I have had the same problem with PClinuxOS and Firefox 30 I am wondering if a full factory reset of the router has been tried as a possible solution?

xarnaye. It is not a real message from Mozilla guys. This "error" looks like a new malware (indetectable at the moment). Happens the same if you have other navigator like Chrome.

I'm not sure but I suspect the malware is in router/modem. I have 3 pcs and 1 tablet in the same network with the same problem. I hope somebody help us becouse Wikipedia, Youtube, Yahoo and Facebook are blocked by this "virus".

Has anyone contacted their internet provider or the router manufacture?

FredMcD some of us have contacted our ISPs - i'm still waiting to hear back from mine. As far as i know, no one has suggested contacting the router manufacture so i don't know if any has.

I contacted tp-link - no answer from them. But if you read their article carefully - http://uk.tp-link.com/article/?faqid=569 - they admit that their routers have a problem. Admin password is not checked when you read the ROM out of the router, so wrongdoers can connect from the web, read your router, scan your admin password from the ROM they've read, then use that password to update your router's settings, so that your DNS points to a malevolent DNS, which will then try to get you to click "upgrade Mozilla" links which will install malware onto your PC. As far as I could see, the malware in that link is not known. If you cannot understand the problem anyone - better you buy a new router rather than risk this. If you've picked up malware from one of the links that evil twin DNS sent you, you need some virus fixing. I couldn't see anywhere that said what that malware was though. I find these routers shoddy. I think this firmware was done by a summer student, because this does seem like a schoolboy error on tp-link's part (though possibly they buy in their firmware, the Algerian who found this problem suggests that.)

Just to say this thread is escalated, and it is cross linked to a post started by one of the Firefox Admins. In due course some Firefox staff should be following up on this.

Hey just thought i'd let everyone see the response from my ISP.

Thank you for your email and for bringing this to our attention.

I went through the thread that you've provided and as per one of the reply it says that UniBlue is a type of Malware. You might want to have your computer cleaned out first prior to attempting any troubleshooting with the connection itself. If you've done this already, we may need to refresh your connection by performing a hard reset on your modem. Before performing this step, please provide to us the make and model of your modem so that we can provide to you the steps on how to reconfigure it.

I don't think its that helpful but i thought i'd share it anyway. Has anyone else heard back from their ISP? At this point mum and i are considering just buying a new modem - DEFINITELY NOT a TP-Link!

Hello! I was not able to solve the DNS issue on the TP-Link router. But since I changed the router by another router from siemens, the issue disappeared.

Since I live in Germany I tend to involve Police with "Anzeige gegen Unbekannt". Could they be successful getting the hacker through the Google Analytics account?

Would anyone join this approach?

Greetings, Fredmobbing

This post is all just speculation on my part, whilst waiting for Admin Staff to post. Remember to sign in and vote on this thread using the button [I have this problem too]

• This is a security issue rather than a Firefox problem.
• I am hoping one of the Admin staff is going to step in with suggestions.
• It may be that we try to summarise the known advise, and are able (or YOU are able to) find a security related forum that is already dealing with and solving this issue.

More questions for those that have posted It may help to say

• What the Internet Service Provider (ISP) is
• and what the router is that you are using. (Make, Model & whether it is documented anywhere as being affected).

If someone is able to hack TP-Link routers there may well be other Routers and ISPs affected.

But also there may well be more than one issue affecting people in this thread. it is probably unlikely everyone has the sameTP-Link router and TP-link firmware. I suppose one possibility is that malware exploiting the TP link routers, or other malware may attack routers having a weak or default password. Such malware may use the same DNS or Links

Suggested actions for now

1. Look for malware scan with multiple and up to date tools. (You may need to use an unaffected device to get hold of the tools.) See the-edmeister's post-594370 up thread
2. Check and report your DNS setting and at least temporarily try using the free Google DNS service see the two adjacent posts by abecrabt post=594807 & 813
   • Also See Using Google Public DNS https://developers.google.com/speed/p.../using
     Which explains also how to check and change DNS settings.

Posting dodgy links It may well be usefull to post information about sites or links but not wish others to risk clicking them accidentally. If so please break the link to make it not clickable. One easy method that still allows the link to be seen and cut and pasted is to insert a pair of apostrophise around each dot. (2x ' each side of the dot, not 1x double quotes " ) Demonstration

• This site
  support.mozilla.org
• Could write as
  support<dot>mozilla<dot>org
• Write as
  support''.''mozilla''.''org
• Forum software converts that in preview and final post to pasteable but not clickable
  support.mozilla.org

I don't think anyone should use this router without being quite sure they've understood the problem and have successfully upgraded firmware and set up the firewall.

Myself I'm packing it in with this tp-link router. I've lost all faith in tp-link.

I'm suspicious of the quality of the new firmware. Admin pages take a very long time to come up. Once the router completely stopped responding and I had to reset, after which again, it crashed and lost settings.

