Need Help With Router HiJack/Exploit
Hi.
I am having issues with my network being hijacked. I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.
As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway (<MY IP>.utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221*DOT*mailout*DOT*ekwin*DOT*twelvehorses*DOT*com). I can't find anything other than the WHOIS which also shows the owner has another URL out of Denmark 'twelvehorses*DOT*de'.
I get the same result from any computer or device attached to my router (as far as being redirected). This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router. I only get redirected through the suspicious IP/URL when connected to my router.
How do I get things under control?
Note: Replaced part of the suspicious URL characters with *DOT* so others don't accidentally click or copy to an illicit URL site.
CORRECT IP/URL WHEN NOT USING TP LINK ROUTER VIA DIRECT GATEWAY
ILLICIT URL WHEN USING TP LINK ROUTER
IrvSp wrote
There are many ways to see your IP address.
Sites like Facebook and Google's GMAIL will show you.
Sites like this will as well:
https://whatismyipaddress.com/
https://www.whatismybrowser.com/detect/ip-address-location
https://www.iplocation.net/find-ip-address
https://www.expressvpn.com/what-is-my-ip
These should match the IP Address shown in the router (WAN IP Address).
Have you checked the DNS being the same when connected to the router and just the modem? On Windows, use IPCONFIG /ALL in a CMD prompt.
I understand you are trying to help with the best information you have, however, this is not something showing up through regular IP checks and seems to be being caused by my router's information. It is either the way my web mail server gathers that info from TP-Link style routers or something more illicit, as when directly connected I get the correct info as far as my last known login info. As well, my original description clearly states what you are asking.
OK, one last suggestion and I'll butt out...
There are sites on the web that WILL see if your router has been hijacked.
https://www.f-secure.com/us-en/home/free-tools/router-checker
Might want to give that a try. Not sure it will be worth it though. Basically it seems to check the IP address against the DNS and see if they are from the same ISP. That is because most 'hackings' resort to changing the DNS so it goes to either sites they prefer, ones that would deliver malware, or fake sites to steal data from you. You said the DNS were the same, so it probably isn't DNS poisoning.
I have run that after your suggestion. I am getting the results I would expect from my ISP DNS and such.
I also just called my ISP. They see my connection to the router as correct but had no idea why their web mail server would be telling me my last known login location as the 'twelvehorses' bit (no pun intended, but funny nonetheless).
Given that when I log in not connected to the router they give me the correct information, and it's only when I log in to the webmail server from any device using the router that I get the illicit/suspicious return, this shows me that it is not my machines or ISP settings but that something is somehow being affected by the router.
Maybe not a 'man-in-the-middle' but possibly a mirrored 'man-on-the-side' attack.
I don't know and it's got everyone I am speaking with baffled, yet they all agree that the information on TwelveHorses (from WHOIS to social sites like LinkedIn) definitely sets off red flag warnings and bells.
Either it's something weird with this router or I have accidentally stumbled upon a rare exploit variant that affects TP-Link routers and I just want to find out which it is.
I also have another TP-Link router I will be trying to see if it causes the same results, as maybe somehow it's just something weird with TP-Link routers and the info they send back to my ISP. I use my Archer C3200 for its range but have a C1200. I also feel the C3200 may be more secure even though the available FW isn't as new. I'll update on those results later.
PlayerOne wrote
I also have another TP-Link router I will be trying to see if it causes the same results, as maybe somehow it's just something weird with TP-Link routers and the info they send back to my ISP. I use my Archer C3200 for its range but have a C1200. I also feel the C3200 may be more secure even though the available FW isn't as new. I'll update on those results later.
It would seem to be very specific if it is a 'real' attack of some type? Specific to possibly only your ISP's email server too?
If it were a 'universal' change that no matter where you would go, it would appear to be via '12 horses', and then if others had that problem surely one would have been notified via FB or GMAIL of a new IP Address being used? I've had it happen a few times. When on a Cruise I used the ship's Internet, and I get notified by both FB and GMAIL that a new 'device' has connected and I should either approve it or contact them and change my p/w immediately. I also had it happen 'repeatedly' beta testing some s/w suite that had a VPN included. It wasn't a Fixed VPN but one that uses a farm and when I enabled that each time I had a different IP Address when I booted, so I was getting those warnings daily.
However recently DLINK routers had DNS attacks. Google "d'link dns attack" and you'll see many, from recent to over a year ago, like this one, https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/, however they all are DNS replacement attacks.
I'm on an A20 and I'm not seeing this? FB has a log going back to late June, and it shows only my 3 devices I use, PC, iPad, and phone have connected. My account at Google shows the same and no 'security events' in the last 28 days.
As for an attack, in the case of D-Link I suspect it is the same 'exposure' in all the models' f/w that was exploited. TP-Link, D-Link, Netgear, and probably others use GPL Source code that is available. Easy (not really) to see an exploit possible. Also build 3rd party f/w. I had some Netgear Routers and some 3rd party f/w was better than the stock f/w, but the origins of the f/w (Russia for instance) could make one think twice about using it. At one time TP-Link even blocked 3rd party f/w from installing.
I'll say this though, if all your devices cause this, then I'd think like you do, especially if one is a phone. Has to be your routing to the ISP mail server or something different for you only. I guess that is what the TRACERT would show, especially 2, one from only the modem, the other modem and router. I can also TELNET to my ISP's mail server. Suspect you can too, if you know the commands in Telnet to connect. Wonder if that would report a different login?
