IP based virus?

emosun · June 14, 2017, 10:13am

We having an issue where when going to a site such as ebay.com , it goes straight to a "login" page. which is obviously not real becuase ebay.coms main page isn't just a login screen. Same with amazon.com , it goes straight to a fake login page for amazon.

The only way I have found to get the machines working again is to use cyberghost which then allows me to access all pages normally which leads me to believe these machines have some sort of virus based on the ip they have?

I'm a noob with this and google didn't really help me here. clearly it's some sort of virus thats looking for login credentials just dont know how to fix it correctly. these machines only got this problem within the last month and never had issue like this before.

these are all just windows 7 machines on a home network.

emosun · June 14, 2017, 10:20am

google mention it could be a dns hack on the router? if that makes any sense to someone

Dje4321 · June 14, 2017, 10:45am

check 2 things

DNS settings at the router and machines
HOSTS file which might be redirecting you to a target website

emosun · June 14, 2017, 12:39pm

Well for now I just reset the routers reset button and it seems to have fixed it. I'll check the dns settings

Vendetta · June 14, 2017, 12:42pm

If you type in the IP address of google etc will it take you to the real site? If so it is defiantly a DNS issue.

Peanut253 · June 14, 2017, 12:43pm

If it is an issue with the router, either upgrade the firmware (routers can have security vulnerabilities) or replace it with a dd-wrt model or PF sense.

Also check to make sure uPnP/remote management/SSH/Telnet are disabled.

emosun · June 14, 2017, 1:51pm

I should have tried that when it was happening but I will know to try it if it happens again.

emosun · June 14, 2017, 1:54pm

I can't change the routers firmware as we have a sort of delicate setup right now as far as every device being compatible with its current firmware and settings. But should we ever not need these specific devices anymore I could consider changing it in the future to different firmware.

blackfire · June 14, 2017, 2:43pm

make sure you are not using default router user and password. this is becoming a very common attack vector.

BarkingMad · June 14, 2017, 3:31pm

^ This

Disconnect the router from the Internet. Reboot it. Then change the default user/password, before plugging back into the Internet.

Bots can pwn your router literally within seconds of connecting to the Internet, if it is using the default login credentials.

Of course some home routers are so buggy, that a bot may be exploiting a back door in your router. ; (

If the problem persists after changing the login credentials, you need to either make a trip to the router store, or deploy a pfSense box.