3rd Party Router Detected: U-Verse Router/Modem ATT 5031NV-030

bill77

I was using the net like normal last night when I suddenly had connectivity issues, and my browser was redirected to a page warning me that a "Router Behind Router" was detected; a third-party router was suddenly detected. No one in the house made any hardware changes or added any new devices, and there were no other internet issues.

All devices were affected. We have two desktop PCs (I was on one), a couple of phones, a couple of tablets, a Roku, and a wireless Epson printer connected like always. I dug through the router and found no evidence of a rogue device within the connected and recently connected clients list (wired or wireless), but this left our net mostly crippled since 4 AM last night (for some reason Google and Gmail would occasionally work {not cached, actual live operation}).

I have an app on my phone that's usually pretty good at detecting Ettercap-type MITM attacks when I tested it, and it didn't make a peep during this, so does this sound like a definite sign of some sort of honeypot situation?

I came home today and found that a family member followed the prompts and (most likely) clicked "disable" (in the option below), which has me concerned that a rogue device has now been given permission to re-route all of our traffic. This allowed their internet to work, albeit a bit glitchy. I looked around the settings again and it appears that they had clicked "disable", which unintuitively actually ALLOWS the mystery 3rd party router, but the checkbox in the settings that detects 3rd party routers and redirects you to a local warning page within the router was now unchecked. (They changed their story and think they clicked "resolve" now, so I don't even know which they clicked. I told them to not touch it until I came home initially.) The problem with that is one option simply stops the redirect to the warning page by ignoring (what it thinks is) the third party router, and the other option opens up the first computer at the top of the list in full DMZ Mode. (What the hell?!)


What is going on? Why wouldn't this device be exposed in the device list in the router? How screwed are we? U-Verse is new to me, and I mostly hate it. I hate the router they assigned us, and am not used to not having full control over a simple standalone DSL modem with a separate router.
I lost the battle when we switched services, so here I am.

This is pretty bad, right? What do I do here? Simply factory reset the router and change pws and all that jazz? Firmware update? Will it even matter at this point?

UPDATE:
Now my public IP address is being read from all websites, as well as a local scan, like a giant MAC address?!?
Example:
Your public IP is:
1234:123:12ab:abc0:a123:1a23:12ab:a12e

Service: Basic AT&T U-Verse Internet (6-10 Mbps-ish) and 1 VoIP line (no TV)

Devices:
- 2 wired PCs*
- 3 wireless mobile
- 1 Roku operating wirelessly (but on that note, the Roku also shows up as its own access point for some reason, though it always did in the year they've had it).
- Router/Modem Combo (ATT 5031NV-030)*

*Running on powerline adapters, unfortunately. Not my choice, she said the installer insisted.


Error: Router Behind Router Detection
The Connection Manager has detected a third party router connected to your 5031NV-030. This creates a condition where two routers each attempt to manage devices behind a NAT. This can create instability in your network and affect performance.

The Connection Manager can assign your third party router to DMZPlus Mode. This will allow both the 5031NV-030 and third party router to share the same public IP. Follow the instructions on the previous page to assign your third party router to the DMZ.

If you need to share devices within a network, the recommended solution is to attach a switch or hub to your 5031NV-030, and connect devices from your network to the switch. In this configuration, the NAT capabilities of your 5031NV-030 will assign private IP addresses to the connected devices, and allow those devices access to the internet via the public IP issued by your Broadband Service Provider.

Press the Back Button to continue.

Some of the router log from near the time this began
[Screenshot of router log]
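
Added example, not part of the original post: the value quoted under UPDATE has the textual form of an IPv6 address, and this Python sketch (standard-library `ipaddress` only) reports an address's version, its scope, and any MAC address embedded through an EUI-64 interface ID. The function names and every sample address other than the one quoted in the post are constructed for illustration.

```python
import ipaddress

# Scopes are checked in order; the first matching network wins.
V6_SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local (private)", ipaddress.ip_network("fc00::/7")),
    ("documentation", ipaddress.ip_network("2001:db8::/32")),
    ("global unicast", ipaddress.ip_network("2000::/3")),
]
V4_SCOPES = [
    ("private (RFC 1918)", ipaddress.ip_network("10.0.0.0/8")),
    ("private (RFC 1918)", ipaddress.ip_network("172.16.0.0/12")),
    ("private (RFC 1918)", ipaddress.ip_network("192.168.0.0/16")),
    ("carrier-grade NAT", ipaddress.ip_network("100.64.0.0/10")),
]

def embedded_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None."""
    iid = addr.packed[8:]               # low 64 bits of the IPv6 address
    if iid[3:5] != b"\xff\xfe":         # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def classify(text):
    """Return (version, scope, embedded MAC or None) for an address string."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6:
        scopes, default = V6_SCOPES, "outside assigned unicast space"
    else:
        scopes = V4_SCOPES
        default = "public" if addr.is_global else "special-use"
    scope = next((name for name, net in scopes if addr in net), default)
    mac = embedded_mac(addr) if addr.version == 6 else None
    return addr.version, scope, mac

if __name__ == "__main__":
    samples = [
        "1234:123:12ab:abc0:a123:1a23:12ab:a12e",  # value quoted in the post
        "2001:db8:1:2:211:22ff:fe33:4455",         # constructed, EUI-64 style
        "192.168.1.64",                            # constructed LAN address
        "100.64.1.1",                              # constructed CGNAT address
    ]
    for s in samples:
        print(s, "->", classify(s))
```

A private or carrier-grade NAT result for the address on a router's WAN side means another NAT device sits upstream of it, which is the condition the warning page calls "Router Behind Router".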
 

o3neonsxt

Oh wow, that's interesting. Any chance your modem from ATT has a 2nd "router" per se to act as a wifi hotspot? Comcast does that with our modems. Can you see an ATTWIFI on your wireless networks list?
 

bill77

Thanks for the feedback. As for Bluestacks, I installed it around a year and a half ago. The last time I messed with it was probably July or August. Guess I could uninstall it, but for now I have just been operating from a different machine with a fresh install and took everything else down.

Could this be a DNS attack or malfunction on my ISP's end? Or a remote attack via some sort of virtual device? I can't even run the "DNS spoofability test" over on GRC.com as the site's been down all day (of all days), but I'm fairly sure I've run it on this setup before.