Hit by router infection [Updated]

This is not a technical support note, just a heads-up to check your router if you are seeing unexpected pop-ups. After coming back to India, I saw an unexpected increase in pop-ups. Pages that had worked without issues started throwing pop-ups on clicks, sometimes on scroll, and sometimes on clicks that were not on any link at all.

I looked for the cause of the pop-ups. I found that Airtel and MTNL inject pop-ups into pages, but the screenshots showed hovering ads rather than pop-ups like mine. So I moved on.

Even my own blog started showing the pop-ups. I began paying attention to the ads on the pages I visited. They looked different: crude, cheap GIFs of a kind nobody has used for years, reminiscent of the old cyber-cafe days. Now I had to find out what these pop-ups were.

Thanks to the slow connection, I was able to see the initial redirect link. The pages went through 5-10 redirects before landing on an adult site, Facebook, a page claiming my device(s) were infected, and so on. The main redirect hosts seemed to be adcash and rdsrv.

Firefox and Firebug to the rescue. I started looking at the source of the pages. They contained something no template would produce: a second <head> and <body> opened inside the existing <body>. I checked my blog and found the same thing. It runs on WordPress, which certainly does not do that. I also checked my homepage, which has been under development since inception and is just a landing page for now 🙂 It too contained adcash [DOT] com. I did not write that, and Google would not have introduced it either.

adcash and rdsrv are common adware components that find their way onto PCs, or into browsers as extensions. But the issue was showing up everywhere: Mac, PC, iPhone, Android, iPad. I do not use the PC much, but I am certain the other devices have no malware or stray extensions (I avoid extensions, except 1Password). Some pages did not reference adcash but had adk [DOT] com instead; the injected code was not consistent from page to page. After reading up on adcash and rdsrv, I checked all the systems. They were clean. That left the router.

I have an MTNL ADSL modem (Sterlite SAM300 AX) connected to an Apple AirPort Extreme Base Station (AEBS). All devices use Wi-Fi from the AEBS, so I could not tell whether the AEBS or the MTNL modem was compromised. First I disconnected from Wi-Fi and browsed over the hotspot of my phone. Pages looked fine. I checked the source: no adcash, no adk. Awesome!

Next I connected a system directly to the MTNL modem with a LAN cable. Voilà! The injection was back. That isolates the problem to the MTNL modem (I had read that the AEBS is safe anyway), so I set out to fix the modem first.

Step 1: Call MTNL and ask for a modem replacement. The call took 30 minutes (not counting hold time), spent trying to explain that the modem was compromised while the other end was quite sure it was a system or browser issue. The issue was finally logged, and I am waiting for the replacement modem.

Step 2: Read about the modem. Well, actually, about how to reset it. Since this is an infection, I assumed the firmware itself was still intact and that a reset would restore factory settings. Before resetting, I collected all the documents needed to reconfigure the connection. Finding a pin to press the reset button took longer than the reset itself; a pen (mightier than the sword) pushed the button, and the Word document from the MTNL website got the connection reconfigured. Within minutes I was up and running without pop-ups.

It has now been a good while, and I have not seen a single pop-up or JavaScript injection on the pages I visit. It is only a matter of time until the replacement modem arrives, and the infection may well return before then. I could upgrade the firmware, but (being lazy here) the modem is quite old, may no longer be supported, and a newer modem should cope with this better. If I am handed the same model again, I might just buy a new modem myself.

If you see unexpected behaviour in your browser, do check the following:

  1. Check for unexpected software (on a PC: Win + R, then appwiz.cpl, i.e. Control Panel > Add or Remove Programs).
  2. Check for unexpected browser extensions (Chrome, Firefox, Safari and others).
  3. Check the page source for references to adcash, adk or rdsrv (I have not seen the last one in the source myself, but the pop-ups go through it too).
  4. https:// pages do not seem to exhibit this behaviour (a DNS-level or on-path injector cannot alter a TLS-protected page without tripping the certificate check), so it may not be visible on Gmail, Facebook or Outlook.
  5. Visit my page, zeronea.com (until I update it), because it has no pop-ups of its own and its code is either written by me or from trusted sources. It does carry ads, but the injections break them (the Amazon ad below) into poorly formatted ads or a plain "Go to Facebook" on a solid colour.
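A way to automate item 3 and the hotspot-versus-LAN comparison described above, as an added example (this is not code from the post): it parses a page with the standard library, flags a second <head>/<body> opened inside <body>, lists every third-party host the page loads scripts, frames, images or stylesheets from, and marks hosts belonging to the injector networks named in the post. `new_hosts` reports what appears only in the copy fetched over the suspect connection. The two sample pages, the `zeronea.com` first-party name and the URLs on the injector domains are constructed for the example, not captured traffic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Ad-injection networks named in the post. Extend this as you meet others.
SUSPECT_HOSTS = ("adcash.com", "rdsrv.com", "adk.com")

# Tags whose URL attribute pulls third-party code, frames or assets into the page.
LOADER_TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def _host_of(url):
    """Hostname of an absolute or scheme-relative URL; None for relative paths."""
    return urlsplit(url).hostname  # "//adcash.com/x.js" -> "adcash.com"


def _same_site(host, site):
    return host == site or host.endswith("." + site)


class InjectionAudit(HTMLParser):
    """Records structural anomalies and every third-party host a page loads from."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.head_count = 0
        self.body_count = 0
        self.body_depth = 0       # > 0 while inside a <body>
        self.reopened = []        # <head>/<body> tags opened inside <body>
        self.third_party = {}     # host -> set of tags loading from it

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.head_count += 1
            if self.body_depth:
                self.reopened.append("head")
        elif tag == "body":
            self.body_count += 1
            if self.body_depth:
                self.reopened.append("body")
            self.body_depth += 1
        attr = LOADER_TAGS.get(tag)
        if attr:
            url = dict(attrs).get(attr)
            host = _host_of(url) if url else None
            if host and not _same_site(host, self.first_party):
                self.third_party.setdefault(host, set()).add(tag)

    def handle_endtag(self, tag):
        if tag == "body" and self.body_depth:
            self.body_depth -= 1


def audit_html(html, first_party):
    """Return the third-party hosts a page loads from, plus findings pointing at injection."""
    p = InjectionAudit(first_party)
    p.feed(html)
    p.close()
    findings = []
    if p.head_count > 1 or p.body_count > 1:
        findings.append(f"duplicate structure: {p.head_count} <head>, {p.body_count} <body>; "
                        f"reopened inside <body>: {p.reopened}")
    for host in sorted(p.third_party):
        if any(_same_site(host, s) for s in SUSPECT_HOSTS):
            findings.append(f"known injector {host} via {sorted(p.third_party[host])}")
    return {"hosts": sorted(p.third_party), "findings": findings, "injected": bool(findings)}


def new_hosts(clean_html, suspect_html, first_party):
    """Hosts present only in the suspect copy: the post's hotspot-vs-LAN comparison."""
    clean = set(audit_html(clean_html, first_party)["hosts"])
    suspect = set(audit_html(suspect_html, first_party)["hosts"])
    return sorted(suspect - clean)


# Constructed samples (not real captures): the same landing page as seen over the
# phone hotspot (clean) and over the hijacked modem (second <head><body> injected).
CLEAN_PAGE = """<!doctype html><html><head><title>ZeroneA</title>
<script src="/js/site.js"></script>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato"></head>
<body><h1>ZeroneA</h1><p>Landing page.</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "<body>",
    '<body><head><body><script src="//adcash.com/inject.js"></script>'
    '<iframe src="http://adk.com/frame"></iframe></body></head>')

if __name__ == "__main__":
    print("clean:   ", audit_html(CLEAN_PAGE, "zeronea.com"))
    print("injected:", audit_html(INJECTED_PAGE, "zeronea.com"))
    print("added by the suspect path:", new_hosts(CLEAN_PAGE, INJECTED_PAGE, "zeronea.com"))
```

Save the page source twice (once over the hotspot, once over the modem) and feed both files to `new_hosts`; any host that shows up only over the modem is what the injector added, even when it is a domain not on the `SUSPECT_HOSTS` list. Legitimate third parties (fonts, analytics, CDNs) will appear in both copies and cancel out.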


Update (21/07/2015):

The infection is back, and I am still waiting for the new modem.

  1. Check your modem's DNS server settings. Connect to the modem by typing 192.168.1.1 into your browser (this is the usual address). If you have not changed the login, the username and password are admin and admin respectively.
  2. You may need documentation from your ISP (or ask them directly) for the correct DNS addresses. On the MTNL modem the setting is under Interface Setup > LAN. Mine had a primary DNS server pointing somewhere in Germany, with 8.8.8.8 (Google) as secondary; I checked the location with ip-lookup.net. A rogue primary paired with a legitimate secondary is typical: name resolution keeps working, so nothing looks broken.
  3. Change the modem's admin password too; do not leave it at the default.
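The manual check above tells you what the modem is configured to use; the added example below (not code from the post or from MTNL) tells you whether that resolver actually lies. It speaks the DNS wire format directly, asks the resolver your modem hands out and a trusted public resolver the same question, and reports whether the answers overlap. The resolver address 192.168.1.1 (the modem, which usually relays DNS for the LAN), the names queried and the hand-built reply used to exercise the parser are assumptions and constructed data for the example.

```python
import random
import socket
import struct

TRUSTED_RESOLVER = "8.8.8.8"   # the public resolver the post already lists as secondary


def build_query(name, txid):
    """Minimal DNS query for the A records of `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the sorted IPv4 answers of a DNS response after checking its transaction id."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def resolve_a(name, server, timeout=3.0):
    """Ask one specific resolver (UDP port 53) for the A records of `name`."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def compare_resolvers(name, router_dns, trusted=TRUSTED_RESOLVER):
    """Put the same question to the router's resolver and a trusted one; flag disagreement."""
    via_router = resolve_a(name, router_dns)
    via_trusted = resolve_a(name, trusted)
    return {"name": name, "router": via_router, "trusted": via_trusted,
            "agree": bool(set(via_router) & set(via_trusted))}


if __name__ == "__main__":
    # Assumption: the modem at 192.168.1.1 relays DNS for the LAN. If your devices are
    # handed the upstream resolvers directly, pass one of those addresses instead.
    for name in ("zeronea.com", "wordpress.com"):
        print(compare_resolvers(name, "192.168.1.1"))
```

Names served from a CDN may legitimately resolve to different addresses depending on who asks, which is why the check looks for any overlap rather than an exact match; if a plain site you know (your own blog, for instance) resolves to an unrelated address through the modem but correctly through 8.8.8.8, the resolver is lying. The parser handles only UDP responses with A records; truncated replies and TCP fallback are out of scope here.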

After 2-3 days it was back, so I am still working on a solution. Hopefully I figure it out. Please let me know how you deal with it.

2 thoughts on “Hit by router infection [Updated]”

  1. Hi Sam – I'm facing the same issue. Resetting MTNL's Sterlite modem only buys a day or two. The problem comes back. I spoke to MTNL, and this modem is the latest and only modem they have. It's not this one specific modem, it's the modem model itself that has the security flaw in its hardware.

    I was thinking of buying a third party ADSL modem and use it with MTNL’s configuration. Do you think it can be done?

    1. Hi Meetal,
      Of course, a third-party ADSL modem will work provided the configuration to be changed is known. This can generally be found on the MTNL website under modems. I have a Sterlite SAM300AX modem, so I used that document and added another point before Point 4, which says: Go to "Advance Setup"…

      In LAN settings, set the DNS Server Address as: Preferred DNS (Primary) 59.179.243.70 and Alternate DNS (Secondary) 203.94.243.70. Keep the TCP/IP properties on your PC as Obtain IP automatically (unless you use a fixed IP).

      Edited document uploaded here

      Apart from this, I modified some more settings in Advanced Setting > NAT > Virtual Server:

      1. Select any Rule Index. I chose 2. Can't remember why, maybe because 1 is always attacked first in a database.
      2. Application: HTML, and nothing from the dropdown.
      3. Protocol: All.
      4. Start & End Port Number: 80. This is because web servers are generally on this port, so a hacker/bug will try this port.
      5. Set Local IP Address to an arbitrary high IP. I used 192.168.1.30 just because I don't have that many systems 🙂

      This basically sends any external entity trying to access the admin page to a non-existent IP address, so anyone who knows your public IP will be unable to change anything on the admin page. Screenshot uploaded here

      Finally, Maintenance > SysRestart > select Current Settings and click Restart. After doing this, I've been living happily (or maybe it has just not come back for me yet!).
