IP based virus?

We're having an issue where, when going to a site such as ebay.com, it goes straight to a "login" page, which is obviously not real because ebay.com's main page isn't just a login screen. Same with amazon.com: it goes straight to a fake login page for Amazon.

The only way I have found to get the machines working again is to use CyberGhost, which then allows me to access all pages normally, which leads me to believe these machines have some sort of virus based on the IP they have?

I'm a noob with this and Google didn't really help me here. Clearly it's some sort of virus that's looking for login credentials; I just don't know how to fix it correctly. These machines only got this problem within the last month and never had an issue like this before.

These are all just Windows 7 machines on a home network.

Google mentioned it could be a DNS hack on the router? If that makes any sense to someone.

Check 2 things:

1. DNS settings at the router and machines
2. HOSTS file, which might be redirecting you to a target website
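
The two checks suggested above, as an added example that is not part of the original thread: it audits hosts-file text for overrides of the sites named in the question and compares configured DNS servers against the ones you expect. The function names, the watched-domain list and the sample data are assumptions constructed for illustration.

```python
import ipaddress

# Domains the thread reports being redirected; extend with sites you log in to.
WATCHED = ("ebay.com", "amazon.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def suspicious_hosts_entries(text, watched=WATCHED):
    """Return entries that override a watched domain or one of its subdomains."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, str(ip)))
    return hits

def unexpected_dns_servers(configured, expected):
    """Return configured resolvers that are not in the list you expect."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [s for s in configured if ipaddress.ip_address(s) not in allowed]

# Constructed sample input (documentation-range addresses, not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.ebay.com ebay.com   # constructed bad entry
203.0.113.7     signin.amazon.com
192.168.1.20    nas.home
"""

if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    # Constructed resolver list: the router (192.168.1.1) is expected, the other is not.
    print(unexpected_dns_servers(["192.168.1.1", "198.51.100.53"], ["192.168.1.1"]))
```

On Windows the hosts file is at `%SystemRoot%\System32\drivers\etc\hosts`, and `ipconfig /all` lists the DNS servers each adapter is using; the router's own DNS setting has to be read from its admin page.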

Well, for now I just reset the router's reset button and it seems to have fixed it. I'll check the DNS settings.

If you type in the IP address of Google etc., will it take you to the real site? If so, it is definitely a DNS issue.

If it is an issue with the router, either upgrade the firmware (routers can have security vulnerabilities) or replace it with a DD-WRT model or pfSense.

Also check to make sure UPnP/remote management/SSH/Telnet are disabled.

I should have tried that when it was happening but I will know to try it if it happens again.

I can't change the router's firmware as we have a sort of delicate setup right now as far as every device being compatible with its current firmware and settings. But should we ever not need these specific devices anymore, I could consider changing it in the future to different firmware.

Make sure you are not using the default router user and password. This is becoming a very common attack vector.

^ This

Disconnect the router from the Internet. Reboot it. Then change the default user/password, before plugging back into the Internet.

Bots can pwn your router literally within seconds of connecting to the Internet, if it is using the default login credentials.

Of course, some home routers are so buggy that a bot may be exploiting a back door in your router. ;(

If the problem persists after changing the login credentials, you need to either make a trip to the router store, or deploy a pfSense box.