Re: man in the middle



Entire Conversation:
http://groups.google.com/group/microsoft.public.security/browse_frm/thread/9914c00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76



Kerry Brown wrote:
It sounds like your router may have been compromised.

Unplug one of your computers from the router. Do a clean install of
Windows on this computer making sure you delete all partitions then
recreate them during the install. Leave this computer unplugged
from the router. Don't worry about updating it just yet. On a
different computer download the latest firmware for your router.
Burn this file to a CD or copy it to a flash drive. Make sure there
are no other files on the CD or flash drive. Unplug all of the
computers from the router. Unplug the router from the Internet.
Reset the router to the factory defaults. Plug in the computer with
the fresh Windows install. Use it to flash the router with the
downloaded firmware. Reset the router again. Set a password for the
admin account. Plug the router back into the Internet and update
this computer. Do not plug in any of the other computers until they
have been wiped clean and a fresh install of Windows done.
The key is to flash the router with a clean computer then set a
password on the router before reconnecting to the Internet.

BoaterDave wrote:
I feel there is much merit in what you say. FYI I did raise this
topic here
http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
before I became persona non grata at AumHa.
Are you aware of any way to check whether or not a router has been
compromised - *before* one follows the procedure you have outlined?
I should be interested to learn more about this subject. Do you (or
anyone else reading here) have any pointers as to where to begin?

I found this item which I found interesting - others may too:-
http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026

A fairly recent news item here, too:
http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html

While I know of no way to find out if a router has been compromised - if
there is even one ounce of suspicion that it could have been compromised -
it would be better to reset the router to defaults, set a new password
(strong one) on it, leave remote management turned off, make sure wireless
(if a feature of said router) is using WPA or WPA2 at least for security,
etc.

What makes that even better is doing that 'offline' - the router does not
need an Internet connection for any of that.

In this particular case (that where the original poster seems to have been
targeted in some way - or overlooking some part of re-securing their entire
system (not just the computer)) - the advice is spot-on in my opinion.
Start from the first piece of equipment you can control and work your way
through to the last - keeping them all 'offline' until you have changed the
setup on all of them and secured them to the best of your ability.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html