RV340 Router Issue

Lee Cox
Level 2

I am thinking my router was hacked last night right after midnight. Here's what I have. My PC web pages stopped working. I could ping 8.8.8.8. My PC is pointing to the router for DNS. I am thinking DNS was changed on the router. I have firewall rules to block any DNS but 8.8.8.8 and my ISP, which have been in place since I set this router up. When I looked under firewall on the RV340, remote was turned on and I cannot turn it off. I have included a picture. I changed the remote to a couple of non-usable IP addresses. Also, looking under system summary VPN status I see 1 VPN has been set up. I have never set up a VPN on this device. Looking under VPN status the configs do not show. I did post a message a couple of weeks ago about seeing VPN traffic in the logs when I had no VPN set up.

I seem to have an issue posting pictures. The upload does not work. Since I cannot seem to upload pictures I will tell you under VPN status under System summary it is showing 1 L2TP, 1 PPTP, and 1 SSLVPN. I have no logs as they have already rolled off. My logs go back to 3:00 am. It was around midnight. Probably planned that way.

I was lucky I had ACLs to block other DNS servers before one of my PCs was hacked.

So I guess re-flash and reconfigure?

17 Replies

Dennis Mink
VIP Alumni

If you have reason to believe it was hacked, yes, factory default it and reconfigure.

Make sure in the future you verify which ports are open on the outside. Also run a port scan on your public IP addresses to make sure you haven't made any error in terms of opening things like SSH, HTTP etc. from outside.

Please remember to rate useful posts, by clicking on the stars below.

I absolutely run no ports open with remote management off.   Somebody has figured out a hole in your code.

I even block rogue DNS servers.  I would rather have the network go offline than to go to a bad DNS server.

I would also recommend doing a firmware upgrade on the device; if you are using older firmware, for sure there are vulnerabilities on that. I would also recommend changing your username and password. Don't use your previous credentials.

Be strict as well about which IP addresses are able to SSH/Web UI to the device. Never ever do a remote session via the public IP address nor enable it there.

I am on the latest firmware. I will look at locking down local access. I don't think they used the web GUI as settings don't match across web pages. I think they used VPN somehow even though I had none set up.

Well, based on this, I guess your network is vulnerable and a target of hackers. I would highly suggest upgrading your interface-facing device with an NGFW. A router isn't sufficient anymore to protect your network. ACLs just won't do anymore.

I am not so sure they are looking for network access as much as they want me to use rogue DNS servers to load up my workstations and devices.

The NGFW looks like a little much for my small network.

Now that I have investigated it further it seems Spectrum switched to DOCSIS 3.1 last night. I am showing a blue light on my Arris SB8200 modem which I had not seen before. Maybe they killed my DNS.

Anyway, I flashed twice with the latest release RV340 firmware so there would not be any traces left of old firmware. I set up everything again, changing the IP network for my layer 3 switch.

I also realized I was not using IPv6 with it unlocked, so I created an ACL to deny all access on IPv6.

Based on what you said, they might be attempting DNS poisoning. This is a big deal considering they can change the IP address reply of a name query. This can be a severe hit on your network. I would highly recommend that you do something about that event. Give it time and they will be able to steal your data, considering they have poisoned your DNS and covertly redirect your traffic via the name service.

It has happened again tonight. I fared better, maybe because I have tighter controls. I only seem to have lost DNS as I can ping out on the public network. I locked IPv6 down with a deny for any. I have remote access locked to 1 small local network. I have ACLs which only permit my chosen DNS servers and all other DNS servers are denied. Will this stop a poison attack?

I am seeing a lot of this in the RV340 logs.

2018-09-06T23:54:56-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:41-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:26-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:11-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:56-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:54-06:00  error    license  smart_agent: SA-Error: %SMART_LIC-3-EVAL_EXPIRED_WARNING:Evaluation period expired on Aug 15 09:39:46 2018 UTC
2018-09-06T23:53:41-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:26-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:11-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:52:56-06:00  warning  network  dnsmasq: ignoring nameserver 127.0.0.1 - local interface
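The log excerpt above is short (two minutes of history) and almost entirely one repeating dnsmasq warning, which is why the interesting event is easy to miss. The following script is an added example, not code from the thread or from Cisco: it parses the four-line-per-record format the RV340 export pastes as (timestamp, severity, facility, message), measures how regularly the dnsmasq line repeats, reports how little time the buffer actually covers, and pulls out everything that is not known noise or is logged at error level or above. The sample input is the post's own entries; the set of "known noise" messages is an assumption chosen for this example.

```python
"""Triage of an RV340 log export pasted as 4-line records (added example)."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: the entries pasted in the post above, in the
# timestamp / severity / facility / message layout the router's log page exports.
SAMPLE_EXPORT = """
2018-09-06T23:54:56-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:41-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:26-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:54:11-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:56-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:54-06:00
error
license
smart_agent: SA-Error: %SMART_LIC-3-EVAL_EXPIRED_WARNING:Evaluation period expired on Aug 15 09:39:46 2018 UTC
2018-09-06T23:53:41-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:26-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:53:11-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
2018-09-06T23:52:56-06:00
warning
network
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
"""

DNSMASQ_NOISE = "dnsmasq: ignoring nameserver 127.0.0.1 - local interface"

# Assumption for this example: messages the thread (and the linked Cisco thread)
# treat as recurring background noise rather than evidence of anything.
KNOWN_NOISE = {DNSMASQ_NOISE}

# Syslog-style severities at or above which a record is always worth a look.
HIGH_SEVERITIES = {"error", "critical", "alert", "emergency"}


def parse_export(text):
    """Turn the pasted export into dicts sorted oldest-first."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("export is not a sequence of 4-line records")
    records = []
    for i in range(0, len(lines), 4):
        ts, severity, facility, message = lines[i:i + 4]
        records.append({
            "time": datetime.fromisoformat(ts),  # keeps the -06:00 offset
            "severity": severity,
            "facility": facility,
            "message": message,
        })
    records.sort(key=lambda r: r["time"])
    return records


def repeat_interval(records, message):
    """Median seconds between consecutive occurrences of one message, or None."""
    times = [r["time"] for r in records if r["message"] == message]
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps)


def triage(records):
    """Summarise the export: per-message counts, buffer span, and the records
    that are either unfamiliar or logged at error level or above."""
    counts = Counter(r["message"] for r in records)
    noteworthy = [
        r for r in records
        if r["message"] not in KNOWN_NOISE or r["severity"] in HIGH_SEVERITIES
    ]
    span = (records[-1]["time"] - records[0]["time"]).total_seconds() if records else 0.0
    return {"counts": dict(counts), "noteworthy": noteworthy, "span_seconds": span}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    result = triage(recs)
    print(f"{len(recs)} records covering {result['span_seconds']:.0f} s")
    print(f"dnsmasq warning repeats every {repeat_interval(recs, DNSMASQ_NOISE):.0f} s")
    for r in result["noteworthy"]:
        print(r["time"].isoformat(), r["severity"], r["facility"], r["message"])
```

Run against a longer export, the span figure shows how much history the on-box buffer really retains, which is the case for shipping logs off the router before they roll off.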

It happened again tonight. I seem to have fared better as I was only down a short while. I have an IPv6 ACL denying any. I have remote access locked to one small local network. Only DNS stopped. I can ping out. I guess it could be Spectrum again but I don't see anything in the modem log. I should add I have ACLs to only permit my chosen DNS servers and deny all others. Will this stop a poison attack?


Are you sure you want to block IPv6 traffic? Many websites today, including google/youtube, already use IPv6; you might encounter performance issues with these websites.

For that log message, have a read on this. Many say it's a bug, but please do read the whole thread, there is more to it.
https://community.cisco.com/t5/small-business-routers/rv340-dnsmasq-ignoring-nameserver-127-0-0-1/td-p/3310643

 

 

If I use a USB memory stick can I expand my logs? Will it slow down my router? What speed of USB memory stick? I don't see it in the manual.

How do I protect against a DNS poison attack? Are ACLs enough?

Don't use a USB stick, use a syslog server for that. Set up a syslog server in your network. A workstation OS will do, just install syslog software on it such as Solarwind Kiwisyslog server and TFTPd syslog server.
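The reason for a syslog server is the one the original poster ran into: the router's own buffer had already rolled past midnight by the time it was checked. As an added example that is not code from the thread or from any of the products named, here is a minimal UDP syslog collector in Python that a workstation can run: it decodes the `<PRI>` prefix of RFC 3164-style messages into facility and severity, records the sending address and arrival time, and appends everything to one file per day so nothing is lost when the router overwrites its buffer. It assumes the router sends plain UDP syslog with a `<PRI>` header (the standard format; the exact RV340 framing is not shown on this page, so lines without a header are kept verbatim); the bind address, port and directory names are this example's choices.

```python
"""Minimal UDP syslog collector with per-day files (added example)."""
import re
import socket
from datetime import datetime, timezone
from pathlib import Path

# RFC 3164 priority header: <PRI> where PRI = facility * 8 + severity (0..191).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]


def parse_pri(line):
    """Split '<PRI>message' into (facility, severity_name, message).
    Messages without a valid header are returned unchanged with None fields
    rather than dropped, so nothing the router sends is lost."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:
        return None, None, line
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


def format_record(source_ip, line, received=None):
    """One stored line: arrival time (UTC), sender, decoded fields, message."""
    received = received or datetime.now(timezone.utc)
    facility, severity, message = parse_pri(line)
    return "{} {} fac={} sev={} {}".format(
        received.isoformat(timespec="seconds"), source_ip, facility, severity, message)


def serve(bind="0.0.0.0", port=514, out_dir="rv340-logs"):
    """Receive datagrams forever and append them to <out_dir>/<YYYY-MM-DD>.log.
    Port 514 needs administrator rights on most systems; use a high port if the
    router's remote syslog settings let you choose one (assumption: they do)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    Path(out_dir).mkdir(exist_ok=True)
    while True:
        data, (src, _) = sock.recvfrom(65535)
        line = data.decode("utf-8", errors="replace").rstrip("\r\n")
        day = datetime.now(timezone.utc).strftime("%Y-%m-%d")
        with open(Path(out_dir) / f"{day}.log", "a", encoding="utf-8") as f:
            f.write(format_record(src, line) + "\n")


if __name__ == "__main__":
    serve()
```

Because the collector keeps a copy off the router, an attacker who can clear or overflow the on-box log cannot erase what was already forwarded, and the per-day files can be fed to a triage script afterwards.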

You need application-level capabilities for that; your firewall isn't enough. It is not application aware. It just allows whatever TCP/UDP ports you require. Additionally, it's not a stateless firewall.

Disable PnP. That did it for me.
Unless, I hope obviously, that you need it.