Even after doing 2 factory resets on my neighbors

Rainmaker51 Member Posts: 13
Even after doing 2 factory resets on my neighbors' Asus RT-AC66U wireless router, every time they go to Amazon, whether it's on a directly connected PC or his Apple devices, it takes them to a "bogus" Amazon site that just tries to steal their credit card info. This is the case because they did enter the info the first time this happened. Fortunately, the bank caught it and deactivated the card.

When he plugged the PC directly into their Comcast modem, it went to the correct Amazon site. The wireless router was powered off at that point. Turn the router back on, disconnect from the Comcast modem, and it goes back to the fake site.

Scratching my head here, what step(s) did I miss?

Comments

  • the_Grinch Member Posts: 4,164
    Did you check to see if there was anything in his host file that points to the DNS on the router? Seems to me that there is some kind of DNS redirect going on. I would modify the DNS on his computer to point to 8.8.8.8 (it will bypass the router's DNS) and see if you can get to Amazon. Worst comes to worst, buy a new router (it's clearly owned) or attempt to flash a newer legit version of firmware on it.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Rainmaker51 Member Posts: 13
    Thank you, Grinch. It is using 8.8.8.8 as its secondary DNS, and the Comcast one is the primary. I can make the changes on the router so he doesn't have to worry about manually changing all of his PCs. Thank you for the feedback!
  • Mooseboost Senior Member Posts: 775
    Just a reference:

    Massive campaign uses router exploit kit to change routers' DNS servers

    I know several ISPs that were affected as well as a slew of residential routers. Not saying this is the case here, but I am always aware of checking the DNS now when I notice spoofed pages.
    2020 Certification Goals: OSCE GXPN
    Blog: https://hackfox.net
  • the_Grinch Member Posts: 4,164
    I was saying change it on one of his PCs just to see if that is the issue. If you go into TCP/IP settings and change just the DNS settings, it will bypass the router (which seems to be the issue), and if it works then you know there is a DNS setting in the router screwing it up. If you truly factory reset it twice then I suspect the firmware has been compromised and that will need to be fixed.
  • Rainmaker51 Member Posts: 13
    I will do it that way, Grinch. It does seem easier. Thanks, again.

    And thanks also, Mooseboost. Very interesting.
  • W Stewart Member Posts: 794
    This makes me think your neighbor probably bought some sketchy router online with compromised firmware or that he flashed the router himself with firmware from a sketchy source.
    Being a sys admin sucks but I love it
  • tpatt100 Member Posts: 2,991
    I have an Asus router as well and noticed some messed up search results as well. I also got a Google captcha request due to unusual traffic. Just started happening yesterday, ran the usual stuff like Malwarebytes and came up with nothing.
  • Rainmaker51 Member Posts: 13
    Upon further review, the primary DNS setting in the router's config was NOT a Comcast address, but it resolved to something called "BingoHosting.com". Got that cleared out, just waiting for them to see if that fixes the issue, which I'm sure it will.

    tpatt100, you may want to check your router's DNS entries.
  • echo_time_cat Member Posts: 74
    Although it looks like you've narrowed the issue, I'm just wondering how exactly you were doing the 'factory reset'?

    Was it simply holding down the reset button, or were you using the combination of that and pulling the power cord?
  • Rainmaker51 Member Posts: 13
    The way I did it was holding the reset button in for 30 seconds, then I pulled the power cord. All the settings were wiped out successfully, but I manually entered those bogus DNS numbers thinking that the primary was a legitimate Comcast address. I knew the secondary one was Google's. Only when I saw some responses here did I stop to think that the problem could've been with that DNS address, and it was. Just checked, and the real Amazon site appears to be back.
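    The two checks the_Grinch suggested (look at the hosts file, and compare what the router's resolver returns with what a known-good resolver such as 8.8.8.8 returns) can be scripted. The block below is an added example written for this thread, not code from the forum or from Asus; the hosts-file text and all IP addresses in it are constructed documentation-range values, and fetching real answers from a chosen DNS server is left to a resolver library (an assumption, not shown).

    ```python
    import ipaddress

    # Domains worth sanity-checking on a home network; constructed list for this example.
    WATCHED = {"amazon.com", "www.amazon.com"}

    # Constructed hosts file: the third line is the kind of entry a hijack would add.
    HOSTS_SAMPLE = """127.0.0.1 localhost
    # comment lines and blank lines are ignored
    203.0.113.10 www.amazon.com amazon.com
    """

    # Constructed answer sets (documentation ranges, not real Amazon addresses):
    # what the router's resolver handed back versus what 8.8.8.8 handed back.
    ROUTER_ANSWERS = {"www.amazon.com": ["203.0.113.10"]}
    REFERENCE_ANSWERS = {"www.amazon.com": ["198.51.100.1", "198.51.100.2"]}


    def suspicious_hosts_entries(hosts_text):
        """Return (ip, hostname) pairs that map a watched domain anywhere but loopback."""
        findings = []
        for raw in hosts_text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments
            if not line:
                continue
            ip, *names = line.split()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue                           # malformed line, not our concern here
            for name in names:
                if name.lower() in WATCHED and not addr.is_loopback:
                    findings.append((ip, name))
        return findings


    def dns_divergence(router_answers, reference_answers):
        """Flag domains whose router-resolver answers share no address with the
        reference resolver's answers.  CDN-hosted sites can legitimately return
        different addresses per resolver, so a hit is an indicator to investigate
        (start with the DNS server address configured on the router), not proof."""
        flagged = {}
        for name, ref in reference_answers.items():
            got = set(router_answers.get(name, ()))
            if got and not got & set(ref):
                flagged[name] = sorted(got)
        return flagged


    if __name__ == "__main__":
        print("hosts file:", suspicious_hosts_entries(HOSTS_SAMPLE))
        print("divergent DNS:", dns_divergence(ROUTER_ANSWERS, REFERENCE_ANSWERS))
    ```
    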