CPE dns hijacking malware
Larry Sheldon
LarrySheldon at cox.net
Tue Nov 12 21:54:19 UTC 2013
On 11/12/2013 3:24 PM, Larry Sheldon wrote:
> On 11/12/2013 12:12 AM, Dobbins, Roland wrote:
>>
>> On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog at tiedyenetworks.com>
>> wrote:
>>
>>> It appears that some of my subscribers' DSL modems (which are acting
>>> as NAT routers) have had their DNS settings hijacked, presumably
>>> for serving ads or some such nonsense.
>>
>> How do you think this was accomplished? Via some kind of Web exploit
>> customized for those devices and targeting your user population via
>> email or social media, which tricked users into clicking on something
>> that accessed the Web admin interface via default admin credentials
>> or somesuch; or via some direct attack on the CPE devices
>> themselves; or via some other method?
>
> I am less well informed here than in a lot of other things, so please be
> gentle.
>
> As a user of such equipment, I don't see or know of anything in the I/F
> that I have access-to that mentions DNSish stuff except the servers I am
> to use.
>
> But interestingly enough, when I tried to look at it to verify my
> beliefs just now I got a certificate error that it won't let me past.
>
> That seems odd.
>
Meant to send this to the list.
The on-line chat to Linksys was subsatisfying, but for want of something
to do I dropped the "s" in "https" and got on the router just fine.
Makes you wonder if I understand "certificates".
But I do not see anything that looks like I can affect DNS beyond which
servers I use.
--
Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
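Mike's report is that the CPE's DNS settings were changed, and Larry notes that a subscriber may not even be able to see those settings in the router's web interface. From the ISP side the change is still visible: a CPE forwarding its LAN clients' lookups to an attacker-chosen resolver sends port 53 traffic to an address outside the ISP's own resolvers. The script below is an added example, not code from the thread or from any of its participants; it checks constructed flow records against a hypothetical set of ISP resolver addresses and reports which subscriber addresses are sending DNS to somewhere else. All addresses and flow counts are made up.

```python
"""Flag subscriber CPE whose DNS queries go to resolvers outside the ISP's
own set. A CPE with hijacked DNS settings forwards its clients' lookups to
the attacker's resolver, so the change shows up in port 53 flow records even
when the CPE's web UI does not expose the setting. Everything below is
constructed sample data, not from the NANOG thread."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP resolver addresses (constructed).
ISP_RESOLVERS = {ip_address("203.0.113.53"), ip_address("203.0.113.54")}

# Well-known public resolvers a subscriber may have chosen on purpose
# (constructed placeholders; fill in with real ones to cut noise).
KNOWN_PUBLIC = {ip_address("192.0.2.200")}

# Subscriber address pool the CPE devices live in (constructed).
SUBSCRIBER_POOL = ip_network("198.51.100.0/24")

# Constructed flow records: (src_ip, dst_ip, dst_port, packets).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.53", 53, 120),   # normal: ISP resolver
    ("198.51.100.11", "203.0.113.54", 53, 98),    # normal: ISP resolver
    ("198.51.100.12", "192.0.2.7", 53, 215),      # almost all DNS to a rogue resolver
    ("198.51.100.12", "203.0.113.53", 53, 3),     # a few leftover queries to the ISP
    ("198.51.100.13", "192.0.2.7", 53, 180),      # same rogue resolver, second CPE
    ("198.51.100.14", "203.0.113.53", 443, 40),   # not DNS, ignored
    ("198.51.100.15", "192.0.2.99", 53, 1),       # one-off query, below threshold
    ("198.51.100.16", "192.0.2.200", 53, 77),     # deliberate public resolver, ignored
    ("192.0.2.250", "192.0.2.7", 53, 500),        # not in the subscriber pool, ignored
]


def rogue_resolver_report(flows, isp_resolvers=ISP_RESOLVERS,
                          known_public=KNOWN_PUBLIC, pool=SUBSCRIBER_POOL,
                          min_packets=10):
    """Return {rogue_resolver: sorted subscriber IPs} for subscribers in `pool`
    that sent at least `min_packets` DNS packets to a resolver that is neither
    an ISP resolver nor a known public one. The threshold drops one-off
    lookups (a single direct query is not evidence of a changed setting)."""
    per_pair = defaultdict(int)
    for src, dst, dport, pkts in flows:
        s, d = ip_address(src), ip_address(dst)
        if dport != 53 or s not in pool:
            continue
        if d in isp_resolvers or d in known_public:
            continue
        per_pair[(d, s)] += pkts

    report = defaultdict(list)
    for (d, s), pkts in per_pair.items():
        if pkts >= min_packets:
            report[str(d)].append(str(s))
    return {resolver: sorted(subs) for resolver, subs in report.items()}


def shared_rogue_resolvers(report, min_subscribers=2):
    """Resolvers used by several subscribers at once. One subscriber pointing
    at an odd resolver may be a personal choice; many subscribers converging
    on the same unknown resolver is the pattern a CPE-wide hijack produces."""
    return sorted(r for r, subs in report.items() if len(subs) >= min_subscribers)


if __name__ == "__main__":
    rep = rogue_resolver_report(SAMPLE_FLOWS)
    for resolver, subs in rep.items():
        print(f"{resolver}: {', '.join(subs)}")
    print("shared:", shared_rogue_resolvers(rep))
```

In practice the flow records would come from NetFlow/IPFIX or a similar export at the subscriber edge, and the public-resolver set would be populated with the real addresses so that a customer who deliberately chose one is not flagged. The output is a lead list for contacting subscribers, not proof by itself: a CPE that has been switched to an encrypted resolver on port 853 or 443 will not appear in port 53 flows, and a subscriber running their own recursive resolver behind the CPE will show queries to many authoritative servers rather than to one resolver.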