Attackers altering the DNS configuration on some routers
MINOR Closed Broadband and Ethernet
STATUS
Closed
AFFECTED
Broadband and Ethernet
STARTED
Mar 06, 09:00 AM (5 years ago)
CLOSED
Mar 11, 09:32 AM (5 years ago)
REFERENCE
1900 / AA1900
INFORMATION
  • INITIAL
    5 years ago by Andrew

    We have had a small number of reports from customers who have had the DNS settings on their routers altered. The IPs we are seeing set are 199.223.215.157 and 199.223.212.99 (there may be others)

    This type of attack is called Pharming. In short, it means that any internet traffic could be redirected to servers controlled by the attacker.

    There is more information about pharming on the following pages: https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf http://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html

    At the moment we are logging when customers try to accesses these IP addresses and we are then contacting the customers to make them aware.

    To solve the problem we are suggesting that customers replace the router or speak to their local IT support.

  • UPDATE
    5 years ago by Andrew

    Changing the DNS settings back to auto, changing the administrator password and disabling WAN side access to the router may also prevent this from happening again.

  • UPDATE
    5 years ago by Andrew

    Also reported here: http://www.pcworld.com/article/2104380/

  • RESOLUTION
    5 years ago by Andrew

    We have contacted the few affected customers.

  • Closed