Suspected (DNS) exploit kit on ASUS RT-N66U

[DarkBBQ]

Hi

Installed the lastest firmware (380.58) and erased nvram through SSH.

nslookups from console does not resolve into expected domains (except for IPv6). For example google.com does not resolve into a 1e100.net domain (which it does outside my network).
Tried changing DNS to both 8.8.8.8 and to openDNS. Restarted dnsmasq. Even set cache to 0 (disabled it).

The wrong domains are still resolved.

Here is a nslookup dump
Name: www.google.com
Address 1: 2a00:1450:400f:805::2004 arn06s07-in-x04.1e100.net
Address 2: 83.140.66.45 83.140.66.45.biz.sta.port80.se
Address 3: 83.140.66.57 83.140.66.57.biz.sta.port80.se
Address 4: 83.140.66.42 83.140.66.42.biz.sta.port80.se
Address 5: 83.140.66.53 83.140.66.53.biz.sta.port80.se
Address 6: 83.140.66.34 83.140.66.34.biz.sta.port80.se
Address 7: 83.140.66.38 83.140.66.38.biz.sta.port80.se
Address 8: 83.140.66.29 83.140.66.29.biz.sta.port80.se
Address 9: 83.140.66.15 83.140.66.15.biz.sta.port80.se
Address 10: 83.140.66.59 83.140.66.59.biz.sta.port80.se
Address 11: 83.140.66.30 83.140.66.30.biz.sta.port80.se
Address 12: 83.140.66.27 83.140.66.27.biz.sta.port80.se
Address 13: 83.140.66.23 83.140.66.23.biz.sta.port80.se
Address 14: 83.140.66.44 83.140.66.44.biz.sta.port80.se
Address 15: 83.140.66.19 83.140.66.19.biz.sta.port80.se
Address 16: 83.140.66.49 83.140.66.49.biz.sta.port80.se

So it does not seem to be DNS-poisoning but rather a more elaborate exploit kit.

I should add that I'm more of a newb than a pro on these matters.

Please advise...

Thanks

 

[RMerlin]

Are you sure it's not your ISP manipulating DNS queries (since you are in the same country as these results)? Might be worth checking with them.

Only way to rule it out would be to setup a VPN tunnel, and see if DNS queries done through this tunnel are still affected.

 

[DarkBBQ]

I will check that out. If you could point me in the right direction, I would be very interested in how they would be able to come about such manipulations. Thanks! I'll be back.

 

[DarkBBQ]

Are you sure it's not your ISP manipulating DNS queries (since you are in the same country as these results)? Might be worth checking with them.

Only way to rule it out would be to setup a VPN tunnel, and see if DNS queries done through this tunnel are still affected.

I contacted my ISP. They say they are not manipulating my DNS queries in any way.

If I set up a VPN tunnel on the router; will DNS traffic go through the VPN or do I need to set up an external VPN? If I have to set up an external VPN I think I would rather share my mobile internet an feed it to the router as WAN. A different ISP.

 

[ColinTaylor]

Who is your ISP? Those addresses belong to a Swedish ISP called Port80.

 

[DarkBBQ]

My ISP is Bahnhof.se. They are not affiliated in any way with port80.se (afaik). And coincidentally, port80.se (availo) is not a public ISP but rather a data center provider. Availo (through IP-only) is actually a competitor to Bahnhof and many companies in Sweden use both to achieve critical redundancy.

And I also just tested to plug in my linux/lubuntu box directly to where my fiber comes in and nslookup gives the correct *.1e100.net domains for google.com. No port80.se

Only my router produces the port80.se domains for google.com

 

[RMerlin]

Post the result of these commands, from the router:

cat /etc/dnsmasq.conf
cat /tmp/resolv.conf
cat /etc/resolv.conf
cat /tmp/resolv.dnsmasq

Also, check the SHA256 signature of the firmware you downloaded, and compare it to what I posted on http://asuswrt.lostrealm.ca/download .

