Hitron Router Man-in-the Middle Attack

I've Been Here Awhile
Posts: 3

Hitron Router Man-in-the Middle Attack

Hi,

I received this message from Norton giving a man-in-the-middle warning. I live in Waterloo region so should I call the local police about it, or is it something you can handle? I tried restoring Windows but it doesn't help. Please advise as soon as possible! Thank you.

 

manInMiddle_alert.jpg

Moderator
Posts: 258

Re: Hitron Router Man-in-the Middle Attack

Hey @vasya1!

Welcome to the community!

Though Rogers isn't able to provide direct assistance with such concerns, you may be able to find assistance from our community here as to what steps you can take.

That said, I would recommend ensuring that any/all devices connected on your network have the most recent security updates as needed. Are you using your own router by chance?

 

@RogersAndy

Resident Expert
Posts: 6,262

Re: Hitron Router Man-in-the Middle Attack

@vasya1 I'm assuming that you're trying to connect to a web site and Norton 360 or Norton Security is responding with that warning. For whatever reason, the web site that you're trying to access has been deemed "not safe" by Norton. That could be for any number of reasons. You would have to be absolutely sure that the web address is correct and that the site that you eventually end up at is the real site. It's possible that this is a false positive alert, but, just the same, you should be very cautious if you proceed to that web site. If this is a false positive, then the web site administrator would have to discuss the issue with Norton. However, there is also the possibility that the web site has been compromised, which would explain the warning. That does happen, more frequently than desired.

 

In terms of your own security there are a number of items to check:

 

  1. The first item I would check if the web site in question starts automatically when you start your web browser, is the Home page setting on the browser. Depending on the browser that you use, look for the browser settings and check the Home page or Start pages.  Delete any or all that are not required, or that you feel are causing problems.
  2. Using a PC or laptop connected to your modem or router via ethernet, log into the modem or router, and check the DNS addresses in use. In the case of the Hitron modem, that's located in BASIC …. DNS. There are two settings for the DNS Obtain, Auto or Manual. In Auto the modem will use the Rogers Domain Name Servers to convert any entered web address into its numerical equivalent, so that web browsers or applications are pointed to the correct site. In Manual, the modem will use the entered Domain Name Server address to do that conversion. What you want to see in those entry windows are DNS addresses that you recognize as a true Domain Name Server, not a rogue server that is set up to redirect your web address entries to false web sites. The Rogers server addresses are:
    1. IPV4: 71.255.204
    2. IPV4: 71.255.198
    3. IPV6: 2607:f798:18:10:0:640:7125:5204
    4. IPV6: 2607:f798:18:10:0:640:7125:5198
    5. There are other DNSs which can be used such as Google: IPV4:  8.8.8 and 8.8.4.4 and IPV6: 2001:4860:4860::8888 and 2001:4860:4860::8844
    6. There are others such as OpenDNS, Cloudflare, and many others. Google is probably the most popular, as a guess.
  3. Next you should check your wifi parameters as indicated in the following post: https://communityforums.rogers.com/t5/Internet/slow-wifi/m-p/429489#M54216
  4. Your wifi network names should be long, random, and should completely fill the 32 character limit. Since you very rarely have to fill in the network name in a device, my advice is to make this completely random. The network name shouldn't identify you or your home. The network passphrases should also be random, although this is more of a pain. If you don't want to randomize this field, use a long expression of some type that makes sense to you, which can be easily remembered. Passwords these days should be at least 25 characters in length. This particular field is 63 or 64 characters in length, depending on the character set that is used. Setting these two fields as indicated will require you to log into the new networks with your mobile devices. The purpose of randomizing these fields and using very long character sets is to prevent hackers from hacking into your wifi network and modem by using easily obtained hacking lists which combine simple network names and passphrases and their generated keys. Long random fields make this tougher to do, not impossible, but tough enough that someone will look for another network to hack. This is also in conjunction with the changes to the wifi settings indicated in the previous paragraph. Reboot your modem or router after these changes are done. For the modem, the reboot function is located in ADMIN …. DEVICE RESET …. Reboot.
  5. Next, you should check your PC or laptop to ensure that its own DNS setting has not been hijacked. Go to START …. CONTROL PANEL …. NETWORK and SHARING CENTER. Select Change Adapter Settings on the left hand side to bring up the Network Connections panel. Right click on the Ethernet network that is shown and select Properties. You should have to enter the system password, as you should be using a user account, not the administrator account, for everyday activities. When the Ethernet Properties panel comes up, select Internet Protocol Version 4 (TCP/IPv4) and select the Properties button just to the lower right on that panel display. That will bring up the selections to Obtain an IP address automatically and to Obtain DNS server address automatically. What you're checking for at this point is to ensure that the Obtain DNS server address automatically hasn't been changed without your knowledge, which could result in your PC or laptop using a rogue DNS address. When those fields are empty, the PC or laptop will use the DNS address as supplied by the modem or router. So you need to know at this point that the modem's or router's DNS addresses are correct. If so, you can leave these fields empty. If you want to use a specific Domain Name Server, such as Rogers, Google, OpenDNS, etc., you would select "Use the following DNS server addresses" and enter those addresses into the entry windows. When you're done select OK at the bottom.
  6. Next select Internet Protocol Version 6, further down, and do the same check. The DNS fields should be set to Auto, or filled with an address that you recognize and approve of.  When you’re done select Ok at the bottom.
  7. Next is to check the Windows Hosts file. An example of what this file looks like is contained here: https://gist.github.com/zenorocha/18b10a14b2deb214dc4ce43a2d2e2992 What you want to see is that the file only contains addresses that you approve of. In the case shown, there are 177.xx.xx.xxx addresses used by that particular user. Windows uses the hosts file as a first source for web address to IP address conversion. So, if a web address is contained in that file, Windows won't use any external source. So, you want to ensure that the Hosts file only contains addresses that you approve of. What you might see is something like this:

127.0.0.1              www.007guard.com
127.0.0.1              007guard.com
127.0.0.1              008i.com

Those 127.0.0.1 addresses are internal loopback addresses which prevent any browser or application from navigating to an external address. Those addresses are a very short example of a long list of addresses that have been added to my Hosts file by Spybot.

 

To modify that file follow the instructions as indicated here: 

https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

 

When you start notepad, enter the following address in the address field: 

c:\Windows\System32\Drivers\etc\hosts

 

That should take you directly to the Hosts file.  When you’re done modifying the Hosts file, save the file.

 

Reboot the pc or laptop at this point.

 

Now, it's possible that after all of this, you might still see the suspicious network warning, which I would interpret as an indication that the site in question has been compromised in some fashion, or that a false positive has been declared by some other company and not cleared by Norton as of yet.

 

Hope this helps.  Please let me know if you have any questions.
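
The post above walks through two of the checks by hand: the DNS server addresses a modem or PC is configured with, and the contents of the Windows hosts file. Below is an added example (not code from this thread or from Rogers or Hitron) that does the same two checks offline so they can be repeated on any machine. It parses a hosts file the way Windows does (one address, one or more names, `#` comments), skips the harmless loopback sinkholes that tools like Spybot add, and flags any name sent to a real address; it then compares a list of configured resolvers against an allow-list. The allow-list, the sample hosts file and the sample resolver list are assumptions constructed for the example: the Rogers IPv6 addresses are copied from the post, Google and Cloudflare are public resolvers, and the 203.0.113.x addresses are documentation-range placeholders.

```python
"""Offline audit of two DNS-hijack indicators from the checklist above: the
hosts file and the resolver addresses a PC or modem is configured to use.
Added example, not code from the forum thread; the allow-list and sample data
are assumptions and constructed input."""
import ipaddress
from pathlib import Path

# Resolvers the owner recognizes. The Rogers IPv6 addresses are those quoted in
# the post; Google and Cloudflare are public resolvers. Edit to taste (assumption).
KNOWN_RESOLVERS = {
    str(ipaddress.ip_address(a)) for a in (
        "2607:f798:18:10:0:640:7125:5204", "2607:f798:18:10:0:640:7125:5198",
        "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",
        "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",
    )
}

# Address ranges a device on a home LAN would legitimately live in.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed hosts file: two Spybot-style sinkholes, one LAN device, one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1       www.007guard.com
127.0.0.1       007guard.com
0.0.0.0         008i.com
192.168.1.10    nas.home                # printer/NAS on the LAN
203.0.113.45    www.example-bank.test   # constructed: bank-like name sent elsewhere
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed line, not a mapping
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def suspicious_hosts_entries(text):
    """Return mappings that could send real traffic somewhere else.

    Loopback/unspecified targets (127.0.0.1, ::1, 0.0.0.0) are sinkholes such as
    the Spybot entries: the name resolves to nowhere, so they are skipped. Any
    other target overrides DNS for that name; a LAN address is worth a look, a
    public one is the classic hijack pattern."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        on_lan = any(ip in net for net in LAN_NETS)
        findings.append({"line": line_no, "name": name, "ip": str(ip),
                         "severity": "review" if on_lan else "high"})
    return findings


def unknown_resolvers(configured, gateway=None):
    """Return configured DNS servers that are not in KNOWN_RESOLVERS.

    `gateway` is the modem/router LAN address: in "obtain automatically" mode
    Windows lists the modem itself as its DNS server, which is expected."""
    trusted = set(KNOWN_RESOLVERS)
    if gateway:
        trusted.add(str(ipaddress.ip_address(gateway)))
    unknown = []
    for addr in configured:
        try:
            norm = str(ipaddress.ip_address(addr))
        except ValueError:
            unknown.append(addr)          # not even an IP address: flag it
            continue
        if norm not in trusted:
            unknown.append(norm)
    return unknown


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the hosts check against the real file (needs read access to it)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_hosts_entries(text)


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['name']} -> {f['ip']} [{f['severity']}]")
    # Constructed resolver list: the modem, Google, and one server nobody recognizes.
    print("unknown resolvers:",
          unknown_resolvers(["192.168.0.1", "8.8.8.8", "203.0.113.53"],
                            gateway="192.168.0.1"))
```

Run it as-is to see the constructed sample flagged, or call `audit_hosts_file()` on the machine in question; on the resolver side, feed `unknown_resolvers()` the addresses shown in the adapter's TCP/IPv4 and TCP/IPv6 properties (or in the modem's BASIC …. DNS page) together with the modem's own LAN address as `gateway`. Anything the function returns is an address you did not configure and should recognize before trusting.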

 



I've Been Here Awhile
Posts: 3

Re: Hitron Router Man-in-the Middle Attack

Thanks for your reply. I'll go through your instructions. I'll also contact Norton to find out if there are any logs that captured info on this. We just rent the Hitron, it isn't ours. Thanks!