Need Help With Router HiJack/Exploit

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-10-25 04:51:11 - last edited 2019-10-28 20:48:39
Model: Archer C3200  
Hardware Version: V1
Firmware Version: 0.9.1 0.1 v004b.0 Build 170707 Rel.58427n

Hi.

 

I am having issues with my network being hijacked.  I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.

 

As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway ([s]MY IP[/s].utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221*DOT*mailout*DOT*ekwin*DOT*twelvehorses*DOT*com).   I can't find anything other than the WHOIS which also shows the owner has another URL out of Denmark  'twelvehorses*DOT*de'.

 

I get the same result from any computer or device attached to my router (as far as being redirected).  This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router.  I only get redirected through the suspicious IP/URL when connected to my router.  

 

How do I get things under control?

 

Note:  Replaced part of the suspicious URL characters with *DOT* so others don't accidentally click or copy to an illicit URL site.

 

CORRECT IP/URL WHEN NOT USING TP LINK ROUTER VIA DIRECT GATEWAY

 

 

ILLICIT URL WHEN USING TP LINK ROUTER

 

#1
1 Accepted Solution
Re:Need Help With Router HiJack/Exploit-Solution
2019-10-28 18:29:58 - last edited 2019-10-28 20:48:39

@Tony @IrvSp 

 

WHEW!!!

 

So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.

 

As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify.  12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities.  The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission's side :P  .  

 

When the webmail server did the IP check and reverse domain check it then probably noted the old record on their server that hadn't been fully audited and that's why it gave me the 12 horses.  As well, ICANN may still hold old records which may have also attributed to the bad reverse domain lookup results.

 

They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.

 

They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used.  I wish I could have gotten this agent from the start as it is unusual to get anything but the best support from any of their agents!

 

Now aside from that, a member of Avast did some really advanced checking into things and found the domain is parked yet also infected with a clickthrough hijack link somehow.  So even though my router is just fine, we did end up finding a URL that is being used for malicious intent:

 

Avast Forum Thread - this is a link to the Avast members post but a couple of others did some amazing research if you want to view everything we did on this.

 

I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target.

 

Either way... THANK YOU TO ALL WHO WORKED ON THIS.

Recommended Solution
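As an added example (not code from the thread, TP-Link or XMission): a forward-confirmed reverse DNS check in Python that would have flagged the stale PTR record described in the accepted solution, because the old client's name no longer resolves back to the customer's IP. The IPs and records in the sample tables are constructed placeholders; the `live_*` helpers use the system resolver when real lookups are wanted.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, added for this thread.
The webmail server in the accepted solution trusted a stale PTR record; this
adds the forward step that rejects PTR names not resolving back to the IP."""
import socket
from dataclasses import dataclass, field

@dataclass
class RdnsResult:
    ip: str
    confirmed: list = field(default_factory=list)    # PTR names that map back to ip
    unconfirmed: list = field(default_factory=list)  # stale or foreign PTR names

def live_reverse(ip):
    """PTR lookup through the system resolver; empty list if none."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except (socket.herror, socket.gaierror):
        return []

def live_forward(name):
    """A/AAAA lookup through the system resolver; empty list if none."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip, reverse=live_reverse, forward=live_forward):
    """Classify each PTR name of ip by whether its forward lookup contains ip."""
    result = RdnsResult(ip)
    for name in reverse(ip):
        bucket = result.confirmed if ip in forward(name) else result.unconfirmed
        bucket.append(name)
    return result

# Constructed sample records (RFC 5737 documentation addresses, hypothetical
# data) mirroring the thread: the customer IP's PTR still names the old
# client, but that name no longer resolves to the customer IP.
SAMPLE_PTR = {
    "192.0.2.10": ["e221.mailout.ekwin.twelvehorses.com"],
    "192.0.2.11": ["192-0-2-11.utopia.xmission.net"],
}
SAMPLE_A = {
    "e221.mailout.ekwin.twelvehorses.com": ["203.0.113.5"],
    "192-0-2-11.utopia.xmission.net": ["192.0.2.11"],
}

def check_sample(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return check_fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                        lambda n: SAMPLE_A.get(n, []))
```

Calling `check_fcrdns("203.0.113.5")` with no resolver arguments queries live DNS; a name landing in `unconfirmed` is exactly the "last login location" mismatch the thread chased.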
#22
Re:Need Help With Router HiJack/Exploit
2019-10-25 14:35:10
Twelvehorses I think is a marking firm. One other thing to try is use a PC directly connected to your modem and see if it still happens. I think they also have a VPN service. Are you running a VPN or enabled it in the router?
#2
Re:Need Help With Router HiJack/Exploit
2019-10-25 15:09:26

@IrvSp 

 

I think you meant they are a ‘marketing firm’ and not ‘marking firm’.  I am guessing this as through my own research I can see they have created several social pages about their supposed services, yet they do not have any actual up and running web site by themselves.  

Additionally, the web site they do list is only an unsecured HTTP:// site, there is no actual secure HTTPS://.  

I have attempted to connect to the website, but it does not bring up anything… it’s a completely blank page so I am assuming the site is meant to infect a network for phishing/malicious purposes; which is what I am dealing with.  However, I only attempted after noticing I am somehow being redirected through them so this was not something initiated by me clicking on their website.

None of their listings mention anything about a VPN service either and likewise, I am not currently using any VPN services.  Also, I definitely would NEVER use one being run through an unsecure website either.  I also have the DNS set on my router and my network adapter manually, as that is a security measure everyone should take.  I don’t know how they are manipulating it so I am going through them.

I have also attempted connecting directly through my ISP provided gateway and everything is fine when I do that.  This was covered in my description above.  It only occurs when connected through my TP Link router, regardless of the device I use, and this is how I know it is the router and not the devices I use to connect to the router.

I do appreciate your looking into this although I had already done that much and came up with some very shady results.

#3
Re:Need Help With Router HiJack/Exploit
2019-10-25 15:36:31

@PlayerOne 

 

Sorry, I didn't make the connection that you used a PC to the modem with and the gateway e-mail entry.

 

Using Web e-mail will always be on the ISP's in-house connection. No surprise you saw that. It would use the IP Address of the WAN of the modem I would think?

 

Going through the router and modem could be different if using Outlook or Thunderbird though. Even a phone or tablet's email client.

 

You might find this interesting, https://spyse.com/search/domain?q=e221.mailout.ekwin.twelvehorses.com, and it seems to be a 'security' company? Dosarrest Internet Security LTD? The IP Address is 69.172.201.153. I'll assume that doesn't match your WAN IP Address in the Router or Modem?

#4
Re:Need Help With Router HiJack/Exploit
2019-10-25 19:45:51

@PlayerOne 

 

Do a tracert while connected to the modem and through the router,  you can direct message me the results or send an email to: ussupportteam@tp-link.com

 

Have you performed a factory default on the router, and also updated the firmware or reflashed the last version to see if you get a different result?

#5
Re:Need Help With Router HiJack/Exploit
2019-10-25 20:02:26

 

Tony wrote

@PlayerOne 

 

Do a tracert while connected to the modem and through the router

 

@Tony 

 

What tracert is it you want me to perform?  The tracert to my ISP... to the illicit domain I seem to be re-directed through... my own IP assigned by my ISP?

 

I just want to perform what you are asking correctly so the results don't cause further confusion.

#6
Re:Need Help With Router HiJack/Exploit
2019-10-25 20:55:43

@PlayerOne 

 

Are you only seeing it when accessing your email or other sites as well?

 

Mainly to any website, to track to see the path of the packets, both while connected to the modem, and also through the router.

#7
Re:Need Help With Router HiJack/Exploit
2019-10-25 21:33:16 - last edited 2019-10-25 21:35:26

Tony wrote

@PlayerOne 

 

Are you only seeing it when accessing your email or other sites as well?

 

@Tony 

 

When I visit other web sites, they don't tell me the last location I logged in from.  Only my web mail notifies me of the last IP I logged in from.  I don't know how I would test from other web sites as they are not set up to give this information.. even here, I don't get a notification of the last IP I logged in from.

 

I did attempt to reset my router as well as re-apply the latest firmware.

 

It was a little bit odd after I got everything set back up then re-connected the router to the internet.  My device had internet for about a minute then it lost it, like the router was resetting again even though it wasn't.  I am still getting the pop up from my web mail with the same info as to the twelvehorses*DOT*com last login IP but it should be showing the utopia.xmission.net as the last login IP location.

 

I will attempt some traceroutes and send them to the email you gave me.  Should I mark it  "ATTN: Tony" in the subject line?  How do I make sure it gets to you since you are the one aware of what is going on?

#8
Re:Need Help With Router HiJack/Exploit
2019-10-25 21:49:05

@PlayerOne 

 

There are many ways to see your IP address.

 

Sites like Facebook and Google's GMAIL will show you.

 

Sites like this will as well:

 

https://whatismyipaddress.com/

https://www.whatismybrowser.com/detect/ip-address-location

https://www.iplocation.net/find-ip-address

https://www.expressvpn.com/what-is-my-ip

 

These should match the IP Address shown in the router (WAN IP Address).

 

Have you checked the DNS being the same when connected to the router and just the modem? On Windows, use IPCONFIG /ALL in a CMD prompt.

 

 

#9
Re:Need Help With Router HiJack/Exploit
2019-10-25 21:54:31

@PlayerOne 

 

You could just put a link of the forum thread.

#10
Re:Need Help With Router HiJack/Exploit
2019-10-25 22:11:58

@Tony 

 

I just sent the email before I read this.  I will resend with the link to this thread.

 

Thanks for your assistance.

#11