[svlug] Intrusion detected: What's the best response
sanatan at gmail.com
Mon Jun 9 01:37:06 PDT 2014
Yesterday, my router was hacked.
The router's logs are terrible, not much information there.
However, I am sure that there was an intrusion because the router
permits only one login as admin irrespective of protocol
(telnet/https). When I tried to log in last night, the login was
rejected saying that the admin was already logged in from an IP which
I later traced as being in China.
My response was to disconnect the router from the phone line, so I
am no longer connected to the internet at home (this email is being
written at work).
The router is a DrayTek Vigor 2830VN+, and is normally configured
to reject incoming connexions. That's why I am mystified how this was
possible in the first place.
In any case, here's my diagnosis of the situation, any suggestions
would be most appreciated:
* I should assume that the router is compromised and should be discarded.
* Potentially, all the home boxes are compromised, to be checked
by a careful analysis of the logs.
The boxes are two linux (Debian/Testing) and one Win XP laptop. It'll
be tedious but I am comfortable figuring out if anything went wrong
there and fixing (suggestions still welcome).
It's the router I am most worried about, especially the nature of the
hack. Should I shell out £££ (= $$$) for a new one?
Thanks for any suggestions!
3, Admirals Court,
30, Horselydown Lane,
London, SE1 2LJ.
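For the "careful analysis of the logs" step on the two Debian boxes, here is an added example (not code from the original post): it scans constructed Debian auth.log lines for accepted SSH logins and flags any that came from outside an assumed home LAN range or that logged in directly as root.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Debian /var/log/auth.log lines (not the poster's real logs).
SAMPLE_AUTH_LOG = """\
Jun  8 22:14:03 deb1 sshd[2231]: Accepted password for sanatan from 192.168.1.20 port 51022 ssh2
Jun  8 23:41:17 deb1 sshd[2390]: Accepted publickey for root from 203.0.113.45 port 40311 ssh2
Jun  8 23:42:02 deb1 sudo:  sanatan : TTY=pts/0 ; PWD=/home/sanatan ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun  9 00:05:44 deb1 sshd[2412]: Failed password for admin from 198.51.100.7 port 33120 ssh2
Jun  9 00:07:10 deb1 sshd[2430]: Accepted password for sanatan from 192.168.1.21 port 51030 ssh2
"""

# Assumed home LAN range (placeholder); an accepted login from anywhere else is suspicious.
TRUSTED_NETS = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]

# Matches the "Accepted <method> for <user> from <ip> port <n>" line sshd writes on success.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_logins(log_text: str) -> list[dict]:
    """Return accepted SSH logins from outside the LAN or made directly as root."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts, sudo, cron etc. are not successful logins
        rec = m.groupdict()
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("source outside trusted LAN")
        if rec["user"] == "root":
            reasons.append("direct root login")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in suspicious_logins(SAMPLE_AUTH_LOG):
        print(f'{h["ts"]} user={h["user"]} from={h["ip"]} ({", ".join(h["reasons"])})')
```

Run it against the real file with `suspicious_logins(open("/var/log/auth.log").read())`, after adjusting TRUSTED_NETS to the actual LAN range; a hit from an address you do not recognise is the same kind of evidence as the router's "already logged in from" message.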