CPE dns hijacking malware

Matthew Galgoci mgalgoci at redhat.com
Tue Nov 12 15:57:20 UTC 2013

> Date: Tue, 12 Nov 2013 06:35:51 +0000
> From: "Dobbins, Roland" <rdobbins at arbor.net>
> To: NANOG list <nanog at nanog.org>
> Subject: Re: CPE dns hijacking malware
> On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell at utc.edu> wrote:
> > (2) DHCP hijacking daemon installed on the client, supplying the hijacker's DNS servers on a DHCP renewal.  Have seen both, the latter being more
> > common, and the latter will expand across the entire home subnet in time (based on your lease interval)
> I'd (perhaps wrongly) assumed that this probably wasn't the case, as the OP referred to the CPE devices themselves as being malconfigured; it would be helpful to know if the OP can supply more information, and whether or not he'd a chance to examine the affected CPE/end-customer setups.

I have encountered a family member's provider-supplied CPE that had the
web server exposed on the public interface with default credentials still
in place. It's probably more common than one would expect.

Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
"It's not whether you get knocked down, it's whether you get up." - Vince Lombardi
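The mechanism Jeff describes above, a rogue DHCP daemon on one client handing the hijacker's DNS servers to the rest of the home subnet as leases renew, can be caught from the LAN side by auditing DHCP traffic. The following is an added example, not code from anyone in this thread; it assumes a hypothetical "dhcp-mon" syslog format (constructed here, not a real tool's output) and checks each OFFER/ACK for a server other than the real CPE and for DNS servers outside the provider's allow-list.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample, one line per DHCP OFFER/ACK seen on the home LAN, in a
# hypothetical "dhcp-mon" syslog format (not any real daemon's log output).
SAMPLE_LOG = """\
Nov 12 06:35:51 gw dhcp-mon: ACK server=192.168.1.1 client=192.168.1.23 dns=192.168.1.1 lease=86400
Nov 12 06:36:02 gw dhcp-mon: OFFER server=192.168.1.1 client=192.168.1.30 dns=192.168.1.1,8.8.8.8 lease=86400
Nov 12 06:40:17 gw dhcp-mon: ACK server=192.168.1.77 client=192.168.1.23 dns=203.0.113.9,203.0.113.10 lease=600
Nov 12 06:41:00 gw dhcp-mon: ACK server=192.168.1.1 client=192.168.1.40 dns=198.51.100.5 lease=86400
"""

LINE_RE = re.compile(
    r"dhcp-mon: (?P<msg>OFFER|ACK) server=(?P<server>\S+) client=(?P<client>\S+) "
    r"dns=(?P<dns>\S+) lease=(?P<lease>\d+)"
)


@dataclass
class Finding:
    client: str   # lease recipient that got the suspicious message
    reason: str   # "rogue-dhcp-server" or "unexpected-dns"
    detail: str   # the offending server or DNS address


def audit_dhcp_log(text, expected_server, allowed_dns):
    """Return Findings for DHCP messages that come from a server other than
    the real CPE (a DHCP daemon running on a compromised client) or that hand
    out DNS resolvers outside the provider's allow-list (IPs or CIDR blocks)."""
    allowed = [ip_network(n) for n in allowed_dns]
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        server, client = m["server"], m["client"]
        if server != expected_server:
            findings.append(Finding(client, "rogue-dhcp-server", server))
        for dns in m["dns"].split(","):
            if not any(ip_address(dns) in net for net in allowed):
                findings.append(Finding(client, "unexpected-dns", dns))
    return findings


if __name__ == "__main__":
    for f in audit_dhcp_log(SAMPLE_LOG, "192.168.1.1", ["192.168.1.1", "8.8.8.0/24"]):
        print(f"{f.client}: {f.reason} ({f.detail})")
```

Note that the rogue server's ACK carries a short lease; the takeover of the subnet completes once every client has renewed, which is why the lease interval governs how fast the hijack spreads.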
