Linux embedded devices being used in botnet

koitsu (MVM, join:2002-07-16, Mountain View, CA)

The below two URLs don't really explain *how* they gained access to said DD-WRT/OpenWRT/Tomato boxes, but based on what I can figure out, it's this:

If you have SSH or telnet open to the world (e.g. WAN-side), and have a fairly insecure password (such as the default password of "admin" in Tomato), brute-force SSH/telnet attempts will eventually succeed.

Those who don't permit incoming SSH/telnet to the router via WAN, or allow SSH but disallow passwords (instead requiring keys) should be fine.

OpenWRT apparently leaves telnet open until you've set a root password.

»dronebl.org/blog/8

»it.slashdot.org/article. ··· from=rss
pandora (Premium Member, join:2001-06-01, Outland)
Isn't the default for Tomato not to enable remote access?

koitsu (MVM, join:2002-07-16, Mountain View, CA)

said by pandora:

Isn't the default for Tomato not to enable remote access?

Correct. I don't think there's any portion of the Tomato installation where telnet/SSH are left open on the WAN side.

This is mainly for people using OpenWRT, and for DD-WRT/Tomato/etc. users who *have* permitted telnet/SSH open via WAN.
tlhIngan (Member, join:2002-07-08, Richmond, BC) to koitsu
Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

koitsu (MVM, join:2002-07-16, Mountain View, CA)

said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

I didn't know there were Windows trojans which were brute-forcing SSH/telnet passwords on LAN routers. I don't think the original article mentioned anything of the sort -- are you aware of anything like this in the wild?

KodiacZiller (Premium Member, join:2008-09-04) to tlhIngan

said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

Care to explain how an infected Windows box would be able to infect a router running DD-WRT/Tomato/OpenWRT?

Bill_MI (Bill In Michigan, MVM, join:2001-01-03, Royal Oak, MI) to koitsu
Thanks for the heads up on such bad reporting all over the place.

I'm glad to see »dronebl.org/blog/8 "Update 4 -- Before you read anything else, read this".

Headlines such as: »OpenWRT/DD-WRT vulnerability
...are laughable since it would take some rather poor setup. Definitely not defaults.

I did some quick searching but can't find what default setups may be this bad. Anyone?

I then alerted the OpenWrt forum. They had nothing I could find on this.

Potty Time (Member, join:2005-07-03, united state) to koitsu
So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.

koitsu (MVM, join:2002-07-16, Mountain View, CA)

said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does :( :( :(

Yes, out-of-the-box you're safe. Tomato, at no stage during installation or post-installation, permits SSH or telnet via the WAN interface (only the LAN).

If you want to verify what your settings are:

Administration -> Admin Access -> SSH Daemon

If "Enable at Startup" is checked:
 
- Make sure the "Remote Access" box IS NOT checked
- Otherwise, if "Remote Access" IS checked:
  -- Make sure under the "Remote Web/SSH Admin Restriction"
     section, there are a list of specific IPs listed which
     your router allows WAN-side SSH connections from.
  -- In this scenario, you should also make sure that the
     "Allow Password Login" box IS NOT checked, and instead
     rely entirely on SSH keys.
     The "exploit" involves brute-forcing passwords, so
     by turning off password-based SSH authentication,
     you can essentially defeat the problem entirely
  -- If you DON'T specify a list of IPs in the "Remote
     Web/SSH Admin Restriction" section, AND "Allow Password
     Login" is checked:
     --- Anyone on the Internet will be able to connect to
         the SSH daemon on your router and try to
         brute-force guess your root password -- and
         depending upon what your password is (many folks
         leave it as the default, "admin"), could gain
         access to your router and turn it into a DDoS
         client
 

It doesn't appear that Telnet is ever permitted WAN-side, unless you explicitly create a firewall rule using a start-up script or via some other means. And that's good, especially since Telnet passwords are sent in plaintext over the socket. :-)

HTH...
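The exposure described in this post (remote SSH enabled, no IP restriction, password login allowed) and in the opening post shows up on the router itself as a run of failed password logins from one source, followed in the worst case by a successful one. The script below is an added example, not code from this thread or from the Tomato/dropbear projects: it scans constructed syslog lines modelled on dropbear's auth messages (the exact wording and the LAN ranges are assumptions; adjust them for your firmware) and reports, per source address, how many password failures occurred, whether the source is LAN- or WAN-side (which is the scenario tlhIngan raised versus the one the articles describe), and whether a password login succeeded after failures, which is the signal to rotate the root password and switch to key-only auth as recommended above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of dropbear's syslog output (dropbear is
# the SSH daemon on Tomato/DD-WRT/OpenWrt). Message wording is an assumption
# based on dropbear's source, not copied from any real device.
SAMPLE_LOG = "\n".join(
    ["Mar 23 02:11:04 router dropbear[1203]: Child connection from 203.0.113.77:51234"]
    + ["Mar 23 02:11:%02d router dropbear[1203]: Bad password attempt for 'root' from 203.0.113.77:%d"
       % (5 + i, 51234 + i) for i in range(6)]
    + ["Mar 23 02:11:12 router dropbear[1203]: Password auth succeeded for 'root' from 203.0.113.77:51240",
       "Mar 23 07:40:01 router dropbear[1219]: Bad password attempt for 'root' from 192.168.1.23:40022",
       "Mar 23 07:40:03 router dropbear[1219]: Bad password attempt for 'root' from 192.168.1.23:40023",
       "Mar 23 09:15:30 router dropbear[1231]: Pubkey auth succeeded for 'root' from 192.168.1.10:55120"]
)

# Regexes for the two password-auth messages we care about (assumed wording).
FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
OK_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")

# RFC 1918 ranges stand in for "behind the router"; assumption for a home LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def side_of(ip):
    """Classify a source address as LAN-side (RFC 1918) or WAN-side."""
    addr = ipaddress.ip_address(ip)
    return "lan" if any(addr in net for net in LAN_NETS) else "wan"


def parse_events(log_text):
    """Return (source_ip, user, outcome) for every password-auth line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), "fail"))
            continue
        m = OK_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), "success"))
    return events


def analyze(log_text, threshold=5):
    """Per source IP: failure count, LAN/WAN side, brute-force flag, and any login that followed failures."""
    fails = defaultdict(int)
    login_after_failures = {}
    for ip, user, outcome in parse_events(log_text):
        if outcome == "fail":
            fails[ip] += 1
        elif fails.get(ip, 0) > 0:
            # A password login that succeeded only after guessing: treat as compromise.
            login_after_failures[ip] = (user, fails[ip])
    report = {}
    for ip, n in fails.items():
        report[ip] = {
            "failures": n,
            "side": side_of(ip),
            "bruteforce": n >= threshold,
            "login_after_failures": login_after_failures.get(ip),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "COMPROMISE?" if info["login_after_failures"] else ("brute-force" if info["bruteforce"] else "ok")
        print(f"{ip:16} {info['side']:3} failures={info['failures']:<3} {flag}")
```

On a real router you would feed it the output of `logread` (OpenWrt) or the syslog Tomato writes, and a WAN-side entry with `login_after_failures` set means password auth was reachable from the Internet and was guessed; disabling "Allow Password Login" and restricting the source IPs, as described above, removes the condition the script is looking for.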
pandora (Premium Member, join:2001-06-01, Outland) to Potty Time

said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.

You can visit »www.grc.com/x/ne.dll?bh0bkyd2 and let "Shields Up" determine if you have any open ports. It is safe, and easy to do. It requires that your browser permit scripting.

Bill_MI (Bill In Michigan, MVM, join:2001-01-03, Royal Oak, MI) to koitsu
Things are coming together. A very bad condition existed on some DSL modems and there's a good paper on this: »www.adam.com.au/bogaurd/ ··· YB0T.pdf

Having a specific target explains why someone would make code that runs in Debian-mipsel, which all the routers we're talking about do.

But please don't lose perspective. 100,000+ worms exist that will infect PCs and now embedded Linux in modems and routers has... 1! And it takes a pretty bad setup to expose. And such a bad setup has been vulnerable all along!

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)

NetFixer (From My Cold Dead Hands, Premium Member, join:2004-06-24, The Boro)

said by Bill_MI:

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)

And I'll bet that he coded it all using a programmer's text editor, not a fancy GUI html code generator application.