# DSL Modem/DNS Servers Compromised [ISP BSNL]



## DDIF (Dec 18, 2013)

I have a TP-LINK TD-8817 ADSL modem which is connected to BSNL BB Service and I have a wireless router ASUS RT-N66U running asuswrt-merlin firmware.
For the past few days I have been experiencing a strange behavior.
Mostly in TD-8817 I use OpenDNS and GoogleDNS IPs (user-configured dns) as my DNS servers but sometimes when there is slow activity on Indian websites I switch the DNS to ISP default(auto).
Now if I use user-configured DNS then there is no problem but if I switch to ISP Default (auto) then after some time it changes itself to user-configured dns and the input values are automatically changed to *5.45.75.11 & 95.211.156.101*.
Now the IP search I did on the IPs returned with this:

```
[B]General IP Information
IP:	5.45.75.11
Decimal:	86854411
Hostname:	5.45.75.11
ISP:	Serverius Holding B.V.
Organization:	Serverius Holding B.V.
Services:	None detected
Assignment:	Static IP	
Geolocation Information
Country:	Netherlands nl flag
Latitude:	52.5  (52° 30′ 0.00″ N)
Longitude:	5.75  (5° 45′ 0.00″ E)[/B]
```


```
[B]General IP Information
IP:	95.211.156.101
Decimal:	1607703653
Hostname:	hosted-by.leaseweb.com
ISP:	LeaseWeb B.V.
Organization:	LeaseWeb
Services:	None detected
Assignment:	Static IP	
Geolocation Information
Country:	Netherlands nl flag
State/Region:	Noord-Holland
City:	Amsterdam
Latitude:	52.35  (52° 20′ 60.00″ N)
Longitude:	4.9167  (4° 55′ 0.12″ E)[/B]
```

Now no service is open on either my router or my modem. And the paswwords are not default though the dsl modem password was rather easy.
Today I found that someone else is having a same problem *here.*

Same as the guy in mentioned post I did a full security check with Avast internet security on my desktop and with Norton Internet Security on my laptop(updated the database with 3g dongle) but found nothing. As for now I am going to reload the firmware for my modem and router and changing the passwords to more strength. I just thought that I should share this with the community so that you guys could *also check your modem for any suspicious behavior.*


----------



## whitestar_999 (Dec 18, 2013)

seems like a problem with your setup.i changed dns to auto in modem & everything is working fine for last 2 hours.btw instead of setting complex passwords & reloading firmware did you try using access management control option to restrict modem/router access to PC/PCs from local lan only.btw firefox with noscript addon blocks any xss attack from lan side to modem & also don't set browser to remember modem/router password after changing it.another thing to note is that XSS attack is not virus related meaning it does not use any exe so it won't be detected by any AV.it is based entirely on opening certain web pages in some browser.


----------



## DDIF (Dec 18, 2013)

^^ Before I never felt the need to put any ACL rule but now that I've seen that I am not safe, I'm sure going to put ACL and IPTABLES rules.
My browser is already set to never remember any passwords or cookies.



whitestar_999 said:


> another thing to note is that XSS attack is not virus related meaning it does not use any exe so it won't be detected by any AV.it is based entirely on opening certain web pages in some browser.


Yeah but I wanted to be sure that it didn't install anything malicious from web to my system.


----------



## whitestar_999 (Dec 18, 2013)

if it did then most likely it would have been caught by a good AV.also a good XSS attack can bypass ACL rule so prefer firefox with noscript addon as even with temporarily allow all scripts option(default noscript mode is whitelist so you have to grant permission for every script which can be annoying in the beginning) noscript can successfully block most xss attacks.


----------

