Hacked Linksys router with 213.109.65.26 DNS IP

I just worked on a computer that kept visiting infected websites and it didn’t make sense to me, since it was in a professional office on the owner’s computer.

I was attempting to update MalwareBytes’ Antimalware, but it gave the error: MBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest).

In Googling the error, there was a little bit about router poisoning. I logged into the router using admin as the password, and found the DNS address assigned as 213.109.65.26. This isn’t OpenDNS’s IP that I set last year. This router even had a unique password (it is a Linksys BEFSR81 v3 FW 2.50.2) before. I wonder if there is a vulnerability allowing the password to be reset to admin?

After I changed the DNS IPs back to OpenDNS and renewed the computer’s IP, I was able to update Malwarebytes’ Antimalware.  It found msxml2.dll as infected with Trojan.FakeAlert, which was not found by ESET NOD32.

This seems to be just the beginning of the next wave of getting people to visit infected and phishing websites — ROUTER POISONING. In this case, you could run 20 antivirus programs, or even reload the operating system, and the problem would persist…

Sorry, this isn’t an instructional guide on how to fix the router, but a street sign showing you what to search for…
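The point above is that the hijack lives in the router, so every PC behind it inherits the bad resolvers through DHCP. As an added defender's check (example code, not from the original post), this script parses the `DNS Servers` entries out of `ipconfig /all` output and classifies each address against an allowlist of the resolvers you actually configured and the 213.109.x.x addresses reported in the post and its comments; the OpenDNS allowlist and the sample `ipconfig` text are constructed for this example.

```python
import ipaddress
import re

# Resolvers the owner set on purpose (OpenDNS, as in the post); constructed allowlist for this example.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}
# Resolver addresses reported in the post and its comments (the commenters call them 213.109.x.x).
REPORTED_BAD_DNS = {"213.109.65.26", "213.109.65.28", "213.109.66.237", "213.109.67.169",
                    "213.109.72.202", "213.109.72.203", "213.109.73.170"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_ipconfig_dns(text):
    """Return the DNS servers listed in `ipconfig /all` output: the first follows the
    'DNS Servers . . . :' label, any further ones sit alone on the lines after it."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + r")", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        cont = re.match(r"\s+(" + IPV4 + r")\s*$", line)
        if in_dns and cont:
            servers.append(cont.group(1))
        else:
            in_dns = False
    return servers

def assess_dns(servers):
    """Classify each resolver. A private address is normally the router's own LAN IP: the
    PC then sees only the router, and the upstream servers set in the router's admin page
    still have to be checked there, because that is where this hijack lives."""
    verdicts = {}
    for s in servers:
        if s in EXPECTED_DNS:
            verdicts[s] = "expected"
        elif s in REPORTED_BAD_DNS or s.startswith("213.109."):
            verdicts[s] = "reported-hijack"
        elif ipaddress.ip_address(s).is_private:
            verdicts[s] = "router-forwarded"
        else:
            verdicts[s] = "unexpected"
    return verdicts

# Constructed sample in the style of Windows XP `ipconfig /all` output on a hijacked LAN.
SAMPLE_IPCONFIG = """\
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 213.109.65.26
                                            213.109.72.202
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

Run `assess_dns(parse_ipconfig_dns(open("ipconfig.txt").read()))` on a saved `ipconfig /all` dump; a `router-forwarded` verdict means the PC cannot tell you anything and the router's own DNS page is the place to look.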

10 replies
  1. kahall says:

    Just an FYI. Same problem today with a client. Router DNS changed to 213.109.66.237 and 72.202 which is close to what you guys found. What a pain.

  2. Brian says:

    Same problem, my office computers. Changed DNS servers to 213.109.65.28 and 213.109.72.203. Also infected and destroyed a Win XP laptop that had all current malware and anti-virus. Managed to corrupt the boot sector somehow. These Russians need to be killed.

  3. potoole says:

    Add me to the list of router-infected DNS “213.109.x.x” users. I downloaded about a dozen of the best tools and couldn’t find it. It’s got every one of the PCs and laptops on my home network. grrrrrrr..

  4. Mick says:

    Add another Netgear! Hit the customer’s PC with my holy trinity of tools: Malwarebytes, Super Anti Spyware, and Viper Rescue. Still kept getting infected and redirected. Nuked and paved the PC and delivered it back to the customer. Redirects happened as soon as he connected to his Netgear wireless. Checked the DNS in the router and they were set to 213.109.66.237 and 213.109.72.202!! These twinks cost my customer $325 for my time. Bastards!!!!

  5. Ted says:

    Cisco Linksys hit within the office setting with 213.109.67.169 & 213.109.73.170 — Resetting to OpenDNS safe-IPs.
