CPE dns hijacking malware

Larry Sheldon LarrySheldon at cox.net
Tue Nov 12 21:59:58 UTC 2013

On 11/12/2013 3:54 PM, Larry Sheldon wrote:
> On 11/12/2013 3:24 PM, Larry Sheldon wrote:
>> On 11/12/2013 12:12 AM, Dobbins, Roland wrote:
>>> On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog at tiedyenetworks.com>
>>> wrote:
>>>> It appears that some of my subscribers DSL modems (which are acting
>>>> as nat routers) have had their dns settings hijacked and presumably
>>>> for serving ads or some such nonsense.
>>> How do you think this was accomplished?  Via some kind of Web exploit
>>> customized for those devices and targeting your user population via
>>> email or social media, which tricked users into clicking on something
>>> that accessed the Web admin interface via default admin credentials
>>> or some such; or via some direct attack on the CPE devices
>>> themselves; or via some other method?
>> I am less well informed here than in a lot of other things, so please be
>> gentle.
>> As a user of such equipment, I don't see or know of anything in the I/F
>> that I have access-to that mentions DNSish stuff except the servers I am
>> to use.
>> But interestingly enough, when I tried to look at it to verify my
>> beliefs just now, I got a certificate error that it won't let me past.
>> That seems odd.
> Meant to send this to the list.
> The on-line chat to Linksys was unsatisfying, but for want of something
> to do I dropped the "s" in "https" and got on the router just fine. Makes
> you wonder if I understand "certificates".
> But I do not see anything that looks like I can affect DNS beyond which
> servers I use.

And I don't know a way to get on Cox's "cable modem" at all.

Requiescas in pace o email           Two identifying characteristics
                                         of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                         learn from their mistakes.
                                           (Adapted from Stephen Pinker)
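A way to check for the hijacking described at the top of the thread (CPE resolver settings changed so that lookups go through an attacker's server) is to compare what a subscriber's configured resolver answers for a canary name against what a resolver you trust answers, and separately to flag any configured resolver that is not one the ISP hands out. The following is an added example written for this page, not code from any poster; the canary name, the resolver addresses and the response bytes are constructed so that it runs offline, and `live_query` is the only piece that touches the network.

```python
import socket
import struct

# Assumed values, constructed for this example only.
CANARY = "canary.example"
ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}


def _encode_name(name):
    # Wire-format name: length-prefixed labels, terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    # Standard query, recursion desired, one question of type A, class IN.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, qid, ips, ttl=300):
    # Constructed resolver reply so the comparison can run with no network.
    # Each answer name is a compression pointer (0xC00C) to the question name.
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _skip_name(data, off):
    # Advance past a name, whether written out in full or as a 2-byte pointer.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data, expected_qid):
    # Returns (rcode, [A-record addresses]); rejects replies for another query id.
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # name, then QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips


def resolver_looks_hijacked(trusted_ips, suspect_ips):
    # Any address the trusted resolver did not return for the canary is a red flag.
    return not set(suspect_ips) <= set(trusted_ips)


def unexpected_resolvers(configured, allowed=ISP_RESOLVERS):
    # Resolvers on a CPE that the ISP never handed out, e.g. pulled from a config backup.
    return sorted(set(configured) - set(allowed))


def live_query(server, name=CANARY, qid=0x1234, timeout=2.0):
    # Real UDP lookup against one resolver; not exercised in the offline demo.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, qid)


def demo():
    # Trusted resolver and the subscriber's resolver disagree on the canary.
    qid = 0x2A2A
    _, trusted = parse_response(build_response(CANARY, qid, ["198.51.100.10"]), qid)
    _, suspect = parse_response(build_response(CANARY, qid, ["203.0.113.7"]), qid)
    return resolver_looks_hijacked(trusted, suspect)


if __name__ == "__main__":
    print("hijacked:", demo())
    print("unexpected resolvers:", unexpected_resolvers(["198.51.100.53", "203.0.113.53"]))
```

Comparing answers rather than only the configured addresses matters because a hijacked CPE may still list plausible-looking resolvers; the canary comparison catches a server that answers correctly for most names but substitutes its own addresses for the ones it wants to intercept, provided the canary is one of those names.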

More information about the NANOG mailing list