koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

Linux embedded devices being used in botnet

The below two URLs don't really explain *how* they gained access to said DD-WRT/OpenWRT/Tomato boxes, but based on what I can figure out, it's this:

If you have SSH or telnet open to the world (e.g. WAN-side), and have a fairly insecure password (such as the default password of "admin" in Tomato), brute-force SSH/telnet attempts will eventually succeed.

Those who don't permit incoming SSH/telnet to the router via WAN, or allow SSH but disallow passwords (instead requiring keys) should be fine.

OpenWRT apparently leaves telnet open until you've set a root password.

»dronebl.org/blog/8

»it.slashdot.org/article.pl?sid=0···from=rss
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Isn't the default for Tomato not to enable remote access?


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by pandora:

Isn't the default for Tomato not to enable remote access?
Correct. I don't think there's any portion of the Tomato installation where telnet/SSH are left open on the WAN side.

This is mainly for people using OpenWRT, and for DD-WRT/Tomato/etc. users who *have* permitted telnet/SSH open via WAN.

tlhIngan

join:2002-07-08
Richmond, BC
kudos:1
reply to koitsu
Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...
I didn't know there were Windows trojans which were brute-forcing SSH/telnet passwords on LAN routers. I don't think the original article mentioned anything of the sort -- are you aware of anything like this in the wild?


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to tlhIngan
said by tlhIngan:

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...
Care to explain how an infected Windows box would be able to infect a router running DD-WRT/Tomato/OpenWRT?


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
reply to koitsu
Thanks for the heads up on such bad reporting all over the place.

I'm glad to see »dronebl.org/blog/8 "Update 4 -- Before you read anything else, read this".

Headlines such as: »OpenWRT/DD-WRT vulnerability
...are laughable since it would take some rather poor setup. Definitely not defaults.

I did some quick searching but can't find what default setups may be this bad. Anyone?

I then alerted the OpenWrt forum. They had nothing I could find on this.


Potty Time

join:2005-07-03
united state
reply to koitsu
So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does :( :( :(
Yes, out-of-the-box you're safe. Tomato, at no stage during installation or post-installation, permits SSH or telnet via the WAN interface (only the LAN).

If you want to verify what your settings are:

Administration -> Admin Access -> SSH Daemon

If "Enable at Startup" is checked:
 
- Make sure the "Remote Access" box IS NOT checked
- Otherwise, if "Remote Access" IS checked:
  -- Make sure under the "Remote Web/SSH Admin Restriction"
     section, there are a list of specific IPs listed which
     your router allows WAN-side SSH connections from.
  -- In this scenario, you should also make sure that the
     "Allow Password Login" box IS NOT checked, and instead
     rely entirely on SSH keys.
     The "exploit" involves brute-forcing passwords, so
     by turning off password-based SSH authentication,
     you can essentially defeat the problem entirely
  -- If you DON'T specify a list of IPs in the "Remote
     Web/SSH Admin Restriction" section, AND "Allow Password
     Login" is checked:
     --- Anyone on the Internet will be able to connect to
         the SSH daemon on your router and try to
         brute-force guess your root password -- and
         depending upon what your password is (many folks
         leave it as the default, "admin"), could gain
         access to your router and turn it into a DDoS
         client
 

It doesn't appear that Telnet is ever permitted WAN-side, unless you explicitly create a firewall rule using a start-up script or via some other means. And that's good, especially since Telnet passwords are sent in plaintext over the socket. :-)

HTH...
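The checklist in koitsu's post, written out as an added example (not code from the thread or from the Tomato project): a small Python audit that applies the same decision tree to an `nvram show` dump collected over the LAN. The nvram key names used here (`sshd_eas`, `sshd_remote`, `sshd_pass`, `rmgt_sip`) are assumptions about how the Admin Access checkboxes are stored and should be checked against your own build's dump; the sample dump is constructed.

```python
"""Audit a Tomato router's WAN-side SSH exposure from an `nvram show` dump.

The nvram key names below are ASSUMED to correspond to the Admin Access
checkboxes named in the post; verify them against your firmware's output."""

KEY_ENABLE_AT_STARTUP = "sshd_eas"    # "Enable at Startup"   (assumed key)
KEY_REMOTE_ACCESS = "sshd_remote"     # "Remote Access"       (assumed key)
KEY_ALLOW_PASSWORD = "sshd_pass"      # "Allow Password Login" (assumed key)
KEY_ALLOWED_REMOTE_IPS = "rmgt_sip"   # "Remote Web/SSH Admin Restriction" (assumed key)


def parse_nvram(dump: str) -> dict:
    """Turn KEY=VALUE lines into a dict; values may themselves contain '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_ssh(nvram: dict) -> tuple:
    """Return (verdict, findings); verdict is 'safe', 'review' or 'exposed'."""
    findings = []
    if nvram.get(KEY_ENABLE_AT_STARTUP, "0") != "1":
        return "safe", findings          # sshd is never started
    if nvram.get(KEY_REMOTE_ACCESS, "0") != "1":
        return "safe", findings          # LAN-side only, the shipped default
    raw_ips = nvram.get(KEY_ALLOWED_REMOTE_IPS, "")
    allowed_ips = [ip.strip() for ip in raw_ips.split(",") if ip.strip()]
    password_login = nvram.get(KEY_ALLOW_PASSWORD, "0") == "1"
    if not allowed_ips:
        findings.append("no source-IP restriction: sshd reachable from any WAN address")
    if password_login:
        findings.append("password login enabled: root password can be guessed online")
    # Only the combination of both conditions is the brute-force scenario.
    if not allowed_ips and password_login:
        return "exposed", findings
    return ("review" if findings else "safe"), findings


# Constructed sample dump: the worst-case configuration described in the post.
SAMPLE_DUMP = """sshd_eas=1
sshd_remote=1
sshd_pass=1
sshd_rport=22
rmgt_sip=
"""
```

Run `audit_ssh(parse_nvram(SAMPLE_DUMP))` to see the "exposed" verdict with both findings; a dump with `sshd_remote=0` comes back "safe" regardless of the other keys.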

pandora
Premium
join:2001-06-01
Outland
kudos:2
reply to Potty Time
said by Potty Time:

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does

Thank you.
You can visit »www.grc.com/x/ne.dll?bh0bkyd2 and let "Shields Up" determine if you have any open ports. It is safe, and easy to do. It requires that your browser permit scripting.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
reply to koitsu
Things are coming together. A very bad condition existed on some DSL modems and there's a good paper on this: »www.adam.com.au/bogaurd/PSYB0T.pdf

Having a specific target explains why someone would make code that runs in Debian-mipsel, which all the routers we're talking about do.

But please don't lose perspective. 100,000+ worms exist that will infect PCs and now embedded Linux in modems and routers has... 1! And it takes a pretty bad setup to expose. And such a bad setup has been vulnerable all along!

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
said by Bill_MI:

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)
And I'll bet that he coded it all using a programmer's text editor, not a fancy GUI html code generator application.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
»portscan.dcs-net.net
»nature-pics.com