Is my DNS Relay setting being hacked? (TD-W8901G)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Is my DNS Relay setting being hacked? (TD-W8901G)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Is my DNS Relay setting being hacked? (TD-W8901G)
Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-05 14:56:06
Model :

Hardware Version : Not Clear

Firmware Version :

ISP :





When I configure my TD-W8901G I set the DNS Relay field to "Use Auto Discovered DNS Server Only" which grays out the Primary and Secondary Server fields. After a few weeks invariably I find the field value has changed to "Use User Discovered DNS Server Only"

Does this mean my router is getting hacked or how does this value change without my doing it? Is this a security risk?

Thanks

David
  0      
  0      
#1
Options
12 Reply
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-06 15:09:51
Is anyone else logged in your router?
I think the setting will not change by itself.
  0  
  0  
#2
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-06 17:23:12
Thanks for reply kunkka.

No one is logged in to my knowledge. I found on Google somebody with the same issue though I don't know if same router. I have reset router and changed password but I am fairly sure it will happen again. I'll report back on this thread.

Would be good to hear from a tp-link support person please.
  0  
  0  
#3
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-09 12:03:59
Would you believe less than 3 days! I noticed an extra tab popping up momentarily when browsing so tried accessing router via web page to see if it had been hacked again and couldn't even log on to the router. Tried pinging the router and couldn't do that either. Hard reset got me back in but I know I'll be hacked again.

HOW COME NO RESPONSE FROM SUPPORT STAFF!!!!!!!!

WHAT IS POINT OF SUPPORT FORUM IF SUPPORT STAFF DON'T REPLY?????
  0  
  0  
#4
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-09 15:50:08
Dear davidk64
This is actually a spyware problem which is hiding somewhere in your phone, tablet or computer, your router is not at fault, you need to take the following steps to protect yourself for future
1. Disable the UPnP service in your router immediately. (This is an open service which give non authenticated access to your router)
2. Change the password of your routers admin account.
3. Change your dns to either auto or enter manually the correct dns
The above steps will make sure your router is protected from future troubles.
4. Run antivirus scans on all your devices and clean the spyware.

Hope the above solves your issues.
  0  
  0  
#5
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-09 19:26:23
Many thanks for your reply coolsun85! I'm guessing you are not tp-link support staff so very decent of you. Do you think there are any actual support staff employed by TP-LINK?
1. The UPnP is already deactivated I found
2. I have changed the admin password after doing a hardware reset
3. The dns is back to auto after running the wizard
4. I have two PC's on my local network. A Dell desktop via ethernet to the router - Windows Defender full scan found nothing. An iMac via wireless to the router - AVG full scan found nothing.

Call me a pessimist but I don't think I've seen the end of this as I have changed the admin password on previous occasions and had the same problem return.

Can you explain a bit more what you think this spyware is doing? Is it logging my keystrokes to find out the admin password? Otherwise if it's not a problem with the router how could it gain access to change settings?
  0  
  0  
#6
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-10 09:15:09
Less than 24 hours later and the router has been hacked again!
  0  
  0  
#7
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-12 15:38:32
This spyware does not record keystrokes it only changes your DNS to inject Advertisements in your browser and the hackers earn quite a lot of money like this.
If your UPnP is disabled and you are still getting hacked I will suggest you disable Remote Management because many routers from Dlink, Netgear and TP-Link are getting hacked due to a
CGI-Script Vulnerability in their firmware.
Also for scanning your machines try using ADW Cleaner. Many adwares and spywares are not detected by windows defender and AVG.
if the above do not solve your problem I suggest you upgrade your router.
  0  
  0  
#8
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-13 09:19:52
Thanks again for the reply coolsun85. I have discovered my PC is infected with "tradeadexchange" (through noticing a tab popping up momentarily when clicking links in Google Chrome and then seeing the entry in history). I have scanned with the following without success: adwCleaner, AVG, HitmanPro, TrendMicro Housecall, JRT, MalwareBytes, and Zemana. One question I have is why do all the websites say try this set of scanners, why can't they say for Virus Y use scanner Z that finds it? It doesn't seem like you can search on the net for "A scanner that has recently been successfully finding tradeadexchange virus"

I'm not certain whether my router has configurable remote access management? Unless it is this:





If so it is already disabled?

I guess I have to get rid of this virus regardless of whether I buy a new router and maybe need to pay a technician with better detection tools to do it?

How come TP-Link don't provide a new version of firmware to fix the vulnerability?
  0  
  0  
#9
Options
Re:Is my DNS Relay setting being hacked? (TD-W8901G)
2016-01-14 13:42:00
Dear Davidk64

1. This is a newly found vulnerability and no company including TP-Link will provide firmware update for older models, in fact you can stop expecting firmware updates from a networking company within 1 year of product launch, I know its terrible but this what the industry trend is.
2. You must be having a newer version of tradeadexchange virus because I have personally removed this virus using adwcleaner so it used to detect and clean it around 2 months back
3. You need to enable acl to stop remote mangement, please follow the below steps
For Web Interface 1:
Step2 Go to "Access Management – ACL" page and create one rule to only allow LAN access, so that remote WAN access was disabled; You can also create other rules according to your requirement, such as allow WAN side ping or telnet.



  0  
  0  
#10
Options
The game is afoot!
2016-01-14 16:49:16
Thanks once again - your help is greatly appreciated! I have made the changes to the ACL list per your instructions. By a bit of detective work I have convinced myself that the virus is in fact on the iMac not the Dell. I had assumed it was the Dell as I'd observed the redirection in Google Chrome on that machine. But in discussing it with my wife I realised once the router DNS field is hacked the behaviour could be evidenced on either machine without it following that the virus is located there. So now I'm searching for it on the iMac - this would explain why adw didn't locate it on the Dell.

I have tried AVG and Avira so far. Do you know per chance of a Mac free virus scanner that locates this virus?

I hope this thread will be useful to other people who experience this virus in the future.
  0  
  0  
#11
Options

Information

Helpful: 0

Views: 3373

Replies: 12

Related Articles