CPE dns hijacking malware

Tom Morris blueneon at gmail.com
Tue Nov 12 22:54:20 UTC 2013


As I recall, the unit in question had a severely flawed "auto" channel
selection algorithm that always, without fail, landed on the first OCCUPIED
channel. It was pretty terrible.


On Tue, Nov 12, 2013 at 4:18 PM, James Sink <james.sink at freedomvoice.com> wrote:

> "Personally I have fond memories of going into my neighbor's router,
> flashing it with dd-wrt which allowed manual channel setting, and moving it
> off of the same wifi channel mine was on.... That was probably not a great
> idea, but you do what you have to sometimes."
>
> Props on that, but wouldn't it have been easier to simply change your
> channel setting?
> -James
>
> -----Original Message-----
> From: Tom Morris [mailto:blueneon at gmail.com]
> Sent: Tuesday, November 12, 2013 9:59 AM
> Cc: NANOG list
> Subject: Re: CPE dns hijacking malware
>
> EXTREMELY common. Almost all Comcast Cable CPE has this same login,
> cusadmin / highspeed. At least on AT&T U-Verse gear, there's a sticker on
> the modem with the password, which is a hash of the serial number or
> something equally unique.
>
> Almost all home routers also tend to have the default credentials.
>
> I'm actually surprised it was this long before XSS exploits and similar
> garbage started hitting them.
>
> Personally I have fond memories of going into my neighbor's router,
> flashing it with dd-wrt which allowed manual channel setting, and moving it
> off of the same wifi channel mine was on.... That was probably not a great
> idea, but you do what you have to sometimes.
>
>
> On Tue, Nov 12, 2013 at 10:57 AM, Matthew Galgoci <mgalgoci at redhat.com> wrote:
>
> > > Date: Tue, 12 Nov 2013 06:35:51 +0000
> > > From: "Dobbins, Roland" <rdobbins at arbor.net>
> > > To: NANOG list <nanog at nanog.org>
> > > Subject: Re: CPE  dns hijacking malware
> > >
> > >
> > > On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell at utc.edu> wrote:
> > >
> > > > (2) DHCP hijacking daemon installed on the client, supplying the
> > > > hijacker's DNS servers on a DHCP renewal.  Have seen both, the latter
> > > > being more common, and the latter will expand across the entire home
> > > > subnet in time (based on your lease interval)
> > >
> > > I'd (perhaps wrongly) assumed that this probably wasn't the case, as
> > > the OP referred to the CPE devices themselves as being malconfigured; it
> > > would be helpful to know if the OP can supply more information, and
> > > whether or not he'd a chance to examine the affected CPE/end-customer
> > > setups.
> > >
> >
> > I have encountered a family member's provider-supplied CPE that had the
> > web server exposed on the public interface with default credentials
> > still in place. It's probably more common than one would expect.
> >
> > --
> > Matthew Galgoci
> > Network Operations
> > Red Hat, Inc
> > 919.754.3700 x44155
> > ------------------------------
> > "It's not whether you get knocked down, it's whether you get up." -
> > Vince Lombardi
> >
> >
>
>
> --
> --
> Tom Morris, KG4CYX
> Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
> 786-228-7087
> 151.820 Megacycles
>
>


-- 
--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles
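The quoted discussion above describes a hijacking daemon that hands out the attacker's DNS servers through DHCP, so that every client on the home subnet picks them up as leases renew. The following added example (not code from any poster in this thread, and not from NANOG) shows the defender-side check: it parses the RFC 2132 option area of a DHCP reply, extracts option 6 (Domain Name Server) and option 51 (lease time), and flags any resolver that is not on an allowlist. The allowlist addresses and the DHCP ACK payloads are constructed for the example, not captured from a real network.

```python
"""Flag rogue DNS servers handed out in DHCP OFFER/ACK replies.

Parses the BOOTP/DHCP option area (RFC 2132 TLV encoding) and compares
option 6 (Domain Name Server) against an allowlist of expected resolvers.
All packet bytes and addresses below are constructed for illustration.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the options
OPT_PAD = 0
OPT_DNS = 6        # Domain Name Server option
OPT_LEASE = 51     # IP address lease time (seconds, network order)
OPT_MSGTYPE = 53   # DHCP message type (5 = DHCPACK)
OPT_END = 255


def parse_dhcp_options(payload):
    """Return {option_code: raw_value} from a DHCP payload.

    payload is the 236-byte BOOTP header followed by the magic cookie and
    the TLV option list. Repeated codes are concatenated (RFC 3396).
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dns_servers(opts):
    """Decode option 6 into a list of dotted-quad strings."""
    raw = opts.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_reply(payload, allowed_dns):
    """Return the offered resolvers, the ones not on the allowlist, and the lease."""
    opts = parse_dhcp_options(payload)
    servers = dns_servers(opts)
    rogue = [s for s in servers if s not in allowed_dns]
    lease = struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None
    return {"dns": servers, "rogue": rogue, "lease_seconds": lease}


def build_sample_ack(dns, lease_seconds):
    """Construct a minimal DHCPACK payload for testing (not a real capture)."""
    header = bytearray(236)
    header[0] = 2   # op = BOOTREPLY
    header[1] = 1   # htype = Ethernet
    header[2] = 6   # hlen
    body = bytes(header) + DHCP_MAGIC
    body += bytes([OPT_MSGTYPE, 1, 5])  # DHCPACK
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in dns)
    body += bytes([OPT_DNS, len(addrs)]) + addrs
    body += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_seconds)
    body += bytes([OPT_END])
    return body


if __name__ == "__main__":
    # Constructed allowlist: the resolvers the CPE is expected to hand out.
    allowed = {"192.0.2.53", "192.0.2.54"}
    clean = build_sample_ack(["192.0.2.53"], 3600)
    tampered = build_sample_ack(["198.51.100.9", "192.0.2.53"], 600)
    for name, pkt in (("clean", clean), ("tampered", tampered)):
        print(name, check_reply(pkt, allowed))
```

Run against real traffic, the payload would come from a DHCP sniffer on the LAN; a short lease combined with an unexpected option 6 value is the pattern the quoted message describes, since the short interval is what lets the rogue resolver spread to every host as leases are renewed.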


