nanog mailing list archives

Re: CPE dns hijacking malware


From: Tom Morris <blueneon () gmail com>
Date: Tue, 12 Nov 2013 12:58:46 -0500

EXTREMELY common. Almost all Comcast Cable CPE has this same login,
cusadmin / highspeed
At least on AT&T U-Verse gear, there's a sticker on the modem with the
password which is a hash of the serial number or something equally unique.

Almost all home routers also tend to have the default credentials.

I'm actually surprised it was this long before XSS exploits and similar
garbage started hitting them.

Personally I have fond memories of going into my neighbor's router,
flashing it with dd-wrt which allowed manual channel setting, and moving it
off of the same wifi channel mine was on.... That was probably not a great
idea, but you do what you have to sometimes.


On Tue, Nov 12, 2013 at 10:57 AM, Matthew Galgoci <mgalgoci () redhat com> wrote:

Date: Tue, 12 Nov 2013 06:35:51 +0000
From: "Dobbins, Roland" <rdobbins () arbor net>
To: NANOG list <nanog () nanog org>
Subject: Re: CPE dns hijacking malware


On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell () utc edu> wrote:

(2) DHCP hijacking daemon installed on the client, supplying the
hijacker's DNS servers on a DHCP renewal.  Have seen both, the latter being
more common, and the latter will expand across the entire home subnet in
time (based on your lease interval)

I'd (perhaps wrongly) assumed that this probably wasn't the case, as the
OP referred to the CPE devices themselves as being malconfigured; it would
be helpful to know if the OP can supply more information, and whether or
not he'd a chance to examine the affected CPE/end-customer setups.


I have encountered a family member's provider-supplied CPE that had the
web server exposed on the public interface with default credentials still
in place. It's probably more common than one would expect.

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
------------------------------
"It's not whether you get knocked down, it's whether you get up." - Vince
Lombardi




--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles
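As an added, defender-side example (not written by anyone in this thread): a small Python audit that parses dhclient-style lease blocks and flags any lease whose DHCP-supplied resolvers fall outside an allowlist, which is how the "hijacker's DNS servers on a DHCP renewal" pattern Jeff describes would show up on an affected client. The lease text, the allowlist ranges and all addresses are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in ISC dhclient.leases syntax; the second lease carries
# an extra resolver outside the ISP's range, the symptom the thread describes.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  option dhcp-lease-time 86400;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,198.51.100.7;
  option dhcp-lease-time 600;
}
"""

# Placeholder allowlist: the CPE itself plus a hypothetical ISP resolver block.
TRUSTED_RESOLVERS = [ip_network("192.168.1.1/32"), ip_network("203.0.113.0/24")]

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")

def parse_leases(text):
    """Return one {option-name: value} dict per lease block."""
    return [{k: v.strip() for k, v in OPTION_RE.findall(body)}
            for body in LEASE_RE.findall(text)]

def rogue_resolvers(lease, trusted=TRUSTED_RESOLVERS):
    """DNS servers handed out in this lease that sit outside every trusted net."""
    raw = lease.get("domain-name-servers", "")
    servers = [ip_address(s.strip()) for s in raw.split(",") if s.strip()]
    return [str(s) for s in servers if not any(s in net for net in trusted)]

def audit(text, trusted=TRUSTED_RESOLVERS):
    """Flag leases with untrusted resolvers; report the lease time too, since
    a short lease lets a rogue server reach every host on the subnet quickly."""
    findings = []
    for i, lease in enumerate(parse_leases(text)):
        bad = rogue_resolvers(lease, trusted)
        if bad:
            findings.append({"lease": i, "rogue_dns": bad,
                             "lease_time": int(lease.get("dhcp-lease-time", 0))})
    return findings
```

Run `audit(open("/var/lib/dhcp/dhclient.leases").read())` on a real client (path varies by distribution) and any non-empty result is worth a look at the CPE.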

