WRT54G unreachable after hack attack but wired internet working

Hi,

I have a wrt54g v2.2 that was hacked into a few weeks ago. Ever since the wireless does not work and I cannot access it through 192.168.1.1. The attack happened in Canada and I brought the router with me to the Netherlands to try to fix it. The output of route -n is the following:


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         82.204.106.1    0.0.0.0         UG    0      0        0 eth0
82.204.106.0    0.0.0.0         255.255.255.128 U     1      0        0 eth0

I can ping 82.204.106.1 no problem but cannot access this address through the browser navigation bar. Any idea how I can access the router’s setup page so I can get it back in shape?

Thanks in advance.

Z.

When you can ping it, but it does not answer a browser trying to connect to it on port 80, it is most probably not listening on port 80. In other words, its HTTP server does not function.

A try without your browser is to telnet to it:

telnet 82.204.106.0 80

but I am afraid it will say “connection refused” or time out.

This can only be cured on the device itself. Maybe there is some overall system reset on the hardware. There are manuals downloadable from Linksys.

Do not try to load your ISP’s gateway in a browser. It will not work, and it has nothing to do with your router.

Your routing table appears to be correct for eth0 configured with DHCP.

If you cannot access http://192.168.1.1 via a browser then we can take a lot of time digging deeper, or take hcvv’s advice to reset the router.

If you were indeed hacked I vote for a reset, set everything as you see fit and CHANGE THE DEFAULT PASSWORDS ON THE ROUTER! The only way someone could change your settings is by discovering the password of the router admin page.

I suppose we can’t rule out hardware failure, but let’s not yet.

Mike

IMHO there is some misunderstanding here. From the first post I concluded that the LAN has 82.204.106.0/25 as network… And that 82.204.106.1 is the router/gateway which has the problem.

**I made a crucial typo in my advice!** It should be

telnet 82.204.106.1 80

But I see no case for using 192.168.1.1 in what the OP explained

I also doubt if the routing table given by @zuze11 is complete. Please zuze11, always post (within the code tags) the complete prompt, command and output including the next prompt. Thus we can see that it is complete, who did it, what was the working directory and more. And you still only have to sweep once with the mouse (and can omit sentences like “The output of route -n is the following:”, because it is all there to be seen already).

zuze11 wrote:

> I can ping 82.204.106.1 no problem but cannot access this address
> through the browser navigation bar. Any idea how I can access the
> router’s setup page so I can get it back in shape?

You can hard reset the router, linksys WRT54 series should have a reset
button on the back panel. The reset button is inside a small hole in the
casing/panel. You will need something like a tooth pick or a paper clip to
use the reset button.

Unpower the router and using a paper clip or toothpick press and hold the
reset button while you power the device back on, keep the reset button
pressed for 30 seconds or so then release.

This will reset the operating system to its factory defaults and you should
now be able to access the admin page on 192.168.1.1/24

Cheers the noo,
Graham

did you try https? but anyway I suggest you to hard reset it and if
you’re familiar with linux, you can install openwrt on it.

I did reset the router, several times and nothing changed. Port 80 seems to be closed but I got partial success with 82.204.1.1 on port 23 for telnet. It would not recognize the default password for wrt54g (admin or even Admin) and the original password I had for the router as well.

Connection to 192.168.1.1 times out with both http and https.

Connection to 82.204.106.1 and 82.204.1.1 cannot be established with both http and https.

The router was hacked indeed and whoever did it managed to break into an old XP laptop, presumably the weakest link on the network. It’s also possible they got in from the XP laptop. Got all sorts of security warnings on that one, which is how I found out about the hack job. The hacker also killed the wireless service on the router and seems to have changed the password. My own linux box was isolated from the network when that happened so I turned off the router to stop the damage. The XP laptop was completely useless and we had to format the drive and reinstall from scratch.


ziad@linux-ec5v:~> telnet 82.204.1.1 23
Trying 82.204.1.1...
Connected to 82.204.1.1.
Escape character is '^]'.


User Access Verification

Password: 
Password: 
Password: 
% Bad passwords
Connection closed by foreign host.
ziad@linux-ec5v:~> 


ziad@linux-ec5v:~> telnet 82.204.106.1 80
Trying 82.204.106.1...
telnet: connect to address 82.204.106.1: Connection refused
ziad@linux-ec5v:~> 

ziad@linux-ec5v:~> telnet 192.168.1.1 23
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection timed out
ziad@linux-ec5v:~>


ziad@linux-ec5v:~> /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         82.204.106.1    0.0.0.0         UG    0      0        0 eth0
82.204.106.0    0.0.0.0         255.255.255.128 U     1      0        0 eth0
ziad@linux-ec5v:~>

Thanks for all the info. To start with the last, your route -n. It seems to be complete. I was missing the local route (to 127.0.0.0). Strange to me, but not connected to your problem.

While your system thinks the gateway is 82.204.106.1, the only reaction you get is from the telnet to 82.204.1.1. When you are very confident that that is not another system/router in the LAN you are now, we can assume that the address of the hacked router is now 82.204.1.1.

What about the linux-ec5v system. Is it configured to use DHCP or not? Because the Gateway address in the routing table must come from somewhere. And when it is not from the hacked one, it is either from another DHCP server/router (which would trouble our view), or from fixed configuration.

On 08/03/2012 01:26 PM, zuze11 wrote:
>
> I did reset the router, several times and nothing changed. Port 80 seems
> to be closed but I got partial success with 82.204.1.1 on port 23 for
> telnet. It would not recognize the default password for wrt54g (admin or
> even Admin) and the original password I had for the router as well.

Was that reset the long one? A simple reboot will change nothing. Once it is
reset, the default (from the factory) settings should be in place. As I recall,
the last time I had to do that, the reset button had to be held for a minute.

@henk, I am connected to the LAN in my building. It’s one of those typical open wired connections in student buildings in the Netherlands.

The wired connection is set up for automatic dhcp, IPv4. Speaking of 82.204.1.1, it might actually be another system on the LAN. I have no way of verifying it is the router. My IP address is 82.204.106.39.

IP Address Lookup - Whois Information for 82.204.1.1

IP Address Lookup - Whois Information for 82.204.106.39


ziad@linux-ec5v:~> /sbin/ifconfig 
eth0      Link encap:Ethernet  HWaddr F4:6D:04:4A:F6:27  
          inet addr:82.204.106.39  Bcast:82.204.106.127  Mask:255.255.255.128
          inet6 addr: fe80::f66d:4ff:fe4a:f627/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:783505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:260554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:645423950 (615.5 Mb)  TX bytes:19198365 (18.3 Mb)
          Interrupt:46 Base address:0x4000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:15523 (15.1 Kb)  TX bytes:15523 (15.1 Kb)

wlan0     Link encap:Ethernet  HWaddr 48:5D:60:C8:0B:F5  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ziad@linux-ec5v:~> ping 82.204.1.1
PING 82.204.1.1 (82.204.1.1) 56(84) bytes of data.
64 bytes from 82.204.1.1: icmp_seq=1 ttl=251 time=6.87 ms
64 bytes from 82.204.1.1: icmp_seq=2 ttl=251 time=7.17 ms
64 bytes from 82.204.1.1: icmp_seq=3 ttl=251 time=6.97 ms
64 bytes from 82.204.1.1: icmp_seq=4 ttl=251 time=6.98 ms
64 bytes from 82.204.1.1: icmp_seq=5 ttl=251 time=6.85 ms
64 bytes from 82.204.1.1: icmp_seq=6 ttl=251 time=6.99 ms
64 bytes from 82.204.1.1: icmp_seq=7 ttl=251 time=6.94 ms
64 bytes from 82.204.1.1: icmp_seq=8 ttl=251 time=6.92 ms
^C
--- 82.204.1.1 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7009ms
rtt min/avg/max/mdev = 6.850/6.964/7.177/0.102 ms
ziad@linux-ec5v:~> 

@lwfinger, I honestly tried every reset trick in the book, short of throwing the router under a runaway train. Nothing worked. Maybe someone would be aware of such hacker tricks to take control of a router. Somehow the router system was altered in a way that the usual factory defaults cannot be recovered anymore.

On 08/03/2012 11:36 PM, zuze11 wrote:
> Somehow the router system was altered in a way that the usual factory
> defaults cannot be recovered anymore.

don’t you at some point need to seriously consider hardware failure/damage…

or seek help from a large group of Linksys gurus, maybe:
http://homesupport.cisco.com/en-us/wireless/lbc/wrt54G

(i mean, if your wrt54G was today not working while connected to a Win7
machine would you think your best possible help would be at
http://www.micr0$0ft.com/support?)


dd

Hardware failure is indeed a possibility, although remote. All these problems started directly after the hack attack.

What windows 7? I run an OpenSUSE system.

I am now convinced that 82.204.1.1 is the router in your LAN and not the hacked router.

I was already wondering how you determined that it would have another address. You can not connect it as it came from Canada in the LAN you now use. It has a completely different address (was that 192.168.1.1?).

I also guess that the network manager of your LAN will not be content with you connecting systems with an address not used in the LAN (or with a fixed address at all). But maybe (s)he will not notice.

The only way I see you can connect from your system to the hacked router (when indeed still having 192.168.1.1) in this LAN is by configuring your system with YaST not to use DHCP, giving it an address like 192.168.1.2 and not giving it a default gateway (or any routing).

Better would be to take a cross cable and to connect both together, creating your own LAN. Thus not using the buildings LAN for experiments. The configuration would be the same as above.

EDIT: I am confused about the different networks involved. **We need to know:**
. what was the network in Canada?
. what is the network now?
but the first is most important because the hacked router will still have an address in that range and thus cannot be accessed from a system in your present LAN configured by your present DHCP server.

On 2012-08-04 09:06, zuze11 wrote:

> Hardware failure is indeed a possibility, although remote. All these
> problems started directly after the hack attack.
>
> What windows 7? I run an OpenSUSE system.

No, you run a router, and that router does not run openSUSE, so you need to ask in router’s
forums, not here.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2012-08-04 10:26, hcvv wrote:

> The only way I see you can connect from your system to the hacked
> router (when indeed still having 192.168.1.1) in this LAN is by
> configuring your system with YaST not to use DHCP, giving it an adress
> like 192.168.1.2 and not giving it a default gateway (or and routing).
>
> Better would be to take a cross cable and to connect both together,
> creating your own LAN. Thus not using the buildings LAN for experiments.
> The configuration would be the same as above.

Yes, absolutely, that router should not be connected to any LAN nor the internet. It should
only be connected to one computer used for investigation, on the inside (LAN ports), and
another on the WAN. If the router is compromised, who knows what it could do to the LAN?

I would try nmap to see what ports and IPs are open on that router.

More info:

wikipedia
How to Reset the Linksys WRT54G Wireless-G Router

It is not press and power up. It is power up, wait, then press for 30". Maybe if it has been
re-flashed, the new firmware does not listen to the factory reset.

Linksys WRT54G Setup

Cisco

Cisco: how to reset

Press for 10", the power led should be blinking. Older models need 30" press.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
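A small TCP connect probe, added here as an example (it is not code from this thread, from Linksys or from nmap), that classifies a connection attempt the way the telnet messages in zuze11's output do: "refused" means the target answered with a TCP RST, so a host is alive at that address but nothing listens on that port (what `telnet 82.204.106.1 80` showed); "timeout" means neither SYN-ACK nor RST came back, so either no host owns the address or something dropped the SYN (what `telnet 192.168.1.1 23` showed). `scan()` runs the probe over a list of ports, a manual stand-in for the port survey Carlos suggests doing with nmap. The port list and the loopback self-test are assumptions for demonstration only; run it against the router only on an isolated test segment, never on the building LAN.

```python
import errno
import socket

# Ports worth checking on a WRT54G-class device: SSH, telnet, HTTP, HTTPS.
# This list is an assumption for the example, not something the thread states.
ADMIN_PORTS = (22, 23, 80, 443)


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt.

    open        -> handshake completed, a service is listening
    refused     -> host replied with RST: it is up, nothing listens on the port
                   (telnet prints "Connection refused")
    timeout     -> no SYN-ACK and no RST: no host at that address, or a
                   firewall silently dropping the SYN
                   (telnet prints "Connection timed out")
    unreachable -> the local stack has no route, or an ICMP unreachable
                   came back from a router in between
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"
            raise


def scan(host: str, ports=ADMIN_PORTS, timeout: float = 3.0) -> dict:
    """Probe each port once: a manual stand-in for `nmap -p 22,23,80,443 <host>`."""
    return {port: probe(host, port, timeout) for port in ports}


def listen_on_loopback():
    """Open a listening socket on an ephemeral loopback port (self-test helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Reserve and release an ephemeral port so that nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline self-test on loopback: one listening port and one closed port,
    # so the "open" and "refused" verdicts can be seen without any router.
    srv, open_port = listen_on_loopback()
    try:
        results = scan("127.0.0.1", (open_port, closed_loopback_port()))
        for port, verdict in results.items():
            print(f"127.0.0.1:{port} -> {verdict}")
    finally:
        srv.close()
```

Against the real device, call `scan("192.168.1.1")` from a machine that is on the same isolated cable; an all-"timeout" result means the router is not answering at that address at all, while a mix of "refused" and "open" proves the address is live and tells you which services survived the reset.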

On 2012-08-04 13:18, Carlos E. R. wrote:
> On 2012-08-04 09:06, zuze11 wrote:
>
>> Hardware failure is indeed a possibility, although remote. All these
>> problems started directly after the hack attack.
>>
>> What windows 7? I run an OpenSUSE system.
>
> No, you run a router, and that router does not run openSUSE, so you need to ask in router’s
> forums, not here.

Perhaps here


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Hello zuze11,

Are you still alive, or have you been thrown out of the student house for manipulating their LAN?

I have rethought this thread and come to the conclusion that most of us came to the wrong conclusion that you were trying to connect to the hacked router in a testing environment. You weren’t. You only tried to hack the Dutch router of the LAN in Amsterdam. :frowning:

When you brought your system from Canada to the Netherlands and started it in Amsterdam, it was DHCP served by the Dutch router with an IP address in the Dutch LAN and its gateway. This is what your route -n shows. Then you tried to connect to the gateway from that listing: the Dutch gateway. (This may be noticed by the Dutch network manager and seen as breaking of rules).

When you connected your hacked router to the Dutch LAN, it still had its Canadian IP address and as such is completely unreachable by any other system in the Dutch LAN, including yours. This because the routing table (yes the one you showed) tells us that any address not in the Dutch LAN, must go to the Dutch gateway. The Dutch gateway (and the internet behind) will have severe problems in finding your Canadian router because you took it away from Canada.

But, when your hacked router has still any life in it (we do not know) and is still able to run its DHCP server, it will compete with the Dutch router in serving DHCP clients. And those clients (read: fellow people switching their system on inside the building) that are served by your router instead of the Dutch one are in a dead alley! Again a reason for network managers to throw you out of the window directly in an Amsterdam canal.

When all your trials to reset the hacked router did work (again we do not know), its IP address will now be the factory default (which might BTW be the 192.168.1.1 mentioned earlier). This does not change the problems this device will present when connected to the Dutch LAN, but it will increase your problems in trying to connect to it.

Thus my sincere advice is: **take that router away from the Dutch LAN!**

And (as I advised earlier) take your system from the LAN, connect the two with a cross-over cable. First see if the router is functioning (miracles happen) and look if you get things from DHCP and when yes, try to connect to the address mentioned in the then route -n.
When not, try to configure your system with an address in the range that was available in Canada and try to connect. When that fails, try with an address in the factory default network (192.168.1.0/24 ?? read the documentation of the router).

Frankly Henk you’re out of line. I mean accusing me of hacking the local network!!!???

The network situation is just fine in my building, my roommates can connect to the internet without any issues and the same applies to other units. 192.168.1.1 is the default ip address used by linksys routers and I believe it is the same for the Netherlands. The router was correctly reset a number of times and should normally work seamlessly within any network. The fact that I cannot reach the router setup page does not mean that the entire building network was messed up by it (I could not reach that router on the Canadian network either). It only means that the router is not listening on its http port 80. I merely need to find a way to get around that.

Anyway, Carlos is right that this thread does not belong here and I am taking this issue to router forums somewhere else.

I’m done here!

On 2012-08-04 23:56, zuze11 wrote:

> Frankly Henk you’re out of line. I mean accusing me of hacking the
> local network!!!???

Not intentionally, but you are endangering it, by connecting a hacked machine to it. That
router may have been flashed, and it may attempt to phone home. You must not connect it to any
LAN/WAN.

> The router was correctly
> reset a number of times and should normally work seamlessly within any
> network. The fact that I cannot reach the router setup page does not
> mean that the entire building network was messed up by it (I could not
> reach that router on the Canadian network either). It only means that
> the router is not listening on its http port 80. I merely need to find a
> way to get around that.

No, the network was not messed, not that we know. But the router was not reset either, not
successfully - that you can not reach the admin page proves it.

> Anyway, Carlos is right that this thread does not belong here and I am
> taking this issue to router forums somewhere else.

Yes, that is wise. When you get results, we would be interested to learn the end of the history :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Hm, I see that I am not able to make clear what I want to make clear. In short this is:

1) You never tried to test any connection (ping/http/telnet) to that device in the Dutch network, everything was lost somewhere in the Dutch router (or beyond).

2) The fact that nobody asked any questions about your activities on the Dutch LAN may be due to a lot of things (including a sleepy manager), but an alert manager could value you trying to telnet into his router as “hacking”. Though I may have exaggerated a bit here to get my message through.

3) I warned you about connecting a working DHCP server to the Dutch LAN, but we do not know if your device is working and also which is the fastest DHCP server of the two. Thus your mentioning of no problems found is good, but proves nothing against what I said.

And as a follow up on point no 1) above. To convince me I am wrong, can anybody following this thread explain to me how a system in a LAN with IP address range 82.204.106.0/25 and having as routing table


ziad@linux-ec5v:~> /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         82.204.106.1    0.0.0.0         UG    0      0        0 eth0
82.204.106.0    0.0.0.0         255.255.255.128 U     1      0        0 eth0
ziad@linux-ec5v:~>

can ever connect using ping/telnet/http to a system connected physically to that same LAN, but having address 192.168.1.1?
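The question above can be answered from the routing table itself. The block below is an added example (not code from the thread or from any router vendor): it parses zuze11's `route -n` output as posted, performs the longest-prefix lookup the kernel performs, and reports which neighbour on the wire each packet is actually handed to. With that table, every destination outside 82.204.106.0/25, which includes 192.168.1.1 and also 82.204.1.1, is handed to the Dutch gateway 82.204.106.1, so a device that sits on the same cable but answers to 192.168.1.1 never sees the packet; the gateway forwards it towards the internet, where 192.168.0.0/16 is private and not routed. The second half models hcvv's isolated cross-cable setup from earlier in the thread (static 192.168.1.2/24 on eth0, no default gateway): the connected route that such an address creates is what makes 192.168.1.1 a direct neighbour. The helper names and the static address are assumptions for the example; the route lines are copied from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# zuze11's `route -n` output, copied verbatim from the thread.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         82.204.106.1    0.0.0.0         UG    0      0        0 eth0
82.204.106.0    0.0.0.0         255.255.255.128 U     1      0        0 eth0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link: ARP for the destination itself
    iface: str
    metric: int


def parse_route_n(text: str) -> list:
    """Turn the route lines of `route -n` into Route objects, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)  # dotted netmask is accepted
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_route(routes, dst: str) -> Optional[Route]:
    """Longest prefix match, lower metric breaking ties, as the kernel does."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes, dst: str) -> Optional[ipaddress.IPv4Address]:
    """The address the host ARPs for and hands the packet to on the wire (None: no route)."""
    route = select_route(routes, dst)
    if route is None:
        return None
    return route.gateway if route.gateway is not None else ipaddress.IPv4Address(dst)


def with_static_address(routes, cidr: str, iface: str) -> list:
    """The table plus the connected route that configuring `cidr` on `iface` adds."""
    connected = ipaddress.IPv4Interface(cidr).network
    return list(routes) + [Route(connected, None, iface, 0)]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("82.204.106.1", "82.204.1.1", "192.168.1.1"):
        print(f"{dst:>14} -> handed to {next_hop(table, dst)}")
    # Isolated setup: static 192.168.1.2/24 on eth0, no default route, cross cable to the router.
    isolated = with_static_address([], "192.168.1.2/24", "eth0")
    print(f"   192.168.1.1 -> handed to {next_hop(isolated, '192.168.1.1')} (with 192.168.1.2/24 on eth0)")
    print(f"    82.204.1.1 -> {next_hop(isolated, '82.204.1.1')} (no route at all on the isolated host)")
```

The point of the last two lines is the one hcvv makes: on the isolated host only the connected 192.168.1.0/24 route exists, so 192.168.1.1 is ARPed for directly and nothing else is reachable, which is exactly the containment wanted for a device that may have been reflashed.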