
Thread: Home routers under attack - archive

  1. #21
    AplusWebMaster (Adviser Team); Join Date: Oct 2005; Location: USA; Posts: 6,881

    Router-based botnet...

    FYI...

    Router-based botnet...

    - http://isc.sans.org/diary.html?storyid=6061
    Last Updated: 2009-03-24 13:13:59 UTC - "...document (pdf - dated January 11th, 2009) by Terry Baume* goes into detail about how a specific brand of DSL Modem (Netcomm NB5) can be compromised with malicious code that turns the device into an IRC-based Bot - named PSYB0T 2.5L. While discovered several months ago, some recent entries on the DroneBL blog (among further detail into "PSYB0T") state "We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure...". It certainly appears that PSYB0T may be alive and kicking! Some further insight into the possibility that this Bot is still evolving (Now Version 2.9L, 3 months later) has been presented on the TeamFurry blog**..."
    * http://www.adam.com.au/bogaurd/
    ** http://www.teamfurry.com/wordpress/2...s-cpu-devices/

    - http://www.dronebl.org/blog/8
    "You are only vulnerable if:
    • Your device is a mipsel device.
    • Your device has telnet, SSH or web-based interfaces available to the WAN
    • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
    As such, 90% of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise)... Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria are not met, then the device is NOT vulnerable.

    How can I tell if I have been infected?
    Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself, running the rootkit itself will not alter your iptables configuration). If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected...
    Mar-24-2009 ...botnet itself is still active..."

    - http://www.theregister.co.uk/2009/03...tworking_worm/
    24 March 2009

    - http://www.eset.com/threat-center/blog/?p=810
    March 23, 2009 - "...targets routers and DSL modems..."

    Last edited by AplusWebMaster; 2009-03-24 at 16:26. Reason: Added ISC and ESET links...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
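The DroneBL infection indicator quoted above (management ports 22, 23 and 80 dropped by iptables) can be checked mechanically. The following is an added example, not code from the thread or from DroneBL: it parses rules in `iptables-save` / `iptables -S INPUT` format (the sample rule set is constructed) and reports whether all three ports are being dropped or rejected on INPUT.

```python
"""Check iptables rules for the PSYB0T indicator described by DroneBL:
INPUT rules that DROP or REJECT TCP ports 22, 23 and 80."""
import re
from typing import Dict, Set

MGMT_PORTS = {22, 23, 80}

# Constructed sample in iptables-save format; not captured from a real device.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m multiport --dports 443,8080 -j ACCEPT
COMMIT
"""

# Matches INPUT rules with an explicit TCP destination port (or port list)
# and captures the port spec and the jump target. Rules without --dport(s)
# (e.g. a blanket "-A INPUT -j DROP") are deliberately not counted here.
RULE_RE = re.compile(r"^-A INPUT\b.*?-p tcp\b.*?--dports?\s+(\S+).*?-j (\w+)")


def dropped_tcp_ports(rules: str) -> Set[int]:
    """Return the set of TCP ports that INPUT rules DROP or REJECT."""
    dropped: Set[int] = set()
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) not in ("DROP", "REJECT"):
            continue
        for part in m.group(1).split(","):      # --dports 22,23 or --dport 22
            lo, _, hi = part.partition(":")     # multiport ranges like 20:25
            lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
            dropped.update(range(lo_i, hi_i + 1))
    return dropped


def psyb0t_indicator(rules: str) -> Dict[str, object]:
    """Report which management ports are blocked and whether all three are."""
    blocked = MGMT_PORTS & dropped_tcp_ports(rules)
    return {"blocked_mgmt_ports": sorted(blocked),
            "matches_indicator": blocked == MGMT_PORTS}


if __name__ == "__main__":
    print(psyb0t_indicator(SAMPLE_RULES))
```

On a real device, feed the function the output of `iptables -S INPUT`, which prints rules in the same `-A INPUT ...` form; a match is the cue for the hard reset, password change and firmware update the DroneBL post recommends.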

  2. #22
    AplusWebMaster (Adviser Team)

    Home routers (using DD-WRT) under attack...

    FYI...

    DD-WRT vuln...
    - http://isc.sans.org/diary.html?storyid=6853
    Last Updated: 2009-07-22 20:43:54 UTC - "... new vulnerability in DD-WRT that was being reported in the Register at:
    http://www.theregister.co.uk/2009/07...t_router_vuln/ .
    DD-WRT runs on routers by Linksys, D-Link, Buffalo, ASUS as well as other routers. The complete list can be found at:
    http://www.dd-wrt.com/wiki/index.php/Supported_Devices
    This vulnerability will allow an attacker to run programs with root privileges on a vulnerable router. More information can be found on the DD-WRT Forum at:
    http://www.dd-wrt.com/phpBB2/viewtop...er=asc&start=0 "


  3. #23
    AplusWebMaster (Adviser Team)

    SMC router vuln - unpatched

    FYI...

    SMC router vuln - unpatched
    - http://www.wired.com/threatlevel/200...-warner-cable/
    October 20, 2009 - "A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue. Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon... The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service..."

    - http://www.f-secure.com/weblog/archives/00001799.html
    October 23, 2009

    Last edited by AplusWebMaster; 2009-10-24 at 03:41.

  4. #24
    AplusWebMaster (Adviser Team)

    2wire Gateway router/modem - update available

    FYI...

    2wire Gateway router/modem - update available
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3962
    Last revised: 11/18/2009 - "The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot)...
    CVSS v2 Base Score: 7.8 (HIGH) ...

    - http://webvuln.com/advisories/2wire....of.service.txt
    Solution Status: Vendor issued firmware patches; Providers are in charge of applying the patches...
    WORKAROUND: Disable Remote Management in Firewall -> Advanced Settings...

    - http://www.us-cert.gov/cas/bulletins/SB09-327.html#high
    November 23, 2009

