Forgot your password?
typodupeerror
Worms Security Wireless Networking Hardware IT

Linksys Routers Exploited By "TheMoon" 134

Posted by timothy
from the do-you-want-to-connect-automatically? dept.
UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"
This discussion has been archived. No new comments can be posted.

Linksys Routers Exploited By "TheMoon"

Comments Filter:
  • by CajunArson (465943) on Thursday February 13, 2014 @04:45PM (#46240757) Journal

    Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.

    This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.

    Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!

    In conclusion, Windows is the cause of all security problems.

    • by Anonymous Coward

      Times like this, I wish I had mod points. That was amazing.

    • by Zantac69 (1331461)
      Search your feelings, you know it to be true.
    • by Anonymous Coward on Thursday February 13, 2014 @04:52PM (#46240811)

      Slow your roll there, not all linksys run linux. Most run vxworks rtos. Only the linksys routers flashed with ddwrt firmware run linux for sure.

      • by Mashiki (184564)

        Odd, I run tomato. [wikipedia.org] Which is also 'nix, so saying that ddwrt is the only way for sure isn't true.

        • I believe you're picking nits slightly. Regardless, you're totally right and the above AC is technically wrong. There are a good number of alternative router OSes available, many of which run *nix.
      • Even if we limit our scope to routers-as-initially-purchased, there's still one stock model that runs Linux out of the box: the WRT54GL. It was made after Linksys otherwise switched to vxWorks, in an attempt to keep a hand in the Linux market.

        I've got one. I flashed it with Tomato, but it definitely came with Linux on it.

    • Re:That's impossible (Score:5, Informative)

      by Narcocide (102829) on Thursday February 13, 2014 @04:54PM (#46240835) Homepage

      Only affecting models not running Linux currently...

      • I have a WRT54 running the original linksys software.
        I know you guys will say to push DDWRT onto it.
        In any case, how can i tell if my router's been compromised?
        It has been flakey lately but I figured that was just signal interference.

        • Re: (Score:3, Funny)

          by Anonymous Coward
          There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.
          • There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.

            Damn, the first time I can remember when I *actually* laughed out loud at a Slashdot post, and I'm without MOD points!

        • I have a WRT54 running the original linksys software. I know you guys will say to push DDWRT onto it. In any case, how can i tell if my router's been compromised? It has been flakey lately but I figured that was just signal interference.

          Also running original firmware, with a newer Linksys. Short of doing the most reasonable thing and swapping out my firmware for third party, I'm thinking of upgrading to the latest manufacturers firmware and then treating the router's IP as an untrusted site in my browser, adding an exception only when I need to make a change. Perhaps this would thwart? Also not using the default IP, didn't see it mentioned if that would matter...

      • Just because some of their routers run *nix doesn't mean the software Linksys put on it is flawless. Doesn't matter what it's running if their grubby little hands were all over it.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Also, Linksys is owned by Cisco. Cisco makes IOS for their routers. iOS is on iPhones. iPhones have never had a worm like this.

      Ipso facto, this is unpossible

      • by fullmetal55 (698310) on Thursday February 13, 2014 @05:07PM (#46240965)

        Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.

        and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.

        • by operagost (62405)

          As I stuffed DD-WRT onto my Netgear router the other day in the hope I wouldn't have to keep rebooting it, I wondered when someone would come up with this sad feature. I didn't have to wait long for my answer.

          I miss my Motorolas that would never need to be rebooted. Alas, 802.11g wasn't cutting it anymore.

          • by Mashdar (876825)

            I ran a Buffalo WHR-G125 with DD-WRT without restarting it for years. There were times when I was on vacation with it unplugged, so I'm not sure what the maximum continuous uptime was, but I never once had an issue which required a restart.
            Conclusion? Read reviews before you buy a router and see if people talk about having to restart it. They don't all need it. It's absurd that Linksys routers have been so bad for so long...

            • My HighPower N300 Gigabit DD-WRT has been completely stable to the point that I forget it's there. And if it wasn't, as the name implies I could fix any issues by upgrading to DD-WRT (this is a supported and warrantied mode).

              This has been a fantastic experience, and it just makes we wonder why people persist in buying Linksys just for their name. Everyone has known for years that they are utter shit, but they keep buying the things!

        • "I can't get online. Is the internet down again?"

          "Did you forget to reboot the router - again?!"

          Have no fear. Belkin is here! With this new firmware reboots are scheduled automatically! ***applause***
          Now the entire family is happy again.

        • Belkin purchased Linksys from Cisco last year.

          Man, I don't think I was aware of that. So now I have to add Linksys to my list of brands to never purchase? [wikipedia.org] This is getting too confusing.

        • by GNious (953874)

          From experience, Belkin also has a nice feature whereby wifi stops working after a certain amount of data has been transferred over it, requiring you to have a scheduled reboot setup for at least once a week.

      • by bobstreo (1320787)

        Actually, linksys has been owned by Belkin for over a year:

        http://www.bloomberg.com/news/... [bloomberg.com]

        • Re: (Score:3, Informative)

          by FuegoFuerte (247200)

          As a result, there are now two brands of hardware that I will refuse to purchase. I swore off (and at) Belkin when I bought one of their APs and it wouldn't let me change the network for its management IP. It was hardcoded to 192.168.1.0/24, and their "customer service" response was "by design, FOAD."

