Linksys router users - you have a problem


DJofSD
02-16-2014, 11:01 AM
https://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268

A self-replicating worm is spreading among a number of different Linksys home and small business routers.

Ullrich said that until Linksys-Belkin releases a patch or new firmware, users can turn off remote administration as a mitigation. Running the latest firmware is advised, but Ullrich said it is unclear whether that will be a help with this vulnerability until a patch is ready. Users may also limit access to the remote administrator interface to specific IP addresses and change the port number of the administration interface to make it more difficult to find.

Most likely 90+% of routers are being used with factory default settings. This is the major source of the problem. Close the hole and your system is made a bit more secure.

headhawg
02-16-2014, 12:07 PM
There's no real need to have Remote Administration on anyway, and that's especially true for the average home user. I have a Netgear and I'm sure that RA is NOT enabled by default. Seems odd that the default would be 'on' on a Linksys.

It's probably a good time to review the security basics:

Change the default administrator password.
Update the firmware.
Turn off SSID broadcasting.
Enable encryption in this order of preference: WPA2, WPA, WEP.
Create a white list (access control list) of devices that can access the router.
If your router only has WEP or WPA you really need a new one.

DJofSD
02-16-2014, 12:41 PM
Not willing to spend the necessary time to research if it is or is not on by default, I just went ahead and stated it was to more or less make them go look. If the Linksys owner thinks it is off by default, they'll never look.

Or, in other words, just do it!

HUSKER55
02-18-2014, 06:22 PM
Evidently I don't understand. The range is not that great and you have a password. How is this worm getting in?

headhawg
02-22-2014, 09:51 AM
The wireless connection is for devices inside your house (or whatever its maximum range is). The router connects to your ISP (then the Internet) via a wired connection. An attacker likely uses a port scanner to scan blocks of IP addresses and then port 8080. The worm would then check to see if the router is vulnerable and then run the CGI script on it. Apparently the vulnerability allows passwords to be bypassed. Just turn off remote administration until there's a firmware update.
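
To verify the mitigation discussed in this thread, the following added example (not code from any poster here) tests whether an administration port answers on your own router's WAN address; it is only meaningful when run from a connection outside your home network. Port 8080 is the port named in the thread; ports 80 and 443 and all function names are assumptions.

```python
import socket

# Ports to test. 8080 is the port named in the thread; 80 and 443 are
# assumed here as other common places a router admin page may listen.
ADMIN_PORTS = (8080, 80, 443)


def port_state(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset: nothing listening
    except (socket.timeout, OSError):
        return "filtered"    # no answer or unreachable: dropped on the way
    finally:
        sock.close()


def audit_remote_admin(wan_ip, ports=ADMIN_PORTS, timeout=3.0):
    """Map each port to its state as seen from wherever this runs."""
    return {port: port_state(wan_ip, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that accepted a connection and so need attention."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_remote_admin.py <your-router-WAN-IP>")
    results = audit_remote_admin(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    if exposed_ports(results):
        print("Something answers from outside: turn off remote administration.")
    else:
        print("No admin port answered from outside.")
```

A result of "closed" or "filtered" on every port is what you want to see after turning remote administration off.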

DJofSD
02-22-2014, 11:20 AM
http://grahamcluley.com/2014/02/moon-router-worm/