[AusNOG] Traffic from Optus and Telstra CPE addresses
Jeremy Visser
jeremy at visser.name
Tue Mar 4 16:03:02 EST 2014
On 04/03/14 15:12, Joshua Riesenweber wrote:
> I had a customer hit with what looks like a DoS attack from (mainly) a
> couple of addresses last night:
> 220.239.56.245 [c220-239-56-245.eburwd6.vic.optusnet.com.au]
> 121.214.8.170 [cpe-121-214-8-170.lnse3.win.bigpond.net.au]
Not sure if it’s related, but one of my customers got hit by this last
night:
<http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/>
In my case the casualty was a NetComm NB604n, which I understand to have
had remote admin enabled on port 80. (!!!)
A packet capture confirmed it was sending DNS queries to 5.45.75.11, so
despite NetComm not being mentioned in the article, it’s most likely a
rebadged unit anyway.
I could also see HTTP traffic from the device which I’m certain wasn’t
originating from the LAN. Could have been participating in a DoS, but
looked more like click fraud to me based on the URLs in the capture.
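The packet-capture check Jeremy describes (confirming that a CPE is sending DNS queries to a resolver the customer never configured) is the quickest indicator of a hijacked router. The following is an added example, not code from this thread or from any of the vendors named in it: it parses raw IPv4/UDP frames, extracts the question name from each DNS query, and flags queries sent to any resolver outside an allow-list. The allow-list (192.0.2.53 and 192.0.2.54) and the sample frames are constructed for the example; the only address taken from the thread is 5.45.75.11.

```python
import struct
import ipaddress
from dataclasses import dataclass

# Resolvers the customer's network is expected to use (constructed for this example;
# in practice this is the ISP's or the customer's own resolver set).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


@dataclass
class DnsQuerySummary:
    src: str
    dst: str
    qname: str


def parse_ipv4_udp(frame: bytes):
    """Parse a raw IPv4/UDP datagram; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:   # protocol 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + ulen] if ulen >= 8 else b""
    return src, dst, sport, dport, payload


def parse_query_name(dns: bytes):
    """Return the first question name of a DNS query, or None for responses/malformed data."""
    if len(dns) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount == 0:          # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(dns):
            return None
        length = dns[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                        # compression pointer: not valid in a query's question
            return None
        labels.append(dns[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def find_rogue_dns_queries(frames, expected=EXPECTED_RESOLVERS):
    """Flag DNS queries (UDP/53) whose destination is not an expected resolver."""
    rogue = []
    for frame in frames:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != 53:
            continue
        qname = parse_query_name(payload)
        if qname is not None and dst not in expected:
            rogue.append(DnsQuerySummary(src, dst, qname))
    return rogue


def build_dns_query_frame(src: str, dst: str, qname: str, txid: int = 0x1234) -> bytes:
    """Construct a raw IPv4/UDP/DNS A query (sample input only; checksums left zero)."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


# Constructed capture: one query to a legitimate resolver, two to the address seen in the thread.
SAMPLE_FRAMES = [
    build_dns_query_frame("192.168.1.1", "192.0.2.53", "example.com"),
    build_dns_query_frame("192.168.1.1", "5.45.75.11", "example.net"),
    build_dns_query_frame("192.168.1.1", "5.45.75.11", "example.org"),
]

if __name__ == "__main__":
    for hit in find_rogue_dns_queries(SAMPLE_FRAMES):
        print(f"{hit.src} -> {hit.dst}  query {hit.qname}")
```

Run against frames read from a real capture (for instance via a pcap reader, which is not shown here), the output is a per-query list of source device, resolver address and name looked up; a CPE whose LAN-side DNS settings were never changed but which suddenly resolves through an address like 5.45.75.11 is the signature described in the linked article.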