Avast reports that the router is vulnerable, infected, or configured incorrectly. How to check your router for VPNFilter infection and how to clean a TP-Link router of viruses

In light of the frequent cases of DNS substitution by malware on Internet users' devices, the security of Wi-Fi routers comes into question. How do you check a router for viruses? How do you remove a virus from a router? The question is complicated and simple at the same time. There is a solution!


On most modern routers a virus cannot write itself to the device because there is little space in the router's memory, but it can turn the router into a zombie that takes part in a botnet. As a rule, this is a botnet for attacking various servers, or for redirecting and analyzing the information flowing from you.

Your passwords and personal correspondence can get into the hands of intruders!

It must be fixed as quickly as possible.

  • Reset router settings
  • Flashing the router firmware
  • Repeated

Reset router settings

You can reset the router settings by pressing the Reset button. This button is usually located on the back of the router, next to the LAN ports. It is usually recessed in a hole to prevent accidental presses, so you will have to use a toothpick. The reset removes the settings changed by the virus and puts the factory settings in their place. Be warned: if you do not know how to configure the router, you should not reset its settings!

Flashing the router firmware

Sometimes the virus "uploads" modified firmware to the router. You can remove the infected firmware by flashing the router again.

Connect the computer to the router with a LAN cable. A LAN cable comes with any router. Alternatively, connect via Wi-Fi if a cable connection is not possible. A cable connection is better! A wireless connection is considered unstable and unsuitable for flashing router firmware.

Once connected to the router, open a browser (Chrome, Opera, Mozilla, IE) and enter the router's address in the address bar; for ASUS routers it is 192.168.1.1. On the page that opens, you will need to enter a login and password to access the router settings. Login: Admin, Password: admin. If the login and password do not work, ask whoever set up the router; they may have changed them.

Download the firmware from the manufacturer's website and select the firmware file on disk from the router's settings page. For the vast majority of routers, the flashing steps are the same.

To protect TP-LINK routers against Trojan.rbrute, you need to meet several simple conditions. The virus spreads by scanning ranges of IP addresses, after which password guessing by brute force begins. Almost all popular TP-LINK router models are exposed to the attack. Having broken into the device's settings, the Trojan changes the provider's DNS addresses to the attackers' addresses.

Your router is infected if:

When you try to open any website, be it remont-sro.ru or the Gmail.com service, a fake Google Chrome download site or another suspicious resource opens instead. Initially, the redirect worked only for user requests containing Facebook or Google, but now the Trojan reacts to any of them. The indicator lights on the modem remain the same, the "Internet" light is steady, the computer shows that the connection is established and authorization has passed, but the Internet itself does not work and only redirects to advertising and/or fake download pages.
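The symptom above (every site landing on the same fake page after the router's DNS addresses were replaced) can be checked from the PC. The following is an added example, not part of the original article: it flags unrelated names that all resolve to one address and answers that share nothing with a trusted lookup. The function names and all addresses are constructed for illustration, and the reference answers are assumed to come from a path that bypasses the router, such as a phone on mobile data.

```python
import socket
from collections import Counter

# Constructed sample data (documentation-range addresses, not real answers).
OBSERVED = {  # answers seen on a PC behind the suspect router
    "gmail.com": {"203.0.113.66"},
    "remont-sro.ru": {"203.0.113.66"},
    "example.org": {"203.0.113.66"},
}
REFERENCE = {  # answers taken over a trusted path
    "gmail.com": {"192.0.2.10"},
    "remont-sro.ru": {"198.51.100.7"},
    "example.org": {"192.0.2.44"},
}


def resolve_via_system(names):
    """Resolve names through the resolver the router handed to this PC."""
    answers = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
            answers[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            answers[name] = set()
    return answers


def hijack_indicators(observed, reference):
    """Return (sign, detail) tuples for DNS answers that look substituted."""
    findings = []
    # Sign 1: three or more unrelated sites all resolve to one address.
    counts = Counter(ip for ips in observed.values() for ip in ips)
    for ip, n in counts.items():
        if n >= 3 and n == len(observed):
            findings.append(("all-names-one-address", ip))
    # Sign 2: an answer shares nothing with the trusted one. Weak on its
    # own, because large sites legitimately answer differently by region.
    for name, ips in observed.items():
        good = reference.get(name, set())
        if ips and good and not (ips & good):
            findings.append(("differs-from-reference", name))
    return findings


if __name__ == "__main__":
    for finding in hijack_indicators(OBSERVED, REFERENCE):
        print(finding)
```

For a live check, pass the output of resolve_via_system() as the observed answers in place of the constructed sample.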

Item 1. Reset and reconfiguration of the modem
These instructions were prepared by Korchagin Maria, a specialist at GTP COO

If you cannot reach the modem settings at 192.168.1.1, try the address 192.168.42.1.

This page gives settings only for the Internet service. To configure IP-TV and Wi-Fi, download the full manuals:

Russian version - http://yadi.sk/d/jc6l6fpvrbu9p.

English version - http://yadi.sk/d/j6ly7ba4rbu8r.

1. To reset the modem settings correctly, press the Reset button, which sits in a small recess, with a needle / pen refill / toothpick. Hold it for 5 to 15 seconds until the indicators on the device go out. The lights should go out as they do after a normal reboot of the router.

2. To configure the modem, connect the cable to any LAN port; do not configure it over a Wi-Fi connection.

3. Using the Internet Explorer browser, open the router interface at 192.168.1.1. A dialog box opens. In the "User Name" and "Password" fields, enter Admin / Admin, respectively. The router's start page opens (see below).

On this page you will see which settings already exist:

4. Before you begin configuring the router, you must delete all previously created settings. To do this, go to the section "Interface Setup" -> "Internet", select "Virtual Channel" PVC0, and press the "Delete" button at the bottom of the page. Do the same with each virtual channel (there are only 8 of them).

As a result, this is what you should see (go back to the "Condition" section):

5. Now go to the section "Interface Setup", then choose the subsection "Internet" (see screenshot below). Set the parameters as in the screenshot below (user and password: RTK), then save all the parameters by clicking the "Save" button.
This completes the setup in PPPoE mode.

Item 2. Changing the router login password

To change the password, go to the section "Operation of the device", then "Administration", where the router password is changed (come up with a complex password) (see screenshot below). Then click the "Save" button.

Item 2.5. List of passwords that are not recommended for the router login

111111
12345
123456
12345678
ABC123
Admin
Administrator
Password
QWERTY
root
TADPASSWORD
TrustNo1
Consumer
Dragon
Gizmodo
iqrquksm
Letmein

The virus already "knows" all of these passwords, and guessing the password will take 1 second. A password should not consist only of digits or only of letters. Special characters must be present (hash signs, asterisks, percent signs, quotation marks), as well as letters in different cases (uppercase and lowercase). The more varied the password, the longer it will take to brute-force (if that succeeds at all).
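The rules above, turned into a check you can run on a candidate router password before saving it. This is an added example, not part of the original instructions: the deny list is the one from Item 2.5 (lowercased, trailing periods dropped), while the 12-character minimum and the rule that rejects a listed word with extra characters attached are assumptions added here.

```python
import string

# Deny list from Item 2.5 of the page, lowercased for comparison.
DENY_LIST = {
    "111111", "12345", "123456", "12345678", "abc123", "admin",
    "administrator", "password", "qwerty", "root", "tadpassword",
    "trustno1", "consumer", "dragon", "gizmodo", "iqrquksm", "letmein",
}
MIN_LENGTH = 12  # assumption: the page states no minimum length


def password_problems(candidate):
    """Return every rule the candidate router password breaks."""
    problems = []
    lowered = candidate.lower()
    if lowered in DENY_LIST:
        problems.append("on the deny list")
    elif any(len(word) >= 5 and word in lowered for word in DENY_LIST):
        # Added rule: a listed word with decoration is still easy to guess.
        problems.append("contains a deny-listed word")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.isdigit():
        problems.append("digits only")
    if candidate.isalpha():
        problems.append("letters only")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("admin", "TrustNo1", "Admin2024!", "vK7#qe*Lw%2zPd"):
        print(repr(pw), "->", password_problems(pw) or "passes")
```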

Dear readers, to save your time, straight to the main point. Everything described below helps, when there are Trojans or viruses on the computer, for 5-7 days. During this period scans from the Internet keep coming, but after the hack a suspicious silence falls: there are no scans, because the infected router no longer lets them through to the PC; it accepts commands and executes them. This affects the Internet speed: it drops.

If your router is already infected, theft of FTP, mail and other passwords is a matter of the near future.

Back in 2009, someone at DroneBL informed the world about (the beginning of?) an epidemic of viruses that affect routers. The news appeared after an attack on the site; the site's administrators found that this was a fundamentally new kind of DDoS attack. The attack was carried out by infected routers. So the "family" of zombie computers gained a new member: zombie routers. A botnet was discovered that consisted of infected home routers! The network was named "PSYB0T". Thus the epidemic of router viruses officially began.

Hacking occurs by scanning the router's ports and seizing control over it. Unfortunately, articles are multiplying on the Internet about exactly how one router model or another is easiest to hack. But that is also where you can learn how to protect yourself from this misfortune. Once control over the router was established, spying on the contents of the passing traffic began. Password theft. Joining the general malicious activity of botnets on the world Internet. Port scanning of the home PC, and here I will go into more detail. The author was able to establish that having a network connection to a hacked router leads to the following problems. When the firewall is reinstalled, viruses appear in the system "out of nowhere". When you try to install Debian or Ubuntu while downloading updates during the installation, these systems install incorrectly. Namely:

  1. The installed Firestarter cannot be launched: the administrative function starts and that is all. That is, something starts with admin privileges, but what it is remains unknown. Firestarter simply does not start.
  2. If there is an Internet connection, DeaDBeeF does not start; when the router is turned off, it starts immediately.
  3. Some applications requiring admin privileges launch without a password prompt; the rest do not start at all.
  4. After this article was written, these symptoms became less pronounced. That is, there will be problems, but they will look different.

Re-installation on the same computer, from the same installation disk, with the router turned off, succeeded. The system (verified on Ubuntu) ran like clockwork. This is not surprising, because the first routers to be vulnerable were those running the Linux Mipsel operating system. Of course, the harm that comes from a zombie router is more "diverse" than what I noticed and described here, but I share what I have at the moment...

The installed Windows (with the infected router disconnected) "survived", but Agnitum Outpost Firewall Pro detected port scans from the first minutes after installation. That is, the router attacks the port(s).

Fig. Scanning my ports from the Internet and, finally, from an infected router.

As can be seen in the picture, on 04/27/2017 at 23:51:16 there was already a scan from the zombie router. Before that, there were scans from Kaspersky Security Network - 130.117.190.207 (the firewall does not like them, but this is normal when Kaspersky is installed) and from unknown sources. And on 04/27/12 the router (Huawei HG530) was reset to factory settings. Since then, there have been only events from Kaspersky Security Network - 130.117.190.207 and ARP_UNWANTED_REPLY, because the author turned on ARP filtering. Therefore the router's attempts to "talk" to the PC once more (this is normal router activity, but Agnitum now passes only those ARP replies that come in response to a request from my PC), as well as attempts by certain individuals to intercept traffic with a fake ARP reply, are blocked by the firewall. If someone intercepts my traffic this way and passes it through their computer, I will be in the role of an office employee who uses the Internet while the company's sysadmin sees all my actions and compiles a detailed report for the boss: how many letters were written (to whom, about what), how much chatting was done in ICQ. Of course, passwords for mail and so on can also be stolen.

The result: from the moment I reset my router and did what I describe below, there have been no attacks from the Internet. "Powder" is eliminated, the router is clean and does only what it was made for. But the Trojan on the PC should also be removed, otherwise it will point the hackers to your IP again.

Network equipment manufacturers do not offer protective measures. The instructions for routers describe how to enter the login and password for access to the provider, but say not a word about the fact that the default admin password must not be left in the router! In addition, routers always have remote management features, which are often enabled. Anti-virus software manufacturers keep silent. The question of who benefits from this arises involuntarily.

Ways of infection.

It is better to see once. For this I offer a GIF animation with a schematic analysis of the situation. If it is not visible, an ad blocker or something similar is interfering; turn it off on this page.

There are two of them. The first is through the WAN, that is, the Internet. Hackers find your IP, for example when you download or share files using the torrent protocol (more on this at the end of the article), and by scanning your IP find weak points in the router's protection. But this is less likely. How to close this gate is described further in this article.

Or there is a Trojan on our PC, and it points hackers to our dynamic (!) IP. Knowing this address, they methodically "hammer" the router. Trojans are covered under the second way of infection.

The second is through the LAN, that is, from your PC. If there is a Trojan on your PC, the hackers will be able to guess the router password directly from your PC. Therefore this password should be changed from time to time. But what about the fact that an infected computer will try to hack the router from a side where no protection is provided? To begin with, you need to understand that a clean router with an infected PC will not last long. Ordinary brute force (guessing the password by exhaustive search) breaks it in a week, or even faster. So, if you often have to clean the router, it is time to think about a full cleanup from viruses.

And now the key point. Where does the virus / Trojan on the PC come from? I list the main causes and, in brackets, the solutions. The options are:

1 - Windows that was cracked from the start (use clean installation discs);

2 - Clean Windows was cracked after installation (either put up with it and reinstall it monthly, or buy Windows);

3 - Cracked software (use free programs or buy paid ones);

4 - A virus in your personal files (run all personal files through cleaning, as I described in cleaning the system from viruses);

5 - The system was infected during use via a flash drive, the Internet, or who knows how (protection: use the Internet safely; on flash drives and the last item, silence).

Separately, I note that having found the router's IP, the hackers start scanning it in order to gain access to the encrypted password and then seize control using the stolen password. So do not leave the router on if you do not need Internet access right now.

BUT!!! Even if you download using a virtual machine, they will start hammering your router. What helps is turning it off and on again during the process and, most importantly, after the torrent download finishes: the provider will issue a new dynamic IP, and after the router restarts the hackers can only guess which address you are now on. And your router, too... Of course, you will not stay seeding: once the download finishes, you should immediately close the torrent client, and then turn the router off and on.

And generally speaking

Do not keep the router switched on unnecessarily! Do not give small-time hackers another shot at your property... Do not forget to clean the router every time the Internet connection speed drops for no reason. Caution will not hurt...

Well, that is all. Now you can take the factory instructions for your router and enter the login and password issued by your Internet provider. This is usually done on the WAN Settings tab. Now your router cannot be managed via the Internet. At least for now.

Your router is one of the weakest links in your security, and researchers have proven it again.

Sixty security flaws were found in 22 router models around the world, mainly in those that Internet providers supply to their customers. These vulnerabilities can allow hackers to break into the device, change the password, and install and execute malicious scripts that change DNS servers. In this way hackers can redirect you to malicious sites or download malicious code onto your computer when you visit official web pages.

The vulnerabilities also allow hackers to read and write information on USB storage devices connected to a hacked router.

The research describes how attackers can access PCs, namely through a backdoor with a universal password that the provider's technical staff use for remote assistance to customers by phone. This second default access with administrator rights is hidden from the router owner.

What models of routers were tested?

Researchers tested the following models: AMPER XAVI 7968, 7968+ and ASL-26555; ASTORIA ARV7510; Belkin F5D7632-4; Linksys WRT54GL; COMTREND WAP-5813N, CT-5365, AR-5387UN and 536+; D-Link DSL-2750B and DIR-600; Huawei HG553 and HG556A; NETGEAR CG3100D; OBSERVA Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Sagem LiveBox Pro 2 SP and FAST 1201; and ZyXEL P 660HW-B1A.
Because the researchers are from Madrid, the main target of their research was routers supplied by Spanish Internet providers, but Linksys, D-Link and Belkin devices are widely used in Russia and other countries.

How can you protect your router?

All Avast antivirus products have a built-in Home Network Security (HNS) function, which scans for a poorly configured Wi-Fi network and flags weak or default Wi-Fi passwords, vulnerabilities in the router, compromised Internet connections, and IPv6 that is enabled but not secured. This feature also shows a list of devices connected to the network, which helps you check that only devices known to you are connected to your network. Avast is the only company in the information security field that offers the ability to protect this area.

How to scan your home router with Home Network Security?

Open the Avast interface. Click the Scan button in the left menu, then select Network Threat Scanning.
Avast will scan your router and provide a report on the threats found. In most cases, if a threat requiring your attention is detected, Avast will direct you to the router manufacturer's website.