Hijacked router

Wallly · July 17, 2014, 8:43am

Hi all.

Unsure if this is the correct forum but I’m in need of assistance. I recently signed up with a new ISP here in Spain and logging into the webadmin of my TPLINK router, I observed that RouterOS firmware has been flashed onto it. This may have been done while the technician was configuring the router with it’s stock interface (although I didn’t notice him doing so) or remotely. The ISP uses WIMAX and the antenna on my roof is plugged into a LAN port on the router. When I disconnect this cable, I am unable to ping the box from any of my machines. I do not have the password to access the webadmin of RouterOS (that’s been changed too) and I am a little concerned about the security aspect of this setup. As I’m not fluent in Spanish, I’m hoping someone may take the time to explain this setup to me in a language I understand

Thanks in advance,

Ben

cdiedrich · July 17, 2014, 8:51am

I doubt your TPlink router is flashed to RouterOS.
I’d rather assume your ISP is using routerboard hardware.
I don’t think the cable from your roof is placed correctly in a LAN port.
Move it to the WAN port, reboot your router and see what happens.

-Chris

normis · July 17, 2014, 9:10am

Maybe you are seeing the Hotspot login page? RouterOS can’t be flashed onto other devices.

Wallly · July 17, 2014, 9:16am

Hi Chris,

Thanks for the reply. There is no other hardware here bar the data/power splitter that powers the antenna and connects to the LAN port. When I connect this cable to the WAN port, again I am unable to ping the router. Since the first reboot after installation, default gateway shows RouterOS interface as opposed to TPLINK. This was the first I’d ever heard of Mikrotek.

Ben

Wallly · July 17, 2014, 9:20am

Normis:

When I enter 192.168.1.1 into the address bar, this is the message I get, with logon box and other links.

“RouterOS v6.15 You have connected to a router. Administrative access only. If this device is not in your possession, please contact your local network administrator.”

normis · July 17, 2014, 9:30am

you are connecting to the ISP router, not your TPlink.
Maybe the TPlink is configured in bridge mode, transparently forwarding you to the next device.

Wallly · July 17, 2014, 9:34am

Ok, that makes sense. Do you have any idea how I can access the TPLINK so I am able to administer my network?

normis · July 17, 2014, 9:37am

That would depend on the TPlink model and how it’s configured, maybe you can find a manual for it?

cdiedrich · July 17, 2014, 9:42am

Umm…
So your TPlink router initially also managed a 192.168.1.0/24 network?
Try disconnecting the cable from the roof, reboot your TPlink and see if you can access it then.
Then change its IP range from 192.168.1.0/24 to something not colliding with the Mikrotik Router, for example 192.168.7.0/24.
Then connect the roof cable back to the WAN port and try again.

-Chris

Wallly · July 17, 2014, 10:17am

Using traceroute, the first hop beyond my router is 192.168.153.1. I presumed this is where I was being forwarded to yet when I access that, it’s RouterOS again but a different version 6.12, as opposed to 6.15 at 192.168.1.1. Is this significant?

The router is TL-WR741ND, I looked through the manual (http://www.tp-link.com/resources/document/TL-WR741ND_V4_User_Guide_1910010596.pdf) but can’t find anything about bridging. There is a section on static routing but no info. on how to access the router.

Chris: The router is configured 192.168.1.0/24 with static IP addressing. When I unplug the aerial from the LAN port (and reboot), I cannot access the router at all. It’s weird.

Another thing is, which initially made me think the TPLINK had been flashed was that after the aerial installation I accessed it with the stock interface. It was only after a reboot that RouterOS appeared.