Old 07-20-2010, 05:59 PM
Wheelie Wheelie is offline
 
Join Date: May 2008
Posts: 548
Default "Poisoned" Router DNS Settings

FYI

Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers "poisoned" by viruses that can modify router settings when the user has NOT changed the default password. Y'all be sure to change your default passwords on customer routers (I usually do this).

Background:
Customer brings me an infected laptop that has a hijacked browser and I pulled the hard disk and slaved to my bench PC to clean it (SOP). It had several Java script viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class all in jar_cache). Removed viruses with AVG.

So I gave the laptop a "clean up/tune up" afterward. Customer picks up laptop, goes back home, and calls me within hours: "it's still going to the wrong web sites". So I ask him to drop it back by the shop to check it out again. Pull the hard disk, scan with AVG & Malwarebytes and it's clean. The browser is NOT hijacked in my shop. Put it back into the PC and scan with his AVG & Malwarebytes and it's clean. He calls while I have it and says: "now my wife's laptop is hijacked!". I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window and the DNS server shown is 213.109.64.5 (which resolves to a Russian network!) Wow!

Go into his Netgear router and lo and behold the DNS setting has been changed from "Get Automatically from ISP" to "use these DNS Servers" with the above numbers typed in. Bingo. Change it to "Get Automatically from ISP" and it's all good.

It is a good reason to always change the default password.

-----------------------------------------------------------

Keyword reference for DNS 213.109.64.5 and 213.109.72.21:

Network Whois record
Queried whois.ripe.net with "-B 213.109.64.5"...
Information related to '213.109.64.0 - 213.109.79.255'

inetnum: 213.109.64.0 - 213.109.79.255
netname: PROLITE-NET
descr: ProLite Ltd.
country: RU
org: ORG-PL83-RIPE
admin-c: NF1275-RIPE
tech-c: NF1275-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-PROLITE
mnt-routes: MNT-PROLITE
mnt-domains: MNT-PROLITE
changed: hostmaster@ripe.net 20090831
source: RIPE

organisation: ORG-PL83-RIPE
org-name: ProLite Ltd.
org-type: OTHER
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
e-mail: prolite@p-lite.ru
mnt-ref: MNT-PROLITE
mnt-by: MNT-PROLITE
changed: prolite@p-lite.ru 20090914
source: RIPE

person: Nikolay N. Filimonov
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
phone: +7 831 4284242
nic-hdl: NF1275-RIPE
changed: prolite@p-lite.ru 20090914
source: RIPE
mnt-by: MNT-PROLITE

-----------------------------------------------------------
__________________
"I clicked on the blue thingy in the little window and now it won't show the screen ... can you fix it?"
"Absolutely. Is today at 3 o'clock good?"
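An added example, not from the original post: a small Python script that parses `ipconfig /all` output the way the post's manual check does, and flags DNS servers that are neither the router nor a private-range resolver, with a separate verdict for addresses inside the ProLite netblock from the whois record above. The sample `ipconfig` text and the trusted-resolver list are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (assumption, not captured from
# the customer's machine), listing the rogue resolvers the post reports.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.64.5
                                       213.109.72.21
"""

# Resolvers the bench tech considers legitimate for this site (assumption):
# the router itself, or anything in the RFC 1918 private ranges.
TRUSTED_RESOLVERS = {"192.168.1.1"}
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 213.109.64.0 - 213.109.79.255 from the whois record quoted in the post.
KNOWN_BAD_NETS = [ipaddress.ip_network("213.109.64.0/20")]


def parse_dns_servers(text):
    """Return the DNS server addresses listed in `ipconfig /all` output.
    The first server is on the 'DNS Servers' line; additional servers
    appear on continuation lines that hold only an address."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"[0-9a-fA-F.:%]+", line.strip()):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers


def classify(addr):
    """'trusted', 'known-bad' or 'unexpected' for one resolver address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone index
    if addr in TRUSTED_RESOLVERS or any(ip in n for n in TRUSTED_NETS):
        return "trusted"
    if any(ip in n for n in KNOWN_BAD_NETS):
        return "known-bad"
    return "unexpected"


def audit(text):
    """Map each configured DNS server to its verdict."""
    return {s: classify(s) for s in parse_dns_servers(text)}
```

Any "known-bad" or "unexpected" verdict on a home machine set to obtain DNS automatically points at the router's DNS settings, not at the PC, which is exactly the distinction the post's repeated clean scans could not make.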