Router Malware Infected?

IP Newbie asked 2 years ago

Has anyone here ever heard of spyware that can be put into the flash memory in an ADSL router and/or how to get rid of it?

I have been getting the router security log reporting of packets sent outbound to an IP address (on port 8080) that has nothing to do with the router's operation. It sends packets out to the address about 3 times in a row after the router is powered up, but never gets an inbound response.

It happens after the router is first powered up in the following order (from the security log):
1) primary DNS server (port 53)
2) secondary DNS server (port 53)
3) NIST (time) (port 123)
4) Dest IP: 192.41.9.51 Port: 8080 (outbound)

To test for a solution, I have completely reset the router back to factory settings (which I thought would clear its flash memory) and unplugged its power for several minutes. To be sure that it wasn't coming from my computer, I turned it completely off at the same time. I then restarted the router (but not the computer). I let the router go through its startup sequence and go online. I waited another 5 minutes after that before I started my computer. After finally restarting the computer, I checked the security logs of the router and found that the router still sent 3 packets to the unknown IP address on port 8080, a full 5 minutes before the computer was started up. Unless my logic is completely upside down or something, no spyware/malware could have been coming from the computer (a very old desktop Compaq w/Win98SE, i.e. the power was OFF).

I have also performed another test where I would power the router up only (with the computer off), then push the manual RESET button on the back. This is also supposed to clear the memory and reset back to factory. After allowing 5 minutes for the router to go online, I would start the computer, check the router's security log and find the same packets sent to the IP address nearly 5 minutes before the computer was even started.

I tracked and traced the offending IP address down and I am sure that it has nothing to do with the ISP's DNS, gateway, etc. My IP address is dynamic and changes every time I turn off or restart the router, so a hacker shouldn't be able to locate me, right?

There is only my one old computer connected to the router, which goes straight out to the phone line... no possibility of another computer on a LAN or anything causing the problem. This is NOT a wireless router. It's a direct wired-in connection from: computer>router>phone line.

The only guess that I've been able to come up with is that someone has put something directly in the flash memory of the router some way or another. Is there any procedure for completely flushing the Flash & restarting? Or is there something else that might be going on here?

Thanks

p.s. One other thing that I noticed while I was messing around with my username and password:
after I saved my username and password (in the browser popup window), the website name "dev.pdvel.com" rolled across the status bar at the bottom of the popup browser window (for just a split second). The router was offline at the time, and I searched through my entire hard drive for any variation of that name and found none. After I looked online, I found a lot of positive information on the guy, and I kinda doubt that he has anything to do with the problem I am having. Maybe he is someone who helped design the software for the router? I was wondering if any of you guys knew him. I think he's kinda famous in programming, but I just don't know, and I hate to even mention the name of anyone that has worked in the business so long...

1 Answer
Shnerdly Staff answered 2 years ago

Thanks for your question IP Newbie.

"There is only my one old computer connected to the router, which goes straight out to the phone line... no possibility of another computer on a LAN or anything causing the problem. This is NOT a wireless router. It's a direct wired-in connection from: computer>router>phone line."

First, based on the quoted paragraph, I suspect we are talking about a modem, not a router.

In order to offer any kind of an opinion, we would need to know the make and model of the modem. It may be something in the modem registering itself with your ISP, which is typical of DSL connections.
