[166806] in North American Network Operators' Group


RE: CPE dns hijacking malware

daemon@ATHENA.MIT.EDU (James Sink)
Tue Nov 12 16:18:26 2013

From: James Sink <james.sink@freedomvoice.com>
CC: NANOG list <nanog@nanog.org>
Date: Tue, 12 Nov 2013 21:18:10 +0000
In-Reply-To: <CAEZ7Lt2a0-JR13NHe3JOxeDr860LcyfA-6uNfpnAcJ24=2dKTA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

"Personally I have fond memories of going into my neighbor's router, flashing it with dd-wrt which allowed manual channel setting, and moving it off of the same wifi channel mine was on.... That was probably not a great idea, but you do what you have to sometimes."

Props on that, but wouldn't it have been easier to simply change your channel setting?
-James

-----Original Message-----
From: Tom Morris [mailto:blueneon@gmail.com]
Sent: Tuesday, November 12, 2013 9:59 AM
Cc: NANOG list
Subject: Re: CPE dns hijacking malware

EXTREMELY common. Almost all Comcast Cable CPE has this same login, cusadmin / highspeed. At least on AT&T U-Verse gear, there's a sticker on the modem with the password which is a hash of the serial number or something equally unique.

Almost all home routers also tend to have the default credentials.

I'm actually surprised it was this long before XSS exploits and similar garbage started hitting them.

Personally I have fond memories of going into my neighbor's router, flashing it with dd-wrt which allowed manual channel setting, and moving it off of the same wifi channel mine was on.... That was probably not a great idea, but you do what you have to sometimes.


On Tue, Nov 12, 2013 at 10:57 AM, Matthew Galgoci <mgalgoci@redhat.com> wrote:

> > Date: Tue, 12 Nov 2013 06:35:51 +0000
> > From: "Dobbins, Roland" <rdobbins@arbor.net>
> > To: NANOG list <nanog@nanog.org>
> > Subject: Re: CPE  dns hijacking malware
> >
> >
> > On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell@utc.edu> wrote:
> >
> > > (2) DHCP hijacking daemon installed on the client, supplying the
> > > hijacker's DNS servers on a DHCP renewal.  Have seen both, the latter
> > > being more common, and the latter will expand across the entire home
> > > subnet in time (based on your lease interval)
> >
> > I'd (perhaps wrongly) assumed that this probably wasn't the case, as
> > the OP referred to the CPE devices themselves as being malconfigured; it
> > would be helpful to know if the OP can supply more information, and
> > whether or not he'd a chance to examine the affected CPE/end-customer
> > setups.
> >
>
> I have encountered a family member's provider-supplied CPE that had the
> web server exposed on the public interface with default credentials
> still in place. It's probably more common than one would expect.
>
> --
> Matthew Galgoci
> Network Operations
> Red Hat, Inc
> 919.754.3700 x44155
> ------------------------------
> "It's not whether you get knocked down, it's whether you get up." -
> Vince Lombardi
>
>


--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles
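As an added example (not from any poster in the thread) of detecting the DHCP-renewal hijack Jeff Kell describes, this script parses ISC dhclient.leases-style records and flags any lease whose domain-name-servers fall outside the expected resolver set; the resolver and server addresses are constructed placeholders.

```python
"""Flag DHCP leases whose DNS resolvers fall outside an expected set."""
import re

# Expected resolvers (constructed placeholders; use the ISP's real ones).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample in ISC dhclient.leases format: first lease from the
# real router, second from a rogue DHCP server on the same home subnet.
SAMPLE_LEASES = """\
lease {
  fixed-address 192.168.1.20;
  option routers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
  option domain-name-servers 192.0.2.53,192.0.2.54;
  renew 2 2013/11/12 18:00:00;
}
lease {
  fixed-address 192.168.1.20;
  option routers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.77;
  option domain-name-servers 198.51.100.9,192.0.2.53;
  renew 2 2013/11/12 22:00:00;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")


def parse_leases(text):
    """Return one dict per lease block, keyed by DHCP option name."""
    return [{k: v.strip() for k, v in OPTION_RE.findall(body)}
            for body in LEASE_RE.findall(text)]


def rogue_resolvers(lease, expected=EXPECTED_RESOLVERS):
    """Resolver addresses in the lease that are not in the expected set."""
    raw = lease.get("domain-name-servers", "")
    servers = [s.strip() for s in raw.split(",") if s.strip()]
    return [s for s in servers if s not in expected]


def audit(text, expected=EXPECTED_RESOLVERS):
    """(server-identifier, rogue resolvers) for every suspicious lease."""
    return [(l.get("dhcp-server-identifier"), rogue_resolvers(l, expected))
            for l in parse_leases(text) if rogue_resolvers(l, expected)]


if __name__ == "__main__":
    for server, rogue in audit(SAMPLE_LEASES):
        print(f"DHCP server {server} handed out unexpected resolvers: {rogue}")
```

A mismatch identifies both the renewed host and the server identifier that answered it, which is the starting point for locating the rogue daemon on the LAN.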

