

koitsu
Premium
join:2002-07-16
Mountain View, CA

Linux embedded devices being used in botnet

The below two URLs don't really explain *how* they gained access to said DD-WRT/OpenWRT/Tomato boxes, but based on what I can figure out, it's this:

If you have SSH or telnet open to the world (e.g. WAN-side), and have a fairly insecure password (such as the default password of "admin" in Tomato), brute-force SSH/telnet attempts will eventually succeed.

Those who don't permit incoming SSH/telnet to the router via WAN, or allow SSH but disallow passwords (instead requiring keys) should be fine.

OpenWRT apparently leaves telnet open until you've set a root password.

»dronebl.org/blog/8

»it.slashdot.org/article.pl?sid=0···from=rss
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

pandora
Premium
join:2001-06-01
Outland
  Isn't the default for Tomato not to enable remote access?


koitsu
Premium
join:2002-07-16
Mountain View, CA

said by pandora:

Isn't the default for Tomato not to enable remote access?

Correct. I don't think there's any portion of the Tomato installation where telnet/SSH are left open on the WAN side.

This is mainly for people using OpenWRT, and for DD-WRT/Tomato/etc. users who *have* permitted telnet/SSH open via WAN.

tlhIngan

join:2002-07-08
Richmond, BC
reply to koitsu
Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...


koitsu
Premium
join:2002-07-16
Mountain View, CA

said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

I didn't know there were Windows trojans which were brute-forcing SSH/telnet passwords on LAN routers. I don't think the original article mentioned anything of the such -- are you aware of anything like this in the wild?

KodiacZiller

join:2008-09-04
73368

reply to tlhIngan
said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

Care to explain how an infected Windows box would be able to infect a router running DD-WRT/Tomato/OpenWRT?


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast


reply to koitsu
Thanks for the heads up on such bad reporting all over the place.

I'm glad to see »dronebl.org/blog/8 "Update 4 -- Before you read anything else, read this".

Headlines such as: »OpenWRT/DD-WRT vulnerability
...are laughable since it would take some rather poor setup. Definitely not defaults.

I did some quick searching but can't find what default setups may be this bad. Anyone?

I then alerted the OpenWrt forum. They had nothing I could find on this.


Potty Time

join:2005-07-03
united state

reply to koitsu
So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.


koitsu
Premium
join:2002-07-16
Mountain View, CA


said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does :( :( :(

Yes, out-of-the-box you're safe. Tomato, at no stage during installation or post-installation, permits SSH or telnet via the WAN interface (only the LAN).

If you want to verify what your settings are:

Administration -> Admin Access -> SSH Daemon


It doesn't appear that Telnet is ever permitted WAN-side, unless you explicitly create a firewall rule using a start-up script or via some other means. And that's good, especially since Telnet passwords are sent in plaintext over the socket. :-)

HTH...
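
One way to look for the kind of explicit WAN-side firewall rule mentioned above, as an added example that is not part of the original post: it reads a saved `iptables-save` dump and lists filter-table INPUT rules that accept TCP 22 or 23 arriving on the WAN interface. The interface names (`vlan1` for WAN, `br0` for LAN) and the sample dump are assumptions constructed for illustration.

```python
import shlex

MGMT_PORTS = {22: "ssh", 23: "telnet"}  # the services discussed in this thread

def parse_rule(line):
    """Map each option of one iptables-save rule to (value, negated)."""
    opts, key, neg = {}, None, False
    for tok in shlex.split(line):
        if tok == "!":                  # written '! -i br0' or, older, '-i ! br0'
            neg = True
        elif tok.startswith("-"):
            key, opts[tok], neg = tok, (None, neg), False
        elif key:
            opts[key], key, neg = (tok, opts[key][1] or neg), None, False
    return opts

def expand_ports(spec):
    """Expand '22', '22:23' or '23,8080' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        ports.update(range(int(lo or 0), int((hi or 65535) if sep else lo) + 1))
    return ports

def wan_exposed(dump, wan_if):
    """List (service, rule) for INPUT ACCEPT rules; rule order and -s are not evaluated."""
    findings, table = [], None
    for line in map(str.strip, dump.splitlines()):
        table = line[1:] if line.startswith("*") else table
        if table != "filter" or not line.startswith("-A INPUT "):
            continue
        o = parse_rule(line)
        spec, pneg = o.get("--dport") or o.get("--dports") or (None, False)
        iface, ineg = o.get("-i", (None, False))    # no -i means every interface
        if (o.get("-j") == ("ACCEPT", False) and o.get("-p") == ("tcp", False)
                and spec and (iface is None or (iface == wan_if) != ineg)):
            hit = expand_ports(spec)
            findings += [(MGMT_PORTS[p], line) for p in MGMT_PORTS if (p in hit) != pneg]
    return findings

# Constructed sample dump; vlan1 as WAN and br0 as LAN are assumptions.
SAMPLE = """\
*filter
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i vlan1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i br0 -p tcp -m multiport --dports 23,8080 -j ACCEPT
"""

if __name__ == "__main__":
    print(wan_exposed(SAMPLE, "vlan1"))
```

A rule listed here is a candidate to review, since an earlier DROP or a source restriction can still block it; an outside port check confirms what is actually reachable.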

pandora
Premium
join:2001-06-01
Outland
·ooma
·Future Nine Corpor..
·Comcast

 reply to Potty Time
said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.

You can visit »https://www.grc.com/x/ne.dll?bh0bkyd2 and let "Shields Up" determine if you have any open ports. It is safe, and easy to do. It requires that your browser permit scripting.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast


reply to koitsu
Things are coming together. A very bad condition existed on some DSL modems and there's a good paper on this: »www.adam.com.au/bogaurd/PSYB0T.pdf

Having a specific target explains why someone would make code that runs in Debian-mipsel, which all the routers we're talking about do.

But please don't lose perspective. 100,000+ worms exist that will infect PCs and now embedded Linux in modems and routers has... 1! And it takes a pretty bad setup to expose. And such a bad setup has been vulnerable all along!

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

said by Bill_MI:

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)

And I'll bet that he coded it all using a programmer's text editor, not a fancy GUI html code generator application.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com
Saturday, 28-Nov 17:22:57 | © 1999-2009 dslreports.com