I don't recognise my DNS server's address: does this mean I am compromised?

Something in your environment has definitely been compromised. It seems more likely that your router has been compromised. You haven't provided much information, so I'm going to make some basic assumptions:

  • You're at home
  • You are behind a commercial router, provided by your ISP
  • You haven't done anything to secure your router
  • Your Linux desktop is a DHCP client of the router

These devices often have default passwords that users never change and critical firmware vulnerabilities that go unpatched. As a DHCP client of the router, your Linux desktop is going to pull DNS information as part of its DHCP request, and so will see the behavior you've described above. Configuring other DNS servers in resolv.conf is only a workaround. I strongly suggest that you try to log in to your router (probably @ 192.168.1.1, based on your screenshot). I bet you won't be able to. You'll probably have to reset it to factory defaults, then log in. You'll want to secure it better - update firmware, change default passwords, and hope that's enough.

For confirmation without logging into your router, check the DNS configuration on your Windows desktop. If it points to the same 46.161.40.29, then it's very likely the router.


Take a look at this resource:
http://thesimplesynthesis.com/post/how-to-set-a-static-ip-and-dns-in-ubuntu-14-04

In summary, you may be updating /etc/resolv.conf but Ubuntu is rewriting it based on other pre-defined settings. You can think of /etc/resolv.conf as the resulting entries that your system derived from the various options.

Check the locations referenced for the head/base/tail/interfaces entries and see if they have been updated (it might be good to make a note of permissions, ownership and date changed). I expect you will find one or all of them have the unwanted nameserver entries. Update the file and regenerate the resolv.conf file (the steps in the above entry look correct, but it would not hurt to search for an Ubuntu KB to verify the correct process for your specific version of Ubuntu).

Last but not least though... the updating of your resolv.conf may have just been one of the changes to your system and other nasty items may be lurking. If it were me... once I had secured my network (as you appear to have been looking at by setting a good password on your router, etc.) I would reinstall.

If a reinstall is not something you are up for yet, at the very least change all your passwords (all users and root) on the system. If someone updated resolv.conf they would have already gained root access (unless you have funky permissions, only root or users with sudo access should be able to update resolv.conf) and could have easily grabbed your shadow file and have a hash of your passwords.

This could have all also been self-inflicted... think installing something that prompted you for elevated access (sudo) and you thought it was doing xyz, when it was really doing XYZ and you may have done it to yourself (sometimes exploits are not the work of criminal masterminds but rather hacks of opportunity).

Good Luck.
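Added example, not part of either answer above: a POSIX shell function that carries out the check the second answer describes, listing every nameserver found in the head/base/tail/interfaces sources together with each file's owner, mode and modification time, and flagging any address that is not on a list you trust. The file paths are the stock resolvconf locations on Ubuntu 14.04 (an assumption), the function name `audit_dns_sources` and its output format are made up for this illustration, and `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example: audit the files that feed /etc/resolv.conf on Ubuntu.
# Usage: audit_dns_sources ROOT [TRUSTED_IP ...]
#   ROOT is "/" for the live system, or a mounted image / test directory.
#   With no trusted IPs given, every entry is flagged for manual review.
# Output, one line per nameserver: file|owner:group|mode|mtime|ip|status
# Returns 1 if any nameserver is not in the trusted list, else 0.
# (Plain sh has no "local", so the variables below are global.)
audit_dns_sources() {
    root=${1%/}; shift
    allowed=" $* "
    rc=0
    # Assumed stock locations: resolvconf fragments, ifupdown config, result.
    for f in etc/resolvconf/resolv.conf.d/head \
             etc/resolvconf/resolv.conf.d/base \
             etc/resolvconf/resolv.conf.d/tail \
             etc/network/interfaces \
             etc/resolv.conf; do
        [ -f "$root/$f" ] || continue
        # Ownership, octal permissions and last-modified time (GNU stat).
        meta=$(stat -c '%U:%G|%a|%y' "$root/$f")
        # "nameserver X" in resolv.conf-style files,
        # "dns-nameservers X Y ..." in /etc/network/interfaces.
        # Commented-out lines do not match because their first field differs.
        while read -r ip; do
            [ -n "$ip" ] || continue
            case "$allowed" in
                *" $ip "*) status=ok ;;
                *)         status=UNEXPECTED; rc=1 ;;
            esac
            printf '/%s|%s|%s|%s\n' "$f" "$meta" "$ip" "$status"
        done <<EOF
$(awk '$1=="nameserver" || $1=="dns-nameservers" {for (i=2; i<=NF; i++) print $i}' "$root/$f")
EOF
    done
    return $rc
}
```

For the situation in the question, `audit_dns_sources / 192.168.1.1` would report every entry other than the router's own address as UNEXPECTED, along with when the file holding it was last changed.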