DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Draytek 2925 hacked
- olicuk
- New Member
- Posts: 1
- Thank yous received: 0
22 May 2018 00:21 #91692
by olicuk
Replied by olicuk on topic Re: Draytek 2925 hacked
Does anyone know whether the rogue DNS server was successfully used to redirect any traffic to sites which may have intercepted/captured user data, banking details etc.? For example, I presume if the DNS had issued a fake IP for a bank it would be possible to create a proxy site for that bank that logs on to and presents data from the real bank... but captures login details and the like for later exploit. Similarly it could be used to proxy and capture logins to Amazon, PayPal, eBay, Office 365, or anything else... no doubt many other capabilities too. Keen to know if everyone who has used a network behind a hacked router should be recommended to change *everything*!
- davsands
- Topic Author
- New Member
- Posts: 9
- Thank yous received: 0
22 May 2018 12:15 #91714
by davsands
Replied by davsands on topic Re: Draytek 2925 hacked
I've not personally gone in to try and see what's being redirected. I did run a few NSLOOKUPs yesterday to see if the IP was still active, and it is. But it's not easy to pinpoint what's being redirected.
I think the key here is just to keep on top of the new firmware as it comes out, report any/all problems back to Draytek and hopefully post back to this forum?
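One way to pin down which names a router's resolver is actually redirecting, as an added example that is not from this thread or from DrayTek: query the resolver the router hands out and a trusted public resolver directly over UDP for the same list of names, then flag names whose answers share no address. The domain names and addresses used in the comparison are constructed; `resolve` needs network access, the parsing and comparison do not.

```python
import random
import socket
import struct

def build_query(name: str) -> tuple[bytes, int]:
    """Minimal RFC 1035 A/IN query with recursion desired; returns (packet, transaction id)."""
    txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1), txid

def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += length + 1

def parse_a_records(pkt: bytes, txid: int) -> set[str]:
    """IPv4 answers in a response; empty on transaction-id mismatch or non-zero RCODE."""
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    if rid != txid or flags & 0x000F:
        return set()
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return answers

def resolve(name: str, server: str, timeout: float = 2.0) -> set[str]:
    """Ask one resolver directly over UDP, bypassing the OS stub resolver and its cache."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return parse_a_records(s.recv(512), txid)

def find_redirected(suspect: dict[str, set[str]], trusted: dict[str, set[str]]) -> list[str]:
    """Names whose answers from the suspect resolver share no address with the trusted one."""
    return sorted(d for d in suspect if trusted.get(d) and not suspect[d] & trusted[d])
```

CDN-fronted sites legitimately answer differently from different resolvers, so a mismatch is a lead to check against the site's certificate and published address ranges, not proof of redirection on its own.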
- destroyer
- Junior Member
- Posts: 94
- Thank yous received: 0
23 May 2018 18:17 #91743
by destroyer
Replied by destroyer on topic Re: Draytek 2925 hacked
olicuk wrote:
Does anyone know whether the rogue DNS server was successfully used to redirect any traffic to sites which may have intercepted/captured user data, banking details etc.? For example, I presume if the DNS had issued a fake IP for a bank it would be possible to create a proxy site for that bank that logs on to and presents data from the real bank... but captures login details and the like for later exploit. Similarly it could be used to proxy and capture logins to Amazon, PayPal, eBay, Office 365, or anything else... no doubt many other capabilities too. Keen to know if everyone who has used a network behind a hacked router should be recommended to change *everything*!

Users would have seen a certificate warning in their browser if that is the case. Anything HTTP etc. could have been compromised, but generally all banks and reputable sites running on HTTPS would have shown certificate warnings if redirects were in place, hence you'd hope users noticed.
- prushmere
- Junior Member
- Posts: 30
- Thank yous received: 0
23 May 2018 19:04 #91744
by prushmere
Replied by prushmere on topic Re: Draytek 2925 hacked
Destroyer wrote:
..you'd hope users noticed..

How long have you been working in IT? :lol:
- admin
- Site Admin
- Posts: 1723
- Thank yous received: 0
24 May 2018 17:40 #91768
by admin
Forum Administrator
Replied by admin on topic Re: Draytek 2925 hacked
Well, surely a fake site can also issue a fake certificate, or rather a real certificate which matches their IP address or even just redirect to a cleartext page. Most people probably don't actively look for the padlock...and also probably type www.lloyds.co.uk into their browser rather than https and get used to it redirecting to TLS.
- davsands
- Topic Author
- New Member
- Posts: 9
- Thank yous received: 0
25 May 2018 12:56 #91788
by davsands
Replied by davsands on topic Re: Draytek 2925 hacked
Think Let's Encrypt and/or man-in-the-middle attacks. It's easy to see how things can be compromised.
Moderators: Chris
Copyright © 2025 DrayTek