My router passes the Router Checker, but other tools say DNS hijack vulnerability

jraju
jraju Posts: 22 New Member

Hi, 

          While thanking you for providing an excellent tool after some time of deep update, I wish to state that while my router passes your check, some other programs say that my DNS server from the ISP has already been hijacked and hence asked me to change the DNS to google.com. When changing it to Google DNS, the scan by the software does not show any vulnerability. It shows two sites as hijacked domains. It selects some sites for the purpose of its scan, and two of them are said to be hijacked domains. What is the connection between my DNS server and hijacked domains? Are they hijacking my DNS, or are these domains compromised by some attackers to use?

                    I have done the maximum to change the default user password, enable DoS settings, disable TR-069 etc., but still face this issue.

Comments

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    Not an answer, but just a temporary suggestion:

    --> Because I am not sure whether there will be a proper response from the F-Secure team (at least, briefly), maybe you can try the feedback e-mail address noted on this page:

    https://www.f-secure.com/en/web/labs_global/router-checker

    As a direct letter to the F-Secure Router Checker team with an explanation. And maybe they will be able to investigate such a situation more (with the required information)?

    Thanks.

  • jraju
    jraju Posts: 22 New Member

    Hi, thanks for the reply. But once I sent my query to support, I was not informed of any reply. But anyhow, the answer was there on the website. I asked about the "!" in the router scan, which could not fully scan my computer. After seven days, I went to the same page and found it was working. Definitely I will raise this issue in feedback. But aside from that, would you be able to answer the general queries raised there regarding DNS hijack, leaving aside the specifics? Do you mean support? Where is feedback on that page?

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    Just as a clarification: I'm not official F-Secure staff. So these are just my own suggestions as an F-Secure user (of their home solutions) and a user of this community;

    Yes, such situations are possible (a support request with no result), but it should not be like that; I have also had such an experience. And, yes, the community can also be helpful and useful;

    In my experience this URL: https://www.f-secure.com/en/web/labs_global/router-checker

    is the common description for F-Secure Router Checker; and the next part of the page is available there:

    Giving Feedback
    
    We would appreciate your feedback on this service! Please send your comments via e-mail to:

    where the mail address is added as a picture (to prevent spam, maybe). In my own view, a situation where some tools give a notification that there can be trouble (DNS hijack), but with F-Secure Router Checker all is OK -> is something which can be useful feedback for improving such a service. At least, in the community there was something as a potential point to research (a trouble asked about by a user), but I am not sure whether there was anything like an investigation; and that is not quite good.

    Sorry if I wrongly understood your reply, but my meaning was about something like "creating a letter to this certain mail address" (as a direct?! contact for the F-Secure Router Checker team) with your information and query (what if they are able to create some proper advice);

    Also (at the provided URL) a legacy tool is available -> "Legacy Tool: DNSChecker", which maybe cannot be too useful (but as a try, you can check it);

    As my own suggestion about your experience... it is not really clear on some points (but I'm also not really familiar with these things):

    --> which tools give a notification/prompt that there are troubles (DNS hijack)? And, yes, when hijacked websites are noted, maybe it means that certain resources were 'hacked' (?!) generally;

    --> when you noted that "vulnerability", does it mean that there is just a potential "vulnerable" point for such an attack (?!) and it was detected?

    --> when you use F-Secure Router Checker ( https://campaigns.f-secure.com/router-checker/en_global/ ) with the button "Check your router"; in my experience, if all is OK, it gives such a notification: that there are "no troubles found" and a spoiler "> See technical details of the results";

    Where "technical details of the results" is about additional information (DNS IP, ISP and related things); if you do not use a VPN (or other), there should be information about your ISP, or the information which you expect. Is that valid with your experience?

    Thanks.

  • jraju
    jraju Posts: 22 New Member

    Hi Ukko, I saw all your points. The Avast scan shows the vulnerability of DNS hijack. I think that it scans certain web addresses and prompts you with the alert.

    By changing the DNS to Google DNS, the alert vanishes with no problem report. In your link, only a community link was given. But there must be some administrator for the forum as such. They must see the contents of each of the users and take necessary action. Just saying that they want feedback, but not giving any response, is not a nice thing.

    When I close, a feedback window asks me for feedback, which I gave and successfully submitted. But I do not know anything after that. I do not think it nice to give more information about the other programs here, as both have similar products.

  • Ukko
    Ukko Posts: 3,611 Superuser
    @jraju wrote:

        Hi Ukko, I saw all your points. The Avast scan shows the vulnerability of DNS hijack. I think that it scans certain web addresses and prompts you with the alert.

        By changing the DNS to Google DNS, the alert vanishes with no problem report. In your link, only a community link was given. But there must be some administrator for the forum as such. They must see the contents of each of the users and take necessary action. Just saying that they want feedback, but not giving any response, is not a nice thing.

        When I close, a feedback window asks me for feedback, which I gave and successfully submitted. But I do not know anything after that. I do not think it nice to give more information about the other programs here, as both have similar products.

    Hello,

    Yes, at the current time and today, I am also able to see just the community reference (from the URL page);

    Eventually I used the F-Secure Router Checker page yesterday and the mail address was still there! So it changed today/yesterday... or maybe you always had a more updated page view (than in my experience);

    And sorry for my fresh reply. Most likely you can re-ask some certain points there (with your next reply) and I also expect that there can be a response from the official F-Secure team about the general meaning of the topic or certain points. It will be nice and good.

    I also did a brief search about Avast DNS Hijack router scans and there are some stories by different users. In my understanding, there can be quite many potential reasons for their "notification" about troubles (including situations where it is not reasonable, and more like a "false positive").

    At least, if we ignore points like ISP, router with certain firmware, suspicious extensions/addons in the browser or malicious software in the system --> which are able to perform some "strange" activities for Avast checks. There was also a point about VPN as a trigger for such a notification. In my understanding, the worst point there is that they do not provide any technical words about the trouble: what the "certain trigger" is, or something else. As was suggested there -> a forum for Sky wireless routers (?!) with a related topic about the Avast scan; even there it can be a false positive -> maybe anyway you can try to launch some "double-check" scanners like Malwarebytes AdwCleaner or tools like HitmanPro, in addition to a full scan by your main security solution (and the other ticks which you already did);

    Thanks.

  • jraju
    jraju Posts: 22 New Member

    Hi, ukko,

                     I have gone further into the matter. It is the ares scanner, that is, an IP address scanner, that gives this alert. When all IPs have been resolved to get the IP from the web address, I find that there are two domains that are not resolved, which prompts it to say that it goes elsewhere, prompting DNS hijack. The DNS just changes your domain name to an IP to fetch you the correct and corresponding IP. So, I think that the scan tests for resolving names to IPs, and if there is no return response, or it is not resolved, it shows the alert. But the alert is not shown as vulnerable; it says DNS hijacked, meaning that the system is already compromised. Here, I get confused with one software saying that there is no problem and the other saying that there is.... I did not get a useful reply from the vendor.

  • Ukko
    Ukko Posts: 3,611 Superuser

    @jraju wrote:

        So, I think that the scan tests for resolving names to IPs, and if there is no return response, or it is not resolved, it shows the alert. But the alert is not shown as vulnerable; it says DNS hijacked, meaning that the system is already compromised. Here, I get confused with one software saying that there is no problem and the other saying that there is.... I did not get a useful reply from the vendor.

    Hello,

    I think that there should additionally be a design like "returns unexpected response"; if they check that, for example, "google.com" returns the proper IP (and not a third-party page). Generally, if any "own" redirects are configured (at any of the layers), it can be suspicious for such checks.

    In my previous reply I noted the URL for the Sky forum, where Avast with a certain "DNS hijacked" trouble was also discussed. Some responses meant that it is possible if their "router" performs some 'internal' redirects (when there are troubles with the network connection); most likely this can be valid for most routers and ISP configurations; and also with the meaning that the trouble (for the user) was fixed by removing potential adware from the system (?!);

    The difference between "check" results is probably based on the situation that F-Secure Router Checker just performs another kind of "validation", with the general view that there is a "known" DNS server (or a trusted one with the proper result); as noted on the web page: "router configured to use an authorized DNS server";

    But... I am not sure whether there should be something else, or handling of the situations (which "trigger" the Avast prompt for DNS Hijack, if it is not a "false positive"/wrong detection); so it would be quite good to get a proper response/clarification from the F-Secure Router Checker team.

    Sorry for my long replies.

    Thanks.
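    As an added example (not code from the thread, from Avast or from F-Secure), the Python sketch below models the two kinds of check the posts above describe: an answer comparison like the one jraju describes, which treats an unresolved name as inconclusive rather than as a hijack, and a resolver-authorization check like the "authorized DNS server" wording Ukko quotes from the Router Checker page. All domain names, addresses and the resolver list are constructed placeholders.

```python
"""Two ways a "DNS hijack" checker can reach a verdict (added example).

An unresolved name is an outage or NXDOMAIN and says nothing about
redirection; an answer pointing somewhere unexpected is the real signal.
A separate check asks whether the resolver in use is an authorized one.
"""
import socket
from typing import Dict, Optional, Set

# Constructed sample data for this example; not real answers or servers.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "example.com": {"203.0.113.10"},
    "example.net": {"203.0.113.20", "203.0.113.21"},
    "example.org": {"203.0.113.30"},
}
# Constructed list of resolvers the user expects (e.g. ISP or a chosen public one).
AUTHORIZED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}


def resolve(name: str) -> Optional[Set[str]]:
    """IPv4 answers from the OS resolver (whatever the router handed out), or None on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}


def classify_answer(name: str, answer: Optional[Set[str]], reference=REFERENCE_ANSWERS) -> str:
    """Judge one name: 'ok', 'unresolved', 'mismatch' or 'unknown' (no reference entry)."""
    if not answer:
        return "unresolved"  # outage or NXDOMAIN: not evidence of redirection
    expected = reference.get(name)
    if expected is None:
        return "unknown"
    # Any overlap counts as ok: CDN/geo answers legitimately differ, which is
    # one source of the false positives discussed in the thread.
    return "ok" if answer & expected else "mismatch"


def answer_based_verdict(answers: Dict[str, Optional[Set[str]]], reference=REFERENCE_ANSWERS) -> str:
    """Scanner-style check: compare resolved IPs against a reference set."""
    results = {n: classify_answer(n, answers.get(n), reference) for n in reference}
    if "mismatch" in results.values():
        return "possible hijack"
    if "unresolved" in results.values():
        return "inconclusive"
    return "no problem found"


def resolver_based_verdict(resolver_ip: str, authorized=AUTHORIZED_RESOLVERS) -> str:
    """Router-Checker-style check: is the resolver in use an authorized one?"""
    return "no problem found" if resolver_ip in authorized else "unauthorized DNS server"


if __name__ == "__main__":
    # Constructed scenario: one name down, one pointing somewhere unexpected.
    observed = {"example.com": {"203.0.113.10"}, "example.net": None,
                "example.org": {"198.51.100.5"}}
    print(answer_based_verdict(observed))           # possible hijack
    print(resolver_based_verdict("198.51.100.53"))  # unauthorized DNS server
```

    Running the answer comparison against real lookups with `resolve()` needs a reference set captured from a resolver you trust; the constructed one above will not match real addresses.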

  • Laksh
    Laksh Posts: 4,224 Former F-Secure Employee

    Hi jraju,

    Apologies for the delay in replying here. I have already highlighted your post in order to get more information about the Router Checker. Once I have an update about this, I will get back to you with further information.


  • jraju
    jraju Posts: 22 New Member

    Hi, I also want to mention one strange scenario.

                       You have protected your router by changing the admin password and enabling protection from denial-of-service attacks and other settings, so that you are safe.

                          Everybody knows that external IPs are allocated to users by their ISP for each login, for dynamic IP address users. I do not go deep into the allocation, but if a compromised computer user's IP is given to you at your logon time, will the security settings work, and can one say that he is safe from router and network attacks? I raise this question as, through no fault of the user, his computer is getting spam alerts from some of the genuine sites he often visits, asking him to provide more captcha options or maths questions to gain access, or to log in after some time to get a different dynamic IP which is not affected by any attack like spammers etc.

                           Is my presumption correct? Or does the system have nothing to do with the external IP login? Please, any expert advice.

  • jraju
    jraju Posts: 22 New Member

    Can I expect a detailed reply from any user or moderator?

  • Ukko
    Ukko Posts: 3,611 Superuser

    jraju wrote:

        Hi, I also want to mention one strange scenario.

        You have protected your router by changing the admin password and enabling protection from denial-of-service attacks and other settings, so that you are safe.

        Everybody knows that external IPs are allocated to users by their ISP for each login, for dynamic IP address users. I do not go deep into the allocation, but if a compromised computer user's IP is given to you at your logon time, will the security settings work, and can one say that he is safe from router and network attacks? I raise this question as, through no fault of the user, his computer is getting spam alerts from some of the genuine sites he often visits, asking him to provide more captcha options or maths questions to gain access, or to log in after some time to get a different dynamic IP which is not affected by any attack like spammers etc.

        Is my presumption correct? Or does the system have nothing to do with the external IP login? Please, any expert advice.

    Hello,

    If you mean your latest^ reply -> I can think about it with the next points:

    --> probably a compromised IP (dynamic) should not have any result as network/router attacks; at least, with a common configuration (?!);

    --> also compromised IPs should probably be handled by the ISP, with steps to 'fix';

    But maybe I wrongly understood your ask;

    Is it a general ask, or is it based on a certain tool (such as F-Secure Router Checker)?

    And since "compromised" will probably trigger the points like you noted (with 'more attention' from services), I am not sure whether it should be a potential next step to perform any router/network troubles directly;

    Maybe there will be a normal official response, or one from experienced users. After some time... while it has not come yet, I placed my reply (sorry for that);

    Thanks!

  • jraju
    jraju Posts: 22 New Member

    Hi, infected IPs, I mean: when you generally browse a site, you are not allowed by the site's spam filters, which say that you are a spammer and ask you to provide more security checks before allowing, like doing maths or some captcha checks. Some sites do say to log in after a few minutes, to log in with non-affected IPs. If this is the case, then I have a doubt about all security features, when the user does not have any control over the IPs he is externally allotted by the ISP.

                         Is my understanding not correct, in the sense that no IP would be affected?

  • Ukko
    Ukko Posts: 3,611 Superuser

    So, it is likely that if there is a "compromised IP" (used for scam/rogue/spam previously and then you get it) -> websites will have 'additional security checks' or block access; but it can also be with "shared IPs";

    Generally (as I am able to think) there are some points:

    --> the ISP should control it;

    --> Websites/services should do "blocking" more properly and avoid this kind of 'false positive' (it is possible that some of them use 'too much setting');

    --> "Dynamic IP" can be compromised with different 'meanings';

    I think that it is possible... that while your system is safe and with security tweaks --> websites can block access to their website (or give the double checks) based on certain dynamic IPs;

    If you have had such an experience, it is good to contact the ISP and ask them about this!

    At least, there are anyway possible troubles... and the ISP should strongly monitor/check/inform (but does not always do that) about such things as "their IPs" (potential "blocklists") and even more "antibot" checks;

    Usually current home security solutions also provide "antibot" checks, but not all of them are at an "enough level"; and each situation should be investigated: if based on your local steps (like "security settings" for your software/hardware; scanning the system with security software) there is a "normal view", it is good to contact the ISP to trigger their own investigation of whether there is something wrong with your configuration/system (such as unusual traffic, or whether "compromised IPs" are in use);

    Sorry for my reply, since I maybe did not answer your ask directly!

    Thanks!

  • jraju
    jraju Posts: 22 New Member

    Hi, I understand what you mean. But I want to know, is my presumption of users' external IPs getting infected correct? Or is that wrong?

  • Ukko
    Ukko Posts: 3,611 Superuser

    -> not sure that there is proper wording for such a situation about "infected external IPs";

    Probably there can be a response (later) with proper words about your ask.

    But just because there was a small discussion already, I will place "my try" at a suggestion:

    ----> We talk about a situation like (?):

    - a home user got a certain IP from the ISP ('dynamic IP');

    - the user tried to use some websites or services and it was not possible (blocked access based on 'IP', or there were more security checks such as captcha or so);

    - it is possible to meet this (and generally it is more as prevention against 'botnets', probably) if a certain IP is listed under blacklists or so;

    ----> Your ask can be about "does the ISP do this specially?!":

    - I think that it is possible, but I am not sure that it should be like that;

    - the ISP should monitor/check and prevent any 'not valid' actions under their "network" (and control their IPs to prevent any 'exploiting' of it); AND, at least, inform the user if something wrong is detected with the system (where the "dynamic IP" is not really the trouble);

    -----> Your ask can be about "is 'such a situation' based on troubles with external IPs?!":

    - I think that if there is a dynamic IP it is more likely to get such a situation, based on some limitations with the ISP;

    - But anyway, it is good to be sure that the system has all security options and no 'fix' steps are required;

    -----> Your ask can be about "is it possible that a known-trouble dynamic IP will hack something?!":

    - I think it should not be valid... since with the default configuration or things like NAT, there may be some potential steps missing to perform any actions based on this point;

    Such as "exploiting" this design on your device;

    Generally, for a proper answer with a certain situation, it is good to ask the ISP ("there is blocking of access to websites based on IP", but "you perform all available security options on the device; or ANY of the devices with such an IP will have this view"); maybe I once again... wrongly understood your main ask.

    Sorry for that. Most likely there can be a response later from experienced users.

    Or just re-ask it once more and I will not respond to it (since another response is required); or just re-ask later (as an 'up' for this topic);

    Thanks!

  • jraju
    jraju Posts: 22 New Member

    Hi Ukko, see for yourself this link. There is some point in my repeating about external IPs. Just check that this site shows the affected IPs, of spam or other things, near your IPs in any country.

    https://www.projecthoneypot.org/home.php

    and click dashboard and you will see.

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    So, it can be a quite useful webpage/service for administrators/owners of websites/servers OR for users who want to re-check the 'status' of suspicious activities. There they are able to get some known 'triggers', rules and knowledge about spam/tricks/rogue actions; practically like a "traditional signature"-based design works.

    But, if I understand correctly, there are just the next meanings about IPs/nicknames/other (if we talk about users' system IPs, not domains' IPs):

    --> Either someone does these malicious/suspicious actions specially (under a certain IP);

    --> Or the system of another user was with malware or 'hacked/hijacked' and there are some actions based on this (as part of botnets or 'malware' activities), under their certain IPs;

    It can be that a 'blacklisted' IP is re-used by someone else (later); but -> it should be controlled by the ISP;

    Also -> probably there can be a lot of companies with their own "blacklists" (which will be more like a "rogue" company than a trusted one); so it is quite likely that such blacklists/spamlists do not always properly show the 'current information/status' of an IP;

    If a certain "dynamic IP" was used by spammers/rogue tricks previously, but at the current time... not -> there are just all the common suggestions about security for the user's own system.

    Probably with default and common-sense settings for things like users' routers/networks -> a "previously" spammed IP should not create something additional as a trouble point (except that a website is able to think that there is a "spam IP" and block access based on this);

    This situation is also valid for websites/domains.

    There can be a good, valid, safe website. Then someone hacks it and exploits it to 'distribute' malware. The website can be marked as harmful by security companies. Then the website fixes this trouble... but it still can be marked as harmful (or even more: hacked by someone... once again); and usually this is the main reason for rogue/spam/scam activities;

    Sorry for my reply.

    Thanks!

This discussion has been closed.