
View Full Version : Change Your Router Password NOW!


davidh
February 18th, 2007, 01:28 PM
Change Your Router Password NOW!

http://www.appscout.com/2007/02/change_your_router_password_no_1.php#more

Or undetectable jscript hack could easily steal your bank ID & PW.

DH

Judy G. Russell
February 19th, 2007, 04:59 PM
Change it now, provided you didn't change it before, that is. This really is only a problem for those running with the default settings.

davidh
February 19th, 2007, 05:31 PM
Change it now, provided you didn't change it before, that is. This really is only a problem for those running with the default settings.
I think default setting is the rule rather than the exception for most broadband ISP's ?

DH

Mike
February 20th, 2007, 01:02 AM
I think default setting is the rule rather than the exception for most broadband ISP's ?
It's not the ISPs, it's the users. Many people open the box, plug it in, and never think about it again.

davidh
February 20th, 2007, 09:00 AM
It's not the ISPs, it's the users. Many people open the box, plug it in, and never think about it again.
Me too. Never changed the password until I had to go into the router to enable VNC protocol. Then I forgot to write down the password :(

DH

Judy G. Russell
February 20th, 2007, 05:28 PM
I think default setting is the rule rather than the exception for most broadband ISP's ?
As Mike says, it's not the ISPs. It's the people who go to Best Buy, spend $50 on a router, come home, plug it in and never give it another thought.

Lindsey
February 20th, 2007, 10:44 PM
Me too. Never changed the password until I had to go into the router to enable VNC protocol. Then I forgot to write down the password :(

I hate it when that happens. If you can reconstruct what you were thinking about at the time you changed the password, though, you might find you can figure out what you used. That has worked for me, though it works best if it's only been a short time since I set the password.

--Lindsey

Mike
February 21st, 2007, 01:38 AM
Me too. Never changed the password until I had to go into the router to enable VNC protocol. Then I forgot to write down the password
Most routers have a reset button that will reset the router to the factory settings, including any passwords. You may need to reconfigure it, but at least you can get back into it.

davidh
February 21st, 2007, 09:52 AM
Most routers have a reset button that will reset the router to the factory settings, including any passwords. You may need to reconfigure it, but at least you can get back into it.
I don't know about routers, but one embedded network device, that I used to write C code for, had a special packet that you could send to it to reset it to the factory configuration that I had to use once when I accidentally set its IP address to zero :(

DH

jdh
June 21st, 2007, 05:08 PM
Change Your Router Password NOW!

http://www.appscout.com/2007/02/change_your_router_password_no_1.php#more

Or undetectable jscript hack could easily steal your bank ID & PW.

DH

If the router is hacked and you can't fix it right away (e.g. bad guys changed the password), you can configure your PC network settings to use the IP addresses of OPENDNS.COM DNS servers.

BTW you can also use opendns.com to block adult web sites (optionally).

DH

sidney
June 21st, 2007, 11:53 PM
I always change the LAN ip address of the router and therefore the ip address range handed out by the router's DHCP server, to something other than the default. This attack only works if the javascript looks for the default ip address of the router. For example, the router may have a default ip address of 192.168.1.1 and expect all computers on your local network to have addresses of the form 192.168.1.*. I would change that to, perhaps, 192.168.20.4 and serve addresses of 192.168.20.5 and up.

That way I can keep the default password, which I can always look up in the router's manual during the rare times that I need it.

-- sidney

jdh
June 22nd, 2007, 09:37 AM
I always change the LAN ip address of the router and therefore the ip address range handed out by the router's DHCP server, to something other than the default. This attack only works if the javascript looks for the default ip address of the router. For example, the router may have a default ip address of 192.168.1.1 and expect all computers on your local network to have addresses of the form 192.168.1.*. I would change that to, perhaps, 192.168.20.4 and serve addresses of 192.168.20.5 and up.

That way I can keep the default password, which I can always look up in the router's manual during the rare times that I need it.

-- sidney
Thanks for the idea.

Sounds like it should work. But perhaps an exploit could try a brute force attack against all possible 65535 addresses on the LAN ? Though the probability of successfully breaking in with a default password would be low if the default address was not used for the router. Also, I wonder if a script could download and invoke a java applet that somehow could look up the gateway address from the Windows PC (e.g. from registry?) ?

DH

sidney
June 23rd, 2007, 03:59 AM
perhaps an exploit could try a brute force attack against all possible 65535 addresses on the LAN ? [...] Also, I wonder if a script could download and invoke a java applet that somehow could look up the gateway address from the Windows PC (e.g. from registry?) ?

I don't think that kind of search would be feasible due to the time it would take to time out on a nonexistent ip address before realizing that it is no good and go on to the next one.

As for a Java applet, it would have to be signed and put up a dialog asking the user if it is to be trusted before it could read the registry.

Even if it were possible to have a script try to access the gateway on a nonstandard address, I doubt that anyone will bother doing that instead of going for the easy pickings of people with fully default setups.

In any case I'm safe because my WiFi access point is configured as a bridge and my DNS comes from a much less common box that is acting as my firewall. I doubt that anyone would include the default password for that box in their list or write the script to work with its login and configuration screens.

jdh
June 23rd, 2007, 10:35 AM
I don't think that kind of search would be feasible due to the time it would take to time out on a nonexistent ip address before realizing that it is no good and go on to the next one.

As for a Java applet, it would have to be signed and put up a dialog asking the user if it is to be trusted before it could read the registry.

Even if it were possible to have a script try to access the gateway on a nonstandard address, I doubt that anyone will bother doing that instead of going for the easy pickings of people with fully default setups.

In any case I'm safe because my WiFi access point is configured as a bridge and my DNS comes from a much less common box that is acting as my firewall. I doubt that anyone would include the default password for that box in their list or write the script to work with its login and configuration screens.

I had forgotten about the time outs.

I think some malwares may be using the ability of some routers to be configured to block certain domains (or domain names containing certain words) by configuring the routers to block access to anti-malware sites.

:(

DH

jdh
June 24th, 2007, 09:01 PM
I had forgotten about the time outs.

I think some malwares may be using the ability of some routers to be configured to block certain domains (or domain names containing certain words) by configuring the routers to block access to anti-malware sites.

:(

DH

Turned out that malware had not reconfigured the D-Link DI-624 router in question (to me) to block anti-malware sites. Instead some bumbler had configured it to block any url with "ads" in the url. Which, by chance, affected our access to some anti-malware sites and other sites. Since the default password (none) was still there I could log in with CrossLoop and delete the 'parental controls' to stop the errors.

However, for at least this DI-624, it WOULD be possible for a malware java script to reconfigure a raw from factory router to block specific anti malware domains. The only actual exploits I am aware of however (via ISC) relate to pointing the router DNS to a bogus DNS machine (for bank phishing attacks).

DH

ndebord
July 5th, 2007, 07:30 PM
Thanks for the idea.

Sounds like it should work. But perhaps an exploit could try a brute force attack against all possible 65535 addresses on the LAN ? Though the probability of successfully breaking in with a default password would be low if the default address was not used for the router. Also, I wonder if a script could download and invoke a java applet that somehow could look up the gateway address from the Windows PC (e.g. from registry?) ?

DH



David,

It's funny. I have been sitting on the sidelines smug as a bug...

(as I have w98se).

However, I just got DSL on my new restaurant computer and Verizon totally befuddled me when they helped me set up DSL. Route number here...code there...on and on and I have not a clue where or what I entered. Except to note that it seemed quite involved and complicated.

I am getting a DSL wireless credit card machine, so I will have to now pay attention to such things as router passwords. With any luck, I will have the company tell me what to do and I'll just do it, but got to say, I am behind the eight ball here with XP (and home edition, not pro). (media center HP Pavilion Slimline s7620n)

SIGH

jdh
July 6th, 2007, 12:54 AM
I just re-upped for Verizon DSL lite.

I used the same Westell 327W router that I had from Verizon before.

There was no setup at all required on my part.

I thought that I had to download and run some Verizon software to complete the sign up process. I couldn't get the software to run on Windows 98 even tho' it was supposed to. I forget the details. Turned out I did not need that software at all. They also included a CD with software that is supposed to help diagnose the connection in case there is trouble, but I could not get that program to install and run correctly either. So I have absolutely zero Verizon software on this PC now.

I had pre-signed up for a user ID, when I ordered the service online. But I forgot my password and had to call support for them to reset my password.

So I finally got my Verizon email to work and set up an absolute minimal web site on Verizon and verified that I could access it with FTP in case I ever want to develop it. And I also could actually log in to my account and opt out of ads, etc. or order additional (probably mostly junk) online services in future.

Actually there was really no pressing need to make my verizon email and web site work since google email and google web sites are free and better.

I don't know anything about credit card machines. I don't know what protocols they use. I would rather think that they might oughta use some kind of encrypted protocol ?

I know that I did have to go into my router in the past to use the VNC protocol and tell the router that I wanted to use VNC protocol. Now I'm using Crossloop to access my wife's computer mouse keyboard and desktop remotely sometimes, and I don't know if Crossloop uses VNC protocol or not (maybe does)? So far I have not had to go into the router to mess with it anymore besides that one-time enabling of VNC protocol.

You can run winipcfg.exe or ipconfig.exe at the START | RUN command line to check out your network settings (it's safe, doesn't modify anything). I forget if winipcfg.exe is on XP. I think I might have copied it from Win 98 onto Win XP in past.

The reason for changing the router password is to prevent the possibility that you ever click on a compromised website or email that has javascript in it that knows the default passwords of routers and could thus go into the router and reprogram the router to get bogus IP addresses for real genuine domains (e.g. ebay.com) from a bogus DNS server and steal your passwords by showing you a website that could be pixel by pixel indistinguishable from the real, including showing you the "correct" web address in the address bar.

Of course, if you actually looked "under the hood" e.g. using NETSTAT.EXE you would see network traffic to "unknown/weird/bogus" IP addresses.

I think I mentioned elsewhere in this thread that I had to "fix" a messed up D-Link router recently. Turned out the mess up was probably just somebody didn't know what they were doing, and not malicious. I was a little bit scared at first because I thought if an attacker could mess up DNS then maybe they could mess up something else in the router.

If you have good anti-virus, anti-spy, firewall and use only Firefox with NoScript and AdAware on the PC on the same router as the card machine then the security risk of not changing the default password may be small.

I think Sidney also mentioned a trick you can use to protect yourself, without changing the default pw. But you may not want to go that deep into it.

My stepson suggested IE7Pro as an alternative for the sake of security to Firefox with NoScript, but I have not actually looked into it since I only rarely use IE and I don't know how well the IE7Pro add on might work with my IE6.

He also suggested using OpenDNS instead of the default DNS, to avoid any possible bad effect of the javascript exploit, but you DO have to go into your Windows network settings to do so.

If you're going to use NoScript in Firefox, I'd suggest going into the NoScript settings and disabling Java, Flash, and plugins on non-whitelisted sites.

I use Java for the weather radar on NWS NOAA and rarely Flash on Yahoo Webmessenger IM, but that's about it, so I don't mind temporarily clicking on an extra icon to run Java or Flash or music on a site that is not currently whitelisted by me in my NoScript.

DH
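
Added example, not part of any post in this thread: a check of which DNS servers a PC is actually using, parsed from `ipconfig /all` output, so that a resolver nobody chose stands out. The sample output is constructed, and the trusted list (the two OpenDNS resolver addresses) and the function names are assumptions of this example.

```python
import ipaddress
import re

# OpenDNS public resolvers (the service suggested in the thread).
TRUSTED = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output; 203.0.113.53 is a
# documentation-range address standing in for an unexpected resolver.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.101
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       208.67.222.222
"""

FIELD = re.compile(r"^\s*(.+?)[ .]*:\s*(.*)$")

def _ip(text):
    """Return the normalized address if text is a bare IP, else None."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def parse_fields(text):
    """Collect gateway and DNS addresses, including continuation lines."""
    found = {"Default Gateway": [], "DNS Servers": []}
    current = None
    for line in text.splitlines():
        if current and _ip(line):            # bare address under a field
            found[current].append(_ip(line))
            continue
        m = FIELD.match(line)
        current = m.group(1) if m and m.group(1) in found else None
        if current and _ip(m.group(2)):
            found[current].append(_ip(m.group(2)))
    return found

def unexpected_resolvers(text, trusted=TRUSTED):
    """DNS servers that are neither the local gateway nor on the trusted list."""
    f = parse_fields(text)
    allowed = set(trusted) | set(f["Default Gateway"])
    return [ip for ip in f["DNS Servers"] if ip not in allowed]

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE))
```

A resolver equal to the gateway only shows that the PC asks the router; the router's own upstream DNS setting still has to be read from its admin page.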

jdh
January 26th, 2008, 07:14 PM
I finally came to a point where I had to go into my DSL router to check settings and so actually did need to enter my ID and password which I had forgotten LONG ago. Fortunately the router had a reset button accessible from the outside, so it was easy to set a new password.

David H.

jdh
January 27th, 2008, 11:16 AM
There was another article on same or similar attacks (sets router to use malicious DNS) on ISC last week. There must be millions of such routers sold to clueless users every year, so I'd expect this kind of attack to continue as long as there are any vulnerabilities in Windows, Mac, or LINUX, etc. applications and system software to exploit, i.e. longer than the rest of my life.

David H.