VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

2 recommendations

Suspected Mass Exploit Against Linksys E1000 / E1200 Routers

From »isc.sans.edu/forums/diar ··· rs/17621
Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available).

It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS server (8.8.8.8 or 8.8.4.4).

...The initial request sent by the exploited routers if they find port 80 or 8080 open is GET /HNAP1/ . HNAP is a REST based web service that can be used to administer these routers. It is possible that the exploited vulnerability is part of HNAP (it had problems in the past), or that HNAP is just used to fingerprint the router to select the right exploit to send.
If you've got one of these, be aware. An ISC reader notes, "Might have something to do with this 0-day exploit
»www.defensecode.com/publ ··· sory.pdf "
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA

Not just people with E1000's; it looks like people with E1200 ver. 1 hardware are SOL too...

seaman
Premium Member
join:2000-12-08
Seattle, WA

seaman to VikingBob
said by VikingBob:

E1000 routers are end-of-life and don't appear to have an immune firmware available.

Wow, there are certainly a lot of E1000's out there. Good reason to upgrade.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to VikingBob
said by VikingBob:

The routers scan port 80 and 8080

look for routers which scan IP addresses sequentially on port 80/8080

I don't know what this means.. are the routers scanning local ports or remote ports?

how would one know if a router was "scanning ports"?

Raphion
join:2000-10-14
Samsara

Member

said by redwolfe_98:

said by VikingBob:

The routers scan port 80 and 8080

look for routers which scan IP addresses sequentially on port 80/8080

I don't know what this means.. are the routers scanning local ports or remote ports?

how would one know if a router was "scanning ports"?

Remote, they are looking for other routers to infect. The routers infect others autonomously (presumably, maybe the scan is for some other purpose, but looking for targets to infect makes sense).

You'd have to put a sniffer on the WAN side of the router to spot the behavior directly, although as the article points out, it saturates the bandwidth with the scanning, so the internet becomes nearly inaccessible through the infected router, so you'd definitely notice that something was wrong.

I searched an http server's logs for the HNAP1 string, and found about 70 hits, beginning Dec 1st, so it's definitely out there, but not exactly wildfire. It does appear that any vulnerable router connected now would be infected within one day though.
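As an added example (not code from the thread or from ISC), here is detection logic for the two indicators discussed above: /HNAP1/ probes in an HTTP access log, as Raphion searched for, and a source that walks consecutive IP addresses on ports 80/8080 in flow records. The log lines and flow tuples are constructed sample data.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample access-log lines in common log format (not real traffic).
ACCESS_LOG = """\
198.51.100.7 - - [12/Feb/2014:09:14:02 -0700] "GET /HNAP1/ HTTP/1.1" 404 169 "-" "-"
203.0.113.5 - - [12/Feb/2014:09:14:05 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2014:09:20:41 -0700] "GET /HNAP1/ HTTP/1.1" 404 169 "-" "-"
192.0.2.44 - - [12/Feb/2014:10:02:13 -0700] "GET /HNAP1/ HTTP/1.1" 404 169 "-" "-"
"""

# client ip, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def hnap_probes(log_text):
    """Return {client_ip: count} for requests to /HNAP1/, the first request
    the infected routers send when they find port 80 or 8080 open."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).startswith("/HNAP1"):
            hits[m.group(1)] += 1
    return dict(hits)

# Constructed flow records (src, dst, dst_port), as a flow summary of a WAN-side
# capture would list them. 10.0.0.9 walks 203.0.113.1-5 on 80/8080.
FLOWS = [
    ("10.0.0.9", "203.0.113.1", 80), ("10.0.0.9", "203.0.113.2", 80),
    ("10.0.0.9", "203.0.113.3", 8080), ("10.0.0.9", "203.0.113.4", 80),
    ("10.0.0.9", "203.0.113.5", 80),
    ("10.0.0.12", "198.51.100.20", 443), ("10.0.0.12", "198.51.100.21", 80),
]

def sequential_scanners(flows, ports=(80, 8080), min_run=4):
    """Return {src: longest_run} for sources whose destinations on `ports`
    include at least `min_run` consecutive IPv4 addresses (the ISC indicator)."""
    by_src = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            by_src[src].add(int(ip_address(dst)))
    flagged = {}
    for src, addrs in by_src.items():
        ordered = sorted(addrs)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1  # extend or restart the run
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged
```

A run threshold of 4 keeps a host that legitimately talks to a couple of adjacent web servers from being flagged; tune it to the capture length you have.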

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to VikingBob
Hmmm.... Seems true that if remote management is off, should be ok?

sansisc
@comcastbusiness.net

3 recommendations

Anon

Quick update

The list of vulnerable devices appears to be larger than E1000/1200. The worm itself contains these model numbers as targets: E4200 E3200 E3000 E2500 E2100L E2000 E1550 E1500 E1200 E1000 E900.

If anybody has access to a vulnerable / exploited device, and is able to collect full packets, we ( isc.sans.edu ) would appreciate a packet capture as we try to figure out the command and control channel, or if there is even one.

Disabling the remote admin will help, or limiting it to certain IPs. This is not a weak password issue. The vulnerable cgi feature ignores the username/password ( Linksys/Belkin has been informed about that problem by another party ).

Ian1
Premium Member
join:2002-06-18
ON

Crap. I have an E1000 at the office, and E4200 at home....

planet
join:2001-11-05
Oz

Member
Will disabling remote admin and UPnP mitigate this vulnerability?

sansisc
@comcastbusiness.net

5 recommendations

Anon

Yes, disabling the remote admin feature will prevent the exploit.

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

1 edit

1 recommendation

Re: Suspected Mass Exploit Against Linksys E1000 / E1200 Routers

There's more info on the ISC site today:
»isc.sans.edu/forums/diar ··· ar/17633 and »isc.sans.edu/forums/diar ··· ed/17630 - more vulnerable router models listed in the latter link, as also noted above - »Quick update

See also »Linksys router warning (all stock firmware) - "TheMoon"

I always disable remote admin and UPnP on my routers, and change the default pw... It should be disabled by default at the factory. If you really need it, then turn on those features, and keep a close eye on things.
85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

1 edit

Member
"SAFE_HEX" ..... do NOT use Lynksys routers {{{ GRIN }}}
BTW, remote admin & UPnP { is Plug & Pray } should be OFF mode for HNAP !

lordpuffer
Legalize It Joe!
Premium Member
join:2004-09-19
Old Town, ME
Nokia XS-110G-A
Linksys Velop MX5300

lordpuffer to VikingBob
I have an E4200v2 at home. Remote Management is disabled, and always has been. UPnP is enabled, and always has been. Like most home networks, I have numerous devices that share some files and that also use a networked printer. I believe that you need UPnP enabled to allow this type of sharing.

Does the fact that Remote Management alone is disabled mean that I am probably safe from this exploit?
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

1 recommendation

I could be wrong but my understanding has always been that UPnP on the router is used for forwarding ports from the Internet to the LAN computers. I would think that turning it off on the router should not cause a problem for devices on the LAN that use UPnP to communicate.

I have UPnP on my router turned off. I have a networked printer, and a SiliconDust HDHomeRun Prime tuner on my network and share files between my computers and do not have any problems. I do have a switch after the router so that could have an effect. You might try turning it off and see if it changes anything.

In any case I believe the isc link in VikingBob's post indicates this worm requires remote admin to be turned on.

lordpuffer
Legalize It Joe!
Premium Member
join:2004-09-19
Old Town, ME
Nokia XS-110G-A
Linksys Velop MX5300

Thank you for the information TheWiseGuy. I'll disable UPnP and see how things go.
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA

said by lordpuffer:

Thank you for the information TheWiseGuy. I'll disable UPnP and see how things go.

I have both Remote Management and UPnP disabled on my E1200v1. It's never been a problem for my networked Brother laser printer.

Jan Janowski
Premium Member
join:2000-06-18
Waynesville, NC
Synology RT2600ac
Linksys E2000

4 edits

Jan Janowski to VikingBob
E2000v1 here. V1.0.04 Build 7 firmware, which I believe was the last for this unit (unless someone knows otherwise!). I believe E2000 also at end of life. E2000 Wireless via 5Ghz band. It's running (Hiding) behind a different Router on way different IP.

Remote Admin has always been OFF, as well as UPNP. Have no trouble with network printers.... NAS's, etc..

GRC 1-1056 Port probe & 8080 probe stealth here....

KoRnGtL15
Premium Member
join:2007-01-04
Grants Pass, OR

Have the same router as you and that is not the latest firmware. You should upgrade ASAP for bug fixes anyway.

Last Release Date: Sept 27, 2012
Last Firmware version: 1.0.05 (build 7)

- Fixed router stability issue when using Apple airplay.
- Fixed wireless compatibility issue when WMM is disabled.
- Fixed some storage relative issues.
- Fixed local HTTPs accessing issue with some browsers.
- Fixed some minor bugs.
- Improved QoS bandwidth detection accuracy.
said by Jan Janowski:

E2000v1 here. V1.0.04 Build 7 firmware, which I believe was the last for this unit (unless someone knows otherwise!). I believe E2000 also at end of life. E2000 Wireless via 5Ghz band. It's running (Hiding) behind a different Router on way different IP.

Remote Admin has always been OFF, as well as UPNP. Have no trouble with network printers.... NAS's, etc..

GRC 1-1056 Port probe & 8080 probe stealth here....


Jan Janowski
Premium Member
join:2000-06-18
Waynesville, NC

Jan Janowski to VikingBob
Yours is an E4200.. Mine is an E2000...

MacGyver

join:2001-10-14
Vancouver, BC

MacGyver to VikingBob
I suspect that changing to third party firmware would mitigate this threat. Can anyone confirm?

KoRnGtL15
Premium Member
join:2007-01-04
Grants Pass, OR

1 recommendation

KoRnGtL15 to Jan Janowski
Whoops, my bad! I read it wrong. Sorry! And yes, 3rd party firmware is immune to this. Belkin/Linksys will have to fix this. They can't leave a whole line of routers vulnerable, EOL or not. Thousands exist if not hundreds. Apparently Belkin/Linksys is aware of it and working on fixes.

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to sansisc

Re: Quick update

If remote administration is configured for a port other than 80 or 8080, will that mitigate this particular exploit?

I think using non-default ports would stifle this exploit, but tomorrow's exploit might be able to scan other ports...

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to VikingBob

Re: Suspected Mass Exploit Against Linksys E1000 / E1200 Routers

The full gamut of the affected Routers is available:
»www.computerworld.com/s/ ··· _routers

KoRnGtL15
Premium Member
join:2007-01-04
Grants Pass, OR

Yep. New firmware in the works to fix it. Interesting part is how long will it take? Belkin buying Linksys. Will they be fast with the fix?

»community.linksys.com/t5 ··· p/771187

Malware Attack on Linksys Routers

02-16-2014 12:28 PM

Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.

MacGyver

join:2001-10-14
Vancouver, BC
·TELUS
Actiontec T3200M
Arcadyan WE410443-TS
Sipura SPA-2102

MacGyver to EGeezer

Re: Quick update

A better idea, if possible, is to use IP filtering for an open service to limit the potential attack vectors. You can do that with consumer based routers. For example, I only access my home PC via RDP from one static IP ever, so that is the only one permitted through. Before I did that, I happened to look at my event log and saw how much hammering was going on when I had it open to the world.

planet
join:2001-11-05
Oz

Member
In the same breath, I wonder if Belkin will include in the firmware a fix for the WPS vulnerability in older E routers (specifically the E1000). These routers remain susceptible to Reaver hacking.
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to siljaline

Re: Suspected Mass Exploit Against Linksys E1000 / E1200 Routers

Unfortunately, the article indicates that "the list might not be accurate or complete", so we may not know all of the affected models.

daveinpoway

1 recommendation

daveinpoway to MacGyver

Re: Quick update

One problem is that the typical customer is not going to be informed about things like IP filtering. Some of these people are so ignorant that it is scary. As an example, one guy I know doesn't know how to enter a Wi-Fi password, so he runs his wireless network wide-open (with no authentication whatsoever).

Could he read the instruction manual for his router? Of course he could, but he doesn't seem to care. Perhaps he will start to care if the police show up some day and tell him that his network has been used to download child porn.
85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

1 recommendation

Member
Meantime ASUS routers PWNED again, see ASUS topic
[ »arstechnica.com/security ··· ed-flaw/ ]