If it does this - how can we be sure without careful testing that even the firewall (if you can get it to configure,) would really work and stop this attack?

I can't spend forever fiddling with a £35 router/adsl modem. I've gone back to my netgear.

TP-link haven't answered my query and if you look at their instructions to protect:

http://uk.tp-link.com/article/?faqid=569

they have a mistake: it should be WAN not LAN (that screen shows both,) so I don't see how that can be a real screenshot. I don't feel sure that TP-Link actually understand their own problem properly.

The original finder of this problem (as far as we can tell,) the Algerian in Hacker News: http://thehackernews.com/2014/01/TP-LINK-Routers-password-hacking.html# thinks this router has firmware from "Zyxel". I don't understand myself, but I've had it with TP-Link

so mum and i woke up this morning and turned on our computers and they are working fine now. i'm not sure if anyone remembers Lord_Brainstorms post earlier about clicking:

[windows key]+[r] to open the execute window

[c] [m] [d] [Enter] to open the command window 

typed in "nslookup" (without "") to reveal me the standard-server and the address.

There I found the 1st adress >abecrabt< has mentioned: Standartserver: Unknown Address : 94.102.63.137

but when he mentioned it the first time i did what he did and got the same result. This morning i redid it and got back something that says Default server: google-public-dns-b.google.com Address: 8.8.4.4

now i've never had reason to check this stuff before so i'm not sure if this is a good thing or not or what it said before this strange attack occured. also i haven't done anything since reporting this - haven't been able to reset my modem, haven't run anti-virus etc - so i have no idea why its changed to google-public.

so anyone know if this is a good thing? or is the problem now worse?

Resetting, or unplugging the modem should clear out any bad settings. Are you still having problems?

FredMcD - that is not correct. See earlier posts, unplugging is useless, a reset will clear the settings but you are still vulnerable, so that would be inadequate.

xarnaye - I think you should replace your tp-link router. You need to be able to understand how to connect to it, administrated it - check for the DNS settings, restore them to the correct ones, set up the firewall so it can't happen again. If you're struggling with these steps take the easy way out: buy a new adsl router.

xarnaye,

Simple answer the change to google-public-dns-b.google.com Address: 8.8.4.4 is good at least compared with the alternatives that you and some others may have seen which were bad.

Sorry if your own specifc question is getting sidelined somewhat. The question itself is showing

53 replies,     79 have this problem,     674 view 

That is above average for this forum. You have obviously discovered something rather odd, and potentially bad for security is happening.

The average Firefox user normally relies on the Internet Service Provider (ISP) providing a router with default settings and some form of setup routine or software and just leaves it to work.

It is in fact important, and often overlooked that the user change the actual passwords and logins from the Router's defaults. (The same advice is true for the computers BIOS login and the computers Operating System - Windows 7 or whatever).

Mostly the other technical details may be left as they are and you rely on the software to sort it out for you. It appears (subject to further verification) in the case of the TP-Link router there is a particular specific flaw in this that is open to exploits.

Detailed advice and discussions of Routers and Security is outside the scope of this forum, but being able to use Firefox safely is important. I also know Firefox Admin staff are interested in the popups problem. I was hoping one of them would have commented by now I did ping one of the Admins by email but I guess they are busy, and can take a few days or even weeks to respond to forum issues.

Here is some summary & general information

• Domain Name System (DNS)
  • Short explanation of what DNS is http://simple.wikipedia.org/wiki/Domain_Name_System
  • Fuller techi explanation of DNS http://en.wikipedia.org/wiki/Dns
  • Using Google Public DNS This is a useful short but full explanation of the basics and how to change related settings https://developers.google.com/speed/public-dns/docs/using
• TP-Link router and apparent exploit (Thanks to abecrabt) answer-594813
  • Looks like it's this: http://uk.tp-link.com/article/?faqid=569
  • citing this: http://thehackernews.com/2014/01/TP-LINK-Routers-password-hacking.html
    I did think I was up to date with firmware, but perhaps they got in quickly. I'm changing my admin password and keeping watch...
• A related external forum thread on Mozila FireFox system tools 17.54.5468'http://forums.mozillazine.org/viewtopic.php?f=38&t=2846699 (Thanks to Noah) {elsethread)
• Standard malware advice (Thanks to the-edmeister) upthread answer-594370
• What is an ISP see http://simple.wikipedia.org/wiki/Internet_service_provider & http://en.wikipedia.org/wiki/ISP

A further worry for people it seems to me is that the router hackers will have your isp/adsl loginame + password too.

That is potentially bad.

For my ISP the adsl password is the same as my ISP email, so they could hack my email. I don't use it much but all the same...

Anyone with this problem should change their ISP password too it seems to me, as I have.

As ever - I'm not happy with TP-LINK, I think this was rather a basic error on their part. Although I suppose, these things do happen.

WARNING ! ! ! !

