locked out of router settings! ... by a spoofer?

catatom · 10-22-2014, 06:46 PM

I recently started suspecting an attack. Now I find that I can't access http://routerlogin.net, where I would go to adjust the settings. The connection times out immediately. I tried disabling my firewall, allowing netBIOS traffic through the modem, and I checked the hosts file.

Could a spoofer do this to hide and protect their changes? Is it good evidence of spoofing?

coralfang · 10-22-2014, 07:02 PM

Have you tried accessing the gateway directly. eg; 192.168.0.1
It may be a different subnet depending on the device.

Could be that your dns has gone funky, where it is unable to resolve routerlogin.net to an address.
Just a possibility.

////// · 10-24-2014, 06:47 AM

u should google ur router model and check if there are any exploits to it, or if its web configuration page is reachable from the internet etc.

Habitual · 10-24-2014, 03:52 PM

http://kb.netgear.com/app/answers/de...fault-settings

jefro · 10-24-2014, 09:32 PM

Yes a crook or automated crook could have taken control.

Reset to factory settings.

Be sure to consider latest updates if they suggest security.

Be sure to disable any outside access and limit times and ports and protocols.

catatom · 10-26-2014, 06:56 PM

Every site is fine except routerlogin. Apparently I can try entering the router's IP address too. WIll try at home.

ALthough our model seems fine, the model you get if you subtract the "v3" is at its end of life and has four vulnerabilities.

I'm trying to get a reinstall image because my cursor was going berzerk when I connected to any network.

catatom · 10-27-2014, 02:49 PM

I'm not sure which was the router IP, but I entered "route -n" and none of those addresses loaded a page.
I can access the modem through its IP just fine.

jefro · 10-27-2014, 10:10 PM

That domain name is a stub. Basically if you have a new windows computer the computer will use the router as dns. Router will convert that name to it's ip address.

So, just access router by ip forever instead of some dns name.

catatom · 10-28-2014, 05:06 PM

How do I find the router IP address? I tried all the IPs I could find through terminal command lines, but all I got was the modem page and Google (tcpdump).

Habitual · 10-28-2014, 06:33 PM

http://192.168.1.1

michaelk · 10-28-2014, 09:29 PM

Please post the make/model of your MODEM. What do you mean my MODEM page? What is the IP of the MODEM? How is your network physically configured?

Please post the model number of your router.

As stated Netgear SOHO routers typically have a default IP address of 192.168.1.1. The output of the route -n command will show a UG under flags. The address in the same line under gateway should be the LAN IP of your router.

jefro · 10-28-2014, 10:10 PM

Get the mac address and use arp to make a temporary static arp entry. Then make a default ip for that mac in the range of your current subnet.

No matter what the real ip, your static arp would point to the one you set.

catatom · 10-30-2014, 04:30 PM

Quote:

Originally Posted by michaelk

Please post the make/model of your MODEM. What do you mean my MODEM page? What is the IP of the MODEM? How is your network physically configured?

Please post the model number of your router.

As stated Netgear SOHO routers typically have a default IP address of 192.168.1.1. The output of the route -n command will show a UG under flags. The address in the same line under gateway should be the LAN IP of your router.

That address was 192.168.1.254. It was called "home portal" in the unmodified route output. Another output was "link-local" but that IP led nowhere too.

I don't have the model number with me ATM, but the make is
N300 Wireless ADSL2 + Modem Router DGN2200v3

Habitual · 10-30-2014, 05:53 PM

n/m. michaelk already mentioned NetGear.

catatom · 10-30-2014, 05:53 PM

It is netgear.

Jefro, I'll try that. btw, how could I turn off ARP replies to limit my connections to those established manually?