          I have a few of their surge suppressors, but generally anything with the Belkin name doesn't come into my house after that experience. Also, I'll never buy one of their PDUs for the datacenter - if their con

    • by X0563511 (793323) on Thursday February 13, 2014 @05:10PM (#46240983) Homepage Journal

      Last I checked vxworks is not linux...

      • by operagost (62405)

        You are incorrect. It's my new open-source OS, VXINLX (aka VX is not linux) that is, of course, not Linux.

        How to pronounce VXINLX is left as an exercise for the reader.

    • by silviuc (676999)
      Those mentioned in the posting run vxworks not linux. Troll better next time.
    • Is this a case of default password, instead of a "Linux" vunerability?

    • by Elbart (1233584)
      This drivel get's 3 points? /. is really dead.
  • ...web server

  • I heard if you have a 56k connection that the NSA can listen to your internet.
    • by crutchy (1949900)

      just don't verbally abuse your router because the FBI will bust down your door and drag you off to gitmo

  • by RichMan (8097) on Thursday February 13, 2014 @04:49PM (#46240783)

    Use this supplied router. Do NOT modify it.

    But it has admin/admin as user name and password and is 192.168.1.1
    Can I fix that.

    Do NOT modify the settings on the supplied router.

    *facepalm*

    • My ex-girlfriend's parents had a wireless router like that... both the wireless and web interface had default settings that they weren't supposed to change. And it gets better. Administration from the WAN side was enabled (supposedly for support). Yes, with the default UN/PW. Only Frontier could make TWC look somewhat competent.

    • by Mashdar (876825)
      Is "network company" an ISP?
  • by Anonymous Coward on Thursday February 13, 2014 @04:51PM (#46240793)

    Here is a list of router models mentioned in the binary:
    E4200
    E3200
    E3000
    E2500
    E2100L
    E2000
    E1550
    E1500
    E1200
    E1000
    E900

    • by mmell (832646)
      I couldn't determine (maybe I read too fast, missed it) . . . is this an exploit against those models as shipped, or is this an exploit against Linksys routers which have been flashed to run a more current version of DD-WRT? I suspect the former, but I can't confirm that.

      If it's the former, then a software fix (flash to latest DD-WRT) is already available for those technically competent to implement it. If the latter . . . oi vey.

  • Well I'm checking my router now and I don't see any is*#&$*#%(*#$# CARRIER MOONED

  • by satuon (1822492) on Thursday February 13, 2014 @04:56PM (#46240853)

    I have a Linksys router with dd-wrt, would it be affected?

  • by allcoolnameswheretak (1102727) on Thursday February 13, 2014 @04:56PM (#46240865)

    Does this also apply to LinkSys Routers that have been Tomatoed?

  • On the Moon, nerds get their pants pulled down and they are spanked with Moon rocks.

    .
  • by Mike Van Pelt (32582) on Thursday February 13, 2014 @05:17PM (#46241037)
    I'm sure glad I installed DDWRT on my E3000 about a year ago.
  • TheMoon (Score:5, Funny)

    by confused one (671304) on Thursday February 13, 2014 @05:28PM (#46241137)
    Jade Rabbit suffered a failure and needed additional processing resources. It has reached out and now All Your Base Are Belong to Jade.
  • by EMG at MU (1194965) on Thursday February 13, 2014 @05:34PM (#46241175)
    The web administration port should not be open to the public internet by default on these routers.
    • by Anonymous Coward

      The web administration port should not be open to the public internet by default on these routers.

      If you can access it from your browser on the LAN, it is open to the public. Your browser accepts lists of URLs to load from any page you visit. Those URLs can trigger the flaw.

      XSS + CSRF breaks the Intranet/Internet barrier. It is safer to assume such a barrier does not exist. Your router should be secure from malicious traffic on any interface.

      • What? My E4200 immediately refuses connection on the WAN side if administration is disabled on such. What am I missing?
        • by Anonymous Coward

          Read the parent post more closely. Your browser visits a malicious site (or a legit site with a malicious link/image in a combox), which causes the browser to hit the router's LAN side.

        • If you know any html, the subject line answers the question. If you don't, you might just have to trust that if I put something like the above in my web page, it causes visitors to hack their own router for me.

  • Can't... help.... myself...

    http://www.youtube.com/watch?v... [youtube.com]

  • But, but, but, do I need antivirus for my Mac?? (wait for it).... NO, Macs don't get viruses!!!! (this has little to do with the actual topic here, just trying to add to the hysteria)
  • NoScript in FireFox provides an Application Boundary Enforcer with a rule to block access to Local resources from the WAN. The rule looks like this:

    # This one guards the local network, like LocalRodeo
    # LOCAL is a placeholder which matches all the LAN
    # subnets (possibly configurable) and localhost
    Site LOCAL
    Accept from LOCAL
    Deny

    I have not tested, but I think this will prevent a malicious website from exploiting this vulnerability

All warranty and guarantee clauses become null and void upon payment of invoice.

Working...