 

[DarkBBQ]

Post the result of these commands, from the router:

cat /etc/dnsmasq.conf
cat /tmp/resolv.conf
cat /etc/resolv.conf
cat /tmp/resolv.dnsmasq

Also, check the SHA256 signature of the firmware you downloaded, and compare it to what I posted on http://asuswrt.lostrealm.ca/download .

I checked the signature before I installed using QuickHash. No discrepancies. Uploaded using web GUI.

cat /etc/dnsmasq.conf:

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=0
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative

cat /tmp/resolv.conf

nameserver 208.67.222.222
nameserver 208.67.220.220

cat /etc/resolv.conf

nameserver 127.0.0.1

cat /tmp/resolv.dnsmasq

(this file is empty)

 

[RMerlin]

Check if you have any suspicious iptables rules related to DNS:

iptables -L -vn | grep domain
iptables -t mangle -vn | grep domain
iptables -t nat -vn | grep domain

If one of these returns a rule, check its whole table by removing the "| grep domain" pipe.

 

[john9527]

nameserver 208.67.222.222
nameserver 208.67.220.220

These are the OpenDNS nameservers....I'd try checking making sure you use your ISP's DNS (no DNSFilter set and Connect to DNS servers automatically set to Yes on the WAN page). This should behave the same way as when you plugged in your laptop directly.

 

[DarkBBQ]

Check if you have any suspicious iptables rules related to DNS:

iptables -L -vn | grep domain
iptables -t mangle -vn | grep domain
iptables -t nat -vn | grep domain

If one of these returns a rule, check its whole table by removing the "| grep domain" pipe.

None returned a rule (added "-L" to the second and third command line).

 

[DarkBBQ]

These are the OpenDNS nameservers....I'd try checking making sure you use your ISP's DNS (no DNSFilter set and Connect to DNS servers automatically set to Yes on the WAN page). This should behave the same way as when you plugged in your laptop directly.

Problem was first observed while using the setting you are suggesting (IPS DNS). Then also checked with googleDNS and openDNS. Flushed in between. (and also checked with cache disabled)

 

[Zirescu]

Are you using Ad-blocking or DNScrypt?

 

[john9527]

Do you have IPv6 enabled? If so, please try it with IPv6 disabled. The way Windows works, it will always go to the IPv6 nameservers first.

EDIT: Windows is also stubborn about releasing the IPv6 nameservers. EIther Disable/Enable your network adapter or better yet reboot your client after disabling IPv6 on the router.

 

[ColinTaylor]

Actually, this looks to be normal behaviour! I've just tried it on my router which is set to use my ISP's (ntl) DNS servers and get a similar result.

admin@RT-N66U:/# cat /tmp/resolv.conf
nameserver 194.168.4.100
nameserver 194.168.8.100


admin@RT-N66U:/# nslookup www.google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.google.com
Address 1: 2a00:1450:4009:811::2004 lhr26s02-in-x2004.1e100.net
Address 2: 62.252.173.173 m429-mp1-cvx1c.lan.ntl.com
Address 3: 62.252.173.172 m428-mp1-cvx1c.lan.ntl.com
Address 4: 62.252.173.162 m418-mp1-cvx1c.lan.ntl.com
Address 5: 62.252.173.157 m413-mp1-cvx1c.lan.ntl.com
Address 6: 62.252.173.152 m408-mp1-cvx1c.lan.ntl.com
Address 7: 62.252.173.178 m434-mp1-cvx1c.lan.ntl.com
Address 8: 62.252.173.148 m404-mp1-cvx1c.lan.ntl.com
Address 9: 62.252.173.177 m433-mp1-cvx1c.lan.ntl.com
Address 10: 62.252.173.187 m443-mp1-cvx1c.lan.ntl.com
Address 11: 62.252.173.163 m419-mp1-cvx1c.lan.ntl.com
Address 12: 62.252.173.153 m409-mp1-cvx1c.lan.ntl.com
Address 13: 62.252.173.183 m439-mp1-cvx1c.lan.ntl.com
Address 14: 62.252.173.158 m414-mp1-cvx1c.lan.ntl.com
Address 15: 62.252.173.182 m438-mp1-cvx1c.lan.ntl.com
Address 16: 62.252.173.167 m423-mp1-cvx1c.lan.ntl.com
Address 17: 62.252.173.168 m424-mp1-cvx1c.lan.ntl.com

Looks like it's been going on for a couple of years: https://support.opendns.com/entries/24915609-OpenDNS-Google-and-local-ISPs-

So it's some sort of peering arrangement between Google and the regional network operator.

