Topic: DNS Hijack


Offline Marcus103
DNS Hijack
« on: July 26, 2018, 11:35:08 AM »
Hi,

I ran my Avast Wi-Fi Inspector, which noted I have a DNS hijack on my router; 2 hijacked domains, onclickads.net and popcash.net. It notes that port 53 is vulnerable and gave a vulnerability ID of CVE-2017-14491. I also have Zemana AntiLogger, which after scanning found 5 Chrome shortcuts with suspicious browser settings, which it could not remove, as well as the DNS hijack. It can't repair/remove the Chrome shortcuts after clicking Next, and consequently, after repairing the DNS, the same DNS hijack remains on rescanning. Also, even after resetting my Chrome browser settings, it still scans and finds the Chrome shortcuts with suspicious browser settings. I also have the Heimdal agent, which picks up and blocks any potential drive-by exploits from the 2 above-mentioned hijacked domains.

Any help would be greatly appreciated in how I could deal with the DNS hijack.

Thank you
« Last Edit: July 27, 2018, 04:43:17 AM by Marcus103 »

REDACTED

Re: DNS Hijack
« Reply #1 on: July 27, 2018, 08:08:24 PM »
Regarding the DNS hijack,

Hard reset the router (by pressing the dedicated "reset" button); after it finishes clearing out the settings, the DNS should go back to the default one. Or, if this is too drastic, you can just change the DNS in the router's settings to OpenDNS (recommended), Google DNS, etc.

Regarding the vulnerability,

Find the router's model on the manufacturer's website and download and install the latest firmware update for the router.

Offline Marcus103
Re: DNS Hijack
« Reply #2 on: July 28, 2018, 10:49:54 AM »
Hi razorpop,

I did consider hard resetting the router but instead I had already changed the DNS in the router to Google DNS before posting.

As for the router, which is a Brightbox 2 (modem/router) supplied by my ISP, EE: they don't provide a firmware update for the router. They push firmware updates themselves. They have been told of the vulnerability CVE-2017-14491 that exists on their router, but no firmware update has yet been provided, even now. I know this because my dnsmasq is version 2.65, and all versions prior to 2.78 are outdated and vulnerable.

I have thought about buying a more appropriate modem/router that is compatible with my EE home broadband, for which firmware updates can be applied by the user as and when required.
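
The two checks discussed in Reply #1 and Reply #2 (are the resolvers really the ones the owner configured, and is the router's dnsmasq older than the release that fixed CVE-2017-14491?) can be scripted. The following is an added example, not code from the thread or from any of its posters. It assumes the owner set Google DNS or OpenDNS as suggested in Reply #1 (their well-known public addresses are listed), uses the 2.78 fix version that Marcus103 quotes, and reads constructed resolv.conf lines and a constructed `dnsmasq --version` banner instead of the live router.

```python
"""Detect the two conditions from the thread: a resolver that the owner did not
configure (a sign of a DNS hijack) and a dnsmasq build older than the
CVE-2017-14491 fix. Added example; all inputs below are constructed."""
import re

# Resolvers the owner deliberately configured (Reply #1 recommends OpenDNS or
# Google DNS; these are their public addresses). Assumption: anything else on
# the host or router is unexpected.
EXPECTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}

# First dnsmasq release carrying the CVE-2017-14491 fix, as stated in the thread.
FIXED_DNSMASQ_VERSION = (2, 78)


def parse_resolv_conf(lines):
    """Return the nameserver addresses from resolv.conf-style lines,
    ignoring comments and blank lines."""
    servers = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def unexpected_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not in the owner's allow-list."""
    return [s for s in parse_resolv_conf(lines) if s not in expected]


def parse_dnsmasq_version(banner):
    """Extract (major, minor) from the first line of `dnsmasq --version`,
    which starts with 'Dnsmasq version X.Y'."""
    m = re.search(r"[Dd]nsmasq version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no dnsmasq version string found")
    return int(m.group(1)), int(m.group(2))


def dnsmasq_is_vulnerable(banner):
    """True when the reported version predates the CVE-2017-14491 fix."""
    return parse_dnsmasq_version(banner) < FIXED_DNSMASQ_VERSION


def assess(resolv_lines, banner):
    """Summarise both checks so a caller can act on them."""
    return {
        "unexpected_resolvers": unexpected_resolvers(resolv_lines),
        "dnsmasq_version": parse_dnsmasq_version(banner),
        "dnsmasq_vulnerable": dnsmasq_is_vulnerable(banner),
    }


# Constructed sample input: one expected resolver and one rogue address
# (192.0.2.0/24 is the documentation range, used here as a placeholder).
SAMPLE_RESOLV_CONF = [
    "# constructed /etc/resolv.conf",
    "nameserver 8.8.8.8",
    "nameserver 192.0.2.53",
]
# Constructed banner matching the 2.65 build Marcus103 reports.
SAMPLE_BANNER = "Dnsmasq version 2.65  Copyright (c) 2000-2013 Simon Kelley"

if __name__ == "__main__":
    report = assess(SAMPLE_RESOLV_CONF, SAMPLE_BANNER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed it the lines of `/etc/resolv.conf` (or the DNS servers shown by `ipconfig /all` on Windows) and the banner from `dnsmasq --version` on the router; a non-empty `unexpected_resolvers` list after you have set the router to OpenDNS or Google DNS is the same symptom the scanners in the thread reported.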

Offline Asyn
Re: DNS Hijack
« Reply #3 on: July 28, 2018, 03:28:08 PM »
Hi guys, Avast can only detect router issues; it's up to the manufacturers to fix them.
If you got your router from your ISP, ask them to switch it to a non-vulnerable model.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Marcus103
Re: DNS Hijack
« Reply #4 on: July 28, 2018, 07:10:43 PM »
Asyn,

Much though I appreciate your answer, I have already stated that my ISP pushes firmware updates itself as and when it decides, and though it provides the Brightbox 2 router free of charge, it is the only one it provides for fibre optic at this time. So unless there is another viable solution, my only option is to buy a new modem/router that would be compatible with my ISP's connection.

Offline Asyn
Re: DNS Hijack
« Reply #5 on: July 28, 2018, 07:15:13 PM »

Offline Marcus103
Re: DNS Hijack
« Reply #6 on: July 29, 2018, 08:27:37 PM »
Thanks again Asyn,

I have seen all the info on CVE-2017-14491 already elsewhere. However, one piece of info I recently found out, though not confirmed for certain, is that the vulnerability is reputed to be exploitable only by an attacker within range of a user's router; in my instance I have Heimdal installed, and I believe that affects the IPv4 settings and uses my DNS to resolve the addresses. Hence the two PMS DNS entries that Rogue Killer found when I also ran it. Whether the vulnerability can be exploited out of range through the user's ISP admin router page by way of a cross-scripting bug stealing the user's authentication cookies is another thing, but given the current lack of firmware patching for the Brightbox 2 router, the above-mentioned vulnerability is still exploitable.

Offline Asyn
Re: DNS Hijack
« Reply #7 on: July 30, 2018, 05:22:32 AM »
You're welcome.