Help, i think my router is being hi-jacked.!!!

cunningstunt · ‎15-07-2012

Hi guys, for a year now i have been seeing some very strange behaviour, i have tightened up my routers security as much as possible, i have disabled wireless completely, done a hard reset and set a new password, a very secure password, lower case, upper case, numbers, symbols, not a guessable "word". I had noticed the routers activity light flickering a lot, more so than the network detection flicker it does every so often. I opened an account at Open DNS and set the DNS address in the router, this gives you the ability to see what traffic is crossing your router as you can see the DNS logs at open DNS, (And it is free, Why isnt virgin media offering this to customers?). Im at home with my parents, facebook, youtube, bf3, and news sites make up the main body of our browsing, nobody torrents anything, ever. In the logs at open dns i could see someone had attempted to download a load of cracked games, but i had added torrent sites to the blacklist at open DNS so the requests were denied. I got in contact with the virgin media online security team and told them what was happening, i asked them if they could monitor the traffic that is crossing the router from their side, they said they cannot do that, and, it is against the law. The only help they could offer was if i got the originating IP of the person using the router, (Catch22) how do i get it, if virgin media will not help me to get it?. So i am in a position, where no matter what i do to try and protect my privacy, and secure the router, someone somewhere, is able to use it against my wishes. And virgin media have offered absolutely nothing as a remedy, and do not seem to be taking this seriously, i am now in a position where i feel i am being victimised by someone, and virgin media are compliant in allowing it to happen. It has been happening for more than ayear, and, on two seperate routers. Does anyone have any ideas as to how i can help myself, as virgin media are not helping me in anyway at all. And i believe the superhub has a gaping hole in it somewhere that is allowing someone with a private hack to utilise them, and the bandwidth they offer.

plazma · ‎13-07-2012

Ok there is one thing you need to do.

TURN OF WPS completely, this can be hacked, once they have your pin it doesnt matter if you change the wireless key.

Once you have turned it off set a new wireless key (WPA AES) and then see what happens

cunningstunt · ‎15-07-2012

Hi plazma, thanks for taking the time to reply. The wireless aspect is completely switched off, my entire house is cat5 wired and wireless is not required. I would also like to point out, that when this started happening i was unsure if there was a virus on one of the 4 computers in use, afetr repeated scanning and the issue still being present, i decided to format all of them on the same day, and hard reset the router, i disconnected the router from thefiber connection, reset, changed password, set it up, then formatted the laptop i used to set the password, so it was in no way available, using a program called dariks boot and nuke, i used the ultimate boot cd tools to ensure the drives were completely clean before re-installing. All the bios's are up to date and clean. I really don't think i am missing anything, at any sign of an issue with a pc i nuke it immediately and start again. The problem continues, the attitude i found of "Well theres nothing we can do" when i telephoned the internet security center for virgin media and spoke to someone called mary brown, is most unhelpful, and has not in any way helped me to ascertain what the problem is, or, where it is coming from. As i have said, i feel virgin media is being complicit in the continued e-harassment we have been experiencing, if the router is not safe, no computer in my house is safe. I have tried everything i am capable of trying, over the last year to secure my privacy and nothing seems to be working. If there are any techies here, who are willing to provide me with some guidance as to how i can identify where the problem is coming from, i would appreciate it. I have been running wireshark intermittently to monitor my network traffic, can someone tell me how to monitor the traffic on the internet side of the router?. It does not seem to be the Pc's which have win 7 32/64 service pack 1 and all current updates installed on them. I appreciate any help the community can offer, im not getting any help from virgin media.

Steve_Brett · ‎16-01-2012

Hi cunningstunt

You can keep track of ther traffic passing through your superhub by clicking on the "Device Connection Status" button when you log into the superhub. From here you can keep a check on the amount of data uploaded or downloaded from your modem.

Kind Regards,

Steve Brett
Help & Support Forum Team

plazma · ‎13-07-2012

Wireshark will help in assisting you track down your issue, alas your not going to be able anything down below your superhub.

It maybe the results your getting from opendns giving route requests from your connection is due to maybe advert banner calls or something similar or possibly if your ip has changed and been given to someone else.

However one considiration might be if you have an old machine sitting around or which you can stick two network connections in or (see below)

That way you could pipe all the data through the box and monitor all dns requests and traffic made inside the network... however a far easier way.

If you have an old router that will run DD-WRT your able to connection this between all your machines and the superhub, there is an option for running to a syslog (montioring all requests) see here:

http://www.dd-wrt.com/wiki/index.php/Logging_with_DD-WRT

This would give you an idea of exactly what requests are being made.

From the sounds of it there should be no reason why you have been expoited and can only thing there is some flaw in the opendns reporting system, tallying up against a dd-wrt syslog you will be able to see if the requests are being made from inside your network... if they arent dont worry about it your secure.

cunningstunt · ‎15-07-2012

Thank you guys i really appreciate the help. I have a belkin play max router on my machine upstairs, i changed the firmware on it to dd-wrt as the belchin firmware was very poor,the dd-wrt has made it a whole different router, dd-wrt is amazing. It is this in part that is making me suspicious, all the other machines are directly behind the virgin router (3) of them, and it is on these machines, 1 connected directly, the two others are connected via lenovo mains socket ethernet adapters, i am seeing issues, the traffic is encrypted around the mains wiring. I will take your advice and see what i can see. It is nice to know there are people willing to help, thank you plazma and virgin support.

plazma · ‎13-07-2012

Its not likely to be the mains adapters home plug AV specification from memory is 256 AES, you would either have to know the network name (if you set it manually) if you used the pair button instead you would have only had a 1 minute window to hijack the pair sequence so its not very likely to be the power line adapters.

That said ive not come across lenovo (lbm) ones before and im not sure what spec the adhear to, but is its a non standard spec your also going to need another non standard (lenovo) plug to make the hack work.

So again i dont think its likely to be that.

Glad your liking DD-WRT try putting everything behind DD-WRT then using the syslog as i said above, that will help you identify if the requests are inside your network and if so whats making them.

cunningstunt · ‎15-07-2012

One last question plazma, do you know of any software that can read the DNS request packets, and filter them into a ip blocklist based on the information held inside the request?. I can block them at open dns if i have the domain name, but i need something that will do it based on the ip address inside the dns request packet. is this even possible?.

cunningstunt · ‎15-07-2012

Here is the link to dd-wrt for those that may have an old router lying around that they would like to be useful again. http://www.dd-wrt.com/wiki/index.php/Main_Page

plazma · ‎13-07-2012

Ummm, i think that if you want to block traffic from inside your network (DNS requests) you would be better to first identify whats making the requests.

Once you have the IP you should be able to use iptables script.

Using DD-WRT startup script (run script for testing) and following the guide here of the ip tables commands you need:

http://serverfault.com/questions/374846/block-all-incoming-dns-requests-except-from-ips-x-y

Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!

Re: Help, i think my router is being hi-jacked.!!!