View Single Post
Old 07-20-2010, 06:59 PM
Wheelie's Avatar
Wheelie Wheelie is offline
Join Date: May 2008
Posts: 600
Wheelie is on a distinguished road
Default "Poisoned" Router DNS Settings


Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers "poisoned" by viruses that can modify router settings when the user has NOT changed the default password. Y'all be sure to change your default passwords on customer routers (I usually do this).

Customer brings me an infected laptop that has a hijacked browser and I pulled the hard disk and slaved to my bench PC to clean it (SOP). It had several Java script viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class all in jar_cache). Removed viruses with AVG.

So I gave the laptop a "clean up/tune up" afterward. Customer picks up laptop, goes back home, and calls me within hours: "it's still going to the wrong web sites". So I ask him to drop it back by the shop to check it out again. Pull the hard disk, scan with AVG & Malwarebytes and it's clean. The browser is NOT hijacked in my shop. Put it back into PC and scan with his AVG & Malwarebytes and it's clean. He calls while I have it and says: "now my wife's laptop is hijacked!". I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window and the DNS servers shown is (which resolves to a Russian network!) Wow!

Go into his Netgear router and low and behold the DNS setting has been changed from "Get Automatically from ISP" to "use these DNS Servers" with the above numbers typed in. Bingo. Change it to "Get Automatically from ISP" and it's all good.

It is a good reason to always change the default password.


Keyword reference for DNS and

Network Whois record
Queried with "-B"...
Information related to ' -'

inetnum: -
netname: PROLITE-NET
descr: ProLite Ltd.
country: RU
org: ORG-PL83-RIPE
admin-c: NF1275-RIPE
tech-c: NF1275-RIPE
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-PROLITE
mnt-domains: MNT-PROLITE
changed: 20090831
source: RIPE

organisation: ORG-PL83-RIPE
org-name: ProLite Ltd.
org-type: OTHER
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
mnt-ref: MNT-PROLITE
changed: 20090914
source: RIPE

person: Nikolay N. Filimonov
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
phone: +7 831 4284242
nic-hdl: NF1275-RIPE
changed: 20090914
source: RIPE

"I clicked on the blue thingy in the little window and now it won't show the screen ... can you fix it?"
"Absolutely. Is today at 3 o'clock good?"
Reply With Quote