Linksys Routers Exploited By "TheMoon"
UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"
That's impossible (Score:5, Funny)
Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.
This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.
Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!
In conclusion, Windows is the cause of all security problems.
Re: (Score:1)
Times like this, I wish I had mod points. That was amazing.
Re: (Score:2)
Re: (Score:1)
Re: That's impossible (Score:5, Informative)
Slow your roll there, not all Linksys run Linux. Most run VxWorks RTOS. Only the Linksys routers flashed with DD-WRT firmware run Linux for sure.
Re: (Score:3)
Odd, I run Tomato. [wikipedia.org] Which is also 'nix, so saying that DD-WRT is the only way for sure isn't true.
Re: (Score:2)
Not quite the case... (Score:2)
Even if we limit our scope to routers-as-initially-purchased, there's still one stock model that runs Linux out of the box: the WRT54GL. It was made after Linksys otherwise switched to VxWorks, in an attempt to keep a hand in the Linux market.
I've got one. I flashed it with Tomato, but it definitely came with Linux on it.
Re:That's impossible (Score:5, Informative)
Only affecting models not running Linux currently...
how can I tell if my router is affected? (Score:2)
I have a WRT54 running the original Linksys software.
I know you guys will say to push DD-WRT onto it.
In any case, how can I tell if my router's been compromised?
It has been flaky lately but I figured that was just signal interference.
Re: (Score:3, Funny)
Re: (Score:2)
There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.
Damn, the first time I can remember when I *actually* laughed out loud at a Slashdot post, and I'm without MOD points!
Re: (Score:2)
I have a WRT54 running the original Linksys software. I know you guys will say to push DD-WRT onto it. In any case, how can I tell if my router's been compromised? It has been flaky lately but I figured that was just signal interference.
Also running original firmware, with a newer Linksys. Short of doing the most reasonable thing and swapping out my firmware for third party, I'm thinking of upgrading to the latest manufacturer's firmware and then treating the router's IP as an untrusted site in my browser, adding an exception only when I need to make a change. Perhaps this would thwart it? Also not using the default IP, didn't see it mentioned if that would matter...
Re: (Score:2)
Re: (Score:2, Funny)
Also, Linksys is owned by Cisco. Cisco makes IOS for their routers. iOS is on iPhones. iPhones have never had a worm like this.
Ipso facto, this is unpossible
Re: (Score:3)
I tried to turn mine off, but it bit me! I tried throwing Androids at it, but zombies started flowing out of the Apple store to defend it!
Re: (Score:1)
Actually Belkin bought them from Cisco (Score:5, Informative)
Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.
and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.
Re: (Score:1)
As I stuffed DD-WRT onto my Netgear router the other day in the hope I wouldn't have to keep rebooting it, I wondered when someone would come up with this sad feature. I didn't have to wait long for my answer.
I miss my Motorolas that would never need to be rebooted. Alas, 802.11g wasn't cutting it anymore.
Re: (Score:2)
I ran a Buffalo WHR-G125 with DD-WRT without restarting it for years. There were times when I was on vacation with it unplugged, so I'm not sure what the maximum continuous uptime was, but I never once had an issue which required a restart.
Conclusion? Read reviews before you buy a router and see if people talk about having to restart it. They don't all need it. It's absurd that Linksys routers have been so bad for so long...
Agreed on Buffalo (Score:2)
My HighPower N300 Gigabit DD-WRT has been completely stable to the point that I forget it's there. And if it wasn't, as the name implies I could fix any issues by upgrading to DD-WRT (this is a supported and warrantied mode).
This has been a fantastic experience, and it just makes me wonder why people persist in buying Linksys just for their name. Everyone has known for years that they are utter shit, but they keep buying the things!
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
Think it's stupid in routers? Patriot missile systems used to have a timing bug that would reduce accuracy the longer the unit was in operation. The bug was that the time in seconds since initialization was being converted from an int to a float and divided by 10, causing precision to go down as the time value went up. The inaccuracy was pronounced after 8 hours of continuous operation and the workaround was to restart the unit frequently (actually, it was apparently to assume that the units would be restar
Re: (Score:1)
Re: (Score:2)
Belkin purchased Linksys from Cisco last year.
Man, I don't think I was aware of that. So now I have to add Linksys to my list of brands to never purchase? [wikipedia.org] This is getting too confusing.
Re: (Score:2)
From experience, Belkin also has a nice feature whereby wifi stops working after a certain amount of data has been transferred over it, requiring you to have a scheduled reboot set up for at least once a week.
Re: (Score:2)
Actually, Linksys has been owned by Belkin for over a year:
http://www.bloomberg.com/news/... [bloomberg.com]
Re: (Score:3, Informative)
As a result, there are now two brands of hardware that I will refuse to purchase. I swore off (and at) Belkin when I bought one of their APs and it wouldn't let me change the network for its management IP. It was hardcoded to 192.168.1.0/24, and their "customer service" response was "by design, FOAD."
I have a few of their surge suppressors, but generally anything with the Belkin name doesn't come into my house after that experience. Also, I'll never buy one of their PDUs for the datacenter - if their con
Re: (Score:1)
Re: (Score:1)
Forget hacksaw, apply your favorite exploding target and a high power rifle. I guarantee it will be wireless, and no one will be accessing it anymore.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's right, shit like this.
Thanks
Re:That's impossible (Score:4, Insightful)
Last I checked vxworks is not linux...
Re: (Score:1)
You are incorrect. It's my new open-source OS, VXINLX (aka VX is not linux) that is, of course, not Linux.
How to pronounce VXINLX is left as an exercise for the reader.
pronunciation (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Is this a case of a default password, instead of a "Linux" vulnerability?
Re: (Score:2)
It wasn't Trolling (Score:5, Insightful)
Trolling: "Gee, Linksys uses Linux and it's an open source product. So much for the myth (or bullshit) that open source is more secure!" Or "See, open source is shit! Closed source would never have had this happen to it because this exploit could only have been found by seeing the source!"
The GP, OTOH, mixed satire and sarcasm - a la "The Daily Show" and "Colbert Report" - to poke fun at the false sense of security one may have with using open source, and at the fact that regardless of the product we use, we all need to be vigilant with our security. Who knows what the intention of this worm is.
Also, I took the GP's comment as a little teasing at the expense of some of the rabid members of the open source community, the folks who seem to jump on all the Windows failings and yet brush aside similar failings in open source software.
I thought it was quite clever on a multitude of levels while expressed in very simple sentences.
You got the correct message (Score:2)
I'm glad you got the satire... I've been running Linux on any machine under my direct control since 2000 and I did my Master's thesis by hacking on a Linux Security Module for domain & type enforcement back when the 2.6 Kernel was still in beta... so I'm not exactly shilling for Microsoft.
I'm also not a fan of complacency. While I really like that a whole lot of devices run Linux, if they can't be updated to address security issues in a very easy (even completely automated) manner, then Linux can be jus
Re: (Score:3)
Yay for common sense (both you and Anonymous above). I run Windows....I have nothing against Linux, but working in Windows pays the bills. I patch regularly, I browse intelligently....and I haven't had a virus on *MY* machine since the Ping-Pong virus back in the DOS days.........(that was a cool virus, BTW).
Open Source isn't a cure-all. Neither is Closed Source. User behavior and knowledge is the best cure-all.
Re: (Score:1)
poorly configured... (Score:1)
...web server
56k Connections are still less safe (Score:2)
Re: (Score:1)
just don't verbally abuse your router because the FBI will bust down your door and drag you off to gitmo
Network company supplied routers vul'n (Score:5, Insightful)
Use this supplied router. Do NOT modify it.
But it has admin/admin as user name and password and is 192.168.1.1
Can I fix that.
Do NOT modify the settings on the supplied router.
*facepalm*
Re: (Score:3)
My ex-girlfriend's parents had a wireless router like that... both the wireless and web interface had default settings that they weren't supposed to change. And it gets better. Administration from the WAN side was enabled (supposedly for support). Yes, with the default UN/PW. Only Frontier could make TWC look somewhat competent.
Re: Network company supplied routers vul'n (Score:2)
Frontier has become better about not requiring a Windows box. I'm pretty sure this is directly related to having "smarter" routers as opposed to just a "dumb" modem.
Maybe they started hiring smarter helpdesk techs again. I swear it all went downhill after I stopped working there (did I just admit to that?).
I remember helping walk customers through their dialup connection issues while beating my hi-score on Galaga.
Re: (Score:2)
Model Numbers of affected devices. (Score:5, Informative)
Re: (Score:2)
mark calendar for firmware update, borrow junk unt (Score:2)
Getting a Netgear WND3700 would solve the problem. That particular model is one I'm happy with, but there are plenty of perfectly fine routers around.
Linksys will probably put out an update that fixes the problem. You could mark your calendar for 30 days from now and Google search "update Linksys firmware" to find illustrated instructions showing what buttons to press to do the update.
If you wish, you could use an old, cheap router while waiting for the update. Your friendly neighborhood geek probably ha
Somebody had to do it (Score:2, Funny)
Well I'm checking my router now and I don't see any is*#&$*#%(*#$# CARRIER MOONED
Re: (Score:1)
Mine says "CHA1RF4CE CHIPENDALE"
Guess it's safe.
Re: (Score:2)
Hmm, Mine only says CHA
guess it got interrupted by the next tick prior to completion.
Re: (Score:2)
LOL I loved "The Tick"
Aren't you (Score:1)
supposed to be boycotting?
Is dd-wrt affected? (Score:3)
I have a Linksys router with dd-wrt, would it be affected?
Re:Is dd-wrt affected? (Score:5, Informative)
No, it's just the default firmware.
"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
from the comments on https://isc.sans.edu/forums/di... [sans.edu]
Default firmware only? (Score:3)
Does this also apply to LinkSys Routers that have been Tomatoed?
Re:Default firmware only? (Score:4, Funny)
No, but it does affect routers that have smiley face stickers applied to the top or sides.
Re:Default firmware only? (Score:5, Informative)
The worm infects a router with the following URL: submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd
It appears that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears it's a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.
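The handling described in these two posts (a value from the ttcp_ip parameter reaching a shell) suggests two defensive checks: strict validation of that parameter, and a scan of web-server access logs for requests where it is anything other than an IPv4 address. Added example in Python, not from the thread or from any Linksys firmware; the CGI path /PLACEHOLDER.cgi and the sample log lines are constructed, since the thread quotes only the query string.

```python
import re
from urllib.parse import parse_qs

# Strict check for ttcp_ip: only a dotted-quad IPv4 address passes. Option flags
# such as "-h", backticks and other shell metacharacters are rejected, which is the
# input validation a handler must have before the value can reach a shell at all.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def is_safe_ttcp_ip(value: str) -> bool:
    return IPV4_RE.match(value) is not None


def classify_query(query: str) -> str:
    """Label one query string 'no-ttcp', 'benign' or 'suspicious'. parse_qs
    percent-decodes, so %60 (backtick) and %20 (space) are judged as the shell
    would see them, not in the encoded form that appears in the raw log."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "ttcp_ip" not in params:
        return "no-ttcp"
    return "benign" if is_safe_ttcp_ip(params["ttcp_ip"]) else "suspicious"


# Combined-format access log: client, identd, user, [time], "METHOD path?query proto".
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) [^?" ]*\??([^" ]*) ')


def scan_log(lines):
    """Return (client, verdict) for each line that carries a ttcp_ip parameter."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            verdict = classify_query(m.group(2))
            if verdict != "no-ttcp":
                hits.append((m.group(1), verdict))
    return hits


# Constructed sample log (not from the page). The CGI path is a placeholder because
# the thread quotes only the query string; the second line carries the page's
# truncated "-h `cd" fragment percent-encoded, as a scanner would send it.
SAMPLE_LOG = [
    '192.168.1.100 - - [13/Feb/2014:10:00:00 +0000] "GET /PLACEHOLDER.cgi?submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=192.168.1.1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Feb/2014:10:00:01 +0000] "POST /PLACEHOLDER.cgi?submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h%20%60cd HTTP/1.1" 200 64',
    '198.51.100.9 - - [13/Feb/2014:10:00:02 +0000] "GET /index.asp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, verdict in scan_log(SAMPLE_LOG):
        print(client, verdict)
```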
Your routers are now ours, by way of our actions. (Score:2)
Re: (Score:2)
Dodged that bullet (Score:3)
Re: (Score:2)
Disabling Remote management will help but not fully solve the problem.
For instance a cross-scripting attack via your web browser could attempt to inject the worm on your side.
My problem is I've got two... no three.. relatives/families scattered all over the US who are running an E4200, an E3000 and a WRT54G who all happily run amok letting javascript run higgeldy-piggledy because to block it messes up their web browsing experience. :(
"Higgeldy-piggledy means a real mess!"
TheMoon (Score:5, Funny)
Why is the admin port open to the public? (Score:5, Insightful)
Re: (Score:1)
The web administration port should not be open to the public internet by default on these routers.
If you can access it from your browser on the LAN, it is open to the public. Your browser accepts lists of URLs to load from any page you visit. Those URLs can trigger the flaw.
XSS + CSRF breaks the Intranet/Internet barrier. It is safer to assume such a barrier does not exist. Your router should be secure from malicious traffic on any interface.
Re: (Score:2)
Re: (Score:1)
Read the parent post more closely. Your browser visits a malicious site (or a legit site with a malicious link/image in a combox), which causes the browser to hit the router's LAN side.
Re: (Score:2)
img src=http://local/hack.cgi (Score:2)
If you know any html, the subject line answers the question. If you don't, you might just have to trust that if I put something like the above in my web page, it causes visitors to hack their own router for me.
Re: (Score:2)
"One of these days... POW!!! Right in the kisser!" or "BANG, ZOOM! Straight to the moon!", to which she usually replies, "Ahhh, shut up!"
Better summary (Score:2)
TheMoon? We like the moon! (Score:2)
Can't... help.... myself...
http://www.youtube.com/watch?v... [youtube.com]
But what about my Mac?? (Score:2)
NoScript ABE for the win (Score:1)
NoScript in Firefox provides an Application Boundary Enforcer with a rule to block access to local resources from the WAN. The rule looks like this:
# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
Site LOCAL
Accept from LOCAL
Deny
I have not tested, but I think this will prevent a malicious website from exploiting this vulnerability
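The ABE rule quoted above, together with the earlier point that a LAN-side admin page is reachable by any site your browser visits, can be written out as a small decision function. Added example in Python, not NoScript's own code: it approximates the LOCAL placeholder with Python's ipaddress classification, does not resolve hostnames, and uses constructed URLs (example.com, a /PLACEHOLDER.cgi path) since the thread gives none.

```python
import ipaddress
from urllib.parse import urlsplit


def is_local_host(host: str) -> bool:
    """Approximate ABE's LOCAL placeholder: the name localhost, loopback and
    link-local addresses, and whatever ipaddress.is_private reports (RFC 1918
    plus other IANA special-purpose IPv4 ranges, IPv6 unique-local addresses).
    Hostnames are not resolved here (ABE does resolve them), so a name that
    resolves to a LAN address would slip past this approximation."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


def abe_local_decision(origin_url: str, target_url: str) -> str:
    """Apply 'Site LOCAL / Accept from LOCAL / Deny': a request whose target is
    LOCAL is accepted only when the page that triggered it is LOCAL too; targets
    outside LOCAL are not covered by this rule.
    Returns 'accept', 'deny' or 'not-covered'."""
    target = urlsplit(target_url).hostname or ""
    if not is_local_host(target):
        return "not-covered"
    origin = urlsplit(origin_url).hostname or ""
    return "accept" if is_local_host(origin) else "deny"


# Constructed cases (not from the page): a router admin interface at a typical
# LAN address, reached from a LAN page and from an external page.
CASES = [
    ("http://192.168.1.1/", "http://192.168.1.1/PLACEHOLDER.cgi?ttcp_ip=192.168.1.2"),
    ("http://example.com/page.html", "http://192.168.1.1/PLACEHOLDER.cgi?ttcp_ip=192.168.1.2"),
    ("http://example.com/page.html", "http://example.org/image.png"),
    ("http://example.com/page.html", "http://localhost:8080/"),
]

if __name__ == "__main__":
    for origin, target in CASES:
        print(f"{abe_local_decision(origin, target):<11} {origin} -> {target}")
```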
Re: (Score:1)
try clicking the X in the top right corner of the browser window
or change the URL from beta.slashdot.org to www.slashdot.org
if you're on a mobile, not sure... you may be stuffed there, but slashdot has always been pretty shit on a mobile