nanog mailing list archives
Re: CPE dns hijacking malware
From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 12 Nov 2013 01:17:51 -0500
On 11/12/2013 1:12 AM, Dobbins, Roland wrote:
> On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog () tiedyenetworks com> wrote:
>> It appears that some of my subscribers' DSL modems (which are acting as NAT routers) have had their DNS settings hijacked, presumably for serving ads or some such nonsense.
> How do you think this was accomplished? Via some kind of Web exploit customized for those devices and targeting your user population via email or social media, which tricked users into clicking on something that accessed the Web admin interface via default admin credentials or somesuch; or via some direct attack on the CPE devices themselves; or via some other method?
Basically two cases... (1) XSS attack on the router using default (or dictionary) credentials to set the DNS server on the router, or (2) a DHCP hijacking daemon installed on the client, supplying the hijacker's DNS servers on a DHCP renewal. Have seen both, the latter being more common, and the latter will expand across the entire home subnet in time (based on your lease interval).

Jeff
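As an added example (not from the thread), a defender-side check for the second case Jeff describes: parse the RFC 2132 option TLVs from DHCP offers seen on the home subnet and flag any whose server identifier (option 54) or DNS list (option 6) is not the expected CPE. The sample offers and the 192.168.1.x / 198.51.100.x addresses are constructed.

```python
"""Flag DHCP offers that hand out unexpected DNS servers (added example)."""
import ipaddress

OPT_PAD, OPT_DNS, OPT_SERVER_ID, OPT_END = 0, 6, 54, 255


def parse_options(options: bytes) -> dict:
    """Parse RFC 2132 TLV options (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad octets have no length byte
            i += 1
            continue
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Split a run of 4-byte addresses; a trailing partial address is ignored."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(options: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Return findings for one offer; an empty list means it matches the expected CPE."""
    opts = parse_options(options)
    findings = []
    server = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    if server and server[0] not in trusted_servers:
        findings.append(f"unexpected DHCP server identifier {server[0]}")
    for dns in ipv4_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"unexpected DNS server {dns}")
    return findings


def build_options(server_id: str, dns: list) -> bytes:
    """Build a constructed options field with only the options this check inspects."""
    out = bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    raw_dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return out + bytes([OPT_DNS, len(raw_dns)]) + raw_dns + bytes([OPT_END])


if __name__ == "__main__":
    trusted = {"192.168.1.1"}                      # constructed: the CPE's LAN address
    legit = build_options("192.168.1.1", ["192.168.1.1"])
    rogue = build_options("192.168.1.57", ["198.51.100.23", "198.51.100.24"])
    print("CPE offer:", check_offer(legit, trusted, trusted))
    print("rogue offer:", check_offer(rogue, trusted, trusted))
```

A rogue daemon on an infected host answers DISCOVER/REQUEST with its own address in option 54, so the server identifier check catches it even when it copies the CPE's DNS list.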