How to Check Your Router for Malware

Out of the box, consumer router security isn’t exactly top notch, which can make it easy for hackers to compromise your router. In this post we’re going to show you how to check whether your router has been attacked and what you can do to protect yourself.

How hackers can compromise your router

One thing hackers often do is change the DNS server settings on your router so that it points to a malicious DNS server instead. Afterwards, when you try to open a website, the malicious DNS server can send you to a phishing site that shows the same URL in the address bar and looks completely legit, but is actually fake.

This malicious DNS server doesn’t even have to respond to all queries: it could time out on most requests and forward the rest to your ISP’s default DNS server. So if your DNS lookups are unusually slow, it could be a sign that your router has been tampered with.

One thing to look for is that the phishing website won’t be served over HTTPS, but most people don’t know to check for this or forget to. And besides, SSL-stripping attacks can remove the encryption in transit anyway.

Other things attackers might do are inject advertisements, redirect search results, or try to push drive-by downloads. If, for example, you see advertisements that look out of place (pornographic ads on a serious website like The Huffington Post, say), that is a good indication something is wrong on your end: either your computer or your router has most likely been infected.

Many attacks use something called cross-site request forgery (CSRF), which basically means the hacker embeds malicious JavaScript in a web page, and that script then tries to load the router’s web-based administration page and change its settings.

Since the JavaScript is running in a browser on a device inside your local network, it can reach the router’s web interface even though that interface is not exposed to the internet.

Finally, some routers ship with their remote administration interface enabled together with default usernames and passwords. The problem is that bots can scan the internet for these routers and log straight into them.

How to check to see if your system has been compromised

The clearest sign that your router has been compromised is that its DNS server has been changed. To see this, go to your router’s web-based interface and check its DNS server setting.

To begin with, go to your router’s web-based setup page (check your network connection’s gateway address or use the router’s documentation to find out how to do that). After you’ve signed in, look for a “DNS” setting (you can often find this in the WAN or Internet connection settings screen).

If this is set to “Automatic”, everything should be OK: the DNS servers are being assigned by your ISP. If, on the other hand, it is set to “Manual” and there are custom DNS servers entered there, you may have a problem.

Now, if you’ve configured your router to use trustworthy alternative DNS servers (like and for Google DNS or and for OpenDNS), this is perfectly fine. But if you don’t recognize the DNS servers, your computer could be infected with malware. A good idea would be to enter the DNS server addresses into a search engine and see if they’re legit or not.
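As an added example (not code from the original post), here is a small Python check that applies the rule above to the DNS entries copied from the router’s WAN page: it accepts the addresses you deliberately chose, treats private addresses as the router or an internal resolver, and flags any other public address for investigation. It also compares the current entries against a baseline recorded right after setup, so a silent change shows up. The trusted list and sample entries are constructed placeholders from the documentation address ranges.

```python
import ipaddress
from typing import Iterable

# Constructed placeholder allowlist (documentation range 192.0.2.0/24).
# Replace with the resolver addresses published by the provider you chose.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Address space that normally means "the router itself" or an internal resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def classify_resolver(addr: str) -> str:
    """Classify one DNS server address as shown on the router's WAN page."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if str(ip) in TRUSTED_RESOLVERS:
        return "trusted"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "unknown-public"  # look this address up before trusting it


def audit_router_dns(mode: str, servers: Iterable[str]) -> dict:
    """mode is the router's DNS setting: 'Automatic' or 'Manual'."""
    if mode.strip().lower() == "automatic":
        return {"verdict": "ok", "results": {}, "flagged": []}
    results = {s: classify_resolver(s) for s in servers}
    flagged = [s for s, c in results.items() if c in ("unknown-public", "invalid")]
    return {"verdict": "investigate" if flagged else "ok",
            "results": results, "flagged": flagged}


def detect_drift(baseline: list[str], current: list[str]) -> list[str]:
    """Entries present now that were not recorded when the router was set up."""
    return [s for s in current if s not in set(baseline)]


if __name__ == "__main__":
    # Constructed sample: one chosen resolver plus an unexpected public address.
    print(audit_router_dns("Manual", ["192.0.2.53", "198.51.100.7"]))
    print(detect_drift(["192.0.2.53"], ["192.0.2.53", "198.51.100.7"]))
```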

What to do if there’s a malicious DNS server configured

The solution to this problem is fairly straightforward: remove the malicious DNS server and set your router either to use the DNS servers assigned automatically by your ISP, or to use the addresses of trusted DNS servers like Google DNS or OpenDNS.

Just to be on the safe side, you can also factory-reset the router to wipe all of its settings before you set it up again.

How to protect your router from attacks

While you can never be completely safe from every kind of external attack, there are some things you can do to make it harder for hackers to compromise your router.

First of all, always install the latest firmware updates for your router, so that flaws which have already been patched can’t be used against you. Also, disable remote access to the device’s web-based administration pages and change the router’s password, so hackers can’t simply log in with the default credentials. Finally, turn off UPnP, which has proven to be quite vulnerable in the past.
