> Date: Tue, 12 Nov 2013 06:35:51 +0000
> From: "Dobbins, Roland" <rdobb...@arbor.net>
> To: NANOG list <nanog@nanog.org>
> Subject: Re: CPE dns hijacking malware
>
>
> On Nov 12, 2013, at 1:17 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
>
> > (2) DHCP hijacking daemon installed on the client, supplying the hijacker's
> > DNS servers on a DHCP renewal. Have seen both, the latter being more
> > common, and the latter will expand across the entire home subnet in time
> > (based on your lease interval)
>
> I'd (perhaps wrongly) assumed that this probably wasn't the case, as the OP
> referred to the CPE devices themselves as being malconfigured; it would be
> helpful to know if the OP can supply more information, and whether or not
> he'd a chance to examine the affected CPE/end-customer setups.
>
I have encountered a family member's provider-supplied CPE that had the web
server exposed on the public interface with default credentials still in
place. It's probably more common than one would expect.

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
------------------------------
"It's not whether you get knocked down, it's whether you get up."
                                                - Vince Lombardi
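
The rogue-DHCP case quoted above (a daemon on one client answering renewals with the hijacker's DNS servers) shows up in the DHCP replies themselves, so a monitoring host can flag it. The following is an added example, not part of the original thread: it parses a raw BOOTP/DHCP payload and reports a server identifier (option 54) or DNS server (option 6) that is not the expected one. The addresses, `check_reply` and `build_reply` are assumptions made for illustration, and the sample packet is constructed, not captured.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_options(payload):
    """Return {option code: value bytes} from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value      # split options concatenate (RFC 3396)
        i += 2 + length
    return opts

def addrs(value):
    """Decode a packed list of IPv4 addresses (used by options 6 and 54)."""
    if len(value) % 4:
        raise ValueError("bad address list length")
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]

def check_reply(payload, expected_server, allowed_dns):
    """Return (kind, address) findings for a DHCPOFFER/DHCPACK payload."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):        # message type: 2 = OFFER, 5 = ACK
        return []
    findings = [("server", s) for s in addrs(opts.get(54, b"")) if s != expected_server]
    findings += [("dns", d) for d in addrs(opts.get(6, b"")) if d not in allowed_dns]
    return findings

def build_reply(server, dns):
    """Constructed DHCPACK payload for the demo; not a captured packet."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    dns_bytes = b"".join(pack(d) for d in dns)
    opts = (b"\x35\x01\x05" + b"\x36\x04" + pack(server)
            + bytes([6, len(dns_bytes)]) + dns_bytes + b"\xff")
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + opts

if __name__ == "__main__":
    # Assumed LAN: the CPE at 192.168.1.1 is the only DHCP and DNS server.
    rogue = build_reply("192.168.1.57", ["203.0.113.53", "192.168.1.1"])
    print(check_reply(rogue, "192.168.1.1", {"192.168.1.1"}))
```

A reply that carries no option 54 produces no "server" finding here, so pair this with a check on the reply's source address.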