I started noticing that all traffic on all devices destined for non-existing URLs was resolved into a domain called: http://searchguide.level3.com
After about 30 seconds to a minute, the following error appears in the browser:
Your browser has sent a request that this server could not understand.
Reference # 7.26c0f948.1553830976.0
Seeing that it was a DNS problem, I checked the settings of my router and found that there is a server with an IP address of 184.108.40.206 and 220.127.116.11 (Google). I did a quick search on Google and found this: http://drewgraybeal.blogspot.com/2015/05/level-3-dns-hijacking-4222-and-others.html
I did a traceroute on a nonexistent domain and I got this:
traceroute kjaskdjfkjdf.com
traceroute: Warning: kjaskdjfkjdf.com has several addresses. using 18.104.22.168
traceroute to kjaskdjfkjdf.com (22.214.171.124), maximum of 64 hops, packets of 52 bytes
 1 configuration (192.168.1.1) 2.920 ms 1.254 ms 1.090 ms
 2 126.96.36.199 (188.8.131.52) 8.714 ms 17.041 ms 9.197 ms
 3 172.17.1.146 (172.17.1.146) 10.300 ms 8.925 ms 10.385 ms
 4 h252.63.131.40.static.ip.windstream.net (184.108.40.206) 9.783 ms 9.410 ms 10.615 ms
 5 be3.agr01.alby01-ny.us.windstream.net (220.127.116.11) 19.659 ms 18.709 ms 18.619 ms
 6 ae6-0.cr02.nycm01-ny.us.windstream.net (18.104.22.168) 18.544 ms 12.356 ms 20.854 ms
 7 and 11-0-0-0.cr01.nycm01-ny.us.windstream.net (22.214.171.124) 19.256 ms 11.462 ms 17.903 ms
 8 10ge3-9.core1.nyc6.he.net (126.96.36.199) 19.074 ms 18.299 ms 12.802 ms
 9 100ge13-1.core1.nyc4.he.net (188.8.131.52) 17.187 ms 18.555 ms 20.392 ms
   Xerocole-inc.10gigabitethernet12-4.core1.nyc4.he.net (184.108.40.206) 19.384 ms 14.154 ms 14.531 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
I will call my ISP in the morning, but I want to give them as much information as possible.
First, how can I tell if my router has been hacked or if my ISP has been hacked? My ISP is managed by the municipality. They may not be up to all the security measures. The ISP has the ability to remotely configure the settings of my router via a website interface with the help of a remote router management protocol.
I do not see any way to remove the wrong DNS IP address from the router settings.
Please give your opinion.
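One way to gather evidence for the ISP call, as an added example that is not part of the original post: send a query for a random name that cannot exist to each configured resolver and classify the raw reply. An honest resolver answers NXDOMAIN (rcode 3); a resolver that rewrites NXDOMAIN into a search page answers rcode 0 with an A record. The sample replies, the `.example` suffix and the 198.51.100.7 address are constructed placeholders; `query_resolver` is the only part that needs the network.

```python
import os, socket, struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query (RD set) for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def random_name(suffix="example"):
    """A name nobody registered; an A answer for it means NXDOMAIN is being rewritten."""
    return os.urandom(6).hex() + "." + suffix

def _skip_name(resp, pos):
    if resp[pos] & 0xC0 == 0xC0:        # compression pointer, 2 bytes
        return pos + 2
    while resp[pos] != 0:               # label sequence ending in a zero byte
        pos += resp[pos] + 1
    return pos + 1

def classify_response(resp):
    """'nxdomain' for an honest reply; 'hijacked' (plus the A records) when rcode 0 and
    addresses come back for a name that cannot exist; 'other' for anything else."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x0F
    if rcode == 3:
        return ("nxdomain", [])
    pos = 12
    for _ in range(qd):                 # question: name + qtype + qclass
        pos = _skip_name(resp, pos) + 4
    ips = []
    for _ in range(an):                 # answer RRs: name, type, class, ttl, rdlen, rdata
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ("hijacked", ips) if rcode == 0 and ips else ("other", ips)

def query_resolver(resolver_ip, name, timeout=3.0):
    """Send the query over UDP/53 to one resolver and return the raw reply (network needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recv(4096)

# Constructed sample replies to "a1b2c3.example" (no network): honest NXDOMAIN vs. a
# rewriting resolver answering with 198.51.100.7 (placeholder for a search-guide page).
QUESTION = build_query("a1b2c3.example")[12:]
HONEST = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
HIJACKED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("198.51.100.7"))
```

Running `classify_response(query_resolver(ip, random_name()))` against the resolver the router was given and against one you chose yourself shows whether the rewriting happens at the ISP's resolver or somewhere on the path.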