8800NL Compromised - DHCP DNS Resolvers Changed

Discussions for BiPAC 8800 series: 8800NL, 8800NLR2, 8800AXL, 8800AXLR2
Enverex
Posts: 1
Joined: Thu Nov 06, 2014 8:54 pm

8800NL Compromised - DHCP DNS Resolvers Changed

Post by Enverex »

So I recently had to have the modem take over DHCP duties as my home server is currently offline. It was fine for a few days, but then suddenly sites stopped working (or responded with an invalid certificate). I checked the DNS resolvers on one of my machines and they were wrong, so I checked the router and it seems the DNS resolvers set on the DHCP server page had been changed to two malicious ones.

This is incredibly concerning for a few reasons: remote management was already turned off (and had never been turned on) and the admin password had been changed to something cryptic (which only I have access to).

Is there some sort of remote exploit available for the 8800NL routers? I'm already running the latest version of the firmware (2.32e) so there's not much more I can do here.
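The symptom described in this post (the router's DHCP server quietly advertising rogue resolvers) can be watched for from the LAN side. The following is an added example, not code from the thread or from Billion: it parses the option-6 field of a captured DHCP offer and flags any resolver that is not on an allowlist. The allowlist addresses and the sample offer built by `build_offer` are constructed placeholders.

```python
import ipaddress

# Constructed allowlist: the resolvers this home network expects the router to hand out.
EXPECTED_DNS = {"192.168.1.1", "1.1.1.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236 of the BOOTP payload
OPT_DNS_SERVERS = 6
OPT_END = 255
OPT_PAD = 0

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a BOOTP/DHCP payload into {code: raw_bytes}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # length claims more bytes than remain
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def advertised_dns(payload: bytes) -> list:
    """Return the resolver addresses carried in option 6, in the order offered."""
    raw = parse_dhcp_options(payload).get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def unexpected_resolvers(payload: bytes, expected=EXPECTED_DNS) -> list:
    """Resolvers in the offer that are not on the allowlist; an empty list means clean."""
    return [ip for ip in advertised_dns(payload) if ip not in expected]

def build_offer(dns_servers) -> bytes:
    """Build a minimal DHCPOFFER (option 53 = 2, option 6 = dns_servers) as a test fixture."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY, htype=1, hlen=6, hops=0, rest zeroed
    dns = b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_servers)
    options = bytes([53, 1, 2]) + bytes([OPT_DNS_SERVERS, len(dns)]) + dns + bytes([OPT_END])
    return header + DHCP_MAGIC + options
```

In practice the payload would come from a DHCP listener on the LAN (a raw UDP socket bound to port 68); here `build_offer` stands in for the capture.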
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: 8800NL Compromised - DHCP DNS Resolvers Changed

Post by billion_fan »

Enverex wrote: Sun May 27, 2018 3:28 pm
The only time I have seen routers compromised is when the firewall is disabled on the WAN interface.

Also run a port scan and see if any ports are open, e.g. 22, 23, 80, etc.
alexp999
Posts: 1
Joined: Wed Nov 14, 2012 8:37 pm

Re: 8800NL Compromised - DHCP DNS Resolvers Changed

Post by alexp999 »

billion_fan wrote: Tue May 29, 2018 9:44 am
Could it be the Billion router is compromised by the same vulnerability as Draytek?

https://www.draytek.com/en/about/news/2 ... ek-routers
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: 8800NL Compromised - DHCP DNS Resolvers Changed

Post by billion_fan »

alexp999 wrote: Tue May 29, 2018 12:31 pm
Our engineers have checked this and said our Billion devices are not compromised (see below).

In terms of DrayTek's case, the hacker may use CSRF to tamper with the HTTP request and modify the DNS, generating follow-up problems.

The last time we encountered a similar problem, our code should currently have no way to execute any scripts, but we still advise customers to:

1. Try to disable remote access; if you want to open it, only accept access from specific IPs.

2. Change the password to a more secure one. Do not use the default setting.

3. If the website has HTTPS, it is safer to use HTTPS instead of HTTP.
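The CSRF route the engineers describe works when an admin page accepts a DNS-change POST without proving it came from the router's own UI. As an added example, not Billion's firmware code, this is the server-side check a defender would want on such an endpoint: an Origin/Referer check against the router's own origins plus a per-session token compared in constant time. The router origins, the header and form dictionaries and the session store are assumed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholders: the origins at which the router's admin UI is served.
ROUTER_ORIGINS = {"http://192.168.1.254", "https://192.168.1.254"}

def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token; the DNS form must echo it back in a hidden field."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def origin_of(url: str) -> str:
    """Reduce a full URL (Referer) or bare origin to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def is_trusted_dns_change(headers: dict, form: dict, session: dict) -> bool:
    """Accept a DNS-change POST only if it came from the router's own UI in this session.

    Both checks must pass: a cross-site page can neither set Origin to the router
    nor read the per-session token out of the victim's admin page.
    """
    # 1. Source check: Origin (or Referer as fallback) must be the router itself.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or origin_of(source) not in ROUTER_ORIGINS:
        return False
    # 2. Token check: constant-time compare so timing does not leak the token.
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return False
    return True
```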