To the contrary, I do not believe it is just happening with my ISP webmail. It is fully to do with the TP-Link router. I do believe that my ISP has a better understanding of real security than Facebook and the other places mentioned or suggested that might show a general idea of my last login... to which FB (and other 'premium services') is usually not so accurate. But they aren't trying to be unless it creates a liability for them, and our security in that manner is not any liability to them.
XMission is one of the most unique companies in the world. They have not lost a customer to straight dis-satisfaction since they started as Utah's first Internet Provider in 1993. Sure, they have lost them to moving or inability to pay but anyone with XMission stays with them because of the over the top service and support they give. XMission mainly operates now on a co-op fiber optic infrastructure, even though they do provide some DSL connections to those not in the fiber cities.
I can also attest to their security and willingness to look at things past what Comcast, TWC, or your other monopoly providers do as well. Back several years ago I was having some issues with Avast reporting the wrong connection when I would connect with my router. Xmission went past just saying 'Oh, we got everything under control' or 'We are the provider, we know more than you'.
They went through things with me and it ended up involving the FBI IC3 department; which then led to information being gathered that the FBI was able to bust a ring now referred to as 'Operation Ghost Click' and bringing down a very unique exploitation by a group calling themselves 'MyCanadianPharmacy' which did not require a user to click on anything in an email from them to be hijacked and somehow built their site from multiple other legitimate websites, taking a pic from here, a few lines of text from there, another pic or two from another. It was very above what most people thought was even possible... even among security experts.
It was a combination of XMission's willingness to accept what their customer was reporting along with Avast reporting something other companies did not notice that led to any of my experience being given the proper attention. Had I been with ANY OTHER ISP, without this gathering of information and support ability, these two illicit rings might still be operating even today.
The problem is with the TP-Link router and I do fully believe it is more than just when I log into my webmail server with XMission. Yet, XMission is set up to detect what others might not see any reason to really look at and just give the basics. Heck, even WHOIS can be grossly wrong if the domain handler hasn’t been properly updated with IIS.
Even if I am wrong and it is only when I log into my webmail, the fact it DOES NOT happen when directly connected again shows the issue is with the TP-Link router and not even where the exploit is 'pointed'. Otherwise, I would get the same results when not using the router.
As Sherlock Holmes would say 'Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.'
Offhand, here is a video of the founder/CEO of XMission that might help you understand the knowledge and security they ACTUALLY provide instead of claim like other ISPs and services you use. He briefly covers some of what I suggested above about 9 minutes in concerning a 'single IP'.
Anyhow, I will have more to report once I attempt to switch routers.
Wow, nothing like the experience I've had/got.
17 years ago when we bought our house in a new community, the developer included TV in the Homeowner dues. They signed a 10 year contract for the cable use. That same cable company had exclusive rights from us for cable Internet. Other choice was DSL so we took it. It was a Canadian company trying to get started in the US (we are far away from Canada). 5 years later they sold out to Time Warner. Support went downhill. 7 years later, TWC spun-off our part to Brighthouse. Only good part of that, our e-mail addresses didn't need to change as they did when we left the Canadian Co. They let Brighthouse use Roadrunner. Again, service and support declined. Well, about 3 years ago Spectrum (re-labeled Charter) gobbled up both Brighthouse and TWC. I didn't think it could get worse but it has. I can't even tell you how much SPAM we get now compared to before with Brighthouse. OFF the wall... our e-mail addresses are on the Dark web. Used to be Brighthouse had promotions all the time and when you had one expire if there were others active you could have it. Not with Spectrum. Have a real problem? Don't expect it to be fixed the first time. It took months of visits and h/w replacement to fix my last modem Internet drops and slow speeds. Only fixed when the outside main box had been determined to be a problem, not the one in front of the house, one block away where all the local boxes terminated. Last time they replaced my modem (voice problem) the new one would not work on all our cordless phones. One tech came out, replaced the modem, which fixed it partially, and then 'logged' it was a user hardware problem, and we were charged $49.95 for the visit. It took a few phone calls to get that removed (they never gave us back the $3.50 in taxes) and someone in here who could fix the problem by putting in a GOOD modem and KNEW the model they were putting in my home had problems with some phones.
I had a problem with a modem I had in here that needed to sync the time every 2 hours. Great, but I had a Netgear router with a bug that when time was sync'ed it dropped the Internet. Talk about finger pointing! As it turned out Netgear did fix that problem but we still had the problem on the router. Doing that sync seemed to drop connections on the Internet. It took a switch to a replacement modem of the same model and a tech here during that sync time to realize it was somewhere on Spectrum's end. Turned out the configuration file used on the back-end for us was for an older modem we had. That took almost a year to resolve.
You are VERY lucky...
Returning the thread to the original purpose.
So I tried with my TP-Link Archer C1200 and I began getting the correct information as far as my last login location (my public IP greyed out for security)...
Yet when I switched back to the Archer C3200, it went right back to producing the illicit result...
There is definitely something going on attacking the Archer C3200 that the heightened security of my ISP's webmail server is able to catch even though 'tracert' and simple 'What Is My IP' (and other internet tools) can detect. I am willing to do more testing for the next week and leave the bad router connected to find out exactly what is being done to exploit the Archer C3200 in this strange fashion.
I would love to help TP-Link uncover this.
Where do we go from here?
EDIT: Just wanted to add that the C1200 router was set up with the exact same protocols as the C3200; i.e. DDoS protection, WPA protection, Manual DNS, etc.
Views: 5073
Replies: 22