I think my router might be hacked?

Discussion in 'Mac Basics and Help' started by hellodon, Sep 5, 2010.

  1. hellodon macrumors 6502

    Jan 19, 2006
    I can't find much information on this online, but I have heard of routers being hijacked and rerouting websites, having DNS reroute problems etc.

    Here are a few examples of things happening.

    Sometimes when I go to a message board at offtopic.com, it loads washingtonpost.com

    Today Twitter was some random blogspot blog

    Ebay SSL Certificate showing up as invalid

    PayPal SSL Certificate showing up as invalid

    Facebook.com not loading

    Shopping.com (I think....it was some shopping site) loaded Pricegrabber.com

    Sometimes sites just don't load, when there are no issues with the site, it'll just get a white page with an error message.

    There have been other odd happenings.

    This is all pretty weird stuff that has happened over the past few months. I have kind of just brushed it off. I never enter personal info or anything so HOPEFULLY nothing important has been taken.

    Now - it might be your first instinct to assume that my computer might be hacked/hijacked/virus but it's NOT my computer. Like 100% not my computer. We have 3 Macs here, 2 iPhones and an iPad. Whenever I am having these issues it is on ALL devices. All on wireless so this is definitely coming from the router. I have tried searching for help with this through Google and can't seem to find any info. I see mention of what people were saying is a DNS hacked router, but no way to repair or even anyone discussing it so I really don't know where to turn. Maybe someone here can point me in the right direction?

    What's also strange is these are always temporary...for example, I noticed it tonight when I went to do a PayPal refund, and got that SSL error so I left the site about a half hour ago. Just went again to get a screen shot to include with this post and it's back to normal and SSL verified.

    Can anyone offer any input on this? I'm tempted to just go buy a new router...unfortunate thing is, this one isn't old. I bought this last fall and have noticed the weird problems since shortly after that.

    It's a Linksys WRT160Nv3 Firmware Version: v3.0.02

    Thanks in advance! Any questions or suggestions let me know.
  2. EricNau Moderator emeritus


    Apr 27, 2005
    San Francisco, CA
    I'll admit, I'm not very familiar with reports of such hacking incidents (or any alternative explanations for the behavior you are experiencing), but using your router's reset button should revert all of its settings to factory defaults. If your router was indeed hacked, this should revert any changes. And as is the case whenever hacking is suspected, changing your passwords (both the network password and the router's admin password) is a must. Good luck. :)
  3. sjinsjca macrumors 68020


    Oct 30, 2008
    Sounds more like a DNS issue than a hacked router.


    o Check to see if the firmware is the latest.

    o Make a backup of your router's settings, and print them out for good measure. Then (after updating the firmware, if a new rev is available) do what a previous poster suggested and reset the unit to its factory settings. The process varies by model, so check the manual. The "reset" button on some units just reboots the unit; on others it wipes everything.

    o After resetting the unit, connect your computer via a cable and reconfigure the router via its web-based interface. Avoid the setup software that comes with many routers nowadays-- it's uniformly crap. Instead, go through the settings you recorded, paying special attention to the DNS-related settings to ensure they're what your ISP recommends. At the same time, take the opportunity to ensure that the router's security and QoS functionalities are turned on.

    o When you're done, change the router's password and ensure that remote configuration is turned off (unless you have a very, very good reason to turn it on).
  4. hellodon thread starter macrumors 6502

    Jan 19, 2006
    Definitely is a DNS issue but what I read about is some form of hacking that hacks and redirects DNS within the router. That is DEFINITELY the issue.

    I did a complete reset/reconfigure...still having the issue. Strange right?

    It sorta sounds like this: http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

    But it's not a situation where I'm looking at what I THINK is one page, and the address bar says something different. For me, I see the correct address in the address bar but the page in front of me is either wrong or has some sort of error.

    Here are some of the few links I've found that seem like a similar issue:


    This one is actually something I found just now...and I am trying the suggested DNS flush using Terminal. Maybe that'll do it. I'm glad to hear that someone said they think it's NOT a DNS hijack....

    Sounds like I'm not alone in this problem. Maybe it's the router? Definitely the latest firmware for it. It's a newer model since the CISCO buyout and it came with that firmware, no updates were found when I checked.
  5. hellodon thread starter macrumors 6502

    Jan 19, 2006
    Now I'm reading that this is a known issue that Linksys seems to be ignoring.


    I'm going to try a few things, but does anyone have any suggestions on the best wireless router to buy? Maybe I'll just go with a new one that works better.

    I have the following devices that need to be compatible.
    Xbox 360 Slim, Built in Wireless N
    PS3 Built In Wifi
    Nintendo Wii

    Long Range...I need something that has the best possible wifi range because I have weird walls and a very long house. Don't have room for wires or an access point and the living room isn't very close to the computer room where the router will be. Right now it gets signal out there just barely. 2000 SQFT house and it's all one floor...

    Everything should be fine, just worried about the Xbox and PS3 working well. Right now my PS3 has weird issues that it never had too. Had to wire it to get it to download the other day. I think this router is just cursed! Might be time to burn it and move on if I can't get this stuff situated.

    Thanks for the tips so far!
  6. hellodon thread starter macrumors 6502

    Jan 19, 2006
    I tried the DNS flush last night.

    Right now twitter.com is a white page and says:

    Invalid URL

    The requested URL "/", is invalid.
    Reference #9.7c341818.1283823327.45e8495b

    Just wanted to give an example.
  7. sombrestyles macrumors newbie

    Jan 4, 2011
    Same Problem

    I am experiencing the exact same problem, sometimes it's weird stuff like Facebook going to Google. But it is mostly that error message, blank page.

    It will do it to pages I visit often, then once I can’t use that site and go to another for a while it will do it to that one, I also have several devices and it happens on all of them.

    I reset my router and changed my password and it seems to have gone away other than two short experiences (a few minutes) with that same error message.

    Sorry I'm not much help at getting around it, but like you I have been searching A LOT, and I think this is the first time someone else explained it exactly like what I’m getting.

    It is really annoying, I’ll post here again if I figure anything out.
  8. miles01110 macrumors Core


    Jul 24, 2006
    The Ivory Tower (I'm not coming down)
    Try manually setting the DNS server address in the router control panel. Use OpenDNS or Google DNS.
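
Added example, not part of any post in this thread: before or after changing the router's DNS setting as suggested above, this script compares the A records returned by the router's DNS proxy with those from a public resolver and flags answers that fall in private address space. The router address 192.168.1.1 and the script name `dnscheck.sh` are assumptions; 8.8.8.8 is Google Public DNS.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed addresses: 192.168.1.1 is the
# router's DNS proxy (common Linksys LAN default), 8.8.8.8 is Google DNS.

# Keep only IPv4 lines from `dig +short` output (drops CNAME lines), sorted.
ipv4_only() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# True if any answer is loopback or RFC 1918 space, which a public site
# should never resolve to (the pattern DNS rebinding relies on).
has_private() {
    ipv4_only "$1" |
        grep -Eq '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Classify router answers ($1) against reference answers ($2).
compare_answers() {
    if has_private "$1"; then echo "private"; return; fi
    a=$(ipv4_only "$1"); b=$(ipv4_only "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then echo "no-answer"; return; fi
    if [ "$a" = "$b" ]; then echo "same"; return; fi
    common=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)
    # Disjoint sets can be legitimate for CDN-hosted names; treat them as a
    # prompt to re-check and to inspect the TLS certificate, not as proof.
    if [ -n "$common" ]; then echo "overlap"; else echo "disjoint"; fi
}

check_name() {  # $1 hostname, $2 router resolver, $3 reference resolver
    r=$(dig +short +time=2 +tries=1 A "$1" @"$2")
    p=$(dig +short +time=2 +tries=1 A "$1" @"$3")
    echo "$1: $(compare_answers "$r" "$p")"
}

# Live queries run only when hostnames are passed on the command line.
for name in "$@"; do
    check_name "$name" "${ROUTER:-192.168.1.1}" "${REFERENCE:-8.8.8.8}"
done
```

Run it from Terminal as `sh dnscheck.sh twitter.com paypal.com` while the misbehaviour is happening, since the symptoms described in this thread are intermittent.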
  9. morphineseason macrumors regular

    Apr 1, 2007
    I had the same exact issue, and setting the router to manually use OpenDNS seemed to fix the issue (or at least make it happen less). I think I may have had the same router even. I eventually just replaced it with an Airport Extreme because I was tired of the issues and the overall slow performance.
  10. SandboxGeneral, Jan 4, 2011
    Last edited: Jan 4, 2011

    SandboxGeneral Moderator emeritus


    Sep 8, 2010
    DNS Rebinding

    It is possible that your router and/or browser was the subject of a DNS rebinding attack. I was going to try and explain it myself, but knew that security expert Steve Gibson told it far better than I could. I copied and pasted with a few small edits, the partial transcript from Security Now episode 260, dated 08/05/2010.

    You can also read more about DNS rebinding >>here<<.

    Most routers are capable of having up to a 63 character password for the wireless side and even for the admin password. I always encourage people to use a good pseudo random generated password with maximum entropy for their security. Also, make sure you're using the protocol WPA or WPA2 and never WEP. WEP can be cracked (<<MP3 Podcast link) in as little as 3 or 4 minutes regardless of how good your password is because of the TKIP protocol. And always make sure you have the WAN access of your router disabled. There really is no good reason to have it enabled.

    Firefox with the NoScript add-on installed is about the most secure you can make your browser unless you disable Javascript altogether. But then a lot of sites you want to work, will stop working. It's a damned if you do, damned if you don't approach and it sucks. With NoScript it blocks all JavaScript from running on your browser by default and you have the option to allow temporarily or permanently scripting on domains of your choice.

    Also, check for any new firmware updates for your router since August when the rebinding attack was revealed again at Black Hat. Many companies have scrambled to make the fixes, including Apple which pushed out a firmware update for their line of routers in December.

    Also another good application to use is Flush. It is for OS/X and will clear out all the LSO's (Local Shared Objects) or Flash cookies. These are cookies that are cross-platform, meaning the same Flash cookie will be used by Safari, Chrome, IE, Firefox etc... They are used to track you like regular cookies, but are more powerful at it and harder to clear without Flush or for Firefox the Better Privacy add-on. Better Privacy can be configured to clear the LSO's upon exiting a browser session automatically.

  11. AlphaDogg, Jan 4, 2011
    Last edited: Jan 4, 2011

    AlphaDogg macrumors 68040


    May 20, 2010
    Boulder, CO
    I have the same exact router and the same exact issues. It is an issue with the router. I changed the DNS setting to google DNS settings and it hasn't been happening as much. I need to find better DNS settings.

    Edit: I just updated my router to the 3.0.03 Firmware, and it seems to have fixed the issue. It is also faster after the update, because I do not need to use Google DNS settings. Using the default ISP DNS settings, I am getting about 4-5x the download/upload speeds that I was getting with Google DNS settings. With Google DNS settings, I was getting a seldom max of 1.5mbps down and 350kbps up, with an average of about 900kbps down and 150kbps up. With my default ISP DNS settings, I am getting a max of 4.5mbps down, and 750kbps up, and an average of 4mbps down and 700kbps up.
