[svlug] Intrusion detected: What's the best response

Sanatan Rai sanatan at gmail.com
Mon Jun 9 01:37:06 PDT 2014

Hi All,
   Yesterday, my router was hacked.

    The router's logs are terrible, not much information there.
However, I am sure that there was an intrusion because the router
permits only one login as admin irrespective of protocol
(telnet/https). When I tried to log in last night, the login was
rejected saying that the admin was already logged in from an IP which
I later traced as being in China.

    My response was to disconnect the router from the phone line, so I
am no longer connected to the internet at home (this email is being
written at work).

    The router is a DrayTek Vigor 2830VN+, and is normally configured
to reject incoming connexions. That's why I am mystified how this was
possible in the first place.

    In any case, here's my diagnosis of the situation, any suggestions
would be most appreciated:

     * I should assume that the router is compromised and should be discarded.
     * Potentially, all the home boxes are compromised, to be checked
by a careful analysis of the logs.

The boxes are two linux (Debian/Testing) and one Win XP laptop. It'll
be tedious but I am comfortable figuring out if anything went wrong
there and fixing (suggestions still welcome).

It's the router I am most worried about, especially the nature of the
hack. Should I shell out £££ (= $$$) for a new one?

    Thanks for any suggestions!

Sanatan Rai
3, Admirals Court,
30, Horselydown Lane,
London, SE1 2LJ.

More information about the svlug mailing list