 

[DarkBBQ]

Are you using Ad-blocking or DNScrypt?

No

 

[DarkBBQ]

Do you have IPv6 enabled? If so, please try it with IPv6 disabled. The way Windows works, it will always go to the IPv6 nameservers first.

EDIT: Windows is also stubborn about releasing the IPv6 nameservers. EIther Disable/Enable your network adapter or better yet reboot your client after disabling IPv6 on the router.

How would Windows effect my router? My router is not running windows... I'm only analyzing this in my router running Asuswrt-Merlin. (but of course, any computer, including windows, connected via DHCP to my router will display the same symptoms, as was the case when this was first discovered.)

 

[john9527]

How would Windows effect my router? My router is not running windows... I'm only analyzing this in my router running Asuswrt-Merlin. (but of course, any computer, including windows, connected via DHCP to my router will display the same symptoms, as was the case when this was first discovered.)

Sorry...brain check on my part...missed that you weren't testing from a client.

 

[DarkBBQ]

Actually, this looks to be normal behaviour! I've just tried it on my router which is set to use my ISP's (ntl) DNS servers and get a similar result.

admin@RT-N66U:/# cat /tmp/resolv.conf
nameserver 194.168.4.100
nameserver 194.168.8.100


admin@RT-N66U:/# nslookup www.google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.google.com
Address 1: 2a00:1450:4009:811::2004 lhr26s02-in-x2004.1e100.net
Address 2: 62.252.173.173 m429-mp1-cvx1c.lan.ntl.com
Address 3: 62.252.173.172 m428-mp1-cvx1c.lan.ntl.com
Address 4: 62.252.173.162 m418-mp1-cvx1c.lan.ntl.com
Address 5: 62.252.173.157 m413-mp1-cvx1c.lan.ntl.com
Address 6: 62.252.173.152 m408-mp1-cvx1c.lan.ntl.com
Address 7: 62.252.173.178 m434-mp1-cvx1c.lan.ntl.com
Address 8: 62.252.173.148 m404-mp1-cvx1c.lan.ntl.com
Address 9: 62.252.173.177 m433-mp1-cvx1c.lan.ntl.com
Address 10: 62.252.173.187 m443-mp1-cvx1c.lan.ntl.com
Address 11: 62.252.173.163 m419-mp1-cvx1c.lan.ntl.com
Address 12: 62.252.173.153 m409-mp1-cvx1c.lan.ntl.com
Address 13: 62.252.173.183 m439-mp1-cvx1c.lan.ntl.com
Address 14: 62.252.173.158 m414-mp1-cvx1c.lan.ntl.com
Address 15: 62.252.173.182 m438-mp1-cvx1c.lan.ntl.com
Address 16: 62.252.173.167 m423-mp1-cvx1c.lan.ntl.com
Address 17: 62.252.173.168 m424-mp1-cvx1c.lan.ntl.com

Looks like it's been going on for a couple of years: https://support.opendns.com/entries/24915609-OpenDNS-Google-and-local-ISPs-

So it's some sort of peering arrangement between Google and the regional network operator.

Now this was very interesting ColinTaylor. Now, how would I go about verifying this?

And on a side note... just checked nslookup again and this is what I got:

nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      google.com
Address 1: 2a00:1450:400f:805::200e arn06s07-in-x0e.1e100.net
Address 2: 216.58.209.110 arn06s07-in-f14.1e100.net

a .1e100.net address... boggle...

 

[ColinTaylor]

The difference is between www.google.com and google.com

# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      google.com
Address 1: 2a00:1450:4009:802::200e lhr25s07-in-x0e.1e100.net
Address 2: 216.58.208.142 lhr25s08-in-f14.1e100.net