CPE dns hijacking malware

James Sink james.sink at freedomvoice.com
Tue Nov 12 21:18:10 UTC 2013


"Personally I have fond memories of going into my neighbor's router, flashing it with dd-wrt which allowed manual channel setting, and moving it off of the same wifi channel mine was on.... That was probably not a great idea, but you do what you have to sometimes."

Props on that, but wouldn't it have been easier to simply change your channel setting?
-James

-----Original Message-----
From: Tom Morris [mailto:blueneon at gmail.com] 
Sent: Tuesday, November 12, 2013 9:59 AM
Cc: NANOG list
Subject: Re: CPE dns hijacking malware

EXTREMELY common. Almost all Comcast Cable CPE has this same login, cusadmin / highspeed At least on AT&T U-Verse gear, there's a sticker on the modem with the password which is a hash of the serial number or something equally unique.

Almost all home routers also tend to have the default credentials.

I'm actually surprised it was this long before XSS exploits and similar garbage started hitting them.

Personally I have fond memories of going into my neighbor's router, flashing it with dd-wrt which allowed manual channel setting, and moving it off of the same wifi channel mine was on.... That was probably not a great idea, but you do what you have to sometimes.


On Tue, Nov 12, 2013 at 10:57 AM, Matthew Galgoci <mgalgoci at redhat.com>wrote:

> > Date: Tue, 12 Nov 2013 06:35:51 +0000
> > From: "Dobbins, Roland" <rdobbins at arbor.net>
> > To: NANOG list <nanog at nanog.org>
> > Subject: Re: CPE  dns hijacking malware
> >
> >
> > On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell at utc.edu> wrote:
> >
> > > (2) DHCP hijacking daemon installed on the client, supplying the
> hijacker's DNS servers on a DHCP renewal.  Have seen both, the latter 
> being more
> > > common, and the latter will expand across the entire home subnet 
> > > in
> time (based on your lease interval)
> >
> > I'd (perhaps wrongly) assumed that this probably wasn't the case, as 
> > the
> OP referred to the CPE devices themselves as being malconfigured; it 
> would be helpful to know if the OP can supply more information, and 
> whether or not he'd a chance to examine the affected CPE/end-customer setups.
> >
>
> I have encountered a family members provider supplied CPE that had the 
> web server exposed on the public interface with default credentials 
> still in place. It's probably more common than one would expect.
>
> --
> Matthew Galgoci
> Network Operations
> Red Hat, Inc
> 919.754.3700 x44155
> ------------------------------
> "It's not whether you get knocked down, it's whether you get up." - 
> Vince Lombardi
>
>


--
--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles




More information about the NANOG mailing list