You should change ALL of your password for EVERYTHING ! ! !

As soon as you can.

Since the hacker have a complete dump of the router, they are able to extract all information of the router. This means, they have at least: WLAN Password, ISP Account Router Password Mac Adresses of connected PCs IP Adresses of home network

For me: I see a high relevance in changing the ISP Account, but do not know how to do it, since it is given by ISP. Do I need to request it at ISP?

FredMcD - that is probably alarmist.

If you have this problem and you have not clicked the link and installed the malware, then you just have to secure your router (firmware, dns, firewall) and change your ADSL password.

If you use an email account associated with the same adsl account, you have to assume the hackers could hack this account.

If you want to take the chance that your information has not been compromised, that is your business. Most on line security agents would tell you to change passwords now and then. And if one thinks there was an issue, change them anyway.

Hey forum folks,

I'm back at my parent's this weekend to fix this problem.

The "3 steps to solve this problem" on the TP-Link webpage are real funny: My ACL-Settings were never set on [WAN] - they're still at [LAN] as set 2 years ago. And since I'm the only one in my family, who has the password to fumble around with the router settings, the posted Security holes...

Both security holes TP-Link confessed (external, German) (°1)

• Cross Site Request Forgery - read the admin-pw out of the browser via a corrupted link/image.

• Mediatek-Chipset bug - download the router's config files via active WAN-remote access.

... doesn't fit on me. Because 1st: I never-ever save passwords in any web browser, and 2nd: the settings were still on no-remote.

So I procrastinate the reasons for now and tried to reestablish a safe internet access, while follow the logical (and several times by @abecrabt, @John99 and all the other helpful participants above) mentioned steps.

Eleven Steps to renovate your router firmware as TP-Link recommend. (worked out for my TP-Link TD-W8961NB router)

• 1.) Plug off all the router cables except DC-power supply.

• 2.) Reset the router with a pin/pencil at the backside to the default settings

• 3.) Download the newest firmware for your router model (beware! Also check for the right hardware version!) using a safe internet access (neighbor or friend - my Smartphone was it or me).

TP-Link firmware download (external, Germany) (°2) TP-Link firmware download (external, United Kingdom)

• 4.) Connect a computer to the modem with a Ethernet cable (maybe called "LAN-Cable", "twisted pair", "ISDN-RJ-45", "RJ-61", ect. You know which I mean).

• 5.) Start your web browser (maybe in "in-private", "stealth-mode" or whatever to make sure not to save the admin-password per mistake).

• 6.) Type in the address row the router's IP (192.168.1.1 by default) to access the router's web interface. (by default the user name is admin and the password is admin as well)

• 7.) Go to the rider/slider called "Maintenance", sub-slider "firmware" and insert the path of your firmware download

• 8.) After the new firmware is set up and BEFORE fill out your ISP information check the slider "Access Management", sub-slider "ACL"! In the first line ACL MUST be activated and the interface in the lower sub-section MUST be set on LAN (not WAN). After saving this settings with the button below, "Interface: LAN" must indicated in the grid.

• 9.) (optional) Maybe you give a local home-computer - which is connected via cable - the sole claim to alter the router settings: Go to the sub-slider "Interface Setup, LAN", section DHCP-table, choose the MAC address of this home-computer. Type in your desired IP (or choose the given), and set static in the drop-down. Save, and go back to "Access Management, ACL". Replace in the line "safe/secure IP-address" (sorry, I've translated it from German) in both fields the 0.0.0.0 with your chosen 192.168.X.X Address. (BEWARE! Saving this setting will permit further configuration of your router only via the computer with the chosen IP - which is only applied to the computer with the unique MAC-address set at the start of step 9)

• 10.) Take the slider "Maintenance, Administration" and change your default password (admin) into a "real" password.

• 11.) Now fill out your ISP (easy task, using the "Quick Start Assistant"), activate/deactivate/alter the WLAN-settings and so on, to ready your average internet access.

Remember that I said "...doesn't fit on me"? Yeah, these security holes which TP-Link had to confess to, (see Link °1) were issued on the 7th April 2014... Now the big but: The newest firmware I can use was released on 9th November 2012.

So how can an older firmware update fix actual problem? Have no clue? Me neither! Maybe the email customer support? ...not a single reaction since 7 days!

Based on both not applicable security holes, there must be another one wich altered my DNS to a differtent one - keep cautious!

Finally I accompany @abecrabt: TP-Link is as good as dead for me!

My next move is to buy a new router tomorrow morning (today in 5 hours *yawn*) at my local vendor, then straight to the Telekom shop to order a new set of access data. (the first one is your decision, but I advise you to get new access data too)

After that I have a long day resetting my sister's laptop (she admit to clicked on the link) and help her and my mum (shared laptop) to renew every relevant online and email account - it's just Saturday morning but I can call it a weekend.

Thank to you, hacker scum!

...and to the others in here: Have a good night & stay tuned!