CPE dns hijacking malware

Larry Sheldon LarrySheldon at cox.net
Tue Nov 12 21:59:58 UTC 2013


On 11/12/2013 3:54 PM, Larry Sheldon wrote:
> On 11/12/2013 3:24 PM, Larry Sheldon wrote:
>> On 11/12/2013 12:12 AM, Dobbins, Roland wrote:
>>>
>>> On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog at tiedyenetworks.com>
>>> wrote:
>>>
>>>> It appears that some of my subscribers DSL modems (which are acting
>>>> as nat routers) have had their dns settings hijacked and presumably
>>>> for serving ads or some such nonsense.
>>>
>>> How do you think this was accomplished?  Via some kind of Web exploit
>>> customized for those devices and targeting your user population via
>>> email or social media, which tricked users into clicking on something
>>> that accessed the Web admin interface via default admin credentials
>>> or somesuch; or via some direct attack on the CPE devices
>>> themselves; or via some other method?
>>
>> I am less well informed here than in a lot of other things, so please be
>> gentle.
>>
>> As a user of such equipment, I don't see or know of anything in the I/F
>> that I have access-to that mentions DNSish stuff except the servers I am
>> to use.
>>
>> But interestingly enough, when I tried to look at it to verify my
>> beliefs just no I got a certificate error that it won't let me past.
>>
>> That seems odd.
>>
>
> Meant to send this to the list.
>
> The on-line chat to Linksys was unsatisfying, but for want of something
> to do I dropped the "s" in "https" and got on the router just fine. Makes
> you wonder if I understand "certificates".
>
> But I do not see anything that looks like I can affect DNS beyond which
> servers I use.

And I don't know a way to get on Cox's "cable modem" at all.

-- 
Requiescas in pace o email           Two identifying characteristics
                                         of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                         learn from their mistakes.
                                           (Adapted from Stephen Pinker)