nanog mailing list archives

Re: Hackers hijack 300,000-plus wireless routers, make malicious changes | Ars Technica


From: Andrew Latham <lathama () gmail com>
Date: Tue, 4 Mar 2014 05:54:40 -0600

On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan () fakmoymozg ru> wrote:
On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra () baylink com> wrote:


http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/

Is there any valid reason not to black hole those /32s on the back bone?



The telltale sign a router has been compromised is DNS settings that have
been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
the provider that hosts those two IP addresses but have yet to receive a
response.


you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
you?


Cheers


Jay is right, it is just the /32s at the moment...  Dropping the /22s
could cause other sites to be blocked.

inetnum:        5.45.72.0 - 5.45.75.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse () 3nt com
descr:          ********************************************************
country:        NL
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     serverius-mnt
source:         RIPE # Filtered




-- 
~ Andrew "lathama" Latham lathama () gmail com http://lathama.net ~
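The thread's point is the collateral difference between dropping the two /32 indicator addresses and dropping the enclosing /22s. The following Python, added here as an illustration and not code from anyone in the thread, uses the standard `ipaddress` module to compute the prefixes a blackhole of a given length would need to cover the two DNS indicators, how many addresses each choice takes down, and whether a router's configured resolvers match those indicators. The indicator addresses and the inetnum range come from the messages above; the sample resolver list at the bottom is constructed.

```python
import ipaddress

# Rogue DNS servers named in the Ars Technica quote above (indicators, not targets)
ROGUE_DNS = ["5.45.75.11", "5.45.76.36"]

# The inetnum block from the RIPE record quoted in the reply above
WHOIS_RANGE = ("5.45.72.0", "5.45.75.255")


def blackhole_scope(indicators, prefixlen):
    """Return (sorted prefixes, total addresses) for covering every indicator
    with one prefix of the given length. strict=False lets ipaddress snap a
    host address to its containing network."""
    nets = {
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        for ip in indicators
    }
    nets = sorted(nets)
    return nets, sum(n.num_addresses for n in nets)


def whois_range_prefixes(first, last):
    """Collapse an inetnum start/end pair into CIDR prefixes, so the record
    can be compared with what a blackhole would actually cover."""
    return list(
        ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    )


def indicator_outside_whois_range(indicators, first, last):
    """Indicators that are NOT inside the quoted inetnum block; this is why
    a single /22 from the whois record would not cover both DNS servers."""
    prefixes = whois_range_prefixes(first, last)
    outside = []
    for ip in indicators:
        addr = ipaddress.ip_address(ip)
        if not any(addr in p for p in prefixes):
            outside.append(ip)
    return outside


def check_dns_settings(configured_servers, indicators=ROGUE_DNS):
    """Detection helper: return the configured resolvers that match a known
    rogue DNS indicator. Feed it the resolver list pulled from a router."""
    bad = {ipaddress.ip_address(i) for i in indicators}
    return [s for s in configured_servers if ipaddress.ip_address(s) in bad]


if __name__ == "__main__":
    for plen in (32, 22):
        nets, count = blackhole_scope(ROGUE_DNS, plen)
        print(f"/{plen}: {[str(n) for n in nets]} -> {count} addresses dropped")
    print("whois block:", [str(p) for p in whois_range_prefixes(*WHOIS_RANGE)])
    print("outside whois block:", indicator_outside_whois_range(ROGUE_DNS, *WHOIS_RANGE))
    # Constructed sample of a router's resolver settings, not real data
    sample_resolvers = ["5.45.75.11", "192.168.1.1"]
    print("matching rogue DNS:", check_dns_settings(sample_resolvers))
```

Run as a script it prints that a /32 blackhole drops exactly 2 addresses while the two /22s drop 2048, and that 5.45.76.36 sits outside the 5.45.72.0/22 block in the whois record, which is the reason fmm had to name two /22s and the reason Andrew prefers the /32s.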

