Hackers hijack 300,000-plus wireless routers, make malicious changes | Ars Technica
Andrew Latham
lathama at gmail.com
Tue Mar 4 11:54:40 UTC 2014
On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan at fakmoymozg.ru> wrote:
> On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra at baylink.com> wrote:
>
>>
>> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
>>
>> Is there any valid reason not to black hole those /32s on the backbone?
>
>
>
>>> The telltale sign a router has been compromised is DNS settings that have
>>> been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
>>> the provider that hosts those two IP addresses but have yet to receive a
>>> response.
>
>
> You wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
> you?
>
>
> Cheers
>
Jay is right, it is just the /32s at the moment... Dropping the /22s
could cause other sites to be blocked.
inetnum: 5.45.72.0 - 5.45.75.255
netname: INFERNO-NL-DE
descr: ********************************************************
descr: * We provide virtual and dedicated servers on this Subnet.
descr: *
descr: * Those services are self managed by our customers
descr: * therefore, we are not using this IP space ourselves
descr: * and it could be assigned to various end customers.
descr: *
descr: * In case of issues related with SPAM, Fraud,
descr: * Phishing, DDoS, portscans or others,
descr: * feel free to contact us with relevant info
descr: * and we will shut down this server: abuse at 3nt.com
descr: ********************************************************
country: NL
admin-c: TNTS-RIPE
tech-c: TNTS-RIPE
status: ASSIGNED PA
mnt-by: MNT-3NT
mnt-routes: serverius-mnt
source: RIPE # Filtered
--
~ Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~
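
Added example, not part of the message above or of anyone's post in this thread: a Python sketch that compares the collateral of null-routing the two /32s against the two /22s discussed, and flags devices whose DNS settings match the telltale resolvers. The device IDs and the inventory format are hypothetical, constructed for illustration.

```python
import ipaddress

# Resolver addresses named in the quoted Ars Technica excerpt.
ROGUE_DNS = [ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.76.36")]
# The wider prefixes suggested in the thread.
WIDE_PREFIXES = [ipaddress.ip_network(p) for p in ("5.45.72.0/22", "5.45.76.0/22")]

def host_routes(addresses):
    """One host route (/32 for IPv4) per address."""
    return [ipaddress.ip_network(f"{a}/{a.max_prefixlen}") for a in addresses]

def collateral(prefixes, targets):
    """Count addresses the prefixes would drop that are not intended targets."""
    nets = list(ipaddress.collapse_addresses(prefixes))
    covered = sum(n.num_addresses for n in nets)
    hit = sum(1 for t in set(targets) if any(t in n for n in nets))
    return covered - hit

def compromised_clients(dns_settings):
    """Return IDs of devices whose configured resolvers include a rogue address."""
    flagged = []
    for device, resolvers in dns_settings.items():
        for value in resolvers:
            try:
                addr = ipaddress.ip_address(value.strip())
            except ValueError:
                continue  # empty or malformed field: not an indicator match
            if addr in ROGUE_DNS:
                flagged.append(device)
                break
    return sorted(flagged)

# Constructed sample inventory (hypothetical device IDs, documentation-range resolvers).
SAMPLE_INVENTORY = {
    "cpe-001": ["5.45.75.11", "5.45.76.36"],
    "cpe-002": ["192.0.2.53", "198.51.100.53"],
    "cpe-003": [" 5.45.76.36", "203.0.113.53"],
    "cpe-004": ["", "not-set"],
}

if __name__ == "__main__":
    print("collateral with /32s:", collateral(host_routes(ROGUE_DNS), ROGUE_DNS))
    print("collateral with /22s:", collateral(WIDE_PREFIXES, ROGUE_DNS))
    print("devices to remediate:", compromised_clients(SAMPLE_INVENTORY))
```

The two /22s are adjacent and collapse to a single /21, which is why the wider block takes out every other customer in the range shown in the whois record.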