DPC3941T Modem hacked? Utopia.net

New Poster

Re: DNS reverts to Utopia.net after gateway/router reboot- Malware & Virus software finds nothin

Hello everyone.  I am having the utopia.net hijack problem for months.  I do believe that it is coming from the Comcast modem, as I switched out three times and it always comes back.

My temporary fix on Windows 10 is to eliminate the three mentions in regedit.exe, then run the following commands in an administrator command prompt.


ipconfig /flushdns
ipconfig /release
ipconfig /renew


This keeps it to the comcast DNS for a while, maybe days or a week or so, but utopia.net comes back.


For those that say that it does not matter, I say yes it does.  Because my upload speed goes down to 100 KBS from 12.7 MBS when uploading to YouTube.


I do not know how to get rid of it permanently.  I am angry and I wish Comcast would admit that it is their problem and not anything on our systems.


heartdaughter

New Poster

Re: DPC3941T Modem hacked? Utopia.net

With the abundance of information posted regarding utopia.net in forums (including this one), I am astounded that nobody at Xfinity customer service has any training on how to deal with it. I spent almost an hour on the phone, and Comcast's "technicians" in India don't seem to understand what I'm talking about, much less have the capability to solve it. This is a serious issue that can adversely affect customers without their knowledge — because malware and virus scans can't detect it. I have changed my wireless router settings to reflect what you have suggested here, hopefully isolating the issue to the modem when it arises. But this gives me little assurance. In any case, the Internet Security team at Comcast is woefully lacking in their knowledge and ability to solve problems that are beyond textbook level.

Contributor

Re: DPC3941T Modem hacked? Utopia.net

For those looking for "resolution", here is my best attempt at providing you as much detail as I can from various sources.

What we know:

  • This is a known (by customers at least) issue with the Comcast XB3 series and potentially some other Cisco and Technicolor models.
  • This appears to be an issue within the firmware of the modem itself, where the "default" DNS is "utopia.net" while the modem is loading and connecting to Comcast.
    • I suspect this is the case because whoever created the firmware needed to enter "something" as a default and was likely thinking "haha, utopia.net, that'll never exist"
      • Someone smart figured this out, and actually created the domain utopia.net, which may I add looks as suspicious as ever
  • This issue seems to be 100% duplicatable by rebooting the modem and PC at the same time (confirmed on multiple PCs)
  • This will create at least 1 registry entry for "utopia" on every machine that is powered on when this issue occurs.
    • Search the registry for the word utopia and if it matches utopia.net, DELETE IT.
    • If you do not delete it, the machine WILL revert to it randomly, upon reboots, or whenever it desires.
      • This gives an illusion that this issue is happening more frequently than it really is.
  • This appears to NOT be related to any particular virus or malware infection on the PC
    • Some AntiVirus/Malware software WILL detect the aforementioned registry key as a virus. While this registry key itself is NOT a virus, it does relate to other malware.
  • This DNS will be handed out to ANY device connected on your network. PCs and Macs are prone to retaining this entry.
    • My OSX repair days have come to a minimum; I cannot remember how to clear a previous DNS entry from OSX, but I suspect it is somewhere in the network manager.

Is my information compromised?

  • Keep in mind, these points aren't going to be things that an "average" person just "does". It would require someone with an amount of IT knowledge to successfully pull most of these things off.
    • While it is unlikely that this particular issue actually steals any information from you or your computer, it is possible for the owner of this domain to detect incoming connections coming from your machine which may give away your IP address and potentially allow a remote hacker to later compromise your system if you have open ports on your network.
    • It could redirect you to other malicious sites or search results that may contain questionable content. These sites are typically the sites you will get the infection from, not the DNS server.
    • Packets could get snooped and the contents revealed, although this form of hacking is getting substantially harder with advanced encryption algorithms.
  • Use general internet common sense.
    • Do not enter a username, password, or any other personal information anywhere online while your DNS shows up as utopia.net
    • Don't use the same passwords everywhere, especially for banking & health, for the aforementioned bullet could allow one person to take control of your entire digital life.

How can you resolve this?

  • Buy your own external router
  • Disable the WiFi on the comcast gateway, including opting out of the Public WiFi Hotspot via your comcast account page
  • Set the firewall for IPv4 and IPv6 to "none/disabled"
  • Place the comcast gateway in bridged mode. The gateway should automatically reboot.
  • Disconnect ALL ethernet cables from the gateway while it reboots (independent issue, just trust me)
  • Wait for the gateway to fully boot up, including the telephony portion.
    • Confirm that your telephone works (if subscribed)
  • Connect the ethernet cable from your router to an ethernet port on the back of the gateway.
    • Reports indicate that port 4 will not work as it is reserved for "Xfinity Home Security"
    • Other reports indicate that port 1 will not work either (random?)
    • Try port 2 for best luck
  • Power up the external router and wait a few minutes for it to establish a connection
  • Plug in your wired devices to the new router and/or pair with a wifi device
  • Configure new wireless router
    • Look for a subsection labeled DNS
    • DISABLE automatic DNS assignment
      • This disables getting the DNS server from the comcast gateway, which as we know passes out Utopia.net
    • Manually enter comcast's DNS servers, which are in the beginning of this thread
      • Primary: 75.75.75.75
      • Secondary: 75.75.76.76
    • *Optionally use Google DNS instead - Known to provide faster response times*
      • Primary: 8.8.8.8
      • Secondary: 8.8.4.4
    • If available, enable the option that allows the router to hand out these DNS entries to each PC instead of passing them through from the gateway
      • This will further prevent the PC from otherwise reverting in very rare cases
      • If this option isn't available, you will likely be fine. This is just a second layer.

I hope the information contained in this post is helpful and if so, please click the Kudos button. I'm just a normal everyday IT guy trying to help everyone who has likely spent countless days searching the internet for resolution to this. I am in no way related to Comcast and the information contained above is to be used at your sole discretion. I know some will complain that they shouldn't need to buy an external device to prevent an issue with the firmware, to which I 100% agree wholeheartedly. I am offering a right-now solution versus waiting an undetermined amount of time for a firmware fix to be applied, tested, and deployed for this issue, which could take weeks, months, or even more than a year to roll out widespread.

Contributor

Re: DPC3941T Modem hacked? Utopia.net

Yes my connection still needs your help.  We were supposed to have a tech call us this weekend and come over for neighbor splitting off my service causing issues with x1 companion box downstairs...shows failed but is connected, internet speeds inconsistent.  No call from Tech 3 days later.  


portion of chat Saturday November 18 2017:


12:50 PM Comcast : I have raised a request for you.
12:50 PM Me : shows here as failed
12:50 PM Me : ok
12:50 PM Comcast : The request number is 0 4 4 5 5 5 4 2 0.
12:50 PM Comcast : You will receive a call within 2 hours from our tech.
12:50 PM Me: ok
12:51 PM Comcast : The box is showing failed on your end because of the splitter issue, No worries, our tech will fix it for you.
12:51 PM Comcast : You will not have to repeat yourself again.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

SOLVED: I had such an issue with this that I could barely use the internet. When I sent a reset to the modem and/or renewed my ip address (ipconfig/release > ipconfig/renew [in cmd prompt]) the dns would change back to comcast, but then get hijacked again by utopia.net a few minutes later. The below is how I fixed the problem (IMPORTANT: You should still run a good antivirus program or two so that any remaining infection can be removed.)


I found the registry keys for the network and deleted the profile, then changed the signature DNS suffix back to Comcast's:

(Go to start and run REGEDIT [be careful as messing with these files can seriously harm your computer])


  • Delete any utopia.net profile from here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\


  • Change the signature (DNS suffix) back to comcast's “hsd1.tx.comcast.net” for any that are "utopia.net"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

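
The two posts above name the registry keys where Windows retains a network's name and DNS suffix, and note that an entry can sit there while the live DNS is already correct. As an added audit script that is not from this thread or any poster, the following reads those keys and each adapter's current suffix and DNS servers without changing anything; the value names it inspects (ProfileName, Description, DnsSuffix, FirstNetwork) are standard NetworkList values, and the default pattern 'utopia' is a constructed example.

```powershell
# Added example (not from the thread): read-only audit of the NetworkList keys named in the
# posts above, plus the DNS suffix and servers each adapter is using right now.
# Run from an elevated PowerShell prompt on Windows 10. Nothing is deleted; review the
# hits, then remove them by hand in regedit as the posts describe.
param(
    # Substring to look for in profile names, descriptions and DNS suffixes (case-insensitive).
    [string]$Pattern = 'utopia'   # constructed default
)

$NetworkList   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$ProfilesKey   = Join-Path $NetworkList 'Profiles'
$SignaturesKey = Join-Path $NetworkList 'Signatures\Unmanaged'

function Find-RetainedNetworkEntries {
    param([string]$Pattern)
    $hits = @()

    # Profiles\{GUID}: ProfileName and Description hold the network name Windows remembered.
    foreach ($key in Get-ChildItem -Path $ProfilesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($valueName in 'ProfileName', 'Description') {
            $data = $props.$valueName
            if ($data -and $data -match $Pattern) {
                $hits += [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
            }
        }
    }

    # Signatures\Unmanaged\{hash}: DnsSuffix is the "signature" the post edits back to
    # hsd1.<region>.comcast.net; FirstNetwork and Description repeat the network name.
    foreach ($key in Get-ChildItem -Path $SignaturesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($valueName in 'DnsSuffix', 'FirstNetwork', 'Description') {
            $data = $props.$valueName
            if ($data -and $data -match $Pattern) {
                $hits += [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
            }
        }
    }
    return $hits
}

function Get-CurrentDnsState {
    param([string]$Pattern)
    # What each adapter uses now, independent of what the registry retained. A registry hit
    # with a clean live suffix is the "retained but inactive" state described in the thread.
    Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } | ForEach-Object {
        $servers = Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.ServerAddresses }
        [pscustomobject]@{
            Adapter    = $_.InterfaceAlias
            Suffix     = $_.ConnectionSpecificSuffix
            DnsServers = ($servers -join ', ')
            Suspicious = ($_.ConnectionSpecificSuffix -match $Pattern)
        }
    }
}

$registryHits = Find-RetainedNetworkEntries -Pattern $Pattern
if ($registryHits) {
    Write-Host "Retained NetworkList entries matching '$Pattern':"
    $registryHits | Format-Table -AutoSize
} else {
    Write-Host "No NetworkList entries match '$Pattern'."
}

Write-Host "`nCurrent per-adapter DNS suffix and servers:"
Get-CurrentDnsState -Pattern $Pattern | Format-Table -AutoSize
```

An adapter flagged Suspicious while the registry shows no hits means the suffix is being handed out fresh by DHCP, which points at the gateway rather than a retained entry.
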
Silver Problem Solver

Re: DPC3941T Modem hacked? Utopia.net


Quirkyhndl wrote:

SOLVED: I had such an issue with this that I could barely use the internet. When I sent a reset to the modem and/or renewed my ip address (ipconfig/release > ipconfig/renew [in cmd prompt]) the dns would change back to comcast, but then get hijacked again by utopia.net a few minutes later. The below is how I fixed the problem (IMPORTANT: You should still run a good antivirus program or two so that any remaining infection can be removed.)


I found the registry keys for the network and deleted the profile, then changed the signature DNS suffix back to Comcast's:

(Go to start and run REGEDIT [be careful as messing with these files can seriously harm your computer])


  • Delete any utopia.net profile from here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\


  • Change the signature (DNS suffix) back to comcast's “hsd1.tx.comcast.net” for any that are "utopia.net"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged



I have utopia.net in my registry but my DNS is Comcast's.  I don't see any need to make these changes.


I am not a Comcast employee; I am just a customer, volunteering my time to help other customers here in the Forums.
Expert

Re: DPC3941T Modem hacked? Utopia.net

@RobertWy

Did you have one that said utopia.net and another that showed the correct DNS Suffix?
Silver Problem Solver

Re: DPC3941T Modem hacked? Utopia.net


jweaver0312 wrote:
@RobertWy

Did you have one that said utopia.net and another that showed the correct DNS Suffix?

Yes.  And ipconfig is correct.

Microsoft Windows [Version 10.0.16299.64]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\rwyco>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-CBAI5AM
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.tx.comcast.net

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : hsd1.tx.comcast.net
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-25-AB-A4-78-06
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:2c6:4f00:9ef::611d(Preferred)
Lease Obtained. . . . . . . . . . : Saturday, December 2, 2017 2:17:44 AM
Lease Expires . . . . . . . . . . : Saturday, December 9, 2017 2:17:44 AM
IPv6 Address. . . . . . . . . . . : 2601:2c6:4f00:9ef:61a3:cb32:23ef:64ad(Preferred)
Temporary IPv6 Address. . . . . . : 2601:2c6:4f00:9ef:15e9:f682:cfec:d700(Preferred)
Link-local IPv6 Address . . . . . : fe80::61a3:cb32:23ef:64ad%2(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.174(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, December 1, 2017 4:08:47 PM
Lease Expires . . . . . . . . . . : Tuesday, December 12, 2017 5:36:08 AM
Default Gateway . . . . . . . . . : fe80::5ee3:eff:fecf:1c63%2
10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 50341291
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-EF-BC-F0-00-25-AB-A4-78-06
DNS Servers . . . . . . . . . . . : 2001:558:feed::2
2001:558:feed::1
75.75.76.76
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.tx.comcast.net
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3168
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-43
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-47
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:c42:38b2:f5ff:ff51(Preferred)
Link-local IPv6 Address . . . . . : fe80::c42:38b2:f5ff:ff51%11(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352321536
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-EF-BC-F0-00-25-AB-A4-78-06
NetBIOS over Tcpip. . . . . . . . : Disabled


I am not a Comcast employee; I am just a customer, volunteering my time to help other customers here in the Forums.
Expert

Re: DPC3941T Modem hacked? Utopia.net

Ok. @Quirkyhndl

Did your registry already have anything in it showing the proper DNS Suffix or did it all say utopia.net instead?
Silver Problem Solver

Re: DPC3941T Modem hacked? Utopia.net


jweaver0312 wrote:
Ok. @Quirkyhndl

Did your registry already have anything in it showing the proper DNS Suffix or did it all say utopia.net instead?

My registry has both.


I do not have the DPC6941T any more.  It was replaced by an Arris TG1682G.  (Full disclosure.)


I am not a Comcast employee; I am just a customer, volunteering my time to help other customers here in the Forums.
Expert

Re: DPC3941T Modem hacked? Utopia.net

Understood. I swapped mine out for a 1682 a while back as well. I was mainly trying to ask that question to @Quirkyhndl. My registry had both, while mine shows hsd1.nj.comcast.net. I was starting to form a theory that the people who for some reason get utopia.net probably do so because it's not getting into their registry and updating it. I was trying to ask Quirkyhndl to see if theirs only had utopia.net, while ours had both yet showed the correct DNS suffix.
Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I had the same thing happen. Please contact me. Once they have access to your modem they have access to your devices. A new modem will not help. Comcast will not take responsibility. My cell phones, iPads, everything have been hacked. This is a nightmare. They are using my devices for fraudulent activity. I am a wreck since I have 3 children and this has been going on for two years. My local police would not help because Comcast would not take responsibility.
Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I'm having the same problems and mine is 10.10.1. Comcast won't help. All of my devices have been hacked into. I am going to call the FCC.
Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I got a new modem and it didn't help. All of my devices were hacked. Comcast won't help and all of my accounts have been hacked into as well. They are using my devices for fraudulent activity. I am so overwhelmed. I did go to the police too in my small town and that was useless with Comcast denying that there was anything wrong.
Silver Problem Solver

Re: DPC3941T Modem hacked? Utopia.net


lauraw75 wrote:
I got a new modem and it didn't help. All of my devices were hacked. Comcast won't help and all of my accounts have been hacked into as well. They are using my devices for fraudulent activity. I am so overwhelmed. I did go to the police too in my small town and that was useless with Comcast denying that there was anything wrong.

Have you tried removing utopia.net from your registry?  That is where the issue is; not with the modem/gateway.

https://www.google.com/search?q=remove+utopia.net&rlz=1C1CHBF_enUS729US729&oq=remove+utopia.net&aqs=...


I am not a Comcast employee; I am just a customer, volunteering my time to help other customers here in the Forums.
Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

I am having the same issue on my new gateway TG1682G that I just received last week. My internet was working fine during Xmas but the next day it just disconnected throughout the whole day. I checked my ipconfig and it routed me to utopia.net. Now I'm trying to figure out how to fix this annoying problem and so far none of the suggestions above worked for me. I tried deleting all values containing utopia in regedit and it still reroutes my DNS to utopia.net. Does anyone know how to permanently remove it?
Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

I added this to the Windows host file: 127.0.0.1 utopia.net

The file is located at: C:\Windows\System32\drivers\etc

I also searched the registry for utopia and found 3 results and deleted them.


Then I opened a command prompt and put:
ipconfig/release
ipconfig /flushdns
ipconfig /renew

now, the utopia stuff no longer shows up when I ipconfig /all.


The reason I even knew I was infected with something was that I saw that I've used almost 1200 GB of bandwidth this month vs. my usual no more than 500 GB a month. Luckily I had a courtesy month so didn't get charged.

(so far) so good..

Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

Alright so I deleted two more registry entries containing utopia. Ran ipconfig release, flush, and renew but it still pops up as utopia.net? I did a full wipe on my PC and whenever I plug my modem back in, I realized that the dns server is already set to utopia to begin with. I just recently upgraded this equipment last week too. So did Comcast actually give me a faulty modem that is preset to reroute the dns server to utopia.net??? I already called CS and they tell me that this is the “first” time they experienced this. Sigh, I might just consider buying myself a modem to alleviate this problem with their current gateway models.
New Poster

Re: DPC3941T Modem hacked? Utopia.net

This exact issue happened to me also. I was able to fix it by changing the user name and password of the gateway and then by changing the wireless name and passwords of both the 2.4 and 5 network. I did this last night and have had no issues since. I hope this helps. By the way. This is not a Comcast issue and is another way that the gateway can be hacked into due to not changing the generic username and password on the device.
New Poster

Re: DPC3941T Modem hacked? Utopia.net

"utopia.net" yes I had seen the change the DNS server changed to that.
Expert
Moved:

Re: DPC3941T Modem hacked? Utopia.net

Your post has been removed to a secure, hidden area for violating Forum Guidelines [circumventing the language filters]. If you are not familiar with the Guidelines you may review them here. http://forums.xfinity.com/t5/Forum-Community/Forums-Policy-and-Guidelines/td-p/2618379

Contributor

Re: DPC3941T Modem hacked? Utopia.net


Robgage wrote:
This exact issue happened to me also. I was able to fix it by changing the user name and password of the gateway and then by changing the wireless name and passwords of both the 2.4 and 5 network. I did this last night and have had no issues since. I hope this helps. By the way. This is not a Comcast issue and is another way that the gateway can be hacked into due to not changing the generic username and password on the device.

I assure you that the username, password, ssid, and the password are all changed as soon as the modem is reset or a new one is obtained on my end.


Still amused that this thread keeps getting marked as resolved or best answers chosen.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

I have an ARRIS TG1682G and this happened to me as well - I set my DNS servers back to default, changed my SSID and key, and I am checking all my devices for malware. Spoke with Comcast and they said that's all that can be done and this is a fairly common malware issue. Hope this has nothing to do with the "Guest WiFi" (?) feature or whatever it's called.. disabled a few days ago when I saw it on xFi

hmph

New Poster

Re: DPC3941T Modem hacked? Utopia.net COMCAST IS SUPER DISHONEST

Then tell us what the script is, its filenames, location, etc. I'll hack into my system and remove it manually. None of the antivirus or anti-malware apps can find it. This is why I insist (until you prove otherwise) that the utopia.net attack comes from the WAN into the modem. 

Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

Set DNS servers manually under Win 10 settings-network & internet-change adapter options.
IPv4: 75.75.75.75
75.75.76.76
IPv6:
2001:558:feed::1
2001:558:feed::2
Problem solved for me.

New Poster

Re: DPC3941T Modem hacked? Utopia.net

If you have many devices and/or guests coming, then it is not feasible to set every device manually to a fixed DNS.
Has Comcast acknowledged the problem officially at this stage?


I can also rule out a device vulnerability as I have seen it on: iOS, Android, Chromebooks, PCs, MacOS...


They seem to want to refer to their "security assurance department at 1-888-565-4329" every single time and typically respond that they are not responsible for what is going on on your computer.

I have verified that the DNS settings are coming from the router... now I cannot prove 100% for sure if it might be because of a cross-site-scripting vulnerability or if there is an external attack that changes the router settings - or if they have a wrong default when rebooting (as some suggested), but it is definitely a vulnerability on the router side and no firmware update is available.


Several chat representatives offered meanwhile to send an XB6 router that would not have the problem - but Comcast's distribution logistics are extraordinarily stubborn and will refuse this to be sent to customers who are not on the 400MB/1GB tier yet. Their adherence to process trumps common sense and customer service. And they misunderstand what they are saying "we cannot" with what it means "we as an organization choose not to" help.


Contributor

Re: DPC3941T Modem hacked? Utopia.net


@ wrote:

If you have many devices and/or guests coming, then it is not feasible to set every device manually to a fixed DNS.
Has Comcast acknowledged the problem officially at this stage?


I can also rule out a device vulnerability as I have seen it on: iOS, Android, Chromebooks, PCs, MacOS...


They seem to want to refer to their "security assurance department at 1-888-565-4329" every single time and typically respond that they are not responsible for what is going on on your computer.

I have verified that the DNS settings are coming from the router... now I cannot prove 100% for sure if it might be because of a cross-site-scripting vulnerability or if there is an external attack that changes the router settings - or if they have a wrong default when rebooting (as some suggested), but it is definitely a vulnerability on the router side and no firmware update is available.


Several chat representatives offered meanwhile to send an XB6 router that would not have the problem - but Comcast's distribution logistics are extraordinarily stubborn and will refuse this to be sent to customers who are not on the 400MB/1GB tier yet. Their adherence to process trumps common sense and customer service. And they misunderstand what they are saying "we cannot" with what it means "we as an organization choose not to" help.



Finally, someone else with a brain chimes in... You hit the nail dead on the head with the wrong default when the modem reboots. You can confirm this on a brand new freshly installed OS by rebooting the modem and PC at the same time. Because Windows retains the DNS servers in the registry, they get stored, and this is what most malware programs pick up, despite it not actually being malware; it is just a retained setting. It is still necessary to delete it, since Windows is dumb and will revert to using it whenever it feels like it. My workaround (as previously posted) is to set the DNS servers manually in an external router. This will prevent utopia.net from hitting the client devices, since they are always getting the DNS from the external router, and the external router is manually set to Google DNS.


I also experienced the annoying BS about the XB6... PROMISED that a technician would bring me one... but same story when he arrived... "you must have the gig service"

Regular Visitor

Re: DPC3941T Modem hacked? Utopia.net

[deleted]

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

I recently saw this as malware loaded through extensions to chrome on a win 10 pc.
New Poster

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

Done this 20+ times as well as every suggestion on the internet and it still comes back. I can't tell you how many Comcast reps I've talked to, but literally none has had anything useful to say and somehow they seem to know less than me.
Silver Problem Solver

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

Interesting.  I've never had this issue in all my years as a Comcast customer.  I wonder why it affects a few and not everyone?


I am not a Comcast employee; I am just a customer, volunteering my time to help other customers here in the Forums.
New Poster

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

Just to add my 2¢ to the conversation.


I noticed about an hour ago that my internet connection was down, and then it came back up pretty quickly. I just looked at the modem status, and I can see that the modem rebooted just about an hour ago, so that explains the brief outage. Note that I did not reboot the modem, and we have had no problems with power, so clearly somebody outside (Comcast, or a bad actor) rebooted the modem.

Shortly after the reboot, my firewall asks "automountd wants to connect to applications.utopia.com." And when I look at my internet panel I see "Search Domains: utopia.com". I have never seen this before. (I use Google's name servers on my computer—8.8.8.8 and 8.8.4.4—and they have not been changed.) The DNS servers reported by my modem continue to be Comcast's—75.75.75.75 and 75.75.76.76.


So it looks like if this was a hijacking attempt (which I have had, with a different model of modem from Comcast), it isn't going to be too successful. But I have no opinion, yet, whether this is a hijacking attempt, or an intentional change of some sort at Comcast.


In any event, I solved it by blocking utopia.net with my firewall.


Computer: iMac

OS: High Sierra 10.13.3

Firewall: Little Snitch

New Poster

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

Hi Robert Wy

I can't tell you why this only affects some computers. I checked two computers at my house, and it is only affecting one of them. I can tell you that with an earlier model of a Comcast modem, I did have it hijacked, which suggests that either the modem had a vulnerability, or Comcast allowed someone access to their password file (passwords to the modem, not my account).


This feels like a "broken" attempt to hijack my modem, but I really can't tell.

Contributor

Re: DPC3941T Modem hacked? Utopia.net

I have reported here about the UTOPIA.NET hijack.  It just happened again on Monday when there was an outage in my area for 5 hours.  The modem, upon power outage, restart, or reboot, goes directly to UTOPIA.NET. Once I saw this I pulled the ethernet from my MacBook.

So far no issues after Monday's UTOPIA.NET resurface. I did a DNS flush on the Mac, and deleted registry entries on my Windows laptop.  UTOPIA.NET is hard coded on certain gateways.   I have the TG1682G.  Prior two Ciscos that were BROKEN???? anyway.  If you catch it, remove it and Comcast's DNS server will stabilize as long as you factory reset, not restart or power off.  That's my ten cents about it.

New Poster

Re: If you have problems with "Utopia.net" hijacking your DNS, read on.

I do believe I have been hijacked as well using DPC3941T. I have had so many issues with internet connection and security for more than 10 years now, no matter what service provider I use. It has been more than one year since I switched to Comcast. Still have problems with internet/connection/security.

I received an email from Comcast saying a new device connected to my WiFi connection. In checking the devices connected to our network, there were 2 unknown devices connected. I paused both devices indefinitely, but the weird thing is that although I am connected on my WiFi (using iPhone 7), it does not show I am online. I am rather offline. I have only one bar on my signal on WiFi connection although I am in front of the router.

We have had several issues with our services, landline, TVs, internet all the time, so that I am tired of calling Comcast. Most recently, when the technician moved the modem to a different location, I noticed the lights on the modem changed all the time. Although we only have one telephone no. and the line is connected on Tel. 1 at the back of the modem, the second line lights up without any telephone line connected to it. I just reboot the modem, but it's getting old to me now. But what can I do? The technician that came to fix the problem said it was supposed to be lit up! I told her that should not be since there is nothing connected to that port (tel. 2)!

My husband and I are both seniors. I am a little more savvy using the internet. We do not have any more computers using MS at home. All became dysfunctional after newly bought computers, laptops became malware corrupted. After several times of repairs, etc., no programs installed other than the OS, all files wiped out, the computers worked at the repair shop(s); once taken home, computers worked for a couple of days, a couple of weeks at most. Technicians and relatives I talked to think that was weird, thinking it was me and my doing! Not hardly! Hubby and I are old folks, DO NOT look, check out unfamiliar websites, DO NOT open unfamiliar/unsolicited emails, we are just some boring folks! I do not even subscribe to any social media stuff. Don’t know why this is happening. All I use now is my mobile IPhone. This new telecommunication thing is a necessary evil that we have to learn how to use it for most of our communicating needs nowadays, i.e., doctors appts, service providers confirmation on things, etc. Can someone help us, please?