Hi All,
Today while checking an issue with my home network (not my current place but at my natives), I found that the DNS address looked kind of suspicious. The DNS IP addresses were 5.45.75.11 (primary) and 5.45.75.36 (secondary), and these addresses kinda seemed phony to me. So I ran a Google search and found out that there have been reports of a very recent cyber attack on modems/routers where the DNS server address has been forcibly changed to these addresses. What this means is that all your sensitive data/information is probably being compromised. Here are a couple of references for this attack which Google has shown:
http://www.ispreview.co.uk/index.ph...0000-home-broadband-routers-major-brands.html
http://www.pcworld.com/article/2104...-300000-home-routers-alters-dns-settings.html
The report can be found here :
https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf
Also it seems that these phony DNS servers are not exactly responding well, and most of the time you would not even be able to connect to the network or it'll be a very slow network connection (which is what was happening at my folks' place). So if you are suddenly facing such issues and getting DNS response errors, then it might be the case that your modem/router has been compromised. Even if you are not facing disconnection or slow network issues, it would be better if you check your DNS configs just to be sure.
The modem and router used in my home are D-Link, but it seems many other brands are also facing the same issue.
The service provider is BSNL at my natives.
Note: As of now, I'll force my modem to point to either Google DNS or some other open DNS service, but that probably is not the permanent solution (or not even a solution). The permanent solution would probably be upgraded firmware without this vulnerability to such attacks. Also, if the network is compromised, that would also mean that the computers and other devices have also been compromised. I will probably also have to get the machines at my home scanned properly for viruses/malware?
If anyone out there has more info then please do share. Also please let us know if this attack is for real (from the readings it does look real), what steps need to be taken for remedy, and also for protection.
Regards,
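The check the poster describes (look at what resolvers the host or router has been handed and compare them against the addresses reported in the pharming campaign) can be scripted. The following is an added example, not code from the original post or from any of the linked reports. The two rogue addresses are the ones quoted in the post; the Google/OpenDNS addresses are the well-known public resolvers the poster mentions switching to; the function names and the sample resolv.conf text are constructed for this example. The caveat it encodes matters for this particular attack: a host whose only resolver is the router's own private address will look clean, even though the router may be forwarding everything to the rogue servers, so the router's WAN/DHCP DNS settings still have to be inspected by hand.

```python
"""Audit resolver configuration against resolvers reported in the router DNS hijack.

Added example; not part of the original post. Rogue addresses are the two quoted
in the post. Google/OpenDNS addresses are the public resolvers the poster refers to.
Sample resolv.conf text below is constructed.
"""
import ipaddress
import re

# Rogue resolvers quoted in the post.
KNOWN_ROGUE_RESOLVERS = frozenset({"5.45.75.11", "5.45.75.36"})

# Public resolvers the poster considers as a stop-gap; treated as trusted here.
TRUSTED_PUBLIC_RESOLVERS = frozenset({
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "208.67.222.222", "208.67.220.220",  # OpenDNS
})

_NAMESERVER_RE = re.compile(r"^nameserver\s+(\S+)")


def parse_nameservers(resolv_conf_text):
    """Return nameserver addresses from resolv.conf-style text, in listed order.

    Comments (# or ;) are stripped; lines that are not valid IP literals are skipped.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = _NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # hostname or garbage where an IP literal is expected
    return servers


def classify_resolver(addr, rogue=KNOWN_ROGUE_RESOLVERS, trusted=TRUSTED_PUBLIC_RESOLVERS):
    """Label one resolver: rogue, local (router/loopback), trusted, or unknown-public."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in rogue:
        return "rogue"
    if ip.is_private or ip.is_loopback:
        return "local"  # usually the router or a local caching resolver
    if str(ip) in trusted:
        return "trusted"
    return "unknown-public"


def audit_resolvers(resolv_conf_text, rogue=KNOWN_ROGUE_RESOLVERS,
                    trusted=TRUSTED_PUBLIC_RESOLVERS):
    """Classify every configured resolver and return an overall verdict.

    verdict: "compromised" if any rogue address is present, "review" if an
    unrecognised public resolver is present, "ok" otherwise, "no-resolvers" if
    nothing was configured. router_check_needed is True when a local (private)
    resolver is in use: the host then only tells you what the router hands out,
    not what the router itself forwards to, which is where this hijack lives.
    """
    servers = parse_nameservers(resolv_conf_text)
    findings = {s: classify_resolver(s, rogue, trusted) for s in servers}
    labels = set(findings.values())
    if not servers:
        verdict = "no-resolvers"
    elif "rogue" in labels:
        verdict = "compromised"
    elif "unknown-public" in labels:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "resolvers": findings,
        "router_check_needed": "local" in labels,
    }


# Constructed sample: host handed the rogue resolvers directly via DHCP.
SAMPLE_HIJACKED = """# constructed example, not a real capture
nameserver 5.45.75.11
nameserver 5.45.75.36
search home.lan
"""

# Constructed sample: host points at the router, which proxies DNS.
SAMPLE_ROUTER = "nameserver 192.168.1.1  # constructed: router as forwarder\n"

if __name__ == "__main__":
    for name, text in (("hijacked", SAMPLE_HIJACKED), ("router", SAMPLE_ROUTER)):
        print(name, audit_resolvers(text))
```

On a Linux host, feed it the real file with `audit_resolvers(open("/etc/resolv.conf").read())`; on Windows, paste the "DNS Servers" lines from `ipconfig /all` into resolv.conf form. A "compromised" verdict means the host itself received the rogue servers; an "ok" verdict with `router_check_needed` set means nothing is proven until the router's own DNS fields are read from its admin page.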