Warning Signs of a Compromised Router
Unexpected DNS changes: Check your router's DNS settings (in the WAN or Internet settings page). If the DNS servers listed are not ones you recognize or configured (your ISP's DNS, Cloudflare 1.1.1.1, Google 8.8.8.8, or a custom resolver you set), they may have been changed by malware or a remote attacker. Attackers change DNS to redirect traffic to phishing sites that appear identical to legitimate banking and login pages.
Unknown devices on the network: Check your router's client list (DHCP client table). If you see devices you do not recognize — unfamiliar hostnames, MAC addresses belonging to device types you do not own — an unauthorized device may have connected, or the router's client list may have been manipulated.
Unexplained slowdowns or redirects: Consistent redirects to wrong pages, unexpected browser warnings about invalid certificates, or HTTPS pages failing to load may indicate DNS or traffic interception. If https://google.com shows a certificate for a different domain, your DNS has been hijacked.
Router admin page inaccessible: If you cannot access your router's admin interface at its default gateway IP, or if the admin credentials you set no longer work, the router may have been reconfigured by an attacker.
How to Verify Router Integrity
Check DNS settings: Log into your router admin page (typically 192.168.1.1 or 192.168.0.1). Navigate to WAN/Internet settings and check the DNS server addresses. They should match what you configured or your ISP's servers. Verify by running nslookup example.com (or dig example.com @your-dns-ip) and confirming the response comes from the expected resolver.
Check for firmware updates: Compare your router's current firmware version to the latest available on the manufacturer's support page. Being far behind on firmware updates creates vulnerability windows. Some compromised routers are reflashed with modified firmware — if the reported firmware version does not match official releases, the firmware may have been replaced.
Check admin accounts: In your router's administration or user management section, verify there are no unknown admin accounts. Attackers sometimes add a backdoor admin account rather than changing your existing credentials.
Run a Shodan or external scan: Visit shodan.io and search your public IP to see what services your router is exposing to the internet. Open management ports (80, 443, 8080, 8443, 23, 22) on your WAN IP indicate UPnP has opened firewall rules or the router is misconfigured to expose admin interfaces externally. Shodan data comes from periodic crawls and can be stale, so treat it as a starting point and re-check after you change anything.
How to Recover a Compromised Router
If you suspect compromise, the safest recovery is a factory reset followed by a clean reconfiguration from scratch. A factory reset (typically a hardware button held for 10–30 seconds) restores the router's default settings; the installed firmware version stays the same. This removes attacker-added accounts, changed DNS, and any malware that lives only in RAM or in the saved configuration, but not an implant written into the firmware image itself. After the reset: change the admin password immediately; disable remote management (WAN-side admin access); disable UPnP; enable the automatic firmware update option; and check your DNS settings before reconnecting any devices.
If the firmware itself appears to have been modified, perform a manual firmware reinstall using the official image from the manufacturer's website, following the manufacturer's recovery procedure (often a TFTP recovery mode or a specific button sequence at boot).
Router Compromise Indicators and Actions
| Symptom | What to Check | Action |
|---|---|---|
| DNS changed to unknown servers | Router WAN settings → DNS fields | Change back; investigate who changed it; consider factory reset |
| Unknown admin accounts | Router administration → User management | Delete unknown accounts; factory reset recommended |
| Unknown connected devices | Router → DHCP client list | Block by MAC; check for rogue AP or unauthorized device |
| HTTPS certificate warnings | Run nslookup for known domains | Likely DNS hijack; check DNS settings immediately |
| Cannot access router admin | Try reset button to access default UI | Factory reset; reconfigure from scratch |
| Router exposing ports on WAN | Shodan search of your public IP | Disable UPnP; disable remote management; update firmware |
| Firmware version mismatch | Compare to manufacturer release notes | Manual firmware reinstall from official image |
Frequently Asked Questions
How do routers get hacked?
The most common attack vectors: default credentials that were never changed (admin/admin, admin/password); exploiting known vulnerabilities in outdated firmware (router exploits are frequently published — Mirai botnet infected millions of routers through default credentials); remote management enabled on the WAN interface (admin page accessible from the internet); UPnP opening unexpected firewall ports; and DNS rebinding attacks that allow web-based attacks against the router from within the browser.
Should I disable UPnP on my router?
Yes, as a general security practice. UPnP (Universal Plug and Play) allows devices on your network to automatically open firewall ports without your knowledge or approval. Malware and some legitimate applications exploit UPnP to open persistent port forwards. Disable UPnP in your router settings unless you specifically need it for a known application (older game consoles, some VoIP devices). Most modern applications work fine without UPnP.
Can I check if my router's DNS was hijacked without logging in?
Yes. Run nslookup google.com on your computer. The output shows which DNS server answered. If it shows your router's IP (expected) but the answer is wrong or points to an unexpected IP, DNS manipulation is occurring. Alternatively, set your computer to use a direct DNS server (8.8.8.8) and compare results: if direct DNS gives different results than your default, the router's DNS is being manipulated. Keep in mind that large sites served from CDNs legitimately return different addresses to different resolvers, so compare a domain whose address is stable and look for answers pointing at an IP you cannot account for.
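The resolver comparison in this answer, and the nslookup/dig verification step in the integrity section above, as an added Python example that is not part of the original article: a minimal standard-library DNS client sends the same A query to the router's resolver and to 8.8.8.8 and flags a mismatch. The router address, the queried domain and the sample reply bytes are constructed for illustration; as the comment on compare_resolvers notes, use a domain with stable addresses, since CDN-fronted sites answer differently per resolver.

```python
import random, socket, struct

SAMPLE_RESPONSE = (  # constructed sample reply: example.com A/IN -> 203.0.113.5, id 0x1234
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: id 0x1234, flags 0x8180, qd=1, an=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # answer: name pointer, A, IN, ttl 300, rdlen 4
    b"\xcb\x00\x71\x05"                                  # rdata: 203.0.113.5
)

def build_query(name, txid):  # recursive A/IN query in RFC 1035 wire format
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + ln

def parse_a_records(msg, txid):  # IPv4 answers; rejects replies that do not match our id
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12  # past the header
    for _ in range(qd): off = _skip_name(msg, off) + 4  # step over echoed question(s)
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)

def resolve_via(name, server, timeout=3.0):  # ask one specific resolver over UDP/53
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def compare_resolvers(name, router_ip, reference="8.8.8.8"):
    """Router's resolver vs. a direct public one. A mismatch for a domain with
    stable addresses (not a CDN-fronted site) is the hijack signal from the FAQ."""
    a, b = resolve_via(name, router_ip), resolve_via(name, reference)
    return {"router": a, "reference": b, "mismatch": a != b}
```

Offline, `parse_a_records(SAMPLE_RESPONSE, 0x1234)` returns `["203.0.113.5"]`; on a live network, `compare_resolvers("example.com", "192.168.1.1")` (router IP assumed) reports whether the two resolvers disagree.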
Do I need to replace my router if it was hacked?
Not necessarily. A factory reset removes most malware because consumer router infections typically live in RAM or in the saved configuration, both of which a reset wipes (a plain reboot clears only RAM). The exception is persistent firmware implants (rare, typically from state-level actors targeting specific devices). For most home router compromises, factory reset + firmware update + strong password + UPnP disabled is a complete recovery. If the router model has known unfixed vulnerabilities with no firmware update available, replacing it is the right call.