Author Topic: DNS settings in router being changed.  (Read 4615 times)

Robmoff

    Topic Starter


    Starter

  • Experience: Familiar
  • OS: Windows 8
DNS settings in router being changed.
« on: August 30, 2016, 05:28:22 AM »
How do I stop the DNS settings in my Asus router being changed? It happens when the router is on and connected to the internet even if the PC is off or disconnected.
Router log for a typical 1/2 hour:-

10:23:32 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=64.185.10.193 DST=83.217.164.208 LEN=60 TOS=0x08 PREC=0x20 TTL=53 ID=28338 DF PROTO=TCP SPT=3077 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
10:33:30 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=198.20.70.114 DST=83.217.164.208 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=8195 PROTO=TCP SPT=11748 DPT=111 WINDOW=29191 RES=0x00 SYN URGP=0
10:43:59 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=115.59.109.0 DST=83.217.164.208 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7057 DF PROTO=TCP SPT=3561 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
10:53:46 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=190.66.63.6 DST=83.217.164.208 LEN=56 TOS=0x00 PREC=0x20 TTL=50 ID=41453 DF PROTO=TCP SPT=44093 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0
11:04:07 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=80.85.84.75 DST=83.217.164.208 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=12609 PROTO=TCP SPT=43581 DPT=4000 WINDOW=1024 RES=0x00 SYN URGP=0
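
Added example (not part of the original post and not written by any forum member): a small Python parser for the router log lines quoted above, which tallies the logged inbound connection attempts by destination port and lists those aimed at telnet (23) and portmapper (111). The `WATCHED_PORTS` table and the function names are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Log lines copied from the router log in the post above.
SAMPLE_LOG = """\
10:23:32 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=64.185.10.193 DST=83.217.164.208 LEN=60 TOS=0x08 PREC=0x20 TTL=53 ID=28338 DF PROTO=TCP SPT=3077 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
10:33:30 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=198.20.70.114 DST=83.217.164.208 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=8195 PROTO=TCP SPT=11748 DPT=111 WINDOW=29191 RES=0x00 SYN URGP=0
10:43:59 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=115.59.109.0 DST=83.217.164.208 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7057 DF PROTO=TCP SPT=3561 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
10:53:46 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=190.66.63.6 DST=83.217.164.208 LEN=56 TOS=0x00 PREC=0x20 TTL=50 ID=41453 DF PROTO=TCP SPT=44093 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0
11:04:07 user alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=80.85.84.75 DST=83.217.164.208 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=12609 PROTO=TCP SPT=43581 DPT=4000 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Assumption: service ports this example treats as worth flagging.
WATCHED_PORTS = {23: "telnet", 111: "rpcbind/portmapper"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=, MAC=)

def parse_line(line):
    """Parse one 'Intrusion ->' log line into a dict, or return None."""
    if "Intrusion ->" not in line:
        return None
    head, _, tail = line.partition("Intrusion ->")
    fields = dict(FIELD_RE.findall(tail))
    # Bare tokens such as DF and SYN are flags with no '=value' part.
    flags = [tok for tok in tail.split() if "=" not in tok]
    try:
        return {"time": head.split()[0], "in_if": fields["IN"],
                "src": fields["SRC"], "proto": fields["PROTO"],
                "dport": int(fields["DPT"]), "flags": flags}
    except (KeyError, ValueError, IndexError):
        return None  # truncated or malformed line

def summarize(log_text):
    """Tally events by destination port and pick out SYNs to watched ports."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    probes = [e for e in events
              if e["dport"] in WATCHED_PORTS and "SYN" in e["flags"]]
    return {"events": len(events),
            "by_port": dict(Counter(e["dport"] for e in events)),
            "sources": sorted({e["src"] for e in events}),
            "mgmt_probes": probes}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["events"], "events, by port:", report["by_port"])
    for e in report["mgmt_probes"]:
        print(e["time"], e["src"], "->", e["dport"], WATCHED_PORTS[e["dport"]])
```

Every line in the sample arrives on the WAN interface (`IN=ppp_0_38_1`) from a different source address, so the summary shows which router services are being contacted from outside and are worth confirming as closed on the WAN side.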

DaveLembke



    Sage
  • Thanked: 662
  • Experience: Expert
  • OS: Windows 10
Re: DNS settings in router being changed.
« Reply #1 on: August 30, 2016, 09:12:09 AM »
Instead of using dynamic DNS, set the DNS in the router to a static IP and this way it won't change. Additionally, hopefully your router's password is different from the one it shipped with, as default passwords are the biggest security problem in the world of wifi security.

Robmoff

Re: DNS settings in router being changed.
« Reply #2 on: August 30, 2016, 09:28:19 AM »
It is set to static DNS (Google free dns, the numbers are easy to remember when typing in every 15 minutes!)
The Admin password has been changed when first used and every day or so for the last month. Admin does not have the authority to change the SUPPORT password, so I am stuck with that.
BTW Malwarebytes and AVG both run clean, but I don't expect it's a PC problem as it occurs when the PC is switched off.

DaveLembke



Re: DNS settings in router being changed.
« Reply #3 on: August 30, 2016, 10:28:47 AM »
Quote
user alert kernel: Intrusion

Never seen this alert before... I'd suggest getting a different router maybe. Maybe this one was compromised somehow in its firmware. If it's a rental from the ISP then they should swap it out free.

Geek-9pm


    Mastermind
  • Geek After Dark
  • Thanked: 1026
  • Experience: Expert
  • OS: Windows 10
Re: DNS settings in router being changed.
« Reply #4 on: August 30, 2016, 10:45:53 AM »
kernel: Intrusion ? Very odd.
Please provide the name of the ISP and the type of service.
Where are you located? (Approximate location.)
Also, the model number of the router.

This information can help others who might have similar issues.

Robmoff

Re: DNS settings in router being changed.
« Reply #5 on: August 30, 2016, 05:25:53 PM »
It's an Asus WL-600g router, and I've used it for a few years. The ISP supplied router does not do wireless.
ISP is Vispa and I'm in the UK on non-cable broadband.

Geek-9pm


Re: DNS settings in router being changed.
« Reply #6 on: August 30, 2016, 06:22:57 PM »
Check with Vispa and see if they have a policy of DNS settings.
They may wish to limit which DNS you can use. Possible security issue.
Understand that this is not the policy of most providers.
Of relevance:
UK ISP Vispa Internet in Rare Change of DNS Servers
Quote
Customers of Vispa Internet have been informed that the ISP will be changing their Domain Name Servers (DNS) from the current ones (62.24.228.24 – 25) to a new set (83.217.161.161 – 162).
NOTE: In some regions a range of IP assignments might be reserved for a special use.

Robmoff

Re: DNS settings in router being changed.
« Reply #7 on: August 31, 2016, 04:42:16 AM »
I am familiar with the DNS servers that Vispa prefers its clients to use, the ones that hijack my settings are managed (if that's the right word) by
Digital Ocean:-
139.59.165.202
188.166.150.116
Bhost inc:-
176.126.247.157
Neither company can be bothered to respond to any communication!

camerongray



    Expert
  • Thanked: 306
  • Experience: Expert
  • OS: Mac OS
Re: DNS settings in router being changed.
« Reply #8 on: August 31, 2016, 05:10:13 AM »
This sounds like something malicious to me, especially given the Admin password being changed.  If the DNS server is changed to something malicious then it allows an attacker to redirect you to different websites.  Digital Ocean and BHost just rent out servers, anyone can rent one to host whatever they want (including malicious DNS servers).

I would completely reset the router (after noting down all your connection settings, etc.) and set it up again from scratch, setting the Admin password to something secure (and disabling remote management if there's an option). If the router has been used with the default admin password and it allows people to connect to it over the internet, it is possible that an attacker has been able to log into it and change the admin password/DNS server. It may also be worth updating the firmware on the router if a newer version is available to ensure that it is patched against any security flaws that may have been discovered in that model.

If you still have issues after doing this, you may want to look at just replacing the router, it's a pretty old Wireless G model, a better replacement won't break the bank!