dlink consumer router - redirects to it's logon page


  • dlink consumer router - redirects to it's logon page

    I have a client I recently provided a new laptop to. Obviously, this laptop is the spawn of satan.

    They have a dlink router and it seems, from time to time, they start getting those wonderful "certificate cannot be trusted" warnings. If they click to continue (they did this under guidance, not being told to arbitrarily click those links) they end up at a logon page for the router.

    this seems to happen intermittently - i definitely couldn't reproduce it when i was there last.

    It's a reasonably new laptop, however it does happen on all laptops in the house (they use wireless..)

    my research so far is only dragging up stuff about how dlink redirect some searches to dlinksearch.com (or something) and I can't find anything specific about this.

    so.. throw your ideas at me !

    I will be considering resetting the modem to defaults when I'm there next
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: dlink consumer router - redirects to it's logon page

    Flash with the latest firmware assuming there is one. Other than that get rid of it and buy a new router.



    • #3
      Re: dlink consumer router - redirects to it's logon page

      This could very well be signs of a cross-site request forgery (XSRF) attack.

      These attacks work like this: As the client is accessing a compromised/infected site, the browser is redirected to the target site. The idea is to exploit the fact that some users may already be logged in to the target site with valid credentials, in which case the redirect may cause certain operations to be performed on the attack target with the user's account.

      In this case, the attacker may be attempting to reconfigure certain LAN routers by redirecting users to "http://192.168.0.1/<someURL>" (or whatever is the default address of the router being attacked), which in your case results in a HTTPS redirect, a certificate warning and the user being presented with the router login page. The users obviously aren't logged in to the router, and even if they were, your router may not be the make and model the attacker is targeting.

      You should try to find out how the clients are being redirected. It could be a compromised web site (or ad site), or malware on the workstations. A dump of the actual request would reveal if this is an attempted attack or something else entirely.
      Last edited by Ser Olmy; 15th March 2014, 05:29.



      • #4
        Re: dlink consumer router - redirects to it's logon page

        commonly, they are garden variety websites:

        theage.com.au; news.com.au; gmail; ISP or bank pages.

        I'm going to upgrade their firmware.. but the problem is trying to capture the issue as it only happens when i'm not there.

        wireshark portable would be ideal, but that would suggest getting them to run it when it happens.

        when it does happen - it seems to start happening for any page they have.

        i will run Malwarebytes again on tuesday though..


        the XSRF code.. is it able to actually determine what the router gateway ip address is ? or does it just guess defaults ?
        IE, if it was to put the gateway on .48 instead of .1 or .254.. would it fail ?


        • #5
          Re: dlink consumer router - redirects to it's logon page

          I agree with Ser Olmy; it sounds like that individual laptop is infected with malware, especially with that profile. Try to delete the user temp files, especially the Internet Explorer temp files.

          I have seen this a number of times, and it's always the user profile that is infected. You can try to log on with a different profile on that laptop and see if it still has the same issue; the chances are you won't have the same issue.

          If the user's profile is infected, you can try to clean it up with Malwarebytes or recreate a new profile and only migrate the important data (docs, desktop, fav).

          H.N



          • #6
            Re: dlink consumer router - redirects to it's logon page

            tested and proven:

            if the internet circuit drops, the router will redirect you to its own logon page
            i demonstrated this by pulling out the phone cable and waiting for it to lose sync


            stupid modem.

            it happened with a brand new, out of the box laptop as well, at the same time
            i can correlate with them when the errors occurred with the logs in the router showing sync drops then PADI/PADO errors


            • #7
              Re: dlink consumer router - redirects to it's logon page

              I had to try this myself, and you're absolutely right, provided you use the DNS forwarder in the router. Once the Internet connection goes down, the D-Link will respond with its own IP address to ANY A record query.

              I didn't quite get the same result you did, though, as I wasn't prompted for a username/password to log on to the router. Instead, the web server in the D-Link served a custom "page not found" message. Could be because I moved the management web interface to a non-standard port.

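A check for the behaviour confirmed in posts #6 and #7, as an added example that is not part of the original thread: it resolves a few unrelated names plus one that should never exist and reports whether every answer is the router's own LAN address. The function names, the canary name `wan-check.invalid`, the default gateway `192.168.0.1` and the sample answers are assumptions made for the example.

```python
import ipaddress
import socket
import sys

CANARY = "wan-check.invalid"  # hypothetical name; .invalid is reserved and should never resolve
PROBES = ["theage.com.au", "news.com.au", CANARY]  # first two are sites named in post #4


def resolve_all(hostnames):
    """Resolve each name with the system resolver (the router's DNS forwarder on this LAN)."""
    answers = {}
    for name in hostnames:
        try:
            infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
            answers[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            answers[name] = []  # NXDOMAIN, or no resolver reachable
    return answers


def classify(answers, gateway):
    """Return a verdict for {hostname: [IPv4, ...]} given the router's LAN address."""
    gw = ipaddress.ip_address(gateway)
    resolved = {n: a for n, a in answers.items() if a}
    if not resolved:
        return "no-answers"
    hits = [n for n, a in resolved.items() if gw in map(ipaddress.ip_address, a)]
    if len(hits) == len(resolved) and len(resolved) >= 2:
        return "router-wildcard"   # every name, even the canary, points at the router
    if hits:
        return "partial-redirect"  # only some names point at the router
    return "normal"


# Constructed sample answers (not captured from a real network).
WAN_DOWN = {"theage.com.au": ["192.168.0.1"], "news.com.au": ["192.168.0.1"],
            CANARY: ["192.168.0.1"]}
NORMAL = {"theage.com.au": ["203.0.113.10"], "news.com.au": ["198.51.100.7"], CANARY: []}
PARTIAL = {"theage.com.au": ["203.0.113.10"], "news.com.au": ["192.168.0.1"], CANARY: []}

if __name__ == "__main__":
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    live = resolve_all(PROBES)
    for name, addrs in live.items():
        print(f"{name:24} {addrs or 'no answer'}")
    print("verdict:", classify(live, gateway))
```

A `router-wildcard` verdict matches the WAN-down behaviour described above; `partial-redirect` means only some names point at the router, which that behaviour does not explain and is worth a packet capture.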


              • #8
                Re: dlink consumer router - redirects to it's logon page

                Originally posted by Andy
                but the problem is trying to capture the issue as it only happens when i'm not there
                Damn, bit late but for future use, get the onsite users to take a photo of the "error" with their phone and MMS (or TXT and attach) the image to you. Have been trying to get my users to do the same and one occasion saved me a 2 hour round trip drive when I could remote in and fix the problem in less than 5 minutes.

                As for your D-Stink, my preferred Router is TP Link (3 year warranty and cheap and have never had one fail in the 7 years I've been using them) and some time ago, Netgear (LOVE their ReadyNAS box too). The routers both use the same GUI and it is real easy to use unlike that hideous (personal observation and opinion only) menu on the 2Wire.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: dlink consumer router - redirects to it's logon page

                  Funnily enough, I've seen Netgears do this too recently. I stopped using the venerable DG834 a while back since something seems to have changed with UK ADSL and made them unreliable, particularly with TalkTalk and stubborn customers who refuse to move to a proper ISP. The current model Sky box does this too.

                  Been using Draytek 120Ys recently where there's an ethernet firewall behind them (Watchguard or similar) as then there's no NAT to the internet, or Draytek 2830s for smaller networks.
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  Cruachan's Blog
