CPE dns hijacking malware

Larry Sheldon LarrySheldon at cox.net
Tue Nov 12 21:54:19 UTC 2013

On 11/12/2013 3:24 PM, Larry Sheldon wrote:
> On 11/12/2013 12:12 AM, Dobbins, Roland wrote:
>> On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog at tiedyenetworks.com>
>> wrote:
>>> It appears that some of my subscribers DSL modems (which are acting
>>> as nat routers) have had their dns settings hijacked and presumably
>>> for serving ads or some such nonsense.
>> How do you think this was accomplished?  Via some kind of Web exploit
>> customized for those devices and targeting your user population via
>> email or social media, which tricked users into clicking on something
>> that accessed the Web admin interface via default admin credentials
>> or somesuch; or via some direct attack on the CPE devices
>> themselves; or via some other method?
> I am less well informed here than in a lot of other things, so please be
> gentle.
> As a user of such equipment, I don't see or know of anything in the I/F
> that I have access-to that mentions DNSish stuff except the servers I am
> to use.
> But interestingly enough, when I tried to look at it to verify my
> beliefs just now I got a certificate error that it won't let me past.
> That seems odd.

Meant to send this to the list.

The on-line chat to Linksys was subsatisfying, but for want of something
to do I dropped the "s" in "https" and got on the router just fine.
Makes you wonder if I understand "certificates".

But I do not see anything that looks like I can affect DNS beyond which 
servers I use.
Requiescas in pace o email           Two identifying characteristics
                                         of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                         learn from their mistakes.
                                           (Adapted from Stephen Pinker)
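Mike's original report (subscriber CPE with hijacked DNS settings, presumably pointed at ad-serving resolvers) raises the operator-side question of how to spot the affected subscribers without logging into each modem. The script below is an added example, not code from the NANOG thread or from any poster: it walks a constructed, NetFlow-like export of "src dst proto dport packets" records and flags subscribers whose port-53 traffic mostly goes to resolvers the ISP never handed out. The resolver addresses, the subscriber pool and the flow lines are all invented for illustration; a real deployment would feed it the ISP's actual resolver list and its flow collector's output.

```python
# Added example (not from the NANOG thread): flag subscribers whose CPE is
# sending DNS queries to resolvers the ISP never handed out, using flow records.
from collections import defaultdict
import ipaddress

# Assumption: the ISP's legitimate resolvers (hypothetical documentation addresses).
ISP_RESOLVERS = {
    ipaddress.ip_network("192.0.2.53/32"),
    ipaddress.ip_network("192.0.2.54/32"),
}

# Assumption: the subscriber address pool (hypothetical).
SUBSCRIBER_POOL = ipaddress.ip_network("198.51.100.0/24")

# Constructed flow records in the shape "src_ip dst_ip proto dst_port packets",
# a stripped-down stand-in for a NetFlow/IPFIX export. Invented for this example;
# the malformed last line shows that junk records are skipped, not fatal.
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.53 udp 53 120
198.51.100.10 203.0.113.80 tcp 80 40
198.51.100.11 192.0.2.53 udp 53 15
198.51.100.11 203.0.113.7 udp 53 210
198.51.100.11 203.0.113.7 udp 53 95
198.51.100.12 203.0.113.7 udp 53 300
198.51.100.12 192.0.2.54 udp 53 2
203.0.113.90 198.51.100.12 tcp 443 30
bad line here
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport, packets) tuples; silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[3])
            pkts = int(parts[4])
        except ValueError:
            continue
        yield src, dst, parts[2].lower(), dport, pkts


def is_isp_resolver(addr):
    """True if addr falls inside one of the ISP's published resolver prefixes."""
    return any(addr in net for net in ISP_RESOLVERS)


def dns_destinations(text):
    """Per-subscriber packet counts to each DNS destination (udp/tcp port 53)."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport, pkts in parse_flows(text):
        # Only subscriber-originated DNS traffic is interesting here.
        if src not in SUBSCRIBER_POOL or dport != 53 or proto not in ("udp", "tcp"):
            continue
        counts[src][dst] += pkts
    return counts


def flag_hijacked(text, min_ratio=0.5, min_packets=50):
    """Return {subscriber: [(foreign_resolver, packets), ...]} for subscribers that
    send at least min_ratio of their DNS packets, and at least min_packets in total,
    to resolvers outside ISP_RESOLVERS. A user who deliberately configured a public
    resolver will also show up, so this is a triage list, not proof of compromise."""
    flagged = {}
    for sub, dests in dns_destinations(text).items():
        total = sum(dests.values())
        foreign = [(d, n) for d, n in dests.items() if not is_isp_resolver(d)]
        foreign_pkts = sum(n for _, n in foreign)
        if total >= min_packets and foreign_pkts / total >= min_ratio:
            flagged[str(sub)] = sorted(
                ((str(d), n) for d, n in foreign), key=lambda item: -item[1]
            )
    return flagged


if __name__ == "__main__":
    for sub, resolvers in flag_hijacked(SAMPLE_FLOWS).items():
        print(sub, "->", resolvers)
```

Run against the constructed sample, 198.51.100.11 and 198.51.100.12 are flagged (nearly all their DNS traffic goes to 203.0.113.7) while 198.51.100.10, which only talks to the ISP resolver, is not. The thresholds exist because a subscriber who intentionally set a third-party resolver looks the same on the wire; the list is where to start phoning people or checking the CPE admin page, not a verdict.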

More information about the NANOG mailing list