
Weird website issue - seem to be something with the router..


I still think there’s some malware on your network or on your router, since you’re not just being redirected to a different homepage for the site you want, but it looks like a search results page for cialis. It doesn’t help that it’s http instead of https. Something else could be messing with the page in-transit.
 
This is the URL of the content that is being displayed:
https://www.spiceoflifepharmacy.com/?search=cialis

It's a legitimate site. Both of these sites I have not visited before today.

How do you go about sniffing the router out for malware?
 
I may be jumping to conclusions, so let’s go back to basics. Would you post screenshots of:
  1. WAN DNS settings page.
  2. LAN DHCP DNS settings.
  3. LAN DNSFilter page.
Do you use any USB drives and Entware? What about AIProtection?
 
Here are the screen shots you wanted.
No USB drives, No Entware and AiProtection is not enabled.
Attachments: dnsf.jpg, landns.jpg, wandns.jpg, ai1.jpg
 
Definitely some sort of DNS hijacking malware, although the cause is hard to determine as the information you have posted is conflicting.

1) Turn on AiProtect
2) Turn on DNSFilter and set to "Router" mode
3) Update your webui username and password, along with your wireless password. The weak indicator is there for a reason :rolleyes:

In theory that should mitigate the issue by forcing DNS requests to the correct servers until you find the source of the malware.
 
What information are you seeing that is conflicting?

I enabled the AiProtection and DNSFilter. I have WAN Remote Access disabled. We are on a large piece of property, so there is nothing but local traffic on the router - no neighbors etc can access the network - so the Wireless passwords are not really much of a concern. I updated user/login for the webui.
 
Even with the smallest of suspicions about malware on the router, I wouldn’t sleep easy until it had been factory reset, with all settings input manually afterwards.
 
Cleared history, cache, cookies; flushed the DNS cache, and I am still getting that website. So all those changes had no effect on what the router is doing.
 
> What information are you seeing that is conflicting?
>
> I enabled the AiProtection and DNSFilter. I have WAN Remote Access disabled. We are on a large piece of property, so there is nothing but local traffic on the router - no neighbors etc can access the network - so the Wireless passwords are not really much of a concern. I updated user/login for the webui.

Can you be 100% certain that Web access from the WAN has never been enabled? Is SSH access from the WAN enabled?

Just knowing that the router has been connected to the Internet with the default admin/admin username and password would be enough to frighten me into doing a factory reset.
 
> Cleared history, cache, cookies; flushed the DNS cache, and I am still getting that website. So all those changes had no effect on what the router is doing.
Can you try it from a browser that is running in "safe mode", "incognito" or whatever your browser calls it, just to eliminate a browser plugin as the cause.
 
> Can you be 100% certain that Web access from the WAN has never been enabled? Is SSH access from the WAN enabled?
>
> Just knowing that the router has been connected to the Internet with the default admin/admin username and password would be enough to frighten me into doing a factory reset.
I agree that unless you can find a rational explanation outside of the router, you should consider your router compromised.
  1. Download a fresh version of the firmware via a reliable network (VPN or over https, etc.). Verify the SHA-256 hash of the .trx file.
  2. Unplug the router WAN cable from the modem.
  3. Plug a LAN cable from a safe PC/Mac with a clean virus/malware scan.
  4. Login to the router and factory reset / initialize.
  5. Reflash the firmware.
  6. Factory reset again.
  7. Change the default password.
  8. Setup manually (do not restore any settings backups).
  9. Consider installing the Skynet script by @Adamm to more aggressively block known malware IPs in or out of your network.
This is not a comprehensive step-by-step, but it looks like you've been advised in earlier threads to follow @L&LD's minimal and manual configuration procedure before.
 
> Can you be 100% certain that Web access from the WAN has never been enabled? Is SSH access from the WAN enabled?
>
> Just knowing that the router has been connected to the Internet with the default admin/admin username and password would be enough to frighten me into doing a factory reset.
Those were never enabled, and the default password was changed; I only retained the admin username.
 
> Can you try it from a browser that is running in "safe mode", "incognito" or whatever your browser calls it, just to eliminate a browser plugin as the cause.
I did, and tried it again from my Android phone on wifi, and it still brings up the erroneous page.
 
> I agree that unless you can find a rational explanation outside of the router, you should consider your router compromised.
>   1. Download a fresh version of the firmware via a reliable network (VPN or over https, etc.). Verify the SHA-256 hash of the .trx file.
>   2. Unplug the router WAN cable from the modem.
>   3. Plug a LAN cable from a safe PC/Mac with a clean virus/malware scan.
>   4. Login to the router and factory reset / initialize.
>   5. Reflash the firmware.
>   6. Factory reset again.
>   7. Change the default password.
>   8. Setup manually (do not restore any settings backups).
>   9. Consider installing the Skynet script by @Adamm to more aggressively block known malware IPs in or out of your network.
> This is not a comprehensive step-by-step, but it looks like you've been advised in earlier threads to follow @L&LD's minimal and manual configuration procedure before.
I did this this morning. Gives me the same result. I did not install any additional scripts.

Is there some other cache or portion of VRAM that needs to be wiped out?
 
Rolled the router back to 384.10. Did a rear button 5 second reset and a power reboot.

And no change.
 
> Rolled the router back to 384.10. Did a rear button 5 second reset and a power reboot.
>
> And no change.

Why roll back to such an old version? That's very counterproductive. Install the newest firmware (384.13), then in the WebUI:

1) Go to Administration > Restore/Save/Upload Setting
2) Tick "Initialize all the settings, and clear all the data log for AiProtection, Traffic Analyzer, and Web History."
3) Click "Restore"


After the router nukes itself, configure everything from scratch, including the tips posted above. Don't restore any old config files. This will put your router in a fresh state and effectively rule the router in or out as the cause.
 
> Those were never enabled, and the default password was changed; I only retained the admin username.

Great. I hadn’t realised that specific security check treats changing the default username just as seriously as changing the default password. That’s good news.
 
Other ideas:
  • Enable DNS Privacy with Cloudflare or Quad9 on the WAN page to encrypt outbound DNS to the WAN.
  • Try browsing to https://heroesforhire.biz/ (their https certificate is for .biz, not .us). Very broken-looking page on my PC.
  • What DNS is your PC using when you plug directly into the modem? Maybe something is redirecting 1.1.1.1.
  • Is your modem just a modem, or a modem/router combo that may be doing something funky before your ASUS router?
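The two checks that keep coming up in this thread (does the router's resolver return the same address as a resolver you trust, and does the site itself send you elsewhere, which matters because it is served over plain http) can be scripted so the result is not a matter of eyeballing screenshots. The following is an added example written for this page, not code from the thread or from the Asuswrt-Merlin firmware. It assumes the router answers DNS on 192.168.1.1 (a hypothetical LAN address; use yours), uses Cloudflare's real DNS-over-HTTPS endpoint https://1.1.1.1/dns-query addressed by IP so that a lying local resolver is bypassed and cannot present a valid certificate for that address, and embeds a constructed DNS response for an offline demonstration. The host names are the ones mentioned in the thread.

```python
import http.client
import json
import socket
import struct
import sys
import urllib.parse
import urllib.request

DOH_URL = "https://1.1.1.1/dns-query"   # DoH by IP: a hijacked resolver cannot forge the TLS cert for 1.1.1.1

def build_query(host, txid=0x1234):
    """Minimal DNS query: standard query, recursion desired, one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = host.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Collect IPv4 addresses from the answer section of a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                      # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return set()
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def query_udp(host, resolver, timeout=3.0):
    """Ask one resolver (the router, or whatever DHCP handed out) over plain UDP/53."""
    query = build_query(host)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)

def query_doh(host, url=DOH_URL):
    """Ask a trusted resolver over HTTPS (certificate-validated), bypassing local DNS."""
    req = urllib.request.Request(f"{url}?name={host}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        doc = json.load(resp)
    return {a["data"] for a in doc.get("Answer", []) if a.get("type") == 1}

def http_first_hop(host, path="/"):
    """Fetch over plain HTTP without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "dns-triage/0.1"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def _bare(hostname):
    hostname = hostname.lower()
    return hostname[4:] if hostname.startswith("www.") else hostname

def classify(local_ips, trusted_ips, status, location, host):
    """Name the most likely culprit from the two DNS answers and the first HTTP hop."""
    if local_ips != trusted_ips:
        return "dns-mismatch"           # something on your side of the Internet answers differently
    if 300 <= status < 400 and location:
        target = urllib.parse.urlsplit(location).hostname or host
        if _bare(target) != _bare(host):
            return "offsite-redirect"   # the web server itself sends you to another site
    return "consistent"

# Constructed DNS response for the offline demo: example.com -> 93.184.216.34, TTL 60.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    if len(sys.argv) >= 3:                  # live: python3 triage.py heroesforhire.us 192.168.1.1
        host, router = sys.argv[1], sys.argv[2]   # 192.168.1.1 is an assumed router address
        local, trusted = query_udp(host, router), query_doh(host)
        status, location = http_first_hop(host)
        print(local, trusted, status, location, classify(local, trusted, status, location, host))
    else:                                   # offline demo on the constructed data
        ips = parse_a_records(SAMPLE_RESPONSE)
        print(ips, classify(ips, ips, 302, "https://www.spiceoflifepharmacy.com/?search=cialis", "example.com"))
```

Read the outcome as follows: "dns-mismatch" means the router (or whatever the PC's adapter points at) resolves the name to a different address than 1.1.1.1 does, which is the signature of the DNS hijack suspected earlier in the thread; "offsite-redirect" means both resolvers agree and the web server at that address is the one issuing the redirect to the pharmacy site, which points at the website rather than the network; "consistent" means neither check found anything and an in-transit rewrite of the http page would be the remaining possibility. Two caveats: a site behind a CDN can legitimately return different addresses to different resolvers, so treat a mismatch as a lead and check whether both addresses belong to the same hosting network; and with DNSFilter in Router mode the router DNATs plain UDP/53 to itself, so comparing against 1.1.1.1 over UDP proves nothing, which is why the trusted query goes over HTTPS to the IP directly.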
 
> Why roll back to such an old version? That's very counterproductive. Install the newest firmware (384.13), then in the WebUI:
>
> 1) Go to Administration > Restore/Save/Upload Setting
> 2) Tick "Initialize all the settings, and clear all the data log for AiProtection, Traffic Analyzer, and Web History."
> 3) Click "Restore"
>
> After the router nukes itself, configure everything from scratch, including the tips posted above. Don't restore any old config files. This will put your router in a fresh state and effectively rule the router in or out as the cause.
I did the rollback just to try another piece of firmware to see if it made a difference.

I did that to initialize all settings and formatted the JFFS partition as well - several times.
 
> Other ideas:
>   • Enable DNS Privacy with Cloudflare or Quad9 on the WAN page to encrypt outbound DNS to the WAN.
>   • Try browsing to https://heroesforhire.biz/ (their https certificate is for .biz, not .us). Very broken-looking page on my PC.
>   • What DNS is your PC using when you plug directly into the modem? Maybe something is redirecting 1.1.1.1.
>   • Is your modem just a modem, or a modem/router combo that may be doing something funky before your ASUS router?
- I enabled it - no change.
- Browsing to that URL, I get another page off the same erroneous site (see screengrab).
- Whatever DNS I have set: I can set Cloudflare or Google through the adapter settings. If I leave it on auto I end up with Charter/Spectrum DNS servers. It seems to be behaving correctly.
- Yes, it's just a modem - no other features, just a LAN port that goes into the AC-1900P.
Attachment: biz_site.jpg
 