How to tell if the router is infected: In the world of modern computing, threats are commonplace: new viruses, malicious programs and various types of malware are constantly being created, and you can cope with them by keeping the programs and security apps installed on your devices up to date. There is, however, a less obvious but equally insidious threat, which can affect the user’s browsing activity and the security of data in transit on the Internet: router hijacking.
In practice, this technique consists of altering the DNS servers configured on the router by exploiting one or more vulnerabilities in its operating system: in this way, victims can be diverted to unwanted Internet pages without doing anything at all. In some cases, moreover, criminals are able to spy on the traffic generated by the devices connected to the router and exploit the information obtained to their advantage. As I have already told you, this is a threat that leaves no trace of itself on the router, although it can affect, even seriously, the devices connected to it.
What’s that? At this point, would you like a hand in working out whether your router is infected? No problem: read the following chapters of this guide carefully, in which I explain a series of techniques for answering the question you have rightly asked yourself. At this point, there is nothing left for me to do but wish you happy reading and good luck with everything!
Methods to understand if the router is infected
As I mentioned in the introductory lines of this guide, the vast majority of “infections” contracted by a router involve changing the DNS, i.e. the servers used to “translate” textual addresses into numeric IP addresses, and vice versa. By using “ad-hoc” DNS servers, cybercriminals can cause unwanted advertisements to appear in browsers, programs and apps, make certain websites unreachable or, worse still, spy on incoming and outgoing Internet traffic, obtaining valuable browsing information.
For this reason, you can tell whether the router is infected by carefully observing the behavior of the browsers running on the devices connected to your network, as well as some specific sections of the router’s management panel. Below I provide more in-depth information on this topic.
Check your browser behavior
One of the main alarm bells is the behavior of the browser or of other programs / apps installed on the devices connected to the router. In the event of an infection, it is very likely that windows containing unwanted advertising, pure spam or invitations to install potentially harmful software (passed off as legitimate and potentially very useful) will open automatically and completely unexpectedly. In the latter case, you may receive false alarm messages, often contained in a browser tab or window, which warn you about (false) threats already active on your device.
If you have encountered such behavior, I recommend that you scan your device with a program or app designed to remove active viruses and malware. If you need a hand in this regard, you can consult the guide I just linked to you.
If the scan finds something, remove the threats using the tools offered by the program or app you have chosen, then restart the device and observe the behavior of the browser (or of the software that made you suspicious) again: should the problem recur even after cleaning, it is very likely that the cause is the router itself.
Check the port forwarding settings
In some cases, the viruses active on routers are able to set up port forwarding rules (so-called port opening) entirely on their own, so that criminals can comfortably control one or more connected workstations remotely.
To check whether such a threat is acting on your router, access the router’s management panel by visiting, via a browser, one of the addresses 192.168.1.1, 192.168.0.1 or 192.168.1.254 and typing, when required, the username and password combination to log in (which is usually admin / admin or admin / password). If you don’t succeed, you can take a look at my guide on how to enter the router page to get more precise instructions on what to do.
Once logged in, go to the advanced settings of the router and find the section relating to port configuration, which may appear under the name Port forwarding, Port triggering, Virtual server, NAT Forwarding or similar, then check that it contains no settings other than those you created yourself, perhaps following my guide dedicated to opening the ports on the router.
Should your analysis turn up something, promptly delete all the rules you do not recognize: it is very likely that your router has been the victim of a cyber attack and, consequently, allows remote control of one or more connected devices.
Check the DNS
Regardless of the outcome of the previous two checks, you can get “definitive proof” of your router’s compromise by checking the DNS: as I mentioned earlier, most attacks on routers are based on changing this important parameter, which can redirect the user to sites containing unwanted advertising or software, or lead to even more serious consequences, such as the theft of data in transit on the network.
You can verify that your router is not using harmful DNS in the following way: connect to this website using the browser of any device connected to the router (on which, however, no manual DNS setting must have been made), press the Check the router button and wait a few seconds for the analysis to complete.
If the result is negative, you will see the message No problem detected on the router, indicating that your device is not, in fact, infected. To get information on the DNS servers currently in use, visit the link View results in detail. If, on the other hand, the router is actually infected, you will receive a message informing you of its compromise: in this case, I recommend that you immediately put into practice the advice that I am going to give you in the next chapter of this guide.
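The DNS comparison described above can also be run locally. The following is an added example, not part of the original guide: it asks the router’s resolver and a reference resolver of your choice for the same names and lists the names on which the two share no address. The addresses 192.168.1.1 (router) and 9.9.9.9 (reference), the name example.com and all function names are assumptions; large sites legitimately hand different addresses to different resolvers, so a mismatch is a reason to look closer, not proof of compromise.

```python
import secrets, socket, struct

def build_query(name, txid):
    """Encode a DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):  # offset just past a name, which may end in a pointer
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                            # compression pointer
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses found in the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                          # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                          # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                                           # skips CNAME etc.
    return addrs

def resolve(name, server, timeout=3.0):
    """Ask one specific resolver for the A records of `name` over UDP."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))                                # ignore other senders
        s.send(build_query(name, txid))
        return parse_a_records(s.recv(512), txid)

def flag_mismatches(router, reference):
    """Names for which the two resolvers share no address: check these by hand."""
    return sorted(n for n, a in router.items() if not a & reference.get(n, set()))

if __name__ == "__main__":
    servers = ("192.168.1.1", "9.9.9.9")  # assumed: router's resolver, then a reference
    got = [{n: resolve(n, s) for n in ["example.com"]} for s in servers]
    print("no shared address:", flag_mismatches(*got))
```

Run it from a device that takes its DNS settings from the router, and replace example.com with the sites you actually log in to.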
What to do when the router is infected
Did you follow the instructions I gave you previously to carry out the necessary checks and, alas, was your router actually infected? Although this is by no means a negligible security problem, the situation is not necessarily compromised.
At this point, what you need to do is act promptly, carrying out a series of steps to secure, as soon as possible, the data stored on your devices, the integrity of the devices themselves and, above all, your Internet traffic. Below I will explain everything in detail.
Disconnect all devices from the router
After confirming that the router has been compromised, you must immediately disconnect all the devices connected to it, in order to stop any control or data traffic to the criminals’ servers. So, remove the wireless network generated by the router from devices with Wi-Fi connectivity (e.g. smartphones, tablets, Smart TVs or other connected devices). If you are unable to do this, completely switch off the devices involved to avoid risks, at least until you reset the router.
Once this is done, physically disconnect the Ethernet cables from the sockets located on the back of the router: in this way, the connection to the devices connected by cable will be immediately interrupted. Finally, also disconnect the ADSL / Fiber cable (which is usually inserted in the “Internet” port of the network device) and turn off the router.
Perform an antivirus scan
After interrupting the physical connection between your router and the criminals who had taken control of it, the time has come to secure all the devices that you connected to the Internet via the compromised device, by performing an antivirus scan that can track down and eliminate malicious software.
This operation is absolutely necessary for Windows PCs and for Android devices, notoriously more vulnerable to external threats because of how widespread these operating systems are and how they work. Although Macs, iPhones, iPads and other categories of devices with different operating systems are generally more “resistant” to the most common malware, it is good practice to scan their disks anyway.
If you don’t know how to perform an antivirus scan and / or you don’t know which tools to use, I suggest you take a look at my guides dedicated to antivirus for Windows, antivirus for Mac, antivirus for Android and malware removal techniques on iPhone (also valid for iPad).
If you do not already have an antivirus and you need to download it from the Internet, do not turn the router back on to make the Ethernet or Wi-Fi connection, as you could undermine this operation or find yourself unable to download it (the DNS set by criminals, in fact, may prevent you from reaching the pages dedicated to antivirus).
For this reason, I advise you to rely on a connection via the cellular network: if you have to act on a smartphone and / or tablet equipped with a 3G module, you must activate the data connection; if, on the other hand, you need to download everything on your PC or on other devices with wireless connectivity, you can use your phone or tablet to share your cellular connection via hotspot.
Change your passwords
It may not be your case but, very often, cybercriminals infect routers to spy on traffic in transit to and from devices connected to the network, including passwords. Thanks to modern encryption standards, the credentials entered on secure sites (home banking, social networks, e-mail services and so on) cannot be intercepted in any way.
For greater security, however, I still recommend that you change the passwords of the sites and services to which you have logged in using a device connected to the compromised router: I know, it is an operation that may take time, but it is essential to guarantee the security and integrity of your personal information (and more). For your convenience, I would like to point out below a series of tutorials, available on my website, dedicated to changing the password for the most well-known online portal sites.
Reset and update the router
Now that you have secured the devices involved and your personal data, you can finally go back to the router and try to put it back on its feet: to do this, you must first reset the device firmware, to cancel the effects of the infection contracted previously.
How? I’ll explain it right away. First, make sure the router is disconnected from the Internet, checking that the ADSL / Fiber-copper / Fiber optic cable is not inserted in the designated port, then connect it to the power supply, turn it on and wait a few minutes for it to start completely.
Then, proceed to reset the router using the physical button on the appliance: it looks like a small recessed black dot, identified by the wording RST or RESET. When you find it, gently press the button using a pointed object, such as the tip of a pen, a toothpick, a pencil or an open paperclip, and hold it for about 30 seconds, until the device’s lights quickly turn off and on again.
Once the router has been reset, you must access its management panel via any PC (connected, if possible, via an Ethernet cable) and carry out the initial configuration again, specifying the parameters necessary for Internet access, the name and password of the wireless network, the port forwarding rules, and so on. If you do not know how to proceed, you can follow the instructions that I have given you in my guide to the initial configuration of the router, in which I have dealt with the topic in great detail.
Once the router is “online” again, I advise you to update its firmware immediately, so as to bring the internal operating system to the latest version, making it, where possible, invulnerable to known infections: however, keep in mind that this is a very delicate operation, and that an incorrect step (e.g. the installation of an unsuitable firmware) could permanently break the device. For this reason, if you are not sure what you are about to do, I recommend that you seek help from an expert who can assist you.
In any case, you can get the update file by going to the router manufacturer’s website, accessing the firmware download section and downloading the most recent file for your router. Alternatively, you can type into Google the words “firmware download [router brand and model]” and use the results provided to find the necessary file, taking care to download it only from official sources.
Once this is done, access the router management panel again, enter the section dedicated to updates and, following the instructions provided on the screen, proceed to upload and install the previously downloaded file. If you need further information, consult the manual of your router, or do a search on Google using the phrase “firmware update [router brand and model]”.