Even after doing 2 factory resets on my neighbor's Asus RT-AC66U wireless router, it still redirects Amazon
Rainmaker51
Even after doing 2 factory resets on my neighbor's Asus RT-AC66U wireless router, every time they go to Amazon, whether it's on a directly connected PC or his Apple devices, it takes them to a "bogus" Amazon site that just tries to steal their credit card info. This is the case because they did enter the info the first time this happened. Fortunately, the bank caught it and deactivated the card.
When he plugged the PC directly into their Comcast modem, it went to the correct Amazon site. The wireless router was powered off at that point. Turn the router back on, disconnect from the Comcast modem, and it goes back to the fake site.
Scratching my head here, what step(s) did I miss?
Comments
the_Grinch
Did you check to see if there was anything in his hosts file that points to the DNS on the router? Seems to me that there is some kind of DNS redirect going on. I would modify the DNS on his computer to point to 8.8.8.8 (it will bypass the router's DNS) and see if you can get to Amazon. Worst comes to worst, buy a new router (it's clearly owned) or attempt to flash a newer legit version of firmware on it.
Rainmaker51
Thank you, Grinch. It is using 8.8.8.8 as its secondary DNS, and the Comcast one is the primary. I can make the changes on the router so he doesn't have to worry about manually changing all of his PCs. Thank you for the feedback!
Mooseboost
Just a reference:
Massive campaign uses router exploit kit to change routers' DNS servers
I know several ISPs that were affected as well as a slew of residential routers. Not saying this is the case here, but I am always aware of checking the DNS now when I notice spoofed pages.
the_Grinch
I was saying change it on one of his PCs just to see if that is the issue. If you go into TCP/IP settings and change just the DNS settings, it will bypass the router (which seems to be the issue), and if it works then you know there is a DNS setting in the router screwing it up. If you truly factory reset it twice then I suspect the firmware has been compromised and that will need to be fixed.
Rainmaker51
I will do it that way, Grinch. It does seem easier. Thanks, again.
And thanks also, Mooseboost. Very interesting.
W Stewart
This makes me think your neighbor probably bought some sketchy router online with compromised firmware or that he flashed the router himself with firmware from a sketchy source.
tpatt100
I have an Asus router as well and noticed some messed up search results as well. I also got a Google captcha request due to unusual traffic. Just started happening yesterday, ran the usual stuff like Malware Bytes and came up with nothing.
Rainmaker51
Upon further review, the primary DNS setting in the router's config was NOT a Comcast address, but it resolved to something called "BingoHosting.com". Got that cleared out, just waiting for them to see if that fixes the issue, which I'm sure it will.
tpatt100, you may want to check your router's DNS entries.
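One way to run the check the_Grinch suggests (ask the router's DNS and a trusted resolver the same question and compare) without touching the OS resolver settings. This is an added example, not code from anyone in the thread; the router address 192.168.1.1 and the sample response bytes are assumptions, and the domain is the one from the thread.

```python
import socket
import struct

TRUSTED_RESOLVER = "8.8.8.8"  # the resolver suggested above as a sanity check

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp, pos):
    """Advance past a (possibly compressed) domain name starting at `pos`."""
    while True:
        length = resp[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(resp):
    """Return the sorted IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):  # skip the question: name + QTYPE + QCLASS
        pos = _skip_name(resp, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return sorted(addrs)

def resolve(name, server, timeout=3.0):
    """Query `server` directly over UDP/53, bypassing whatever resolver the router hands out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        resp, _ = sock.recvfrom(4096)
    return parse_a_records(resp)

def looks_hijacked(router_answers, trusted_answers):
    """No overlap at all is worth a closer look; CDNs/geo-DNS can differ, so it is a signal, not proof."""
    return bool(router_answers) and not set(router_answers) & set(trusted_answers)

if __name__ == "__main__":  # assumed router LAN address; adjust for the network being checked
    a, b = resolve("amazon.com", "192.168.1.1"), resolve("amazon.com", TRUSTED_RESOLVER)
    print("router:", a, "trusted:", b, "SUSPICIOUS" if looks_hijacked(a, b) else "ok")
```

If the two answer sets share nothing, the next thing to look at is the router's own DNS fields, exactly as the thread ended up doing.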
echo_time_cat
Although it looks like you've narrowed the issue, I'm just wondering how exactly you were doing the 'factory reset'?
Was it simply holding down the reset button, or were you using the combination of that and pulling the power cord?
Rainmaker51
The way I did it was holding the reset button in for 30 seconds, then I pulled the power cord. All the settings were wiped out successfully, but I manually entered those bogus DNS numbers thinking that the primary was a legitimate Comcast address. I knew the secondary one was Google's. Only when I saw some responses here did I stop to think that the problem could've been with that DNS address, and it was. Just checked, and the real Amazon site appears to be back.