You probably heard the advice given earlier this week to reset your router due to malware referred to as "VPNFilter" infecting a large number of routers. I do not want to second-guess this advice, but instead outline a couple of issues with "resetting" a router. First: pretty much all router malware (Mirai variants, TheMoon and various Linux Perl/bash scripts affecting routers) will not survive a simple power cycle of the router. However, the vulnerability that let the malware in will. Second: some configuration changes may survive. In particular, changes to DNS settings, which are often made without any actual malware at all, by using CSRF vulnerabilities in the router's web-based admin interface. My main problem with having thousands of users reset their routers to factory default settings is that they may inadvertently reset them to use a simple default password. So here are some generic step-by-step instructions on what to do:
For a simple reset that will take care of > 99% of malware I see on routers:
Johannes 4105 Posts ISC Handler
May 31st 2018
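A defender's check for the DNS point made in the post above: the resolvers a router hands out can be changed via CSRF and survive a power cycle, so verify them after any reset. This is an added example, not code from the diary or from ISC; the expected resolver set, the LAN subnet and the sample resolv.conf are constructed placeholders.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed placeholders (not from the diary): the resolvers you configured
# the router to hand out, and the router's LAN subnet.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample resolv.conf, as a DHCP client would write it after talking
# to a router whose DNS settings were changed behind the owner's back.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
nameserver 192.168.1.1
nameserver 203.0.113.53
search lan
"""


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers: list[str] = []
    for raw in resolv_conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry: skip it rather than crash
    return servers


def audit_resolvers(servers: Iterable[str], expected: set[str],
                    lan: ipaddress.IPv4Network | ipaddress.IPv6Network) -> list[str]:
    """One finding per resolver outside the expected set; such a resolver means
    the router's DNS settings are not what you configured, which is exactly the
    kind of change a power cycle does not undo."""
    findings = []
    for server in servers:
        if server in expected:
            continue
        where = "on-LAN" if ipaddress.ip_address(server) in lan else "off-LAN"
        findings.append(f"unexpected {where} resolver {server}")
    return findings


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("\n".join(audit_resolvers(found, EXPECTED_RESOLVERS, LAN_SUBNET)) or "DNS OK")
```

Run it against the real /etc/resolv.conf (or the DNS servers shown in the router's DHCP settings) before and after the reset; any finding that reappears after a factory reset points at a setting the reset did not touch.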
Hi Johannes
Very good post. But I don't think changing the IP scheme is a good general recommendation. If you change the IP of the router's LAN interface, you need to change more items in the configuration, such as the DHCP pool IP range or other options. As general advice it is going to complicate the steps while providing some (very little) benefit. The risk is that, after doing these steps, the router "just doesn't work", and the user will be forced to undo everything and return to an insecure status.
Anonymous
Jun 1st 2018
I personally like my wrt1900ac equipped with bleeding-edge LEDE/OpenWrt.
I would never use a router that wasn't customized with DD-WRT or OpenWrt (preferably). Also, I know that for most routers, to verify if the bin file is for their router, they only check a few bits at the beginning of the file. I would highly recommend getting a customizable OpenWrt- or DD-WRT-friendly router. Some of them are literally ten dollars on eBay. And FYI, the super paranoid way to reflash a firmware is through a serial cable attached to the motherboard... I have had to unbrick my wrt1900ac and have come close with my wrt3200acm.
jACKtheRipper 63 Posts
Jun 4th 2018
FWIW, the last time I updated my Cisco RV325's firmware, it broke the SOHO router -- I could no longer CONNECT to it. Momentarily panicked, I then luckily had the presence of mind to immediately factory reset the router and load up (1) the previous firmware update (which thankfully "took") and (2) the last known good startup configuration. I make startup-configuration backups after even the smallest configuration changes. Writing down all the configuration settings is not feasible.
robv 22 Posts
Jun 4th 2018