[169573] in North American Network Operators' Group
Re: Hackers hijack 300, 000-plus wireless routers, make malicious
daemon@ATHENA.MIT.EDU (Andrew Latham)
Tue Mar 4 06:55:00 2014
In-Reply-To: <op.xb64biiundossr@localhost>
Date: Tue, 4 Mar 2014 05:54:40 -0600
From: Andrew Latham <lathama@gmail.com>
To: fmm <vovan@fakmoymozg.ru>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan@fakmoymozg.ru> wrote:
> On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra@baylink.com> wrote:
>
>>
>> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
>>
>> Is there any valid reason not to black hole those /32s on the back bone?
>
>
>
>>> The telltale sign a router has been compromised is DNS settings that have
>>> been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
>>> the provider that hosts those two IP addresses but have yet to receive a
>>> response.
>
>
> you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
> you?
>
>
> Cheers
>
Jay is right, it is just the /32s at the moment... Dropping the /22s
could cause other sites to be blocked.
inetnum: 5.45.72.0 - 5.45.75.255
netname: INFERNO-NL-DE
descr: ********************************************************
descr: * We provide virtual and dedicated servers on this Subnet.
descr: *
descr: * Those services are self managed by our customers
descr: * therefore, we are not using this IP space ourselves
descr: * and it could be assigned to various end customers.
descr: *
descr: * In case of issues related with SPAM, Fraud,
descr: * Phishing, DDoS, portscans or others,
descr: * feel free to contact us with relevant info
descr: * and we will shut down this server: abuse@3nt.com
descr: ********************************************************
country: NL
admin-c: TNTS-RIPE
tech-c: TNTS-RIPE
status: ASSIGNED PA
mnt-by: MNT-3NT
mnt-routes: serverius-mnt
source: RIPE # Filtered
--
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
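As an added illustration of the /32-versus-/22 point made in the thread (example code, not part of the original message): the block below collapses the quoted RIPE inetnum range into its CIDR prefix, counts how many addresses besides the rogue resolver a blackhole of the enclosing /22 would catch, and flags router DNS settings that match the two indicator addresses. The resolver list passed to `hijacked_resolvers` is a constructed sample, not data from the thread.

```python
import ipaddress

# The two rogue resolver addresses named in the Ars Technica article quoted above.
ROGUE_DNS = {ipaddress.ip_address("5.45.75.11"),
             ipaddress.ip_address("5.45.76.36")}

# The RIPE inetnum range quoted in the reply (5.45.72.0 - 5.45.75.255).
INFERNO_RANGE = (ipaddress.ip_address("5.45.72.0"),
                 ipaddress.ip_address("5.45.75.255"))


def range_to_prefixes(first, last):
    """Collapse a whois first-last range into the CIDR prefixes it spans."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def enclosing_network(ip, prefixlen):
    """Network of the given prefix length that contains `ip`."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def blackhole_collateral(ip, prefixlen):
    """Addresses other than `ip` that a blackhole of the enclosing
    /prefixlen network would also drop (0 for a /32, 1023 for a /22)."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return net.num_addresses - 1


def hijacked_resolvers(configured):
    """Return the configured resolvers (IP strings, e.g. read from a router's
    DNS settings) that match the rogue set. Constructed input, not thread data."""
    return sorted(r for r in configured if ipaddress.ip_address(r) in ROGUE_DNS)


if __name__ == "__main__":
    print(range_to_prefixes(*INFERNO_RANGE))
    for ip in sorted(ROGUE_DNS):
        print(ip, enclosing_network(ip, 22),
              "collateral /32:", blackhole_collateral(ip, 32),
              "collateral /22:", blackhole_collateral(ip, 22))
    print(hijacked_resolvers(["8.8.8.8", "5.45.75.11"]))
```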