
Eircom D1000 ZyXEL Router "hacked" by neighbour?

  • 04-09-2014 2:12pm
    #1
    Registered Users, Registered Users 2 Posts: 7


    Perhaps this is better in Information Security? - mods please move it if necessary.

    Interesting one here! A non-techie friend was sent out a new router after complaining to Eircom about intermittent loss of internet access. I told them it's very easy to replace, switch all the cables into the new one, but they asked me to do it.

    Before I go any further this is NOT the old Netopia WEP Eircom SSID hack.

    So I duly replaced the router. It was a ZyXEL D1000 (the latest Eircom type?), it had WPA2-PSK, etc. I considered changing the WPA2 passcode and the router admin password, but didn't think it was an immediate necessity. Wanted to see how the thing worked first. All working fine for about 20 mins, then internet access went. Not long after that, the eircom SSID disappeared, and a new strong SSID was visible from my computer/devices calling itself "evil" (?!), this was open and offered internet access. And another different Eircom SSID which was protected.

    I suspected something funny was up so I switched off the router, and both new SSIDs disappeared. Switched it on, and they reappeared after a minute. I connected by LAN cable and logged onto the router admin webpage and changed the admin and SSID passwords (thankfully these hadn't been changed). I turned off wifi and WPS on the router. I looked for evidence in the logs, but couldn't see anything relevant. Not sure how I'd trace a MAC address to someone if I spotted an odd one. I noticed the default firewall level had been lowered one notch to allow access to devices on the network.

    In the end I just decided to reset the router to factory defaults, then immediately changed all the passwords again, and turned off WPS. I've been told all has been working fine since then.

    But, I'm still very surprised by the experience. Are Eircom's latest routers that vulnerable out of the box? Is their implementation of WPA2 compromised? Or was it a WPS hack? From what I've read, successful attacks (brute force, etc) on either take more than an hour, and this happened much quicker.
    And how lucky/unlucky was it to plug in a new router and have someone lurking nearby looking for mischief? If I hadn't been there, I guess it could have been given back to Eircom as being faulty. Perhaps the previous intermittent connection loss on the old router was due to someone attempting to hack/mess with it? e.g. setting up a fake SSID of the same name to collect traffic from devices?

    Any thoughts people? Thanks!


Comments

  • Registered Users, Registered Users 2 Posts: 7 zozimus10


    Any thoughts/ideas, before I start drawing up a list of suspects (e.g. young men) living in close proximity? :)


  • Registered Users, Registered Users 2 Posts: 1,411 ✭✭✭stooge


    Seems unlikely the SSIDs were coming from your router despite them disappearing when you turned it off. Would be interesting to check periodically at the house to see if those SSIDs return. The only explanation I can think of for it being your router was that someone had installed custom firmware/custom configuration before you bought it, i.e. it was a refurb from Eircom. Hacking a router like that, especially just after setting it up, seems the least likely reason. IMO of course!
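
One way to run the periodic check suggested above and decide whether an unexpected SSID comes from your own router or from another device. This is an added example, not part of any post in the thread. It assumes the scan was captured with `nmcli -t -f SSID,BSSID,SECURITY device wifi list`; the SSIDs and BSSIDs are constructed, and the "same radio" rule is a heuristic, not a guarantee.

```python
import re

# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY device wifi list`
# output (terse mode escapes the colons inside a BSSID with a backslash).
SAMPLE_SCAN = r"""
eircom-home:00\:11\:22\:33\:44\:50:WPA2
evil:00\:11\:22\:33\:44\:51:
eircom-guest:02\:11\:22\:33\:44\:50:WPA2
NeighbourNet:66\:77\:88\:99\:AA\:BB:WPA2
"""


def parse_scan(text):
    """Return (ssid, bssid_octets, security) for each well-formed scan line."""
    rows = []
    for line in text.strip().splitlines():
        # Split on unescaped colons only, then undo the escaping.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 3:
            continue  # skip malformed lines rather than guess
        ssid, bssid, security = fields
        rows.append((ssid, bssid.lower().split(":"), security))
    return rows


def same_radio(a, b):
    """Heuristic (assumption): extra SSIDs served by one radio usually share
    the middle four BSSID octets and differ only in the first or last one."""
    return len(a) == 6 and len(b) == 6 and a[1:5] == b[1:5]


def audit(scan_text, router_bssid, expected_ssids):
    """List every SSID that is not expected, with its likely origin and
    whether it is open (no security advertised)."""
    router = router_bssid.lower().split(":")
    findings = []
    for ssid, octets, security in parse_scan(scan_text):
        if ssid in expected_ssids:
            continue
        origin = "own-router" if same_radio(octets, router) else "other-device"
        state = "open" if security in ("", "--") else "protected"
        findings.append((ssid, origin, state))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN, "00:11:22:33:44:50", {"eircom-home"}):
        print(finding)
```

An unexpected SSID reported as `own-router` points at the router's own configuration or firmware rather than at a nearby rogue access point.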


  • Registered Users, Registered Users 2 Posts: 7 zozimus10


    Sorry, may have neglected to say that I could see the SSID of the router had been changed when I logged onto the web page. But I couldn't see how it appeared to be broadcasting 2 SSIDs though.
    The router wasn't bought, it was sent directly by Eircom as a replacement.

    Very strange really!


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    I'd be very doubtful that the router was hacked within 20 minutes, not exactly sure how it could happen, but it would make more sense to me if the router was a refurb from eircom, and the previous customer had that as their ssid...


  • Registered Users, Registered Users 2 Posts: 1 TerryHealy


    You need to check DHCP. Spot anything other than your devices you have an issue!


  • Registered Users, Registered Users 2 Posts: 1,411 ✭✭✭stooge


    Knasher wrote: »
    I'd be very doubtful that the router was hacked within 20 minutes, not exactly sure how it could happen, but it would make more sense to me if the router was a refurb from eircom, and the previous customer had that as their ssid...

    +1 I was going to reply with exactly the same comment. Only thing to add is maybe get your logs saved somewhere and ftp off for viewing. That way you can see if any undesirable activity is happening.


  • Registered Users, Registered Users 2 Posts: 1,740 ✭✭✭kingtiger


    WPA2 can be easily hacked with the right equipment, all you need is a few bits of software that are readily available on the internet and a wireless adapter that supports packet injection

    I have done it with a Nexus 7 with a custom ROM and a RTL8187 wireless USB adapter, it's so easy that it's actually quite frightening

    (only used it for test purposes, no PMs please as I won't give out any info)


  • Registered Users, Registered Users 2 Posts: 224 ✭✭Dermot McDonnell


    kingtiger wrote: »
    WPA2 can be easily hacked with the right equipment.... it's so easy that it's actually quite frightening..

    This is true especially if WPS has been enabled for some time. Reaver or bully will likely crack it in a couple of hours. If not, cracking WPA2 can be done but it takes longer depending on the nature of your password.

    Once wifi access is achieved, taking control is trivial.

    Search "ZyXEL P-660HN-T1A Authentication Bypass".

    Reported by Michael Grifalconi last May.

    Regards,

    Dermot


  • Registered Users, Registered Users 2 Posts: 7,401 ✭✭✭Nonoperational


    Yes, but it's highly unlikely that a new router was hacked within 20 minutes of being switched on.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭Dermot McDonnell


    It would be perfectly possible to gain privileged access to the new router, in the circumstances described by the OP, in a lot less than 20mins.


  • Banned (with Prison Access) Posts: 5,575 ✭✭✭AlanS181824


    Very interesting story OP!

    Has anything happened since do you know?


  • Registered Users, Registered Users 2 Posts: 7 zozimus10


    Last I heard, all working fine for last few days since the new router was wiped, and passwords reset.


  • Registered Users, Registered Users 2 Posts: 1,666 ✭✭✭charlie_says


    Turn off WPS for a start, it's highly vulnerable. If your router was attacked in a short time then that is the likely culprit.

    Also your WPA2 password, try to make it at least a sentence of 4+ easily remembered words. The longer the better, but make it easy to remember. Shorter but more complex passwords are generally easier to brute force than something like the above, and they are hard to remember.

    Also those D1000 boxes are crap. I've seen some weird routing problems on them when UPnP is turned on, which are annoying to track down. I'd turn that off also with that model.


  • Registered Users, Registered Users 2 Posts: 824 ✭✭✭pbarr


    I've just come on this thread after a Google search. My D100 router is showing the evil network also alongside the Eircom one. It's been there this past few weeks and like the OP it goes when you switch off the router and comes back when you switch on. I know for certain that the router wasn't hacked by anyone because we live out in the country and nobody else was near it, unless it was done remotely. I'm going to reset it to factory settings to see will that get rid of it.


  • Registered Users, Registered Users 2 Posts: 48 apm0003


    Sounds like the makings of a good horror film ... first sign of the impending doom is the appearance of a mysterious SSID ...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pbarr wrote: »
    I've just come on this thread after a Google search. My D100 router is showing the evil network also alongside the Eircom one. It's been there this past few weeks and like the OP it goes when you switch off the router and comes back when you switch on. I know for certain that the router wasn't hacked by anyone because we live out in the country and nobody else was near it, unless it was done remotely. I'm going to reset it to factory settings to see will that get rid of it.

    Just curious if there is malware now that is configuring your router.


  • Registered Users, Registered Users 2 Posts: 824 ✭✭✭pbarr


    Just curious if there is malware now that is configuring your router.
    I really don't know but it must be. I haven't reset the router yet but I'm assuming that will get rid of it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pbarr wrote: »
    I really don't know but it must be. I haven't reset the router yet but I'm assuming that will get rid of it.

    Can you run some antivirus scans with Malwarebytes or something, or even post a log from HijackThis: http://sourceforge.net/projects/hjt/


    It would be worse if the modem/router has a weakness or vulnerability where it can be configured via the public internet without the owner's intention. If that is the case, you probably got picked off by an IP range scan.

    Also, for the evil AP, what password is it setting, or are there any configurations that stand out that you can google around to get more info?


  • Registered Users, Registered Users 2 Posts: 847 ✭✭✭Bog Standard User


    zozimus10 wrote: »
    Perhaps this is better in Information Security? - mods please move it if necessary.

    Interesting one here! A non-techie friend was sent out a new router after complaining to Eircom about intermittent loss of internet access. I told them it's very easy to replace, switch all the cables into the new one, but they asked me to do it.

    Before I go any further this is NOT the old Netopia WEP Eircom SSID hack.

    So I duly replaced the router. It was a ZyXEL D1000 (the latest Eircom type?), it had WPA2-PSK, etc. I considered changing the WPA2 passcode and the router admin password, but didn't think it was an immediate necessity. Wanted to see how the thing worked first. All working fine for about 20 mins, then internet access went. Not long after that, the eircom SSID disappeared, and a new strong SSID was visible from my computer/devices calling itself "evil" (?!), this was open and offered internet access. And another different Eircom SSID which was protected.

    I suspected something funny was up so I switched off the router, and both new SSIDs disappeared. Switched it on, and they reappeared after a minute. I connected by LAN cable and logged onto the router admin webpage and changed the admin and SSID passwords (thankfully these hadn't been changed). I turned off wifi and WPS on the router. I looked for evidence in the logs, but couldn't see anything relevant. Not sure how I'd trace a MAC address to someone if I spotted an odd one. I noticed the default firewall level had been lowered one notch to allow access to devices on the network.

    In the end I just decided to reset the router to factory defaults, then immediately changed all the passwords again, and turned off WPS. I've been told all has been working fine since then.

    But, I'm still very surprised by the experience. Are Eircom's latest routers that vulnerable out of the box? Is their implementation of WPA2 compromised? Or was it a WPS hack? From what I've read, successful attacks (brute force, etc) on either take more than an hour, and this happened much quicker.
    And how lucky/unlucky was it to plug in a new router and have someone lurking nearby looking for mischief? If I hadn't been there, I guess it could have been given back to Eircom as being faulty. Perhaps the previous intermittent connection loss on the old router was due to someone attempting to hack/mess with it? e.g. setting up a fake SSID of the same name to collect traffic from devices?

    Any thoughts people? Thanks!

    Call Eircom, there is a firmware update to fix that evil wifi SSID bug. Your modem wasn't hacked... it's a bug in one version of firmware. So if you have firmware version 2.00aadu2do it has the bug

    you can also get the fixed version here 2.00aadu4do

    connect a laptop to the modem via ethernet cable

    download the fixed firmware

    reset your modem

    open your web browser and enter 192.168.1.254

    enter the wifi key as the password. click skip & skip

    then go to maintenance and firmware update

    click browse and select the file you downloaded then click upload.

    the modem will do the rest then reboot.

    once it reconnects your modem will no longer have the evil wifi ssid bug

