Need Help With Router HiJack/Exploit
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi.
I am having issues with my network being hijacked. I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.
As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway ([s]MY IP[/s].utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221*DOT*mailout*DOT*ekwin*DOT*twelvehorses*DOT*com). I cant find anything other than the WHOIS which also shows the owner has another URL out of Denmark 'twelvehorses*DOT*de'.
I get the same result from any computer or device attached to my router (as far as being redirected). This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router. I only get redirected through the suspicious IP/URL when connected to my router.
How do I get things under control?
Note: Replaced part of the suspicious URL characters with *DOT* so others dont accidentally click or copy to a illicit URL site.
CORRECT IP/URL WHEN NOT USING TP LINK ROUTER VIA DIRECT GATEWAY
ILLICIT URL WHEN USING TP LINK ROUTER
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
WHEW!!!
So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.
As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify. 12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities. The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission's side :P .
When the webmail server did the IP check and reverse domain check it then probably noted the old record on their server that hadn't been fully audited and that's why it gave me the 12 horses. As well, ICANN may still hold old records which may have also attributed to the bad reverse domain lookup results.
They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.
They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used. I wish I could have gotten this agent from the start as it is unusual to get anything but the best support from any of their agents!
Now aside from that, a member of Avast did some really advanced checking into things and found the domain is parked yet also infected with a clickthrough hijack link somehow. So even though my router is just fine, we did end up finding a URL that is being used for malicious intent:
Avast Forum Thread - this is a link to the Avast members post but a couple of others did some amazing reseacrh if you want to view everything we did on this.
I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target.
Either way... THANK YOU TO ALL WHO WORKED ON THIS.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 5878
Replies: 22
Voters 0
No one has voted for it yet.
