Draytek router hacked

33 points · 20 comments · 77% Upvoted

level 1

For what it's worth, the rogue DNS server appears to be buried in China Telecom somewhere; the last hop with a name I see is:

chinatelecom-ic-312676-las-b3.c.telia.net 100.017 ms

38.134.121.95 100.643 ms

level 1
Original Poster · 13 points · 3 months ago

This is in a business environment.

https://www.abuseipdb.com/check/38.134.121.95?page=1#report

2 of our DrayTek routers have had their DNS settings changed, but the syslog shows that no one signed on.

level 2
CCNA · 9 points · 3 months ago

Well that's just no fucking good at all.

level 2
Lord of the STPs · 3 points · 3 months ago

Did your routers have their management interface exposed to the internet?

level 1

Thank you for sharing!

Draytek has provided a vulnerability bulletin and software update:

https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks

In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.

I recommend patching as soon as possible.

level 1
Original Poster · 5 points · 3 months ago

We are just going through this at the moment; if you have a DrayTek, I suggest you check it ASAP.

level 1

Thanks, so that's why this happened not too long ago. That'll be a nice round of updates.

Anyone know of a good centralized management suite for these things?

level 2

DrayTek ACS allows their routers and APs to be managed centrally. This is how we're upgrading all of our routers' firmware. After testing, of course.

level 1

We found one of these DrayTek pieces of crap at one of our customers and insisted they replace it. No clue who is buying this garbage, or why they would buy this over an EdgeRouter or a pfSense solution.

level 2
14 points · 3 months ago

An exploited vulnerability does not mean that DrayTek routers are "garbage"...

Backdoors (...) have been found in Cisco products multiple times. MikroTik recently released (twice in a month) patches for RouterOS because critical and exploited vulnerabilities were discovered. Does that make Cisco or MT garbage?

Vulnerabilities (and severe ones) have been found in both Ubiquiti products and pfSense. That doesn't of course make any of them garbage.

The hacks on Vigor routers were found yesterday, and today new firmware along with steps for security checks was released by DrayTek. IMO the way, and most importantly the speed with which, they treated this flaw is great.

level 3

No, I thought they were garbage long before the exploit.

level 4

Haha. Yeah, DrayTek are terrible. In the UK, it seems all two-bit IT support companies force them upon their customers as the best thing since sliced bread. They're just poo. To even try and compare them to Cisco or MikroTik is a little bit daft.

level 5

MikroTik had the same issue last month?!

level 5
4 points · 3 months ago

What makes them poo?

They're at least better than the ones ISPs generally issue, and a bit more budget-friendly than the bigger names.

level 1

Do fixes like this migrate to new products?

level 1
1 point · 2 months ago · edited 2 months ago

I have today seen a Linux server with the default nameserver changed to the rogue IP in /etc/resolv.conf. Interesting point: the internet gateway is an attacked Vigor 2920 with changed DNS settings for the DHCP server, but the DHCP server was disabled. I'm still trying to figure out how the Linux box got those entries with DHCP not enabled (it is itself a DHCP server).
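A quick host-side check for the symptom described in this thread (resolvers silently swapped to a rogue address), added here as an example and not code from the thread or from DrayTek: it parses resolv.conf-style text, compares each nameserver against an allowlist of resolvers you actually operate, and flags the IP named above as a known rogue resolver. The allowlist addresses and the sample resolv.conf body are constructed assumptions; only the rogue IP comes from the thread.

```python
"""Flag unexpected DNS resolvers in an /etc/resolv.conf body.

Added example for the thread above (not the poster's or DrayTek's code).
Sample input and the allowlist are constructed for illustration.
"""
import ipaddress
import re

# Resolvers this (hypothetical) organisation runs. Assumed values.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Rogue resolver IP quoted in the thread.
KNOWN_ROGUE_RESOLVERS = {"38.134.121.95"}

# Constructed sample: a resolv.conf after the hijack described above.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example
nameserver 38.134.121.95
nameserver 10.0.0.53
options timeout:2
"""

# One 'nameserver <addr>' directive per line, leading whitespace allowed.
NAMESERVER_RE = re.compile(r"^[ \t]*nameserver[ \t]+(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Return nameserver entries in file order, skipping malformed addresses."""
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        candidate = match.group(1)
        try:
            ipaddress.ip_address(candidate)  # accepts IPv4 and IPv6
        except ValueError:
            continue  # ignore garbage such as a hostname or a typo
        servers.append(candidate)
    return servers


def classify_resolvers(servers, approved=APPROVED_RESOLVERS,
                       rogue=KNOWN_ROGUE_RESOLVERS):
    """Map each resolver to 'known-rogue', 'approved' or 'unexpected'."""
    verdicts = {}
    for server in servers:
        if server in rogue:
            verdicts[server] = "known-rogue"
        elif server in approved:
            verdicts[server] = "approved"
        else:
            verdicts[server] = "unexpected"
    return verdicts


def audit_resolv_conf(text):
    """Return (ip, verdict) findings for every resolver that is not approved."""
    verdicts = classify_resolvers(parse_nameservers(text))
    return [(ip, v) for ip, v in verdicts.items() if v != "approved"]


if __name__ == "__main__":
    # On a real host: audit_resolv_conf(open("/etc/resolv.conf").read())
    for ip, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{verdict}: {ip}")
```

Run it against the real file on each host (or from a config-management job) and treat any "known-rogue" or "unexpected" finding as a signal to inspect the upstream router's DNS and DHCP settings, since a clean resolv.conf on a DHCP client only stays clean while the gateway's DHCP-advertised resolvers are correct.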

level 1
Comment deleted · 3 months ago (3 children)
level 2

OP linked to DrayTek's own support/security advisory page... They are the vendor...

level 2
Original Poster · 6 points · 3 months ago

Yes they are fully aware.

level 2
CCNA · 1 point · 3 months ago

lol.
