An attack that targets modems with default settings, mainly TP-Link, sets the DNS of the modem to a malicious DNS in order to redirect users to malicious pages.
However, I noticed that the attacker was nice enough to set the secondary DNS to 8.8.8.8 so he would not interrupt the user's service in case his DNS went down (or so no one would notice and start investigating if his DNS went down for a while...).
Known residential modem exploits have been used, but the one that I liked is adding a line of JavaScript to a web page that sends an HTTP request to the modem from within the LAN and changes the settings (it mainly targeted TP-Link modems, and it requires the user to visit the page with the malicious JavaScript in it).
P.S. I can provide detailed info about the attack if anyone finds it interesting. I might go deeper into this and try to find out what domains those malicious DNS servers target, etc.
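For checking a network against the pattern described in this post (an unfamiliar primary DNS with 8.8.8.8 left as the secondary), here is an added example that is not part of the original post. It assumes the resolver list is available in resolv.conf format, for example from a DHCP lease handed out by the modem; the `EXPECTED` addresses and the sample inputs are constructed placeholders.

```python
import ipaddress

# Assumption: resolvers your ISP or admin actually assigns (constructed values).
EXPECTED = {"192.0.2.53", "192.0.2.54"}
# Public resolvers that could be left as a "keep the service up" fallback.
PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def parse_nameservers(text):
    """Return nameserver IPs in order, skipping comments and invalid entries."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # not an IP address, ignore the entry
    return servers


def assess(servers, expected=EXPECTED):
    """Classify a resolver list as ok, hijack-pattern, unexpected or no-resolvers."""
    if not servers:
        return "no-resolvers"
    if all(s in expected for s in servers):
        return "ok"
    primary, rest = servers[0], servers[1:]
    # Unknown primary plus a public fallback: queries go to the unknown
    # server first, and the fallback hides outages of that server.
    if primary not in expected and primary not in PUBLIC and any(s in PUBLIC for s in rest):
        return "hijack-pattern"
    return "unexpected"


# Constructed samples (documentation address ranges, not real indicators).
SAMPLE_HIJACKED = "# lease from modem\nnameserver 203.0.113.66\nnameserver 8.8.8.8\n"
SAMPLE_CLEAN = "nameserver 192.0.2.53\nnameserver 192.0.2.54\n"

if __name__ == "__main__":
    for name, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(name, assess(parse_nameservers(text)))
```

If the modem proxies DNS and hands out its own LAN address, run the same check against the DNS values shown on the modem's admin page instead.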