Malware Infected Router
Good Day Netgear Community
AC1200 / 6220 Nighthawk Dual Band Router & Gateway
Interesting, confusing and alarming security situation. I have gone through many months of security concerns and problems: a buggy computer, malfunctioning internet, URL redirects, double websites, trojan-injected downloads, .dll script modifications/additions, API versions of accounts; the list is quite extensive actually.
Well, the scenario in question. I ran a Windows Defender scan and found a trojan and malexploit.js files (something like that; I have a screenshot somewhere). When I ran this scan and saw the exploits, my internet crashed immediately. No internet access to either one of my Nighthawk routers. Then after some time / troubleshooting, when I did get upstream/downstream, my PC warned me of a potential malware threat associated with my router address: 192.168.0.1.
I know routers can be infected / impacted by attackers, but I do not know how that actually happens. Is the firmware update file impacted? Is it a physical modification? Is it distributed to the gateway address under a script type attack or something else? How difficult is it to impact someone's router from outside the network? Is it something you have to be on the network to do?
If someone could provide info / details as to how this would happen, potential troubleshooting tips, etc. it would be very alleviating and helpful.
This prompted me to get a new modem/router from my ISP so they could maybe troubleshoot, but it doesn't want to allow me access to certain configuration options and shows up in my customer portal incorrectly. It is an Xfinity xFi but doesn't show up to Xfinity as an xFi (as one would think it would); it shows up as a Technicolor device. This makes me think I am on a hotspot version of my own internet without the ability to connect to the main provision from Comcast.
Also of interest: my PC says Windows 10 Home, but my store says it is not compatible with this device. In the advanced system information for connectivity, with an "old-looking" interface, my PC says Windows Professional (not to my knowledge). It also says Windows NT in a few places too. My PC says hypervisor detected (not to my knowledge). I have seen, through IBM Security, repeated failed user login events mentioning Red Hat, as if through some AWS cloud distribution of something (not to my knowledge). I feel like I am in a FreeBSD jail or something. Or multiple, because I have seen loading prompts relating to AWS, Azure and Google Cloud, with CloudFront and Cloudflare coming up quite a bit. This was accompanied by a redirect error stating that tokens can't be issued for this API version of a Microsoft account when trying to look at details for a browser extension.
Also on the browser point, can anyone offer feedback on whether the following browser details are "normal"? This is what it says my browser details are:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4476.0 Safari/537.36"
Thanks to anyone and all for help, insight or feedback.
All the Best,