware Version: v3.0.02

Thanks in advance! Any questions or suggestions let me know.
I have the same exact router and the same exact issues. It is an issue with the router. I changed the DNS setting to Google DNS settings and it hasn't been happening as much. I need to find better DNS settings.

Edit: I just updated my router to the 3.0.03 Firmware, and it seems to have fixed the issue. It is also faster after the update, because I do not need to use Google DNS settings. Using the default ISP DNS settings, I am getting about 4-5x the download/upload speeds that I was getting with Google DNS settings. With Google DNS settings, I was getting a seldom max of 1.5mbps down and 350kbps up, with an average of about 900kbps down and 150kbps up. With my default ISP DNS settings, I am getting a max of 4.5mbps down, and 750kbps up, and an average of 4mbps down and 700kbps up.
__________________
15" 2.66GHz C2D uMBP | 13" 2.4GHz i5 MBP 500GB | '07 MacBook
iPhone 5 32GB | iPhone 3GS 8GB | iPhone 8GB
I want to make aliyah to Israel

Last edited by AlphaDogg; Jan 4, 2011 at 10:09 PM.
AlphaDogg is offline   0 Reply With Quote