Re: Is this weird?? (hacking a router)

RZ wrote:
> We are a small broadband ISP. We have one customer that
> could not get DNS to resolve. We found that he was using a
> DNS server in China/Taiwan, 168.95.192.1 (hntp1.hinet.net)
> We have our own DNS servers and this router had our DNS
> in its DNS field.
> The reason he failed is that the above DNS failed for several
> hours yesterday. We checked our server logs and found that
> he has been using this DNS since early July. He is behind a
> DI-604 router. As it turns out, the router redirects any request
> on port 53 to this hntp1.hinet.net. Today we replaced the router
> and it's all back to normal, all DNS requests are going to our server.
> We also checked the settings in the DI-604, they are correct.
> In fact, if we use the DI-604's internal ping test, it uses our DNS.
> Is it possible to hack a router?? Anyone heard of this?
> Thanks,
>
I have not heard of this before, but it certainly sounds like the
router has been hacked somehow. As for why - the most likely
reason is to be able to direct the user to a fake financial web
site, e.g. a mock-up of a home banking site, where they can then
get him to give them his username and password, thinking he's
logging into his usual home banking web site.
You should inform the user that any sites where he used passwords
could have been fakes, to change his passwords and to check all
his bank accounts. You should also look for other users similarly
compromised and inform them.
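
For the "look for other users similarly compromised" step, here is one way an ISP could triage flow records, as an added example that is not part of the original posts: it lists customers whose port-53 traffic never reaches the ISP's own resolvers. The resolver addresses, the customer subnet, the record format and the sample records are all assumptions constructed for illustration; only 168.95.192.1 comes from the thread.

```python
import csv
import ipaddress
from collections import Counter, defaultdict

# Assumed values (documentation address ranges, not from the thread).
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")

# Constructed flow records: time,src,dst,proto,dst_port
SAMPLE_FLOWS = """\
10:00:01,198.51.100.10,203.0.113.53,udp,53
10:00:02,198.51.100.11,168.95.192.1,udp,53
10:00:03,198.51.100.11,168.95.192.1,udp,53
10:00:04,198.51.100.10,203.0.113.54,udp,53
10:00:05,198.51.100.12,168.95.192.1,udp,53
10:00:06,198.51.100.12,203.0.113.53,udp,53
10:00:07,198.51.100.11,168.95.192.1,tcp,53
10:00:08,198.51.100.11,192.0.2.80,tcp,80
10:00:10,198.51.100.12,168.95.192.1,udp,53
10:00:11,198.51.100.13,168.95.192.1,udp,53
10:00:12,not-an-ip,168.95.192.1,udp,53
"""

def dns_destinations(flow_lines):
    """Map each customer IP to a Counter of the DNS servers it contacted."""
    seen = defaultdict(Counter)
    for row in csv.reader(flow_lines):
        if len(row) != 5:
            continue  # blank or malformed record
        _ts, src, dst, proto, port = (f.strip() for f in row)
        if port != "53" or proto not in ("udp", "tcp"):
            continue
        try:
            if ipaddress.ip_address(src) in CUSTOMER_NET:
                seen[src][dst] += 1
        except ValueError:
            continue  # unparsable source address
    return seen

def suspect_customers(flow_lines, min_queries=3):
    """Customers with DNS traffic that never reaches the ISP resolvers."""
    suspects = {}
    for src, dsts in dns_destinations(flow_lines).items():
        if sum(dsts.values()) >= min_queries and not set(dsts) & ISP_RESOLVERS:
            suspects[src] = dict(dsts)
    return suspects

if __name__ == "__main__":
    print(suspect_customers(SAMPLE_FLOWS.splitlines()))
```

A customer may have chosen a third-party resolver on purpose, so each hit is a lead to check against the DNS setting actually configured in that customer's router, as was done with the DI-604 here.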