I had to go and sort out a client the other day as their router (a Bigpond branded Netcomm unit for a home NextG connection) had, somehow, been compromised and dodgy DNS server addresses were being handed out via DHCP. Changing the settings on the router didn’t seem to stick.

Google searches were being redirected to porn sites and other web sites were being redirected to the wrong things too.

Had to back up it’s config, as I had their username but not their password and interestingly enough unlike all other 3G connections I’ve seen used this one required a username and password to connect. Luckily the config file was in an xml style format and whilst the password was encrypted in the file, I could edit out the sections that related to DNS. I could also verify pretty well what was being configured with the config file too which was handy.

Restored the unit to factory defaults, uploaded the edited config and we were back up and running. I turned off all the other management interfaces (including telnet, ssh and snmp) leaving only http on the LAN interface.

They did have PCs on the network a short while ago that were replaced with Macs, it’s entirely possible the PCs were rooted and that’s how the router was compromised, but I’m not 100% sure on this as I didn’t see any of the PCs in action.