DNS hack attack - sneaky changes to modem DNS settings

Starting a few days ago I noticed that I sometimes did not get the website I expected.

Enter “Google.ca” and get “RusianBrides.ru” for example. (not a literal example, some of the sites were “harmless” some much more “adult” oriented)

I have seen this happen before, once or twice a year. Some nasty website or something I did lets a malicious program change the modem’s DNS settings.

Normally DNS comes from your upstream provider - Acanac in my case. Usually I have DNS of:
Primary: 209.197.128.2
Secondary: 209.197.128.5

But something keeps switching my modem to Static DNS using these values:
Primary: 159.203.32.8
Secondary: 8.8.8.8

Usually I just change the modem back to Dynamic DNS from provider and all is fine.

This time is a little different. This time something is actively switching the DNS BACK after I “fix” it. Usually within an hour. But there was one 12-20 hour gap.

This started 3 or 4 days ago. I’m going nuts trying to figure out where and how the change is coming from.

I have several Windows and Apple computers, an iPad, iPhone in use. One of my first tests was to shut them all OFF. Even my Android TV (Kodi) player. And it was changed again. I had to boot up an iPad to check - I know nothing that can hack an iPad so I think that was safe.

With all my computers OFF, Tablo is one of the few things left active.

So, is there anything in the Tablo that could affect DNS? It seems unlikely to me, but I have to ask.

And what can I do to the Tablo to ensure it has not been compromised in some way?

Thanks in advance.
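An added example, not from the original thread: a small Python drift check that parses a modem status dump (or resolv.conf-style text), compares the resolvers it finds against the ISP-assigned baseline quoted in the post, and reports whether the modem has been flipped to static resolvers and which of those are unknown rather than well-known public ones. The baseline set and the sample dumps are constructed from the values in the post; the public-resolver list is an assumption you would extend for your own environment.

```python
"""Flag DNS resolver drift on a modem against an ISP-assigned baseline (added example)."""
import re

# Baseline from the thread: the resolvers the ISP hands out via DHCP (assumed expected set).
EXPECTED_RESOLVERS = {"209.197.128.2", "209.197.128.5"}
# Well-known public resolvers (assumption; extend as needed). A switch to one of these is
# still drift, but it is distinguished from a switch to an unknown address.
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_resolvers(text: str) -> list[str]:
    """Extract resolver IPs, in order, from lines mentioning DNS or nameserver."""
    found: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if not re.search(r"dns|nameserver", line, re.IGNORECASE):
            continue
        for ip in IPV4.findall(line):
            if ip not in found:
                found.append(ip)
    return found


def classify(resolvers: list[str]) -> dict:
    """Compare resolvers to the baseline; an empty list also counts as drift."""
    unexpected = [ip for ip in resolvers if ip not in EXPECTED_RESOLVERS]
    return {
        "drift": bool(unexpected) or not resolvers,
        "mode": "static" if unexpected else "provider",
        "public": [ip for ip in unexpected if ip in KNOWN_PUBLIC],
        "unknown": [ip for ip in unexpected if ip not in KNOWN_PUBLIC],
    }


# Constructed sample dumps mirroring the two states described in the thread.
GOOD_DUMP = """# constructed: modem after switching back to provider DNS
DNS Mode: Dynamic (from ISP)
Primary DNS: 209.197.128.2
Secondary DNS: 209.197.128.5
"""
BAD_DUMP = """# constructed: the hijacked state
DNS Mode: Static
Primary DNS: 159.203.32.8
Secondary DNS: 8.8.8.8
"""

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, classify(parse_resolvers(dump)))
```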

I use OpenDNS
https://www.opendns.com/about/ and haven’t had a problem

Thanks for the reply!

I can change the DNS to anything I like, including OpenDNS… Something then changes it back!

Are you using an ISP provided modem/router box or your own router? If your own, have you changed the admin login and password?

Thanks for the reply!

It’s supplied by my ISP. When I switched to VDSL the modems were scarce and expensive!

I always change admin passwords when I buy a “connected” device.

Since the admin password is cached on all my computers I even changed it again yesterday - and did not update the saved password. So if some clever hacker has found a way to get at my saved passwords, they will get the wrong one!

Acanac is urging me to do a factory reset. Mildly annoying, I have a bunch of custom settings I will have to re-enter. Like Tablo ports…

I’m getting ready to do it anyway since I am out of ideas.

Is it possible to use their modem and your router? If so, I’d do that and lock down the router. There might be a vulnerability in their modem that they don’t want to tell you about.

Interesting … the 8. address appears to be a valid DNS offered by Google. But the other seems odd … listed as “1.canadaclient” but located in Michigan… weird… http://www.my-address-ip.com/whois-address-ip-159.203.32.8.html

It is very odd that someone is getting into your router/modem across password changes. What brand / model is the device? Wondering if there is a history of the device type being hacked directly?

Could someone else have access to your wifi network?

@rcooke

Years ago I had the same problem, turned out to be a trojan on my desktop.

I think Kaspersky (Internet security) had to run a special scan to get rid of it.

Been too long to remember, but it’s just a thought.

Chas

Thanks for the thought.

Getting on the wifi would not grant them access to the DNS settings.

But I will change it if the current fix fails!

Thanks for the thought.

I have dug out many hidden infections in the past on client computers.

One of the first tests I did was to shut off computers one at a time to see if one of them was infected.

I eventually ran out of computers!


Thanks for the post!

Yes I keep wondering about that too.

I did a factory reset to the modem last night. I have it up and reconnected - but - I can’t get access to any web pages through it!

This happened when it was first installed. And it was some sort of upstream DNS problem my ISP had to fix by remote.

I put in a call to them for help. Now I wait.


UPDATE:

After resetting to factory defaults and re-connecting to my VDSL account I was unable to route traffic through the modem for about 18 hours.

15 mins after I sent an e-mail to Acanac support it started to work!

Everything works now. And - so far - my DNS has not been hacked.

Dunno what it is support has/had to do but it appears they certainly did. Don’t have these problems with ADSL(2). Hopefully this is something VDSL will get better at. Then again, it’s so much FASTER I don’t care! heheh (so long as it works).

If I get hacked again in the next few days I’ll update this post. Otherwise assume that the problem was actually in the modem itself!

Thanks for all the input and ideas!

Modem is a SmartRG SR505N.

The firmware is customised by my ISP (Acanac) making upgrades or changes to open source potentially tricky.

Or at least, if I change the firmware then they may blame every problem I have on the “non standard” firmware.

I found no chatter about any problems with this product.

Let me know if you come across anything.

Sounds like you may have active Malware on your network. I would suggest you run one of the top antivirus products that are in this report. http://www.av-comparatives.org/real-world-protection-test-february-2016/

Hopefully it will correct your issue. By the way be careful and do not use any internet banking until you have this resolved.

Thanks for the post!

What malware can still run when all the computers are OFF?

First thing I did was start shutting down computers to figure out which one was infected.

After I had them all shut down, and DNS still got hacked, things got interesting!

I think the modem is vulnerable to an outside attack. I HIGHLY RECOMMEND you get your own router to put between the ISP’s modem and your network.

Read up and good luck. The problem lies with your provider’s DNS servers.

There are work arounds that may work for you.

Thanks for the post.

It’s been 2 or 3 days since I did a Factory RESET on my modem. And no further DNS problems.

I don’t understand how a modem’s firmware can get “confused” to the point of preferring some other company’s DNS server over the DHCP one assigned from upstream.

I still think this is a security hole a mile wide! But my ISP is adamant it’s not.

Not sure what TabloTV is, but came across this post when doing a Google search with my DNS ISP values, which are the same as yours.
I am connected to a local ISP in a small town between Ottawa and Montreal in Ontario, and the ISP also gave me a SmartRG modem. Like you, my DNS values were getting changed in the modem, driving me crazy as I experienced exactly the same behavior (and troubleshooting steps) you describe.
I recently reconfigured the modem in BRIDGE mode, and set up a router behind it to do the PPPoE and DNS, DHCP stuff. It had been running well for about a week now with no more changes to my DNS. I did get something to glitch a few minutes ago, in that the BOSE wifi speakers we have at the office stopped playing music, something that typically happened when the DNS was changed.
I checked the router, and the DNS were OK. Then the music came back. So maybe an unrelated glitch.
One difference with you is that my DNS were getting changed to something that didn’t give me bad sites, it just broke things like the music to the bose and some internet sites. The pokey DNS IP was 85.25.237.240
Trying a different modem didn’t help, checking on SmartRG site for more recent FW didn’t turn up anything.