Posted by Roy Panetta on 21 May 2018 11:28 AM
DrayTek has become aware of new attacks against web-enabled devices, including DrayTek routers.
In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered.
To check if your router has been compromised, look at the DNS and DHCP settings on your router. If you have a router supporting multiple LAN subnets, check the settings for each subnet. Your DNS settings should be blank, set to the correct DNS server addresses from your ISP, or set to the addresses of a DNS server that you have chosen yourself (e.g. Google 22.214.171.124).
If you see a rogue DNS server setting of 126.96.36.199, your router settings have been changed. In this case you can correct the changes or restore the router configuration from the last known good backup configuration.
Note that the IP address 188.8.131.52 may not be the only rogue address, so if you find any DNS IP that is different to your own setting, you should either upgrade the firmware or adjust security settings as described below.
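The per-subnet check described above can be scripted when several routers or subnets have to be reviewed. The following is an added example, not DrayTek code: it assumes the DNS values have been copied by hand from each LAN/DHCP page into a dictionary, and the function name, field names, and allowlist addresses are constructed for illustration.

```python
import ipaddress

# Address the advisory reports as a rogue DNS setting.
KNOWN_ROGUE = {ipaddress.ip_address("126.96.36.199")}


def audit_dns(subnets, allowed):
    """Return (subnet, field, value, verdict) for each DNS entry that is
    neither blank nor on the allowlist of ISP / chosen resolvers."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for subnet, settings in subnets.items():
        for field, value in settings.items():
            value = value.strip()
            if not value:
                continue  # a blank DNS field is acceptable per the advisory
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                # Truncated or mistyped entries need a manual look as well
                findings.append((subnet, field, value, "unparseable"))
                continue
            if ip in KNOWN_ROGUE:
                findings.append((subnet, field, value, "known-rogue"))
            elif ip not in allowed_ips:
                # Any address you did not set yourself is treated as suspect
                findings.append((subnet, field, value, "unexpected"))
    return findings


# Constructed sample: values as transcribed from each LAN subnet's DHCP page.
SAMPLE = {
    "LAN1": {"primary_dns": "192.0.2.53", "secondary_dns": ""},
    "LAN2": {"primary_dns": "126.96.36.199", "secondary_dns": "192.0.2.53"},
    "LAN3": {"primary_dns": "198.51.100.7", "secondary_dns": "192.0.2"},
}
# Constructed allowlist: the resolvers this site is supposed to use.
ALLOWED = ["192.0.2.53", "192.0.2.54"]

if __name__ == "__main__":
    for finding in audit_dns(SAMPLE, ALLOWED):
        print(*finding, sep="\t")
```

Any finding, whether "known-rogue" or merely "unexpected", means the configuration should be corrected or restored and the firmware upgraded.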
DrayTek has now released new firmware that addresses this security vulnerability. The firmware can be downloaded from: https://www.draytek.com/en/download/firmware/
Updated firmware with the security fix listed below:
Click here to download latest firmware.