Down the utopia.net rabbit hole..... Confluence Networks is hijacking Comcast routers and traffic.
My router is compromised! This is the 3rd or 4th router Comcast has given me (each one the same model) that has the utopia.net malware.
It all started with this which is no longer being flagged by Norton and is avoiding detection.
Attacker URL: wpad.utopica.net/wpdat.dat
At first I was able to block 18.104.22.168 by using the hosts file. THIS NO LONGER WORKS! My traffic is being hijacked and rerouted. This is ridiculous that I have my ISP exposing me to all sorts of ID theft. I cannot believe Comcast has allowed this to continue for YEARS now!!! This started happening almost 1 month ago after I moved to my new apartment that does not have Coax and I'm forced to use this malware router. This is a very tricky SOB and seems to be evolving and avoiding detection because my Norton NO LONGER flags the ERROR: Malicious Site: Malicious Domain Request 21 going to utopia.net (22.214.171.124)!!!
I can no longer use my Internet to do any secure transactions. I even caught this sneaky malware generating SNMP traffic to their domain. If you search for the IP above you get known malware / ransomware hits on it. Apparently the good old boys at "Confluence" networks are hard at work crafting this to avoid detection by your typical AV / Antimalware software.
(IMAGE not working for some reason)
Another test I did this morning was run a packet capture via the following command.
As soon as I connect to a bank site like chase it creates a connection to their server.
mint@mint ~ $ sudo tcpdump -vv -i wlp2s0 |grep 208.91.197
tcpdump: listening on wlp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
cdns02.comcast.net.domain > 10.16.0.55.57998: [udp sum ok] 23866 q: A? rf15.chase.com.utopia.net. 1/0/0 rf15.chase.com.utopia.net. A 126.96.36.199 (59)
10.16.0.55.50116 > 188.8.131.52.https: Flags [S], cksum 0x511a (correct), seq 2228039325, win 29200, options [mss 1460,sackOK,TS val 2702101278 ecr 0,nop,wscale 7], length 0
184.108.40.206.https > 10.16.0.55.50116: Flags [R.], cksum 0x7713 (correct), seq 0, ack 2228039326, win 8212, length 0
mint@mint /etc $ ping rf15.chase.com.utopia.net
PING rf15.chase.com.utopia.net (220.127.116.11) 56(84) bytes of data.
64 bytes from 18.104.22.168: icmp_seq=1 ttl=244 time=31.4 ms
64 bytes from 22.214.171.124: icmp_seq=2 ttl=244 time=30.7 ms
I would imagine this is re-directing credentials through the rogue website which has been in "business" for years now!!!
I'm extremely worried about my identity and have ceased using any financial or sensitive websites until I can get off Xfinity's rogue network!
I already tried dealing with their security department and it has not helped at ALL!
I have a rather exhaustive post I did regarding this issue that I posted on dslreports and I'll "barf" all the verbiage here.
NetRange: 126.96.36.199 - 188.8.131.52
Parent: NET208 (NET-208-0-0-0-0)
NetType: Direct Allocation
Organization: Confluence Networks Inc (CN)
OrgName: Confluence Networks Inc
Address: 3rd Floor, J & C Building, P.O. Box 362
City: Road Town
OrgNOCName: NOC Admin
EXCERPT from my other post:
Comcast EPON Router is using utopia.net DNS suffix - Hijacked? (YUP - 100%)
My Equipment (3rd router in a row to do this).
The last time they replaced it I disconnected everything and booted off a live Linux DVD and still got utopia.net so it appears to be hardcoded in the router.
I also get TONS of these block requests every day.
FW.IPv6 FORWARD drop , 3171 Attempts, 2019/9/30 17:58:00 Firewall Blocked
FW.IPv6 FORWARD drop , 31 Attempts, 2019/10/02 18:35:58 Firewall Blocked
FW.IPv6 FORWARD drop , 11265 Attempts, 2019/10/02 17:56:03 Firewall Blocked
FW.IPv6 FORWARD drop , 3575 Attempts, 2019/10/01 17:58:01 Firewall Blocked
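The tcpdump output in the post shows the tell-tale pattern of DNS search-suffix completion: a lookup for a name under chase.com comes back as rf15.chase.com.utopia.net with an address in the 208.91.197.0/24 range the poster was grepping for. The following is an added example, not code from the post or from any of the parties named in it, that parses tcpdump DNS answer lines in that format and flags two things a defender would want to see: query names that carry the router's search suffix (so the intended name can be recovered), and answers that fall in the suspect netblock. The suffix and the /24 are taken from the post; the sample lines and the host addresses in them are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the tcpdump DNS answers quoted in the post.
# Line 1 mirrors the post's rf15.chase.com.utopia.net lookup; line 2 is a normal answer
# (RFC 5737 documentation address); line 3 is another suffix-completed lookup.
# Host addresses inside 208.91.197.0/24 are constructed examples, not observed values.
SAMPLE_LINES = [
    "cdns02.comcast.net.domain > 10.16.0.55.57998: [udp sum ok] 23866 q: A? "
    "rf15.chase.com.utopia.net. 1/0/0 rf15.chase.com.utopia.net. A 208.91.197.27 (59)",
    "cdns02.comcast.net.domain > 10.16.0.55.57999: [udp sum ok] 23867 q: A? "
    "www.chase.com. 1/0/0 www.chase.com. A 198.51.100.10 (47)",
    "cdns02.comcast.net.domain > 10.16.0.55.58000: [udp sum ok] 23868 q: A? "
    "nonexistent.example.utopia.net. 1/0/0 nonexistent.example.utopia.net. A 208.91.197.27 (64)",
]

# DNS search suffix named in the post, and the /24 the post's tcpdump grep targeted.
SUSPECT_SUFFIXES = ("utopia.net",)
SUSPECT_NETS = (ipaddress.ip_network("208.91.197.0/24"),)

# Matches "q: A? <qname> <an>/<ns>/<ar> <aname> A <ipv4>" as tcpdump -vv prints A answers.
ANSWER_RE = re.compile(
    r"q: A\? (?P<qname>\S+) \d+/\d+/\d+ (?P<aname>\S+) A (?P<addr>\d+\.\d+\.\d+\.\d+)"
)


def parse_answer(line):
    """Return {'qname', 'addr'} for a tcpdump A-record answer line, or None."""
    m = ANSWER_RE.search(line)
    if m is None:
        return None
    return {
        "qname": m["qname"].rstrip("."),          # drop the trailing root dot
        "addr": ipaddress.ip_address(m["addr"]),
    }


def strip_suffix(qname, suffixes):
    """If qname ends in one of the search suffixes, return the name the client meant."""
    for suffix in suffixes:
        if qname.endswith("." + suffix):
            return qname[: -(len(suffix) + 1)]
    return None


def flag_hijacked(lines, suffixes=SUSPECT_SUFFIXES, nets=SUSPECT_NETS):
    """Flag answers whose name was search-suffix completed or whose address is in a suspect net."""
    findings = []
    for line in lines:
        rec = parse_answer(line)
        if rec is None:
            continue
        intended = strip_suffix(rec["qname"], suffixes)
        in_net = any(rec["addr"] in net for net in nets)
        if intended is not None or in_net:
            findings.append({
                "query": rec["qname"],
                "intended": intended,              # name without the appended suffix
                "answer": str(rec["addr"]),
                "suffix_appended": intended is not None,
                "answer_in_suspect_net": in_net,
            })
    return findings


if __name__ == "__main__":
    for f in flag_hijacked(SAMPLE_LINES):
        print(f)
```

A query that only resolves once the search suffix is appended is one that returned nothing for the name the client asked for, so seeing such names resolve to a single address is worth alerting on regardless of which domain the suffix belongs to. Feeding the function a live `tcpdump -vv` capture filtered on port 53 gives the same result for real traffic.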