
DPC3941T Modem hacked? Utopia.net

Frequent Visitor

DPC3941T Modem hacked? Utopia.net

Has anyone else had this problem? In an effort to be as secure as possible, I have disabled the Wifi options for this DPC3941T gateway and I opted-out in My Account from being a WiFi hotspot. I use a separate Netgear router for my Wifi, but I have used the DPC3941T as a MoCa router for my home network and I had several TiVo's on the MoCa network, as well as Sonos and other devices.

 

Twice in the last two weeks my internet connectivity has stopped and after a hard reset of the modem, my modem browser config page becomes inaccessible (cannot open 10.0.0.1 at all, even when hard-wired to the modem by Ethernet) and my DNS settings point to "utopia.net" instead of the comcast.net servers. Because I cannot access the modem configuration at all I cannot change this, and none of my devices can connect. Both times I have called Comcast and they pushed a modem reset which eventually restored my internet access and then I am able to access the modem page.

 

If it weren't for the MoCa network going down, I might never have even noticed this hijack because apart from being unable to reach the modem home page, I can access other web pages, so I still have internet access. But I fear that this "utopia.net" DNS server might be redirecting our web activity to phony or phishing sites in order to collect logins and financial details?

 

I have changed the firewall settings on the modem to High, and I changed my modem admin password. Aside from thoroughly virus checking my computers, is there anything else I can do to prevent this from happening again? 

New Poster

Re: DPC3941T Modem hacked? Utopia.net

DPC3941T user - similar experience.  While on my phone, the modem reset, then connected to the modem's 5 setting, not 2.4 as we originally used.  When I checked the connection information, I was connected to utopia.net - same IP address and Subnet as Comcast, but different Router and DNS.  There was a brief disconnect again and I was reconnected to Comcast, but at the modem's 5 setting, not 2.4.

 

When I went to my laptop (connected via ethernet and in airplane mode), I was still connected to 2.4, but it is identified as a public network - we also opted-out of the WIFI hotspot option.  I checked our settings, the opt-out is still listed as in effect, but our connection was changed to the 5, not the 2.4.

 

I am interested in an explanation as well.

Official Employee

Re: DPC3941T Modem hacked? Utopia.net

utopia.net is part of a DNS hijacking attack.  You should check all of your systems for malware, and then make sure your devices are getting their DNS servers from us automatically or set them manually:

 

IPv4:

 

75.75.75.75

75.75.76.76

 

IPv6:

 

2001:558:feed::1

2001:558:feed::2

 

 




Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net


ComcastDNS wrote:

utopia.net is part of a DNS hijacking attack.  You should check all of your systems for malware, and then make sure your devices are getting their DNS servers from us automatically or set them manually:

 

IPv4:

 

75.75.75.75

75.75.76.76

 

IPv6:

 

2001:558:feed::1

2001:558:feed::2

 

 


Unfortunately, once this hijack has taken hold, I am locked out of the modem and can't adjust the settings. The signal push by Comcast has restored things briefly, so I'll try to put some security measures into play.

Problem Solver

Re: DPC3941T Modem hacked? Utopia.net

Have you guys seen this new thread:


Why Not Recall The Technicolor TC dpc3941T (formerly Cisco dpc3941T) AP's? (Modem/Router combos)

The exploit itself: https://www.exploit-db.com/exploits/40982/

 

And, in a way more importantly, here are details on an exploit via a CVE database. https://www.cvedetails.com/cve/CVE-2016-7454/

 

Again CVE-2016-7454 .. also note http://www.cvedetails.com/cve/CVE-2016-1325/

 

The first one's description is 'SSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T) devices with firmware dpc3941-P20-18-v303r20421733-160413a-CMCST allows an attacker to change the Wi-Fi password, open the remote management interface, or reset the router.'

 

NIST even regards 1325 which targets the DPC3941 as a 7.5 out of 10 threat. https://nvd.nist.gov/vuln/detail/CVE-2016-1325

 

And the first of the two as an 8 out of 10. https://nvd.nist.gov/vuln/detail/CVE-2016-7454

 

I say these units all must be replaced with units which at the least lack any published CVEs unresolved, not fixed, with a severity above a 2 or 3. There should be a reasonable policy on this. If you have one of these units, you should definitely ask that it be replaced by another newer model if possible. Any thoughts on my opinions appreciated, and if level 2/3 techs and so forth want to prove me wrong, I'm fine with that too.

 

Chris

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I have an Arris TG1682G and just experienced this as well. The modem reset spontaneously and for ~10 - 15 minutes my leases (wired as well as wireless) were coming up with utopia.net as a DNS suffix and search domain. When I renewed the lease from my device, I received a 'standard' comcast.net DNS suffix and the expected DNS servers.

 

I talked with Customer Support who told me to contact Customer Security Assurance.  Customer Security Assurance told me that "they don't deal with those devices (cable modems)" and they tried to send me somewhere else, but all that happened was I ended up on a "New Product line" IVR system that was asking about XI4 and then eventually disconnected me.

 

So yeah. I'm definitely not 'assured' about my security on Comcast.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

Yes. I have had this happen with my system over the past few weeks. I pay sooo much money for the optimum speed, etc., only to be frozen. Super slow modem gateway reboot as well - up to 8 minutes for the reboots. I too had the utopia.net resets. Information search yielded nothing until these posts. My Comcast service has been deteriorating (in both delivery and customer service intel) over the past 6 months, with this last month being the worst for slow (incredibly slow) access and troubleshooting time spent. I look forward to knowing the solution as well. Thank you.

 

Contributor

Re: DPC3941T Modem hacked? Utopia.net

Hello All

 

Noticed this as well after a modem restart or reset: DNS shows utopia.net, then after a brief secondary disconnect it reconnects to Comcast DNS servers. Is this something new with the updated DPC3941T firmware that was recently pushed out? Not sure if it happened in the past, as I never noticed it. I do use the DPC3941T for Wi-Fi (both 5 GHz and 2.4 GHz), and Ethernet wired and MoCA, so it is concerning that it does this.

 

 

 

Problem Solver

Re: DPC3941T Modem hacked? Utopia.net

Now that you say that, I notice the same on my 3941. It will show the Comcast DNS servers but say utopia.net, and then after about a minute, with a quick disconnect, it switches over to still showing the Comcast DNS servers but this time saying the correct name of hsd1.state.comcast.net (replace state with your state abbreviation).
Contributor

Re: DPC3941T Modem hacked? Utopia.net

This affected me too. I noticed it this morning when my network connection had many gigs of traffic but all I was doing was web browsing.

 

I was able to stop it after a bit of work by changing permissions on the "hosts" file that is in the "C:\Windows\System32\drivers\etc" directory/folder and then editing the file to add the line "127.0.0.1 utopia.net" (without the quotes). Now I am back to having the typical "hsd1.mn.comcast.net" DNS listed instead of the utopia.net.

 

I hope that if I exceed the one terabyte limit this month, Xfinity doesn't charge me or take one of the courtesy months away.

 

Does anyone know if a typical user is able to detect these kinds of attacks if their internet doesn't seem slowed by them? Is there software available to guard against it?

 

Thank you and good luck!

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

So what is the latest on this DNS hijack, and why doesn't Comcast come clean about it?
Same problem here: even when my DNS entries are set to 8.8.8.8 or 8.8.4.4 (Google public servers, as opposed to Comcast's 75.75.75.75) my network still shows as being connected to "utopia.net".
DAYS of negotiating with techs, getting a modem replacement, and having yet another tech come over have all resulted in no change.

what the gosh darn heck is going on here?

Contributor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

Your computer is infected and still allowing the infection to happen, that's what's going on.  Go get it fixed.

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

Translation:
"I have no idea what is going on, no real suggestions on how to fix it, and no idea what the problem is, but I'll chime in all the same."
Um, yeah. Right.


Contributor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

The utopia.net hijack uses a script in order to take advantage of a vulnerability (across numerous devices, not just limited to Comcast provided devices), and can also lead to other potential device-related problems / infections.  While I was fairly abrupt, for which I'll apologize, the end result is the same, especially if the issue has remained present across multiple gateways.

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

And I'll apologize for my snotty response. It's been really frustrating.

So, after running every scan that I have, both AVAST and Malwarebytes, physically setting the DNS addresses, flushing the DNS cache, releasing/renewing the IP address, and removing all even remotely questionable files from my computer, it still comes up utopia.net.
Do you know of a scan that works, a person who knows decisively how to remove it, or a resource that has bona fide information on it?
That was the thing I found most odd. No one really seems to know much about it, though complaints have been coming for at least two years. 

Thank you for your help.

K

Connection Expert

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

See if anything here helps you:

 

https://www.google.com/search?q=utopia.net+malware&oq=utopia.net&aqs=chrome.4.5j69i57j69i61l2j0l2.10...

 

Good luck !





Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

SOLVED: (followed a guy on another forum; he seems to have it licked)

I was finally able to get rid of utopia.net and get back on to "hsd1.ca.comcast.net" by using my Avast internet security program.
1: Go to Network, and in Avast, if it says that utopia.net is your network, turn it off.
Then go to Firewall - Settings - Network Profiles, and go down the list until you see "utopia.net" in the list of network profiles. Delete it using the right-click drop-down menu.

Restart computer.
Bingo! No more utopia.net; now my connection looks square.
Thanks to everyone who pitched in helping me solve this.

Frequent Visitor

If you have problems with "Utopia.net" hijacking your DNS, read on.

NOTE: This post is Windows-specific.

Recently I was hijacked and thought it to be a malware/ransomware problem.
While I did use the update patch from Windows for the WannaCry/DoublePulsar malware, I found the solution to getting rid of "utopia.net" to be quite easy.

1: Detection.
Look in your system tray (far right end of your toolbar, with the computer connection logo) OR go to "Network and Sharing Center".
If the "You are currently connected to" has ANYTHING without "comcast.net" in it, you have been hijacked.
Mine said "You are currently connected to utopia.net".
ipconfig releasing and renewing, DNS flushing, malware and virus scans, and changing the adapter setting to 75.75.75.75 (Comcast) or 8.8.8.8 or 8.8.4.4 (Google's open DNS servers, regarded as better than Comcast's) did NOTHING.

Solution:
Download Avast online security and get the free premium trial.

Download and install.
Go to Firewall; in the Firewall section go to Settings (far right, small print).
In Settings go to "Network Profiles".
Scroll down until you see utopia.net (if you see comcast.net you are safe, and can stop here and do nothing), then select the button to the right of it and select "Delete".
Restart computer.

That's it!

Good luck

KH

Frequent Visitor

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

Ok I have the same thing.  I tried the Avast procedure and there's no listing for utopia.net.  I was fine until a week ago, then all this started up.  I live-chatted with Comcast, and the analyst wanted to send someone out to check my wiring.  Um, duh, it's not my wiring.

 

I pay a LOT of money for service to Comcast and now I'm having problems that nobody seems to want to resolve. What's it gonna take to fix this, Comcast?

Frequent Visitor

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

I'm going through the exact same situation. I have no home internet access, ran Avast Premier and couldn't clear the malware, and have live-chatted Comcast and nothing has been resolved thus far. I'm going to try a few more things and report back; otherwise I don't know what other options I really have other than going to a different ISP.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

This happened to me too - Computers: Windows 7 and Windows 10. I detected utopia.net using the command line (cmd): ipconfig /all. This showed me all my adapters and DNS connections. On the computers that had utopia.net I disconnected the computer from the internet and searched in the registry for all instances of utopia. (DON'T DO THIS UNLESS YOU ARE COMFORTABLE WORKING IN THE REGISTRY.) I replaced all instances of utopia.net with the correct pointer to Comcast servers. I deleted nothing! I then changed all the passwords on my WiFi router and Comcast router. I then booted the computers and routers. Now things are fine but I will be monitoring regularly since I have no idea how this occurred! I am not sure you can blame Comcast; the internet is a bad place these days!

New Poster

Re: DPC3941T Modem hacked? Utopia.net

OK  editing a bit, now that I slept:

Yesterday morning my computer was sluggish, I went to check internet and found myself connected to Utopia.net NOT Comcast!  I did some google searching and was really scared by what I found!

After calling Comcast tech support, and asking them to read their own forums about utopia over and over, they had me replace my infected modem.  Once this was done I found the DNS/IP settings did not change in my computer(still connecting to Utopia.net).  I spent literally hours on the phone with Comcast and then their rep at Norton.  Unfortunately they were no help at all.

By the end I was exhausted and my computer was only sometimes connected to the internet.

Tech support really doesn't know anything about this.  

In frustration I started reading forums and trying all the cleaners and such, but the real trouble is my computer was not "infected" it just was stuck on this hijacked DNS.

 

What finally worked for me was: (After getting the new un-infected modem)

  1. In Avast > protection > settings > select Utopia.net and click remove 
  2. Go to Control Panel\Network and Internet\Network Connections
  3. Disable the ether that is connected to utopia.net by clicking on the utopia.net in blue (I think it is left click)
  4. Go back into Avast and be sure Utopia is still gone. (If not gone, remove it again See #1)
  5. Go back to Control Panel\Network and Internet\Network Connections and re-enable the ether that you disabled.
  6. reboot computer

This morning when I got up, I was pleased to see I was still connected to comcast.

 

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I'm going to try this when I get home. When you noticed the hack, did you have internet access or no? 

New Poster

Re: DPC3941T Modem hacked? Utopia.net

At first I had slow internet, by the end I was off and on internet access.  Mostly off.

 

I hope this helps you!

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

Thanks to everyone who has chimed in. I ended up getting a new gateway from Comcast (an Arris TG1682G) and haven't had the hijack since (although I am now completely unable to disable the public wifi hotspot in the new modem). I did add the utopia.net line to my "hosts" file on my main laptop and I deleted the Utopia.net entry from my laptop registry. I have to get my husband to check his too. We had about 32 devices online - Sonos, TiVo Minis and Roamio, printers, iPads and iPhones, 5 laptops, a router set as a repeater and an extender, powerline and MoCA adapters (big old house with 2 foot brick walls and two sets of wiring circuits!) and a few other random wifi enabled devices like watches and a crockpot even, so I hope there is nothing hidden somewhere in any of these. We are moving so most of those are down and I hope our new Hughesnet network doesn't catch this (Comcast wanted $26k to build out to our new farm in the country!) None of my virus or malware detectors ever found anything, and my main laptop has Trend Micro protection through work.

Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

 

Hoping this helps those who have this issue:

 

I had to set a reserved IP in Xfinity modem settings and then manually configure my network adapter for that same IP, subnet, gateway, and DNS servers for my ISP.

I did this for IPV4 and for IPV6 I just set the DNS servers in the network adapter.

 

Then, on my computer I searched regedit for all instances of "utopia" and cleared the value data.

 

Restart computer and if all settings are configured correctly, you should have full IPV4 connectivity.

 

You can get internet by just setting the IPV6 DNS entries on your network adapter and disabling IPV4 if you can't get to the router config page. But you won't be able to use some services, such as Steam, if you are on IPV6 exclusively.

 

FYI, the issue appears even after a clean windows install and after a factory reset of the router.  Connect fresh install to the factory reset Xfinity modem for the first time and it pulls the "utopia.net" dns suffix immediately.  Search registry and those three "utopia.net" entries are there.

 

Good luck out there.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

This past Friday, at Comcast tech nudging, I switched from our Motorola Surfboard SBG6580 to the Technicolor DPC3941T. We have had the Motorola for a few years and it was fingered by the tech as the reason we were not receiving the 150 - 200mbps connection. Once installed, the speed never changed, exactly the same as the moto. BUT, Jane being the liberal she is agreed to give it a week or so to do what it should have done once booted and on the system.

BUT WAIT: Last evening I was watching a movie over at tv.xfinity.com and about in the middle it froze. I said, "here we go, another Whiskey Tango Foxtrot moment" as, despite we were just gleaning over 100mbps, an issue like that had not occurred for the entire life of the moto. So I check (via smart phone app) for an outage. Nothing appeared to be out and all lights on my online check were green (good to go). I did a speed check and we were barely getting 35mbps.. then I decided to run some checks. And I want to know WHY this happened only after the Technicolor Gateway was installed... my first instinct was to check DNS and what do I find? Sadly, you already know, don't you. APPARENT AS I SEARCHED FOR HIJACKED DNS AND ENDED UP HERE. Our DNS appeared to be coming from - you guessed it - utopia.net. Being on the web before it was the web and only message based, going into the BBS era and programming mail tossers between FIFONet, RBBSNet, GTPowerNet to name a few and the then message base internet in the 80's, and coming of age as the web matured and finally buying a domain in 1996 (I still own), I think I have learned my way around.. though after 70 years on the planet life can get somewhat foggy and what you once were very familiar with seems to hide out in the deep dark spaces of your growing senile mind.. I decided to check further. And what did I find? The IP addy for the jerks that hijacked the DNS IP address: 208.91.197.27. And where did that take me?
Registry Registrant ID:  Registrant Name: Utopia Network  Registrant Organization: Utopia Network  Registrant Street: 8121 20 Ave, Apt B3 Registrant City: Brooklyn
Registrant State/Province: NY Registrant Postal Code: 11214  Registrant Country: US Registrant Phone: +1.7182566976    Registrant Fax: +1.7182566976
Who IP appears to be hosted/coming from here:
Point of Contact  Name    Tech Admin  Handle    TECHA29-ARIN  Company    Confluence Network Inc  Street    3rd Floor, J&C Building, P.O. Box 362
City    Road Town State/Province    TORTOLA  Postal Code    VG1110 Country    VG  Registration Date    2011-06-20  Last Updated    2017-03-08
Phone    +1-415-358-0891 (Office)  Email    noc@confluence-networks.com 
And it gets better.   What BLACKLISTS are we looking at concerning these folks?
SPAM tools:  Blocklist lookup
1.   Adult hosting  At least one domain hosted on this IP address is marked as containing adult content. more info    listed
2.  Hackers, Spyware, Botnets etc.    listed
Why hasn't something been done? Why isn't that IP and any other IP traced that may be doing or trying the same tricks UNIVERSALLY banned from access (don't tell me that can't be done)?

I was going to take the time to call Comcast/Xfinity security  at 877 - 807 - 6581 - the number I requested from tier 1 support last eve, but after a due diligence check, why should I, as it is verifiable the issue appears to be well known.  Spinning my wheels at my age is not really much fun. 
Jane and I have both enjoyed xfinity save for speed issues, but now feel duped into changing from a perfectly working gateway to one that was hijacked in less than 48 hours from install we will be assessing our options.  AT&T has installed a fiber line through our back yard and a gig connection is cheaper than what we have now, install and modem included ( among other things ) Even if we only got 500mbps off the gig, this old f**t isn't going to complain.

So you call security. And, really consider dumping that Technicolor DPC3941T, seeing it opened the door to the dark web with an issue that appears to be ongoing and continuous in your forums as well as other forums like DSL Reports on the web.
Joe
Over 70 years on the planet and all I want to do is enjoy my last days of life on the web I grew up with.
Respect your web elders .. I opened my domain on: Creation Date: 1996-08-18T04:00:00Z  Comcast opened it's domain Creation Date: 1997-09-25T04:00:00Z 

 

 

 

 

 

New Poster

Re: DPC3941T Modem hacked? Utopia.net

ps: Tech support Level 2 was also locked out when he tried to access during our conversation. That's really bad news. David @ level 2 did all he could do when we finally regained control.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

 
[attached image: utopia.jpg]
New Poster

Re: DPC3941T Modem hacked? Utopia.net


corgi11 wrote:

Have you guys seen this new thread:


Why Not Recall The Technicolor TC dpc3941T (formerly Cisco dpc3941T) AP's? (Modem/Router combos)

The exploit itself: https://www.exploit-db.com/exploits/40982/

 

And, in a way more importantly, here are details on an exploit via a CVE database. https://www.cvedetails.com/cve/CVE-2016-7454/

 

Again CVE-2016-7454 .. also note http://www.cvedetails.com/cve/CVE-2016-1325/

 

The first one's description is 'SSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T) devices with firmware dpc3941-P20-18-v303r20421733-160413a-CMCST allows an attacker to change the Wi-Fi password, open the remote management interface, or reset the router.'

 

NIST even regards 1325 which targets the DPC3941 as a 7.5 out of 10 threat. https://nvd.nist.gov/vuln/detail/CVE-2016-1325

 

And the first of the two as an 8 out of 10. https://nvd.nist.gov/vuln/detail/CVE-2016-7454

 

I say these units all must be replaced with units which at the least lack any published CVEs unresolved, not fixed, with a severity above a 2 or 3. There should be a reasonable policy on this. If you have one of these units, you should definitely ask that it be replaced by another newer model if possible. Any thoughts on my opinions appreciated, and if level 2/3 techs and so forth want to prove me wrong, I'm fine with that too.

 

Chris


I believe it ... I don't think that many in level 1 or level 2 have ample experience to reasonably address the issue. I do know this: if an issue is ongoing and continuous, it becomes a pattern and practice of those who know the issue is real but refuse to take the necessary steps to correct the problem; liability will attach and someone who is prone to initiate litigation because they ordered their coffee hot will at some point feel froggy and jump.
Eagle II sends

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I noticed this today while on my phone, when I couldn't access websites while still being connected to my WiFi. My Xbox, which is hard-lined to the router, was still working but all WiFi devices were not. I rebooted the router; the first time it froze. The second time around, my iPhone gave me a security precaution that I was connected to a hidden WiFi network, which is when I noticed the utopia.net on the DNS. Noticed this as well on my girlfriend's iPhone and my laptop. Tried going to the admin page, which was super slow, so then restarted the router once more and it reconnected to the Comcast DNS.

 

Since both iPhones showed this utopia.net DNS, it confirms the hijack is on the router and not on any of the devices. 

This doesn't add anything to this ongoing mystery but wanted to voice my displeasure since there is no answer of why this happens and how. Now I'm a little paranoid about if it will happen again. 

Official Employee

Re: DPC3941T Modem hacked? Utopia.net

Hey RedHood,

 

I can help with this concern. Send me a private message verifying the first and last name of the account holder, phone number, and the street address or the full account number associated with your services.

 

To send a private message click on my name "ComcastChe", then click private message me.




Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

How can you help? Why not post the solution here?

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

How are you advising to remove or prevent this on a MacBook? This happened to me for two weeks; prior devices were an Arris TG1682G, then 2 Ciscos. In fact I'm thinking of going to the Comcast store and swapping again.

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I am paranoid about this as well. I don't understand why the Wi-Fi lights are actively flashing when I am not using Wi-Fi???? Anyone have thoughts or suggestions about this? I used to be able to disable the wifi module to get the public hotspot hacker scum off my modem; now I am not able to.

Official Employee

Re: DPC3941T Modem hacked? Utopia.net

Hello sjmerchant,

 

I apologize for any frustration this has caused you. In truth there is not much technical action that you can take to resolve this problem. Aside from the obvious clearing of your cache and cookies, resetting your network devices, resetting computer internet settings, running both virus and malware scans, and rebooting your system, all else is on our end. You would have to report this type of problem to an employee like myself so we can confirm what you are experiencing. We have options to factory reset your modem while forcing a new public IP to your device, sending the issue to our Security Assurance team to review modem traffic, or sending a tech with a completely new modem. The issue with these solutions is that beyond reporting to us, there is not much you can do yourself. Again I apologize for any frustration this has caused and ask that if you do run into these or other issues to please reach out to us as soon as possible. Are you still needing my assistance with your connection?




New Poster

Re: DPC3941T Modem hacked? Utopia.net

New information regarding this issue.

After spending all night troubleshooting, diagnosing, and being paranoid about the utopia.net DNS suffix, I've come to a conclusion.

 

This is in fact coming from the Cisco device and not from any networked clients and affects systems across multiple platforms, Windows 10 and Ubuntu 16.04 tested.

 

While the gateway is restarting (which does take some time), the ethernet connection is dropped, and re-established before the gateway is completely ready. While connected in this state, the client machine will use 10.0.0.1 as the DNS server and when it fails to resolve hostname, it then automatically tries to resolve to hostname.utopia.net. The client machine then picks up on the suffix "utopia.net" and sets that as the connection-specific DNS suffix. Once the gateway is ready, the connection is re-established and DHCP gives the client machine an IP address and DNS servers of 75.75.75.75 and 75.75.74.74, but RETAINS the DNS suffix of "utopia.net". It is not until a DHCP renew is issued (if at all) that the DNS suffix changes to "hsd1.state.comcast.net".

 

For client machines with this behavior, the issue will occur each and every time the gateway is restarted.

 

Almost any hostname.utopia.net will resolve to one of their IP addresses and I'm not sure what purpose this serves and/or if any information may be collected by requests send to those servers. Also, as someone else mentioned, this even affects clients which are using manual DNS settings such as Google Public DNS (8.8.8.8, 8.8.4.4).  Tested on fresh installations, safe modes, linux machines, factory gateway resets, and happens every time.
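To make the sequence hdman007 describes concrete, here is an added Python example; it is not code from the thread, from Comcast or from Cisco. It parses `ipconfig /all` and `/etc/resolv.conf` output, flags a suffix or server outside the expected set, and shows why a stray search suffix matters: every unqualified name a device looks up is expanded to `<name>.utopia.net` and sent to whoever serves that zone. The expected suffix pattern (hsd1.<region>.comcast.net) is an assumption taken from the shape quoted in the thread, and the ipconfig and resolv.conf samples are constructed.

```python
"""Audit a client's resolver configuration for an unexpected DNS suffix.

Added example, not code from the thread, from Comcast or from Cisco. It
models the sequence described above: during the gateway reboot the client
is handed 10.0.0.1 as DNS server and "utopia.net" as search suffix, and the
suffix survives the later DHCP lease that hands out 75.75.75.75/75.75.74.74.
The ipconfig /all and resolv.conf samples below are constructed.
"""
from __future__ import annotations

import re

# Assumption: the expected suffix has the hsd1.<region>.comcast.net shape
# quoted in the thread; the region labels vary by area.
EXPECTED_SUFFIX = re.compile(r"^hsd1(\.[a-z0-9-]+)+\.comcast\.net$")
EXPECTED_DNS = {"75.75.75.75", "75.75.74.74"}  # resolvers named in the thread

# ipconfig field lines: three-space indent, key padded with " . " up to the
# colon; extra DNS servers follow on deeper-indented continuation lines.
_FIELD = re.compile(r"^ {3}(?P<key>\S[^:]*?)[ .]*:\s?(?P<val>.*)$")


def parse_ipconfig(text: str) -> list[dict]:
    """Per-adapter connection-specific suffix and DNS server list."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):  # adapter header
            current = {"name": line[:-1].strip(), "suffix": "", "dns": []}
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            last_key, val = m["key"], m["val"].strip()
            if last_key == "Connection-specific DNS Suffix":
                current["suffix"] = val
            elif last_key == "DNS Servers":
                current["dns"].append(val)
        elif last_key == "DNS Servers":  # continuation line with another server
            current["dns"].append(line.strip())
    return adapters


def parse_resolv_conf(text: str) -> dict:
    """glibc-style resolv.conf: search suffixes and nameservers."""
    conf = {"search": [], "dns": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in ("search", "domain"):
            conf["search"] = parts[1:]  # a later directive replaces an earlier one
        elif parts[0] == "nameserver":
            conf["dns"].append(parts[1])
    return conf


def expand_query(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Candidate FQDNs a stub resolver tries for `name`, in order (glibc rules).

    A name with fewer than `ndots` dots is tried with each search suffix first,
    so a bare hostname becomes <host>.<suffix> before anything else is asked.
    """
    if name.endswith("."):  # absolute name, never expanded
        return [name]
    expanded = [f"{name}.{s}" for s in search_list]
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]


def audit(suffixes: list[str], dns_servers: list[str]) -> list[str]:
    """Findings for any suffix or server outside the expected configuration."""
    findings = [f"unexpected DNS suffix {s!r}" for s in suffixes
                if s and not EXPECTED_SUFFIX.match(s)]
    findings += [f"unexpected DNS server {d}" for d in dns_servers
                 if d not in EXPECTED_DNS]
    return findings


# Constructed sample output, modelled on the symptom the thread describes.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : utopia.net
   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 75.75.75.75
                                       75.75.74.74
"""

SAMPLE_RESOLV_CONF = """\
# constructed sample: client still on the gateway's boot-time settings
search utopia.net
nameserver 10.0.0.1
"""

if __name__ == "__main__":
    for adapter in parse_ipconfig(SAMPLE_IPCONFIG):
        print(adapter["name"], audit([adapter["suffix"]], adapter["dns"]))
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolv.conf", audit(conf["search"], conf["dns"]))
    print("bare name 'tivo' is looked up as:", expand_query("tivo", ["utopia.net"]))
```

Run it against real `ipconfig /all` or `/etc/resolv.conf` output after a gateway reboot: a suffix finding is the condition the post describes, and the `expand_query` output shows that a single-label lookup such as `tivo` goes out as `tivo.utopia.net` before the bare name is ever tried.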

New Poster

Re: DPC3941T Modem hacked? Utopia.net


hdman007 wrote:

New information regarding this issue.

After spending all night troubleshooting, diagnosing, and being paranoid about the utopia.net DNS suffix, I've come to a conclusion.

This is in fact coming from the Cisco device and not from any networked clients, and it affects systems across multiple platforms; Windows 10 and Ubuntu 16.04 tested.

While the gateway is restarting (which does take some time), the Ethernet connection is dropped and re-established before the gateway is completely ready. While connected in this state, the client machine will use 10.0.0.1 as the DNS server, and when it fails to resolve hostname, it then automatically tries to resolve hostname.utopia.net. The client machine then picks up on the suffix "utopia.net" and sets that as the connection-specific DNS suffix. Once the gateway is ready, the connection is re-established and DHCP gives the client machine an IP address and DNS servers of 75.75.75.75 and 75.75.74.74, but RETAINS the DNS suffix of "utopia.net". It is not until a DHCP renew is issued (if at all) that the DNS suffix changes to "hsd1.state.comcast.net".

For client machines with this behavior, the issue will occur each and every time the gateway is restarted.

Almost any hostname.utopia.net will resolve to one of their IP addresses, and I'm not sure what purpose this serves and/or if any information may be collected by requests sent to those servers. Also, as someone else mentioned, this even affects clients which are using manual DNS settings such as Google Public DNS (8.8.8.8, 8.8.4.4). Tested on fresh installations, safe modes, Linux machines, factory gateway resets, and it happens every time.

Thank you. This happened recently to our gateway as well. Why is there no firmware update to resolve this issue?! This thread clearly is not "resolved."

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I agree this issue is not solved. I've been encountering this problem on my DPC3941T box for several months now. I can replicate the issue every time I reboot the box. On my second reset, the DNS is corrected (probably because of the renewal, as Jason states). I can verify that this is not my PC or any other device infecting the router because I disconnected all WiFi and wired devices from the box and reset it. I then hooked up my Linux box to check, then.. boom, utopia.net. I tried using a phone and a Windows PC in safe mode.. same result, utopia.net after the 1st box reset.

Edit: I just chatted w/ Comcast TS. I'll get my box replaced w/ an Arris box. Maybe that'll get it resolved.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I'm a computer science major focusing in the areas of cybersecurity and networking.

I've emailed my professors about this.

Here are my observations.

Since the storm, the cable network got knocked down.

My Comcast router, which is made by Cisco, is unable to acquire a signal through the coax.

Interestingly enough, ipconfig on my computer shows DHCP settings received by the router.

But the thing is, the DNS suffix is set to utopia.net, not hsd1.nh.comcast.net.

After researching the issue I've found vague information on this.

When the modem hasn't downloaded its config file (i.e. unplugging the coax), the DHCP server assigns utopia.net.

The only way then to remove utopia.net is to manually do it from regedit.

When the modem has downloaded its config file, as long as utopia.net was cleared from the registry, it defaults to hsd1.nh.comcast.net.

It seems when it's in its unconfigured state it sets it to utopia.net...

It isn't conclusive though, because I haven't unplugged the coax and checked all the systems on the network....

I can't find any definitive information about this except some CVEs listed about the product Comcast uses for a cable modem/router.

Comcast's top security tier wasn't any help either.

In my research I've seen posts about this problem dating back to May 2017; it is now October.

I use a couple of security solutions to pick up viruses etc. I would think they've identified the problem by now and updated their databases.

My system came back clean through all methods used to scan.

I'm at a loss for the moment.

The attached screenshots show my system's ipconfig output and the cable modem's status at the time of the issue.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

Any luck with a new modem eliminating the problem? I've been having this problem for a month or so now and other than resetting the router a few times I'm finding no solution. None of my devices (Mac, PC, Playstation) come up with viruses and they are all manually DNS set. 

Contributor

XB3 TG1682 DPC3941T DNS Hijack Utopia.net

Preemptive --

I've read all the other threads regarding this and still no resolution. Tech visited residence and no resolution.

Backstory --

I had the Cisco DPC3941T "XB3" in bridge mode for the last year using my own router. When there were (unknowingly at the time) widespread outages last month across the entire US, I thought maybe my connection issues were due to the router's age, so I eliminated it from the equation. This did not resolve the issues I was having with connectivity, and actually inadvertently introduced this utopia.net hijack. The modem now would randomly reboot, on various occasions just drop connections, and upon rebooting all PCs would have a connection-specific DNS suffix of utopia.net. The only way to get rid of this is to factory reset the modem, which must be done by pinhole since accessing 10.0.0.1 is either non-responsive or the password was also hijacked. This behavior, as well as other concerns, is also confirmed by other users here:

http://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/td-p/2888703

Adding to this, this happens on every single device in my house (2-6 PCs, 3-4 phones). 100% without a doubt my PCs are NOT infected. This happens on machines with a clean install. After this incident occurs, an entry for utopia.net gets created in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\ that must be deleted or PCs will continue to try and connect here. This is what most antivirus scanners pick up as an "infection".

After dealing with this issue for a while, I finally swapped this version at a local center for another "XB3", the TG1682, which is the Arris-sourced version. On the very first power up, utopia.net was present. Perform a hard reset, remove the utopia.net entries from the PC, wait the boring 15 minutes for this thing to reboot, and finally I'm back online. I call Comcast tech support to request a new, different model modem, such as the XB6. The tech did what he could, but was unable to order an XB6 modem for me; he did schedule a tech to come out the next day, promising that the tech would bring me a new modem. I use the internet for the day, all devices turned off at bed time, wake up in the morning and it again is hijacked. Factory reset yet again, and remove the registry entries. A little while later, the tech arrives, and I show him the picture of what's going on and he informs me he's not seen this issue with any other customers at this time (which is fine, there aren't a lot of customers with my level of tech savvy that bring these issues to light). He asks around some of his co-workers for assistance, but again being in a small area, and not a lot of people bringing these issues to light, no luck on a solution. I am then told that I cannot get an XB6 because it's not available in my area yet. Bummer. We agreed that replacing the modem was pointless, since all that he had available were of equivalent (XB3) models and we know this issue happened on 2 modems already. The tech is great, he's been to my residence on various occasions and does a wonderful job -- no complaints to him. My concern comes in that many people in my area may also be experiencing this issue, or unknowingly using their computers in this state and sending their info through some hijacking sites.

I am able to bypass this issue by putting the modem in bridge mode (which, might I add, is quite a pain in the butt on these devices to get the public IP to pass through), and using an external router with Google DNS configured. I have also manually edited the hosts files on all of my machines to loop back any traffic to utopia.net to 127.0.0.1, just to prevent anything from my side from actually going out to this bogus website.

I believe that this issue may be more widespread than expected, and I also believe that anyone who uses the device in bridge mode, OR uses an external router with custom DNS entries, OR manually sets their DNS servers on their PC may be affected by this issue, but they are bypassing it the same way I was unknowingly (prior to finding this). I am looking for resolution from anyone who has the ability to provide one. I believe the issue is within the firmware itself for these units; perhaps the "default" DNS suffix written in the firmware is "utopia.net" because someone thought it would be funny to write a random URL in the firmware for a default, and someone smart enough to figure this out actually created the domain to hijack all these modems. There is undoubtedly a security issue here that NEEDS to be resolved. I would be more than willing to troubleshoot with anyone who wishes.
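The hosts-file workaround jerryb1988 describes can be scripted, and doing so makes its limit visible: the hosts file is matched on exact names, so a line for utopia.net alone does not cover tivo.utopia.net or any other name a client expands with that suffix. The following is an added Python example, not code from the post or from any vendor; the sample hosts content and the list of observed names are constructed.

```python
"""Hosts-file sinkhole for names under a suspect DNS suffix.

Added example; it is not code from the forum post or from any vendor. It
automates the workaround described above (hosts entries that point
utopia.net at 127.0.0.1) and makes its limit explicit: the hosts file is
matched on exact names, so an entry for "utopia.net" does not cover
"tivo.utopia.net"; every expanded name seen on the network has to be listed.
The hosts text and the observed names below are constructed.
"""
from __future__ import annotations

SINKHOLE = "127.0.0.1"


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, names) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def lookup(entries: list[tuple[str, list[str]]], name: str) -> str | None:
    """Exact, case-insensitive match, which is how the OS consults the hosts file."""
    wanted = name.lower().rstrip(".")
    for addr, names in entries:
        if wanted in (n.lower() for n in names):
            return addr
    return None


def uncovered(entries: list[tuple[str, list[str]]], names: list[str]) -> list[str]:
    """Names that the hosts file would still let fall through to DNS."""
    return [n for n in names if lookup(entries, n) is None]


def ensure_sinkholed(text: str, names: list[str]) -> str:
    """Append a 127.0.0.1 line for each name not yet present; idempotent."""
    missing = uncovered(parse_hosts(text), names)
    if not missing:
        return text
    out = text if text.endswith("\n") or not text else text + "\n"
    out += "# sinkholed names (added by ensure_sinkholed, example code)\n"
    out += "".join(f"{SINKHOLE} {n}\n" for n in missing)
    return out


# Constructed sample: a hosts file that already sinkholes the bare domain.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1       localhost
127.0.0.1 utopia.net   # the bare suffix domain only
"""

# Constructed: names clients were seen expanding after a gateway reboot.
OBSERVED_NAMES = ["utopia.net", "tivo.utopia.net", "sonos.utopia.net"]

if __name__ == "__main__":
    before = parse_hosts(SAMPLE_HOSTS)
    print("still resolved via DNS:", uncovered(before, OBSERVED_NAMES))
    patched = ensure_sinkholed(SAMPLE_HOSTS, OBSERVED_NAMES)
    print(patched)
    print("after patch:", uncovered(parse_hosts(patched), OBSERVED_NAMES))
```

Because `ensure_sinkholed` only appends names that `lookup` cannot already find, it can be re-run after every reboot without duplicating lines; the `uncovered` list is the part worth watching, since any name it reports is still being sent to the suffix's DNS servers.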

Regular Visitor

Re: XB3 TG1682 DPC3941T DNS Hijack Utopia.net

I would like to say that I am glad that someone has brought this issue to light. I have been dealing with the same issue for over a year. What I finally resorted to doing is hardcoding the Comcast DNS names into all the machines on my home network: hsd1.xx.xx.comcast.net. And that "seems" to have alleviated the issue. When I called into Comcast I was offered an upgrade to the XB6 modem, which I am going to pick up tomorrow. The problem with that is, for other people who are not fortunate enough to understand what is going on behind the scenes, this is a huge security risk. Like if the utopia.net DNS changed the DNS entry for google.com to the IP address of yahoo.com. Now this isn't a huge issue, but what if they forwarded you from the Bank of America login to a phishing site? That would be a definite concern. I hope that the engineers at Comcast take this very seriously and look into the firmware issues on the XB3s and either recall them from the market or create a patch so this doesn't continue to occur.

Also I have read plenty of forums on the web. Avast Anti-Virus will definitely delete the record from your registry editor, but that is simply a band-aid. It will come back and it won't work so easily the second time.

Thanks!

Service Expert

Re: XB3 TG1682 DPC3941T DNS Hijack Utopia.net


jerryb1988 wrote:

Preemptive --

I've read all the other threads regarding this and still no resolution. Tech visited residence and no resolution.

Backstory --

I had the Cisco DPC3941T "XB3" in bridge mode for the last year using my own router. When there were (unknowingly at the time) widespread outages last month across the entire US, I thought maybe my connection issues were due to the router's age, so I eliminated it from the equation. This did not resolve the issues I was having with connectivity, and actually inadvertently introduced this utopia.net hijack. The modem now would randomly reboot, on various occasions just drop connections, and upon rebooting all PCs would have a connection-specific DNS suffix of utopia.net. The only way to get rid of this is to factory reset the modem, which must be done by pinhole since accessing 10.0.0.1 is either non-responsive or the password was also hijacked. This behavior, as well as other concerns, is also confirmed by other users here:

http://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/td-p/2888703

Adding to this, this happens on every single device in my house (2-6 PCs, 3-4 phones). 100% without a doubt my PCs are NOT infected. This happens on machines with a clean install. After this incident occurs, an entry for utopia.net gets created in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\ that must be deleted or PCs will continue to try and connect here. This is what most antivirus scanners pick up as an "infection".

After dealing with this issue for a while, I finally swapped this version at a local center for another "XB3", the TG1682, which is the Arris-sourced version. On the very first power up, utopia.net was present. Perform a hard reset, remove the utopia.net entries from the PC, wait the boring 15 minutes for this thing to reboot, and finally I'm back online. I call Comcast tech support to request a new, different model modem, such as the XB6. The tech did what he could, but was unable to order an XB6 modem for me; he did schedule a tech to come out the next day, promising that the tech would bring me a new modem. I use the internet for the day, all devices turned off at bed time, wake up in the morning and it again is hijacked. Factory reset yet again, and remove the registry entries. A little while later, the tech arrives, and I show him the picture of what's going on and he informs me he's not seen this issue with any other customers at this time (which is fine, there aren't a lot of customers with my level of tech savvy that bring these issues to light). He asks around some of his co-workers for assistance, but again being in a small area, and not a lot of people bringing these issues to light, no luck on a solution. I am then told that I cannot get an XB6 because it's not available in my area yet. Bummer. We agreed that replacing the modem was pointless, since all that he had available were of equivalent (XB3) models and we know this issue happened on 2 modems already. The tech is great, he's been to my residence on various occasions and does a wonderful job -- no complaints to him. My concern comes in that many people in my area may also be experiencing this issue, or unknowingly using their computers in this state and sending their info through some hijacking sites.

I am able to bypass this issue by putting the modem in bridge mode (which, might I add, is quite a pain in the butt on these devices to get the public IP to pass through), and using an external router with Google DNS configured. I have also manually edited the hosts files on all of my machines to loop back any traffic to utopia.net to 127.0.0.1, just to prevent anything from my side from actually going out to this bogus website.

I believe that this issue may be more widespread than expected, and I also believe that anyone who uses the device in bridge mode, OR uses an external router with custom DNS entries, OR manually sets their DNS servers on their PC may be affected by this issue, but they are bypassing it the same way I was unknowingly (prior to finding this). I am looking for resolution from anyone who has the ability to provide one. I believe the issue is within the firmware itself for these units; perhaps the "default" DNS suffix written in the firmware is "utopia.net" because someone thought it would be funny to write a random URL in the firmware for a default, and someone smart enough to figure this out actually created the domain to hijack all these modems. There is undoubtedly a security issue here that NEEDS to be resolved. I would be more than willing to troubleshoot with anyone who wishes.


Try replacing the Cisco with the Arris XB3 TG1682G.  I was sent a free replacement because of some issue with the Cisco.

I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Contributor

Re: XB3 TG1682 DPC3941T DNS Hijack Utopia.net

Robert, thanks for the reply. As noted in my post, I was also given a replacement Arris device in exchange for the Cisco, and the issue persists.
Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

Thanks for your reply,

I have an Arris TG1682G again and can disable the WiFi module. But it seems whoever is attacking the modem/network keeps trying. Today I got a message while logged into 10.0.0.1 disabling the 5G WiFi I use at night to stream TV on an iPad. The message said, after I had already logged into the admin page, "use the NEW WIFI name and password to log in". I was already logged in. And now suddenly speed issues, lags... as you mentioned, it is on your end. What is the time frame for a fix?

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I'm really freaked out by all this. I'm having the same issue, but our phone and TV are out too.
What sort of information could they have stolen, if any? I've had my computer on and plugged into my modem all day but haven't been able to use the internet because of said issue, and only recently figured out it was in fact this issue when I found this thread.
New Poster

Re: DPC3941T Modem hacked? Utopia.net

On a side note, I found this thread that might be interesting on the subject: http://www.dslreports.com/forum/r30150713-DNS-hijacking

It does alleviate my worries a little bit, as it appears that most likely this isn't a standard hijacking as it were. But rather a very frustrating and annoying issue. What I gather from this is that it isn't necessarily malicious, and probably isn't stealing anything, and probably isn't caused by any malware. Correct me if I'm wrong, please.
New Poster

DNS reverts to Utopia.net after gateway/router reboot- Malware & Virus software finds nothing wrong

I'm running a Mac with iOS 10.11.6, using Malwarebytes, Sophos and Bitdefender. Using a new Comcast (Technicolor) gateway/router with the firewall turned on and set to medium.

When I reboot the router and check my network preferences, my DNS server is reset to my router address and my DNS search domain = utopia.net, which I'm told is a result of a DNS malware/hijack. I can manually change both back to Comcast, but on reboot they revert to Utopia. I have run malware & virus tools, but again, they find nothing.

Not much info on it online, but what little is there mostly mentions this in relation to Windows machines. Also, in reading the forums, Comcast seems to say it is not their problem, but a problem with an infected machine inside the firewall. I have a lot of devices on our home network, largely all Mac except for an Xbox.

How much of a worry is this and any suggestions on how I can get this permanently fixed? Any help or suggestions are appreciated.

Ferniture


New Poster

Re: DNS reverts to Utopia.net after gateway/router reboot- Malware & Virus software finds nothing wrong

Some more info:

https://www.reddit.com/r/Comcast/comments/7d2hz6/utopia_problem/

That links to a Reddit thread that I started. What I'm interested in is whether the person who has replied is correct. Does a DNS function essentially like a phone book? And would I have nothing to worry about continuing to use it if it remains on Utopia?