Check your router's DNS IP address


drew.h

Original Poster:

526 posts

188 months

Monday 30th March 2015
After some internet access problems this morning I noticed the DNS server IP address in my router didn't look right. A reverse lookup showed it was a Russian IP address, for a Swiss company whose mailing address was in Saudi. It should have been a BT DNS. How this was possible I don't know. I've set all my PCs' DNS IPs to fixed ones now, just in case it happens again.

Aphex

2,160 posts

199 months

Monday 30th March 2015
Someone in the house watching things they shouldn't be? hehe

drew.h

Original Poster:

526 posts

188 months

Monday 30th March 2015
Work!

eltawater

3,107 posts

178 months

Monday 30th March 2015
Which make / model of router?

There was a well-publicised backdoor router vulnerability last year which affected brands such as Linksys, Netgear etc. whereby an attacker could just send unauthenticated admin commands to the router and perform a factory reset, which allows the attacker into the admin pages and can then set the DNS etc. to whatever they like.

It wouldn't surprise me if there was a worm doing the rounds which performed such actions automatically.

rfisher

5,024 posts

282 months

Monday 30th March 2015
Got this too.

Both set to 31.168.224.100 and 5.135.12.56

Fixed the router DNS IPs but can't get the tablet to change its DNS.

Not happy.

How much of a risk is this?

GreigM

6,726 posts

248 months

Monday 30th March 2015
rfisher said:
How much of a risk is this?
Big. Could redirect you to phishing/fake sites. Start changing your passwords.

SmithyAG

300 posts

127 months

Monday 30th March 2015
GreigM said:
Big. Could redirect you to phishing/fake sites. Start changing your passwords.
+1

DNS tells your computer that when you want to go to www.natwest.com that it is located at 155.136.80.213. A dodgy DNS server could send you elsewhere, most likely to a copy of the bank's website and you enter your details.

If you can't get the correct DNS settings you can either do a factory reset and immediately change the password, or in a pinch change the DNS to a known public one, such as Google's 8.8.8.8 or 8.8.4.4.

Edited by SmithyAG on Monday 30th March 23:52
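
Added example, not part of any post in this thread: one way to check a Windows PC's resolvers from pasted `ipconfig /all` output against the two addresses reported above. The `EXPECTED` set, the verdict labels and the sample text are assumptions made for illustration.

```python
import ipaddress
import re

ROGUE = {"31.168.224.100", "5.135.12.56"}   # resolvers reported in this thread
EXPECTED = {"8.8.8.8", "8.8.4.4"}           # assumption: you chose Google's resolvers
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def dns_from_ipconfig(text):
    """IPv4 'DNS Servers' entries from `ipconfig /all`, including continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif " : " in line or not line.strip():
            in_dns = False          # next labelled field or blank line ends the list
        if in_dns:
            servers += [t for t in IPV4.findall(line) if _is_ipv4(t)]
    return servers

def classify(servers):
    """Label each resolver; a private address means the router decides, so check it too."""
    verdict = {}
    for s in servers:
        if s in ROGUE:
            verdict[s] = "rogue"
        elif s in EXPECTED:
            verdict[s] = "expected"
        elif ipaddress.IPv4Address(s).is_private:
            verdict[s] = "check-router"
        else:
            verdict[s] = "unexpected"
    return verdict

# Constructed sample input (not captured from any poster's machine).
SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 31.168.224.100
                                       5.135.12.56
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

A "check-router" verdict means the PC only forwards to the router, so the DNS setting in the router's admin page still has to be inspected separately.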

TonyRPH

12,963 posts

167 months

Tuesday 31st March 2015
CloudScout and CloudGuard.exe Removal Instructions

The post is about an adware called CloudGuard or CloudScout. If the CloudGuard adware is running on your system, you will see CloudGuard.exe in the Windows Task Manager, a new service called CloudScout starting the CloudGuard.exe process and name servers changed to 31.168.224.100 and 5.135.12.56. The software appears as CloudScout Parental Control in the Add/Remove programs dialog.


drew.h

Original Poster:

526 posts

188 months

Tuesday 31st March 2015
SmithyAG said:
If you can't get the correct DNS settings you can either do a factory reset and immediately change the password, or in a pinch change the DNS to a known public one, such as Google's 8.8.8.8 or 8.8.4.4.
That's what I did, just fixed the router and all the PCs to Google's. It's also how I noticed the problem, because my PC was already set to Google and the only one with internet access that day.

All our PCs appear clean, it was just the router affected. It's a TP-Link TD-W8901G. Thinking about it, we have had a couple of 2nd hand laptops and friends'/families' PCs on the network recently, whilst trying to solve problems for them. I think I should put a ban on that.

lestag

4,614 posts

275 months

Tuesday 31st March 2015
drew.h said:
That's what I did, just fixed the router and all the PCs to Google's. It's also how I noticed the problem, because my PC was already set to Google and the only one with internet access that day.

All our PCs appear clean, it was just the router affected. It's a TP-Link TD-W8901G. Thinking about it, we have had a couple of 2nd hand laptops and friends'/families' PCs on the network recently, whilst trying to solve problems for them. I think I should put a ban on that.
maybe?
http://piotrbania.com/all/articles/tplink_patch/
https://rootatnasro.wordpress.com/2014/01/11/how-i...

I would see what the latest firmware patch is for the router

rfisher

5,024 posts

282 months

Tuesday 31st March 2015
Seems to be adware related on my system.

Interestingly it is only my Playbook that has had the DNS changed.

All PCs and router are clean.

Not sure how this has happened - possibly via the Opera browser.

I've fixed the DNS IPs on the PB now and I'll keep checking they are correct.

Fecking adware is getting pretty malignant these days.

No way is it acceptable to go changing DNS IP.

drew.h

Original Poster:

526 posts

188 months

Wednesday 1st April 2015
lestag said:
Looks like that may be it, I can download the rom-0 without being logged in. Router is getting replaced and a hammer put through the TP-Link.