Re: CPE dns hijacking malware

[Matthew Galgoci <mgalgoci () redhat com>]

> Date: Tue, 12 Nov 2013 06:35:51 +0000
> From: "Dobbins, Roland" <rdobbins () arbor net>
> To: NANOG list <nanog () nanog org>
> Subject: Re: CPE  dns hijacking malware
>
>
> On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-kell () utc edu> wrote:
>
> > (2) DHCP hijacking daemon installed on the client, supplying the hijacker's DNS servers on a DHCP renewal.  Have 
> > seen both, the latter being more
> > common, and the latter will expand across the entire home subnet in time (based on your lease interval)
>
> I'd (perhaps wrongly) assumed that this probably wasn't the case, as the OP referred to the CPE devices themselves as 
> being malconfigured; it would be helpful to know if the OP can supply more information, and whether or not he'd a 
> chance to examine the affected CPE/end-customer setups.

I have encountered a family members provider supplied CPE that had the
web server exposed on the public interface with default credentials still
in place. It's probably more common than one would expect.

-- 
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
------------------------------
"It's not whether you get knocked down, it's whether you get up." - Vince Lombardi