koitsu (MVM, join: 2002-07-16, Mountain View, CA)
2009-Mar-23 9:22 pm

Linux embedded devices being used in botnet

The below two URLs don't really explain *how* they gained access to said DD-WRT/OpenWRT/Tomato boxes, but based on what I can figure out, it's this: If you have SSH or telnet open to the world (e.g. WAN-side), and have a fairly insecure password (such as the default password of "admin" in Tomato), brute-force SSH/telnet attempts will eventually succeed. Those who don't permit incoming SSH/telnet to the router via WAN, or allow SSH but disallow passwords (instead requiring keys) should be fine. OpenWRT apparently leaves telnet open until you've set a root password.

» dronebl.org/blog/8
» it.slashdot.org/article. ··· from=rss

pandora (Premium Member, join: 2001-06-01, Outland)
2009-Mar-24 12:08 am

Isn't the default for Tomato not to enable remote access?

koitsu (MVM, join: 2002-07-16, Mountain View, CA)
2009-Mar-24 12:19 am

said by pandora: Isn't the default for Tomato not to enable remote access?

Correct. I don't think there's any portion of the Tomato installation where telnet/SSH are left open on the WAN side. This is mainly for people using OpenWRT, and for DD-WRT/Tomato/etc. users who *have* permitted telnet/SSH open via WAN.

tlhIngan, to koitsu

Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

koitsu (MVM, join: 2002-07-16, Mountain View, CA)
2009-Mar-24 8:15 am

said by tlhIngan: Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

I didn't know there were Windows trojans which were brute-forcing SSH/telnet passwords on LAN routers. I don't think the original article mentioned anything of the sort -- are you aware of anything like this in the wild?

to tlhIngan

said by tlhIngan: Also works if you don't change your password and your computer gets infected behind the router. Or if you get infected while out and about, then bring your laptop back home...

Care to explain how an infected Windows box would be able to infect a router running DD-WRT/Tomato/OpenWRT?

Bill_MI (Bill In Michigan, MVM, join: 2001-01-03, Royal Oak, MI)
to koitsu

Thanks for the heads up on such bad reporting all over the place. I'm glad to see » dronebl.org/blog/8 "Update 4 -- Before you read anything else, read this". Headlines such as: » OpenWRT/DD-WRT vulnerability... are laughable since it would take some rather poor setup. Definitely not defaults. I did some quick searching but can't find what default setups may be this bad. Anyone? I then alerted the OpenWrt forum. They had nothing I could find on this.

Potty Time, to koitsu

So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does. Thank you.

koitsu (MVM, join: 2002-07-16, Mountain View, CA)
2009-Mar-24 6:34 pm

said by Potty Time: So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does :( :( :(

Yes, out-of-the-box you're safe. Tomato, at no stage during installation or post-installation, permits SSH or telnet via the WAN interface (only the LAN).

If you want to verify what your settings are: Administration -> Admin Access -> SSH Daemon

If "Enable at Startup" is checked:
- Make sure the "Remote Access" box IS NOT checked
- Otherwise, if "Remote Access" IS checked:
-- Make sure under the "Remote Web/SSH Admin Restriction" section, there is a list of specific IPs which your router allows WAN-side SSH connections from.
-- In this scenario, you should also make sure that the "Allow Password Login" box IS NOT checked, and instead rely entirely on SSH keys. The "exploit" involves brute-forcing passwords, so by turning off password-based SSH authentication, you can essentially defeat the problem entirely.
-- If you DON'T specify a list of IPs in the "Remote Web/SSH Admin Restriction" section, AND "Allow Password Login" is checked:
--- Anyone on the Internet will be able to connect to the SSH daemon on your router and try to brute-force guess your root password -- and depending upon what your password is (many folks leave it as the default, "admin"), could gain access to your router and turn it into a DDoS client.

It doesn't appear that Telnet is ever permitted WAN-side, unless you explicitly create a firewall rule using a start-up script or via some other means. And that's good, especially since Telnet passwords are sent in plaintext over the socket. :-) HTH...

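The checklist koitsu walks through above, turned into an added audit script (this is not code from the thread, from Tomato, or from any of the firmware projects mentioned). It is a POSIX sh function that reads an nvram dump of the form `key=value` on stdin, in the shape that `nvram show` prints on the router, and emits one verdict following the same decision order as the checklist: daemon off or LAN-only is safe, WAN access with passwords disabled is safe, WAN access with passwords on is a warning if a source-IP list is set and an exposure if it is not. The variable names `sshd_eas`, `sshd_remote`, `sshd_pass` and `rmgt_sip` are an assumption about how the GUI fields map to nvram; the sample dumps at the bottom are constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example: audit Tomato's SSH daemon exposure from an nvram dump.
# Usage on the router (over the LAN):  nvram show 2>/dev/null | sh audit.sh
# ASSUMPTION: these nvram keys are assumed to correspond to the GUI fields
# under Administration -> Admin Access -> SSH Daemon. Verify against your
# own `nvram show` output before trusting the verdict.
#   sshd_eas    -> "Enable at Startup"
#   sshd_remote -> "Remote Access"
#   sshd_pass   -> "Allow Password Login"
#   rmgt_sip    -> "Remote Web/SSH Admin Restriction" (allowed source IPs)

audit_tomato_ssh() {
    dump=$(cat)                       # whole nvram dump from stdin
    # nv KEY: print the first value for KEY, empty string if absent.
    nv() { printf '%s\n' "$dump" | sed -n "s/^$1=//p" | head -n 1; }

    eas=$(nv sshd_eas)
    remote=$(nv sshd_remote)
    pass=$(nv sshd_pass)
    allowed=$(nv rmgt_sip)

    # Daemon never started, or started but LAN-only: nothing reachable from WAN.
    if [ "$eas" != "1" ] || [ "$remote" != "1" ]; then
        echo "SAFE_LAN_ONLY"
        return 0
    fi
    # WAN access on but password login off: a brute-force of the root
    # password has nothing to attack; only key holders get in.
    if [ "$pass" != "1" ]; then
        echo "SAFE_KEYS_ONLY"
        return 0
    fi
    # WAN access with password login: severity depends on the IP restriction.
    if [ -n "$allowed" ]; then
        echo "WARN_PASSWORD_RESTRICTED_TO:$allowed"
    else
        echo "EXPOSED_PASSWORD_OPEN_TO_INTERNET"
    fi
    return 0
}

# Constructed sample dumps (not from a real router) so the script runs stand-alone.
SAMPLE_DEFAULT='sshd_eas=1
sshd_remote=0
sshd_pass=1
rmgt_sip='
SAMPLE_KEYS='sshd_eas=1
sshd_remote=1
sshd_pass=0
rmgt_sip='
SAMPLE_RESTRICTED='sshd_eas=1
sshd_remote=1
sshd_pass=1
rmgt_sip=203.0.113.7'
SAMPLE_OPEN='sshd_eas=1
sshd_remote=1
sshd_pass=1
rmgt_sip='

echo "out-of-the-box Tomato:      $(printf '%s\n' "$SAMPLE_DEFAULT"    | audit_tomato_ssh)"
echo "WAN SSH, keys only:         $(printf '%s\n' "$SAMPLE_KEYS"       | audit_tomato_ssh)"
echo "WAN SSH, passwords + IPs:   $(printf '%s\n' "$SAMPLE_RESTRICTED" | audit_tomato_ssh)"
echo "WAN SSH, passwords, no IPs: $(printf '%s\n' "$SAMPLE_OPEN"       | audit_tomato_ssh)"
```

The script only reads the SSH daemon settings; it cannot see a telnet or SSH port opened by a custom start-up firewall script, which is the one remaining case koitsu mentions, so a custom script still has to be reviewed by hand.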
pandora (Premium Member, join: 2001-06-01, Outland)
to Potty Time

said by Potty Time: So for a Tomato user who has never messed with any of the SSH/telnet settings, am I safe? How can I check and be certain that I don't have it open WAN-side?? I would hate for my precious little router to become infected or whatever this does. Thank you.

You can visit » www.grc.com/x/ne.dll?bh0bkyd2 and let "Shields Up" determine if you have any open ports. It is safe, and easy to do. It requires that your browser permit scripting.

Bill_MI (Bill In Michigan, MVM, join: 2001-01-03, Royal Oak, MI)
to koitsu

Things are coming together. A very bad condition existed on some DSL modems and there's a good paper on this: » www.adam.com.au/bogaurd/ ··· YB0T.pdf

Having a specific target explains why someone would make code that runs in Debian-mipsel, which all the routers we're talking about do. But please don't lose perspective. 100,000+ worms exist that will infect PCs and now embedded Linux in modems and routers has... 1! And it takes a pretty bad setup to expose. And such a bad setup has been vulnerable all along!

(pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)

NetFixer (From My Cold Dead Hands, Premium Member, join: 2004-06-24, The Boro)
2009-Mar-25 7:52 pm

said by Bill_MI: (pssst... pandora... Steve Gibson would *never* require scripts except to specifically test scripting. Try all of grc.com with NoScript blocking everything and even the menus all work fine. I watched him develop those menus in html quite specifically.)

And I'll bet that he coded it all using a programmer's text editor, not a fancy GUI html code generator application.