Dormitory router DNS was tampered with

Last night, when I used my mobile phone to visit the app search (m.yingyong.so), I found pop-up ads on the webpage. I then tried several other websites, and some of them showed the same behavior. The ads were the same, coming from "fast media". Obviously, this is not normal. Based on previous experience with malicious pop-up ads on home broadband, it should be a DNS problem.

A long time ago I read articles saying that many TP-Link routers have vulnerabilities that allow their DNS settings to be modified through a line of code in a web page. So I logged into the control interface of the dormitory router. Sure enough, the user name and password were the default admin, and my roommate had not changed them. The DNS servers were 121.157.39.111 and 114.114.114.114. The first is a malicious DNS server in South Korea, and the second is there to cover for the malicious DNS server when it is overloaded and unresponsive. In other words, 114DNS is used as a fallback so that users do not notice.

After changing the router's DNS to 114DNS's 114.114.114.114 and 114.114.115.115, everything was back to normal. Finally, of course, I also changed the password to avoid being tampered with again.

I don't understand why routers need to provide this initial password. Wouldn't it be safer to force users to set a password after the first installation or reset of the hardware?

Also, "Super Media" (www.xsu.cc) is obviously a malicious advertising platform. Why is it ignored?

If your router password is still the default, I hope you will check the DNS settings and change the password to prevent tampering.
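An added example, not part of the original post: a small Python audit of the resolvers a client has been handed, flagging the pattern described above where a known-good secondary sits next to an unexpected primary. The allowlist (the 114DNS pair the post switches to), the function names and the sample input are assumptions made for illustration.

```python
import ipaddress

# Assumption: the allowlist is the 114DNS pair the post switches to.
TRUSTED = {"114.114.114.114", "114.114.115.115"}

# Constructed sample: the resolver pair the post found on the router,
# written in resolv.conf syntax as a DHCP client would receive it.
SAMPLE = """\
# constructed sample
nameserver 121.157.39.111
nameserver 114.114.114.114
"""

def parse_nameservers(text):
    """Return the nameserver IPs, in order, from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # ignore malformed addresses
    return servers

def audit(servers, trusted=TRUSTED):
    """Sort resolvers into trusted, LAN forwarders and unexpected ones."""
    report = {"trusted": [], "forwarders": [], "unexpected": []}
    for ip in servers:
        if ip in trusted:
            report["trusted"].append(ip)
        elif ipaddress.ip_address(ip).is_private:
            # The router is proxying DNS; its upstream setting is only
            # visible on the router's own admin page.
            report["forwarders"].append(ip)
        else:
            report["unexpected"].append(ip)
    # A trusted secondary next to an unexpected resolver is the pattern
    # from the post: the known-good entry does not make the config clean.
    report["mixed"] = bool(report["unexpected"] and report["trusted"])
    return report

if __name__ == "__main__":
    result = audit(parse_nameservers(SAMPLE))
    for ip in result["unexpected"]:
        print("unexpected resolver:", ip)
    if result["mixed"]:
        print("trusted secondary present, configuration still tampered")
```

When the client only sees the router's LAN address as its resolver, the result lists it under `forwarders`, and the upstream DNS has to be checked on the router's admin page as the post does.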
