Exploit changes DNS settings and disables LAN interfaces

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2014-04-16 20:17:50
Region : Argentina

Model : TD-W8968

Hardware Version : V3

Firmware Version :

ISP :


Hi!

I work at a major ISP in Argentina; we use, among others, the TD-W8151N router modem.

Thousands of our customers are experiencing trouble related to some kind of attack from a virus or "exploit" that does the following:

1.- Changes the DNS server to some "fake" servers (68.168.98.196 and 216.55.138.88 in our case)
2.- Disables the physical ports of the DHCP server, LAN, Interfaces setup section.

I read some "old" articles with scary news:

http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html

http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-link-routers-2/

https://www.youtube.com/watch?v=pz9cZtdOrT8

Here are my questions:

1- Does the latest firmware fix this issue?
2- Where can we get that?
3- Is there any tool to remotely fix the firmware of thousands of devices?



I tried to run a script to set the right configuration:

[CODE]set lan dhcp server
set lan dhcpdns a.c.d.c e.f.g.h[/CODE]

but I have not yet found the commands to enable the physical port on the LAN interface.

4- Which command do I need to run to enable the port?

Here is the screenshot of an attacked device.






2014-04-17 00:53:40
Hello, it also happened to my router: TD-W8961ND

Same issue: DNS changed to: 216.55.138.88
DHCP -> physical LAN port disabled

Firmware: 1.0.0 Build 101122 Rel.06433
Firmware ADSL: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_6.0

Incredible!

How to fix?
2014-05-20 06:10:07
Try googling "w8968 vulnerability"; there is a list of issues, but the only advice so far would be to put an OpenWrt firmware on the device instead of the vulnerable one.

The faults are all software rather than hardware, it seems, but replacing the firmware would in theory invalidate your warranty, and that is on the assumption you can find or build an OpenWrt image.