Router connected to IP not belonging to ISP

Discussion in 'malware problems & news' started by learningcurve, May 19, 2012.

Thread Status:
Not open for further replies.
  1. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa
    Today I was troubleshooting a DNS connection problem and manually connecting through the router (on demand) to my ISP. The WAN IP I was issued was 186.36.128.XX and that IP address is not offered by my ISP. I immediately disconnected in alarm -- so I missed the whole IP address.

    This is in Chile? (LACNIC).

    I have no clue what it indicates. Anyone experienced this before? Can explain how this can happen?

    In the meantime I have reset the router settings to default and reconfigured it. Anything else I should do?


    Edit: Connection: DSL / PPPoE on router
    Visible Settings in router were *not* altered.
    At time of unusual event, using ISP's DNS.
     
    Last edited: May 19, 2012
  2. SoCalReviews

    SoCalReviews Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    282
    Location:
    Los Angeles, CA
    As you seem to have already discovered by doing a "WHOIS search" that address range appears to be under the Latin American and Caribbean IP address Regional Registry.

    I am not sure what you mean by "WAN IP you were issued" because it doesn't make sense that your ISP would issue you a WAN IP outside your region (if you are U.S. based), but unless you are in that region then having a DNS from that region may NOT be a good thing. If you can verify a non-regional "WAN IP" being issued you should contact your ISP to determine how or why this might be happening. While I can't verify I have seen it happen, I have read that ISP DNS servers can be compromised. The other possibility that is more likely a concern is that your own system or router has been compromised. I have seen Windows based malware cause redirects on people's systems many times before. One way to work around the ISP DNS security concerns is that you can manually set your settings in your router and/or in Windows to specify another trusted DNS server of your choice instead of your ISP's DNS server. Also check your router's security settings, password settings, etc. To help prevent your router from being compromised... set router privacy and security settings to reject WAN based (and if you want also reject wireless LAN based) administration requests and consider only allowing wired LAN administrative access to your router; of course after you do this you will need to have a manually connected wired Ethernet cable on your LAN side to make future changes to your router settings.

    You can manually set in Windows and your router a different DNS server than the one provided by your ISP. Many people like to use Google's public DNS servers... by disabling auto-DNS settings in their router and/or Windows and then by manually configuring their network settings to use the Google DNS server addresses 8.8.8.8 for the main DNS and 8.8.4.4 for the secondary DNS server(s). You can do this in your router settings (select manual setting) and in Windows networking (choose and set in your manual settings). Forcing manual settings in Windows networking for local IP address and for DNS servers may help as a temporary workaround if you suspect you have malware on your Windows system that is causing redirects.

    I have been assuming you are running a Windows based system. I would also recommend deep scanning your Windows system for malware. If you are having problems in normal Windows mode then try booting in safe mode with networking support to run the AV online scans and anti-malware programs. Try using Hitman Pro, Malwarebytes, and other online antivirus/antimalware scanners, etc... to detect and remove malware and to determine if your Windows system was compromised.
     
    Last edited: May 31, 2012
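The sanity check SoCalReviews describes (is the WAN IP one the ISP actually hands out, and are the configured resolvers either the ISP's or a trusted one?) written as a small script. This is an added example, not code from the thread; the ISP prefix list is a constructed placeholder that a real user would fill from the ISP's published (RIR whois) allocations.

```python
"""Flag a router-reported WAN IP or DNS server that does not belong to the ISP.
Added example; ISP_PREFIXES is a CONSTRUCTED placeholder (RFC 5737 documentation
ranges), not a real ISP's allocation."""
import ipaddress

# Constructed placeholder: prefixes the ISP is known to assign to customers.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
# Resolvers the user has chosen to trust (Google Public DNS, as named in the thread).
TRUSTED_DNS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")}
# RFC 1918 space, listed explicitly (ipaddress.is_private also covers RFC 5737).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_isp_range(addr: str) -> bool:
    """True if addr falls inside one of the ISP's known customer prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISP_PREFIXES)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_router_state(wan_ip: str, dns_servers: list[str]) -> list[str]:
    """Return a list of findings; an empty list means nothing looks off."""
    findings = []
    if in_isp_range(wan_ip):
        pass  # expected case: WAN address comes from the ISP
    elif is_rfc1918(wan_ip):
        # Not an attack indicator by itself: the DSL modem may be doing its own NAT.
        findings.append(f"WAN {wan_ip} is RFC 1918 space: router may sit behind another NAT")
    else:
        findings.append(f"WAN {wan_ip} is outside the ISP's known prefixes: verify with the ISP")
    for d in dns_servers:
        # A LAN address (e.g. the router itself forwarding DNS) is normal, as are the
        # ISP's own resolvers and the explicitly trusted public ones.
        if ipaddress.ip_address(d) in TRUSTED_DNS or in_isp_range(d) or is_rfc1918(d):
            continue
        findings.append(f"DNS server {d} is neither the ISP's nor a trusted resolver")
    return findings


if __name__ == "__main__":
    # Constructed sample: WAN address from a documentation range the "ISP" does not own.
    for line in check_router_state("192.0.2.10", ["192.0.2.53", "8.8.8.8"]):
        print(line)
```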
  3. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa
    SoCalReviews:

    Since I posted, as indicated I reset router and exhaustively scanned my pc. I have no idea how -- when I connect on demand to my DSL -- my *wired router* indicated I was connected to the *rogue* IP in Chile. It could be my router was "owned" and was displaying wrong info.

    At the time of event I was troubleshooting connection problems (probably router, in hindsight); so my usual DNS configuration on NIC -- either Norton DNS or trying out new DNSCrypt -- was not being used and I had reverted to ISP DNS.

    Router is configured to block remote administration, although I do log on to it to connect per use basis. Router is well passworded and firewalled. Use HTMPro regularly. :)

    Hindsight indicates to me that the router was compromised and displayed some false IP -- as no one has indicated that it is possible for a major US ISP to offer an IP address in Chile.

    Thanks for your insights. Please let me know if you think my theory of what transpired is a more plausible explanation.
     