DNS Hacked in Router

  • Thread starter: ijsa
  • Replies: 35
  • Views: 6,938
thx guys...

Do not recall the full IP... I just removed it in a hurry.

When I was accessing the sites on Android in the browser... it was redirecting me to download/update Facebook.
 
It is also possible your ISP is using remote administration to update the DNS on your modem.

Recently my fiber modem (ONU) was updated by bsnl ftth from server side to change the default gateway IP address, apparently for "security reasons" 😀
 
Would have been great if you had saved the IP. If it was operated by BSNL... this would have been the next big scandal.
 
But if it were the ISP, they would not totally stop functionality... I was not able to access google.com.

Nvidia Shield (Android box)... was connected to the router but showing no internet. Hotstar was working but YouTube was not working...
 
BSNL has capabilities to do that. 🦅
 
When I was accessing the sites on Android in the browser... it was redirecting me to download/update Facebook.

Sounds exactly like Crooks Hijack Router DNS Settings to Redirect Users to Android Malware

For these attacks, crooks redirected users to pages peddling clones of Android apps like Google Chrome for Android (chrome.apk) and Facebook (facebook.apk). These apps used excessive permissions, allowing them total access to the users' smartphones. The apps' main purpose was to overlay login screens on top of various apps.

Sounds like spyware. Check if any app has device-admin permission now.
 
I remember my friend having a TP-Link router. The router had telnet access in it (most good routers have telnet access). So one could control it from the PC using the command line and tinker around with it. Try to check, telnet 192.168.1.1 (or the router IP address) in the command line @ijsa
 
Well I'll be damned. My BSNL FTTH connection was not working right now (sites not opening) so when I checked the modem settings there is a DNS server 87.x.x.x along with 8.8.8.8 as 2nd entry. I am on Airtel 4G backup right now.

Will look up that DNS IP and see if it belongs somewhere suspicious 😀 I don't remember if the LCO configured that DNS IP or it came on its own when I checked.
 
The router is of little help if the hack has happened using an app in our phone.

That said, I would invest in a router that provides regular security updates. For example, Netgear provides more regular firmware and security updates than some Chinese brands.

If you need more control than regular security updates, then you may choose a router from Mikrotik or Ubiquiti. For example, with Mikrotik, I connect all the wireless devices using a guest network where an additional firewall is in place between devices connected through guest network and wired devices. Also, even devices connected within the same guest network can't connect to each other without passing through the firewall. I am sure there must be a similar configuration in Ubiquiti routers as well.

I hope that helps. Good luck.
 
So the suspect DNS IP is 89.207.131.8 - any idea what/where this is? whois lookup says netherlands "server.inteltek.com".
 
Damn. So I got rid of that IP. But at least I won't be affected since I don't connect any devices directly to my FTTH modem; there is a Netgear router which has Google DNS configured, so mobile devices also should be safe from this attack.
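As an added example (not code from anyone in this thread), a small Python audit of the kind that would have caught a stray public resolver like 89.207.131.8 sitting beside 8.8.8.8 on the modem page: it flags configured DNS servers outside an assumed allowlist and reports hostnames where a suspect resolver's answers diverge from a trusted one's. The allowlist, the modem entries and all answer IPs are constructed sample data.

```python
import ipaddress

# Assumed allowlist: resolvers the owner deliberately configured (adjust to your ISP).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def flag_rogue_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured resolver entries that are neither trusted nor on the LAN.

    Private and loopback addresses (e.g. the router forwarding DNS itself) are
    tolerated; any other public IP not on the allowlist is flagged, as is an
    entry that does not parse as an IP at all.
    """
    rogue = []
    for entry in configured:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            rogue.append(entry)  # unparsable entry is itself suspicious
            continue
        if str(ip) in trusted or ip.is_private or ip.is_loopback:
            continue
        rogue.append(str(ip))
    return rogue


def diverging_answers(trusted_answers, suspect_answers):
    """Hostnames for which the suspect resolver returns different A records.

    Both inputs map hostname -> set of IPs. Here they are constructed; in
    practice they would be collected with dig/nslookup against each resolver.
    """
    return sorted(
        host for host, ips in trusted_answers.items()
        if host in suspect_answers and suspect_answers[host] != ips
    )


# Constructed sample: DNS entries as they appeared on the modem status page.
MODEM_DNS_ENTRIES = ["89.207.131.8", "8.8.8.8"]

# Constructed sample answers (documentation ranges): the suspect resolver points
# several popular sites at one host, the pattern behind a fake "update" download.
TRUSTED_ANSWERS = {"facebook.com": {"198.51.100.7"}, "google.com": {"198.51.100.9"}}
SUSPECT_ANSWERS = {"facebook.com": {"203.0.113.10"}, "google.com": {"203.0.113.10"}}

if __name__ == "__main__":
    print("rogue resolvers:", flag_rogue_resolvers(MODEM_DNS_ENTRIES))
    print("redirected hosts:", diverging_answers(TRUSTED_ANSWERS, SUSPECT_ANSWERS))
```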
 
