How To Tell If Your Router Has Been Compromised Check Guide

Your router is the gateway between your local network and the internet. When an attacker compromises this device, they gain visibility into all network traffic, can redirect your DNS queries, intercept credentials, and potentially pivot to other devices on your network. This guide provides practical methods to detect router compromise, written for developers and power users who want actionable verification steps.

Signs Your Router May Be Compromised

Router compromises often leave detectable traces, though sophisticated attackers may work to hide their presence. Watch for these warning indicators:

Unexpected DNS Settings: One of the most common router attack vectors involves changing DNS servers to malicious ones. If your router’s DNS settings point to unfamiliar IP addresses—particularly those you did not configure—this is a strong sign of compromise. Legitimate public DNS includes 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), and 9.9.9.9 (Quad9).

Unknown Devices on Your Network: Unauthorized devices connected to your network may indicate that an attacker has gained access. Use network scanning tools to enumerate all connected clients.

Router Admin Interface Inaccessibility: If you cannot access your router’s admin panel at its default IP address (commonly 192.168.0.1 or 192.168.1.1), or if credentials no longer work, the router may have been compromised and its firmware modified.

Unusual Network Behavior: Frequent disconnections, significantly slower speeds, or unexpected traffic spikes can all signal compromise—though these symptoms also have legitimate causes.

New Unknown Ports Open: If port forwarding rules or firewall configurations appear that you did not create, investigate immediately.

Checking Your Router for Compromise

1. Verify DNS Settings

Access your router’s admin interface and navigate to the DNS configuration section. Check for any IP addresses that you did not intentionally set. On many routers, you can also verify this programmatically.

For Linux or macOS, query your DNS servers directly:

# Check DNS servers being used
scutil --dns | grep 'resolver'

On Windows:

ipconfig /all | findstr /R "DNS Servers"

Compare the results against known-good DNS providers. If you see unfamiliar addresses—particularly single addresses that differ from your ISP’s typical configuration—your router’s DNS settings may have been tampered with.

2. Scan Your Network for Connected Devices

Use tools like nmap or arp-scan to enumerate all devices on your local network:

# Install arp-scan if needed
brew install arp-scan  # macOS
sudo apt install arp-scan  # Debian/Ubuntu

# Scan your local network
sudo arp-scan --localnet

This command identifies all devices responding on your local subnet. Cross-reference the MAC addresses and IP addresses against devices you expect to find. Unknown MAC addresses with vendor prefixes you do not recognize warrant further investigation.

3. Check Router Logs

Router logs often contain evidence of intrusion attempts or successful logins from unfamiliar IP addresses. Access your router’s logging section through the admin interface. Look for:

Failed login attempts from external IP addresses
Successful logins at unusual hours
Configuration changes you did not initiate
Unexpected service restarts

If your router does not support local logging, check whether it supports syslog forwarding to a centralized log server.

4. Verify Firmware Integrity

Many router attacks involve flashing modified firmware to gain persistent access. If your router supports it, verify the firmware checksum against the manufacturer’s published hash:

# Download firmware from manufacturer, then verify
sha256sum firmware.bin

Compare the output against the hash published on the manufacturer’s website. A mismatch indicates firmware modification.

5. Test for DNS Leaks

DNS leak tests verify whether your DNS queries are being routed through your intended servers or intercepted. Several online tools exist for this purpose, or you can test programmatically:

# Using dig to trace DNS resolution path
dig +trace example.com

Examine the response to ensure your queries follow expected paths through your ISP’s DNS or your chosen provider—rather than being intercepted by an unknown server.

Hardening Your Router After Detection

If you discover compromise indicators, take immediate action:

Factory Reset: Perform a factory reset to restore the router to known-good defaults. This removes most firmware-based malware, though some sophisticated threats may persist in flash memory.

Update Firmware: After reset, immediately update to the latest firmware version from the manufacturer.

Change All Credentials: Set strong, unique passwords for both the admin interface and WiFi networks. Avoid default credentials entirely.

Disable Remote Management: Turn off WAN-side management interfaces unless absolutely necessary.

Enable WPA3 or WPA2-AES: Use strong encryption for your wireless networks. WPA2 with AES remains secure; avoid WEP and WPA-TKIP.

Disable UPnP: Universal Plug and Play has been exploited in numerous router attacks. Disable it unless a specific device requires it.

# Example: If your router supports SSH, generate strong keys
ssh-keygen -t ed25519 -C "router-admin@$(hostname)"

Monitoring for Future Compromise

Establish ongoing monitoring practices:

Periodically re-scan your network for unknown devices
Review DNS settings weekly
Log router performance metrics to detect anomalies
Consider running your own DNS resolver (like Pi-hole) on your network to detect DNS manipulation at the client level
Monitor for unexpected DNS changes using automated scripts

A simple bash script for periodic DNS monitoring:

#!/bin/bash
# Monitor DNS settings - run via cron

EXPECTED_DNS="8.8.8.8"
CURRENT_DNS=$(scutil --dns | grep -A1 'resolver' | tail -1 | awk '{print $3}')

if [ "$CURRENT_DNS" != "$EXPECTED_DNS" ]; then
    echo "WARNING: DNS changed to $CURRENT_DNS at $(date)" >> /var/log/dns-monitor.log
    # Add notification logic here (email, webhook, etc.)
fi

Run this script hourly via cron for continuous monitoring.

