Router was hijacked


This is a very long story starting back in January 2019. I'll try to give the condensed version, lol.

Let me start off by saying that up until a couple months ago... I didn't even know "hijacking" was a thing. If I sound uneducated on the subject, it's because I truly am. I've been doing a lot of research but I still am unable to find solid proof of my suspicion....

And now my question. Is there a way to find out how/who hijacked my router? DSL tech said the router had been "walled garden"... I guess it's kinda like my ISP put my router in time out. I had reset the router SEVERAL times but all this strange stuff kept happening on the computers AND my phone.

The DSL guy reset it two different ways and both times it went from walled garden to live data by itself. His reaction was pretty entertaining, lol. He said that should never happen.... I got a new router... and now it's started all over again. I'm pretty sure my new phone and the other computers are compromised again.

If a person were to have access to said devices, is it possible for them to get in my phone via the router? I have tons of screenshots starting back in January. The MAC address for the router changes in some of them. And the SSIDs 2, 3 and 4 had been configured with static this and tunnel that.

I tried tech support but it was a joke. How do I get my sanity back and stop this from happening?


Best Answers

  • Marc
    Marc Moderator, Beta Tester Posts: 3,026
    edited October 27, 2019 #2 Answer ✓
    Hi @Samanth3rz, this is an edit in case you see this twice. I’m assuming the new router was a different model to what you had. Also assuming you changed the default password of the router admin and SSID and WiFi passwords were changed as well? I am thinking that if the above was done and they are still getting in, that your issue is an inside job. Meaning that something already on your network is doing the exploiting.
    Is your phone the only thing that has been breached? What make and model is it? Does it have the latest and greatest version of its OS? Are the patches up to date? Same for the PCs, as you mentioned they might be breached as well?
    The problem with these types of intrusions/infections is that no matter what you replace or do, if the original infection is still present, it will keep attacking anything that is vulnerable. Some in these forums have suggested a methodical approach where you disconnect everything, remediate by resetting each device with a clean version of its OS, and add them back one at a time. It might not be a bad idea if you can do it. Make sure as you add them back that you have put in complex passwords, antivirus and anti-malware software that is up to date, etc.
    That's Daphnee, she's a good dog...
  • Tobias
    Tobias Member, Beta Tester Posts: 2
    edited October 28, 2019 #3 Answer ✓

    If it’s an external attack/vulnerability on your modem, then your ISP needs to fix it via configuration or firmware update. The ISP should be able to put their network engineers on this and figure out where the attack is coming from and other customers should be affected as well.

    Other thoughts:

    The angle I’m thinking is that you may bring in a compromised device (phone/laptop) or one of your desktops/cameras/IoT devices is compromised and that device changes your router/modem settings since the router/modem password is reset to default after factory reset.

    To recover, I’d try:

    Start with a known-clean device (non-jailbroken phone or tablet). Reset router/modem to factory default, immediately change default password to a password you don’t use anywhere else using the known-clean device. Change WiFi password and SSID to something you have never used before. Set up a guest network if available. To connect devices you don’t own/control, only allow them to use the guest network, not your main network.

    Add your other devices one by one: if possible, add one device back to your WiFi network - if WiFi devices only need internet connectivity, join them to the guest network. Wait for 30 mins to an hour. Check router settings from known-clean device. If all is good, add next device to network. Wait. Check. Repeat.
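
The "Wait. Check. Repeat." step in the answer above is easier to carry out against a written baseline, so here is an added example (not part of the original post) that diffs the router settings noted after each device rejoins against the settings recorded right after the factory reset. The setting names, MAC address and device names are constructed, and no real router export format is assumed.

```python
import copy

# Constructed baseline: settings written down from the known-clean device right
# after the factory reset. Key names are hypothetical, not a real router's export.
BASELINE = {
    "router_mac": "02:00:00:aa:bb:01",
    "wifi": {
        "ssid1": {"enabled": True, "name": "home-main", "addressing": "dhcp"},
        "ssid2": {"enabled": False},
        "guest": {"enabled": True, "name": "home-guest"},
    },
}
ABSENT = "<absent>"  # marks a setting present on only one side of the diff


def flatten(settings, prefix=""):
    """Turn nested settings into {"wifi.ssid2.enabled": False, ...}."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def diff_settings(baseline, current):
    """Return {setting: (before, after)} for every setting that differs."""
    old, new = flatten(baseline), flatten(current)
    return {k: (old.get(k, ABSENT), new.get(k, ABSENT))
            for k in sorted(old.keys() | new.keys())
            if old.get(k, ABSENT) != new.get(k, ABSENT)}


def first_suspect(baseline, checks):
    """checks: [(device_added, settings_seen_afterwards), ...] in join order."""
    for device, snapshot in checks:
        changes = diff_settings(baseline, snapshot)
        if changes:
            return device, changes
    return None


def sample_checks():
    """Constructed check log: settings stay clean until the third device joins."""
    tampered = copy.deepcopy(BASELINE)
    tampered["wifi"]["ssid2"] = {"enabled": True, "addressing": "static", "tunnel": True}
    return [("phone", BASELINE), ("laptop", BASELINE), ("ip-camera", tampered)]


if __name__ == "__main__":
    device, changes = first_suspect(BASELINE, sample_checks())
    print(f"settings changed after adding {device}: {changes}")
```

A difference only shows that something changed since the last clean check, so the newly added device is the first suspect rather than proof; a longer wait between additions narrows it down.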



  • VioletChepil
    VioletChepil London, UK Member Posts: 2,471
    Thanks @Marc for the great feedback on this. 
    Yes, I'm curious to know - do you still have access to the Admin password of the router etc. or was it changed?

    Community Manager at Fing

  • VioletChepil
    VioletChepil London, UK Member Posts: 2,471
    @Samanth3rz I've just moved this post over to the devices/security category too as it'll get more visibility on the site and hopefully more help/responses from other members too! 

    Community Manager at Fing

  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    @Marc and @Tobias are spot-on with this.  If this is truly an issue where your router is being hacked, your ISP should be responsible for doing anything that they possibly can to ensure your privacy and safety.  If they won't assist you, ask to see if you can purchase your DSL modem/router and if they would set it up for you.  You can even post your questions here on our forum, we're more than happy to help.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Komo
    Komo Member Posts: 30

    Network security is just one issue when it comes to being hacked. This same thing has happened to me. I have persistent rootkits. This means even if I change the router, the code that has been injected into my devices will only find the network I connect to and hijack the router all over again. It also infects other devices with pivot attacks because devices can communicate to one another via sound, Bluetooth, Wi-Fi, etc.

    You can get some control back by using firewall rules and whitelisting devices and services. However, it only hinders this type of attack. It doesn’t get rid of it. Also, if your car uses Bluetooth check to make sure your car has not been compromised as well. Don’t connect any devices to your car until you find out. There is a good tool called Kayak that lets you analyze this.
