[svlug] Intrusion detected: What's the best response

Ivan Sergio Borgonovo mail at webthatworks.it
Mon Jun 9 02:56:29 PDT 2014


On Mon, 9 Jun 2014 09:37:06 +0100
Sanatan Rai <sanatan at gmail.com> wrote:

> Hi All,
>    Yesterday, my router was hacked.

>     The router's logs are terrible, not much information there.
> However, I am sure that there was an intrusion because the router
> permits only one login as admin irrespective of protocol
> (telnet/https). When I tried to log in last night, the login was
> rejected saying that the admin was already logged in from an IP which
> I later traced as being in China.

>     My response was to disconnect the router from the phone line, so I
> am no longer connected to the internet at home (this email is being
> written at work).
> 
>     The router is a DrayTek Vigor 2830VN+, and is normally configured
> to reject incoming connexions. That's why I am mystified how this was
> possible in the first place.

google "router hacked" and get tons of answers.

>     In any case, here's my diagnosis of the situation, any suggestions
> would be most appreciated:
> 
>      * I should assume that the router is compromised and should be
> discarded.

If, as you said, you found there was someone logged in from China, then yes,
you have to assume it was compromised.

It is hard to say if it has to be discarded or not. They could have
reprogrammed the firmware in such a way that any future attempt to reflash
it will silently fail. This is surely possible, but I can't quantify how
probable it is.

>      * Potentially, all the home boxes are compromised, to be checked
> by a careful analysis of the logs.

All distributions I consider worth installing digitally sign their
packages, so even making you believe you're connecting to a legitimate
repository by changing DNS won't work.
Still, having control of your router could be a good starting point to
build up something more sophisticated. I'd be especially concerned
about the XP box.

> The boxes are two linux (Debian/Testing) and one Win XP laptop. It'll
> be tedious but I am comfortable figuring out if anything went wrong
> there and fixing (suggestions still welcome).

> It's the router I am most worried about, especially the nature of the
> hack. Should I shell out £££ (= $$$) for a new one?

You'll have to do your own research... if you look for "Draytek
exploit" you'll find several documented.
The question you'd have to answer is "is there trojaned firmware around
that resists reflashing?".

SOHO routers use common chips with available toolchains. That makes it
reasonably easy to build trojaned firmware. What I really don't know
is if it is easy to make a router resistant to reflashing.
Generally there should be a non-flashable part of memory that's there
to keep you from bricking your router with a non-working firmware, and
you'll have to reflash your router with the "emergency" procedure, which
generally involves pressing a button during boot-up.

But I don't know how unflashable that part really is.
On the other hand, most of the worms running on SOHO routers that I'm
aware of are just binaries that don't go the extra mile of reflashing
the firmware.

Still, if you're sure you were running the latest firmware for that
router, even knowing you can safely reflash it won't protect you from
being cracked again.

>     Thanks for any suggestions!

Next time consider something that can be flashed with openwrt[1]
(cheaper and easier) or build your own router with embedded commodity
hardware that runs Debian.
While there is a plethora of boards that could nearly fit, they don't
really fit, and you'll have to add some extra money and effort before
you turn them into a low-power-consumption router that has the same
features as your router.

[1] With a little extra money you can add an external PBX box and install
Asterisk on the router.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it
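The point about signed packages above only holds while APT is actually enforcing the signature check; a single `[trusted=yes]` source or an `AllowInsecureRepositories` switch quietly turns it off. As an added example that is not part of this thread, the following POSIX shell script scans APT configuration fragments for the settings that disable verification. The sample files are constructed here for the demonstration; the option names are real APT options, and the paths in the usage note are the standard Debian ones.

```shell
#!/bin/sh
# Added example, not from the thread: audit APT settings that switch off the
# package-signature check that makes a DNS-redirected mirror harmless.

# Count lines that disable APT signature verification across the given files.
# All patterns are real APT options / sources.list flags:
#   [trusted=yes] or "Trusted: yes"   per-source, skips the Release signature
#   Acquire::AllowInsecureRepositories "true"
#   Acquire::AllowDowngradeToInsecureRepositories "true"
#   APT::Get::AllowUnauthenticated "true"
# Commented-out lines ('#' or '//') are ignored. Prints the count only; the
# caller decides what to do with it.
count_insecure_apt_settings() {
    grep -Ehi \
        -e 'trusted[[:space:]]*[=:][[:space:]]*yes' \
        -e 'AllowInsecureRepositories[[:space:]]+"?true' \
        -e 'AllowDowngradeToInsecureRepositories[[:space:]]+"?true' \
        -e 'AllowUnauthenticated[[:space:]]+"?true' \
        "$@" 2>/dev/null | grep -Evc '^[[:space:]]*(#|//)' || true
}

# Verdict helper: prints WEAK when any such setting is active, OK otherwise.
apt_trust_verdict() {
    if [ "$(count_insecure_apt_settings "$@")" -gt 0 ]; then
        echo WEAK
    else
        echo OK
    fi
}

# --- constructed sample configurations (not taken from any real system) ---
SAMPLE_DIR=$(mktemp -d)

# Weak: one source marked trusted=yes, two apt.conf switches enabled,
# plus one commented-out switch that must not be counted.
cat > "$SAMPLE_DIR/weak.sources.list" <<'EOF'
deb [trusted=yes] http://mirror.example.invalid/debian testing main
deb http://deb.debian.org/debian testing main
EOF
cat > "$SAMPLE_DIR/weak.apt.conf" <<'EOF'
// constructed sample apt.conf fragment
Acquire::AllowInsecureRepositories "true";
APT::Get::AllowUnauthenticated "true";
// Acquire::AllowDowngradeToInsecureRepositories "true";
EOF

# Hardened: source pinned to the archive keyring, insecure options off.
cat > "$SAMPLE_DIR/good.sources.list" <<'EOF'
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian testing main
EOF
cat > "$SAMPLE_DIR/good.apt.conf" <<'EOF'
Acquire::AllowInsecureRepositories "false";
APT::Get::AllowUnauthenticated "false";
EOF

WEAK_FILES="$SAMPLE_DIR/weak.sources.list $SAMPLE_DIR/weak.apt.conf"
GOOD_FILES="$SAMPLE_DIR/good.sources.list $SAMPLE_DIR/good.apt.conf"

# Word splitting of the file lists below is deliberate.
echo "weak config: $(count_insecure_apt_settings $WEAK_FILES) insecure setting(s), verdict $(apt_trust_verdict $WEAK_FILES)"
echo "good config: $(count_insecure_apt_settings $GOOD_FILES) insecure setting(s), verdict $(apt_trust_verdict $GOOD_FILES)"
```

On a live Debian box the same functions can be pointed at `/etc/apt/sources.list`, `/etc/apt/sources.list.d/*`, `/etc/apt/apt.conf` and `/etc/apt/apt.conf.d/*`. The script only checks that verification is switched on; whether a given mirror's Release file actually verifies against the archive keyring is what `apt-get update` itself reports.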