Advanced Router Forensics

For users with technical expertise, deeper investigation reveals more sophisticated compromise indicators:

Checking Router Firmware Modifications

Router malware often modifies firmware to maintain persistence. Examine firmware binary signatures:

# Download original firmware from manufacturer
# Compare with running system

# On some routers with SSH access:
ssh admin@192.168.1.1

# Extract firmware
dd if=/dev/mtd0 of=/tmp/firmware.bin

# Compare against manufacturer's published binary
sha256sum /tmp/firmware.bin
# Cross-reference with manufacturer's checksums

# Check for suspicious modifications
strings firmware.bin | grep -i "malware\|backdoor\|exploit"

If the checksum doesn’t match the manufacturer’s published hash, your firmware has been modified.

Identifying Custom Firmware

Some routers run custom open-source firmware (OpenWrt, Tomato) which is legitimate but should be intentional:

# Check router model and firmware
curl http://192.168.1.1/status

# Query system information
ssh root@192.168.1.1 "uname -a"
ssh root@192.168.1.1 "cat /etc/os-release"

If you never installed custom firmware but find it running, this indicates compromise.

Network Reconnaissance for Suspicious Activity

Beyond simple DNS checks, examine network behavior patterns:

# Monitor DNS queries in real-time
# Requires DNS logging on router or network capture

tcpdump -i eth0 -n 'port 53' | head -20

# Look for queries to suspicious domains
# Example suspicious patterns:
# - .tk, .ml, .ga domains (cheap TLDs favored by malware)
# - Queries to IPs instead of domain names
# - Queries to known C&C (command and control) servers

Tools like Pi-hole (running on a separate device) log all DNS queries from your network, making it easier to spot anomalies:

# Install Pi-hole for network-wide DNS monitoring
docker run -d \
  --name pihole \
  -e TZ="UTC" \
  -p 53:53/tcp \
  -p 53:53/udp \
  -p 80:80 \
  pihole/pihole:latest

Router Model-Specific Vulnerabilities

Certain router models are frequently compromised. Check your model against known CVEs:

# Identify your router model
curl -s http://192.168.1.1/status | grep -i "model\|version"

# Check against known exploits
# Visit: https://nvd.nist.gov/vuln/search
# Or: https://www.exploit-db.com/

# Subscribe to CVE alerts for your model
# Many vendors provide security advisory mailing lists

Common vulnerable models from 2025-2026 include older TP-Link, D-Link, and Netgear units. If your router model appears in active CVE lists, prioritize updates.

Restoring Router Security After Compromise

If you suspect compromise:

1. Immediate Isolation

# Disconnect router from network
# Do not powercycle (may trigger malware cleanup routines)
# Leave powered on for forensics if desired

2. Hardware Replacement

For thorough security, replace the compromised router rather than attempt recovery. Malware may persist in non-volatile memory that survives factory resets.

3. Network Segmentation During Recovery

If you must keep the router while recovering:

# Segment network into trusted and untrusted zones
# Keep devices on separate SSID with isolated network

# Create guest network strictly for unknown devices
# Isolate IoT devices on separate network segment

4. Complete Credential Reset

After recovery, change all credentials:

# Change router admin password
# Ensure it's cryptographically random (16+ characters)
# Store in password manager

# Reset WiFi password
# Use WPA3 encryption (WPA2 minimum)
# Change SSID if it matches default

# Reset SSH/SFTP credentials if enabled
ssh-keygen -t ed25519 -C "router"

Detecting Command and Control (C&C) Communication

Compromised routers often communicate with attacker infrastructure:

# Analyze outbound traffic
tcpdump -i eth0 'src 192.168.1.1' -w router_traffic.pcap

# Examine with Wireshark
wireshark router_traffic.pcap

# Look for patterns:
# - Regular connections to unknown external IPs
# - Unusual ports (>50000) communicating with external hosts
# - Encrypted traffic to untrusted destinations

Compare suspicious IPs against known malicious IP databases:

# Check IP reputation
curl https://api.abuseipdb.com/api/v2/check \
  -G \
  -d ipAddress=SUSPICIOUS_IP

Long-Term Monitoring Strategy

Implement continuous monitoring rather than one-time checks:

#!/bin/bash
# Continuous router health monitoring script

ROUTER_IP="192.168.1.1"
BASELINE_DNS="8.8.8.8"
LOG_FILE="/var/log/router-monitor.log"

while true; do
  # Check DNS
  CURRENT_DNS=$(dig +short @$ROUTER_IP example.com)

  # Check uptime hasn't reset suspiciously
  UPTIME=$(curl -s http://$ROUTER_IP/status | grep uptime)

  # Check device count
  DEVICE_COUNT=$(arp-scan --localnet 2>/dev/null | wc -l)

  echo "$(date): DNS=$CURRENT_DNS, Uptime=$UPTIME, Devices=$DEVICE_COUNT" >> $LOG_FILE

  sleep 3600  # Check hourly
done

This script creates a baseline that helps identify unusual changes.

Built by theluckystrike — More at zovo.one