Has anybody else seen a Mikrotik router change its DNS IP to 195.3.144.115? We have several out in the field that apparently have changed themselves.

Does any have a dhcp-client, or any kind of VPN tunnel interface running?

No DHCP clients. I just checked the routers that were affected this last round where it was somehow changed automatically. Good thought though.

Has anybody else seen a Mikrotik router change its DNS IP to 195.3.144.115? We have several out in the field that apparently have changed themselves.

I guess you use PPPOE on it ? Did you check the USE PEER DNS checkbox ?

If yes, your DNS should be dynamic, if the provider changes them, it will update yours.

If not, be careful that you are not attacked, change your password etc.

Andy

It can be some malware, this IP address belongs to RN Data SIA (195.3.144.0/22) and it is connected with ZeroAccess Botnet.

Do you have UPNP enabled on these routers?

I found the issue. Unfortunately, there was a password defaulted on these routers. SSH scanners associated with this ugly botnet probably found them and changed DNS for their own nefarious purposes. Scary stuff. Passwords have been changed

Thanks for the tips everyone!