Re: CPE dns hijacking malware

2013-11-12 Thread Matthew Galgoci
Date: Tue, 12 Nov 2013 06:35:51 + From: Dobbins, Roland rdobb...@arbor.net To: NANOG list nanog@nanog.org Subject: Re: CPE dns hijacking malware On Nov 12, 2013, at 1:17 PM, Jeff Kell jeff-k...@utc.edu wrote: (2) DHCP hijacking daemon installed on the client, supplying the

Re: CPE dns hijacking malware

2013-11-12 Thread Dobbins, Roland
On Nov 12, 2013, at 10:57 PM, Matthew Galgoci mgalg...@redhat.com wrote: It's probably more common than one would expect. Concur 100%. https://app.box.com/s/rblnddlhda44giwfa8hy --- Roland Dobbins rdobb...@arbor.net //

Re: CPE dns hijacking malware

2013-11-12 Thread Tom Morris
EXTREMELY common. Almost all Comcast Cable CPE has this same login, cusadmin / highspeed. At least on ATT U-Verse gear, there's a sticker on the modem with the password which is a hash of the serial number or something equally unique. Almost all home routers also tend to have the default

Re: Do you obfuscate email headers when reporting spam issues to clients?

2013-11-12 Thread Landon
Hello NANOG, Just a quick note thanking those that responded to me on and off list. I appreciate the input! -- Landon Stewart landonstew...@gmail.com

RE: CPE dns hijacking malware

2013-11-12 Thread James Sink
Personally I have fond memories of going into my neighbor's router, flashing it with dd-wrt which allowed manual channel setting, and moving it off of the same wifi channel mine was on. That was probably not a great idea, but you do what you have to sometimes. Props on that, but wouldn't it

Automatic abuse reports

2013-11-12 Thread Jonas Björklund
Hello, We often get abuse reports on hosts that have been involved in DDOS attacks. We contact the owner of the host and help them fix the problem. I would also like to start sending these abuse reports to the ISP of the source. Are there any available tools for this? Is there any plugin for nfsen? Do

Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs.

Re: CPE dns hijacking malware

2013-11-12 Thread Larry Sheldon
On 11/12/2013 3:24 PM, Larry Sheldon wrote: On 11/12/2013 12:12 AM, Dobbins, Roland wrote: On Nov 12, 2013, at 12:56 PM, Mike mike-na...@tiedyenetworks.com wrote: It appears that some of my subscribers DSL modems (which are acting as nat routers) have had their dns settings hijacked and

Re: CPE dns hijacking malware

2013-11-12 Thread Larry Sheldon
On 11/12/2013 3:54 PM, Larry Sheldon wrote: On 11/12/2013 3:24 PM, Larry Sheldon wrote: On 11/12/2013 12:12 AM, Dobbins, Roland wrote: On Nov 12, 2013, at 12:56 PM, Mike mike-na...@tiedyenetworks.com wrote: It appears that some of my subscribers DSL modems (which are acting as nat routers)

Re: Automatic abuse reports

2013-11-12 Thread Jeroen Massar
On 2013-11-12 16:58, Jonas Björklund wrote: Hello, We often get abuse reports on hosts that have been involved in DDOS attacks. We contact the owner of the host and help them fix the problem. I would also like to start sending these abuse reports to the ISP of the source. Are there any

Re: CPE dns hijacking malware

2013-11-12 Thread Tom Morris
As I recall, the unit in question had a severely flawed auto channel selection algorithm that always, without fail, landed on the first OCCUPIED channel. It was pretty terrible. On Tue, Nov 12, 2013 at 4:18 PM, James Sink james.s...@freedomvoice.com wrote: Personally I have fond memories of

Re: CPE dns hijacking malware

2013-11-12 Thread Jared Mauch
Someone has to move. The defaults are really bad in dense deployments of 1,6,11. Always fun when we went to Japan in the early days and our equipment could not see channel 13 :-) Most need more fhss than single channel stuff. Jared Mauch On Nov 12, 2013, at 2:18 PM, James Sink

Re: Automatic abuse reports

2013-11-12 Thread Daniël W. Crompton
On 12 November 2013 22:52, Sam Moats s...@circlenet.us wrote: We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in

Re: Automatic abuse reports

2013-11-12 Thread Randy Bush
I would also like to start sending these abuse reports to the ISP of the source. good idea. we all need more entries in our .procmailrcs randy

Re: Automatic abuse reports

2013-11-12 Thread William Herrin
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats s...@circlenet.us wrote: We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar

Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
You're right, they wouldn't get all of the way through. The three way handshake is great against blind spoofing attacks. That said, the original poster was focused on a DOS event; to do that you really don't need the full handshake. I'm not sure if the end goal of whomever we were dealing with was

Re: Automatic abuse reports

2013-11-12 Thread William Herrin
On Tue, Nov 12, 2013 at 9:07 PM, Sam Moats s...@circlenet.us wrote: That said, the original poster was focused on a DOS event; to do that you really don't need the full handshake. Point. Though not all DDOSes are created equal. The simple packet flood is, as likely as not, from forged addresses.

Re: Automatic abuse reports

2013-11-12 Thread Brandon Galbraith
On Tue, Nov 12, 2013 at 10:03 PM, William Herrin b...@herrin.us wrote: Now it would be trivial to set up syslog and sshd to give only the sessions that complete the handshake, however I'm also not sure how responsive some of the abuse contacts may be. I'll keep my restrictive network settings

Re: Automatic abuse reports

2013-11-12 Thread joel jaeggli
On Nov 12, 2013, at 9:16 PM, Brandon Galbraith brandon.galbra...@gmail.com wrote: On Tue, Nov 12, 2013 at 10:03 PM, William Herrin b...@herrin.us wrote: Now it would be trivial to set up syslog and sshd to give only the sessions that complete the handshake, however I'm also not sure how

Re: Automatic abuse reports

2013-11-12 Thread Hal Murray
William Herrin b...@herrin.us said: That's the main problem: you can generate the report but if it's about some doofus in Dubai what are the odds of it doing any good? It's much worse than that. Several 500 pound gorillas expect you to jump through various hoops to report abuse. Have you