Nenavaden črv napada Linksysove usmerjevalnike @ Slo-Tech

Novice » Varnost »
Nenavaden črv napada Linksysove usmerjevalnike

Nenavaden črv napada Linksysove usmerjevalnike

Matej Huš :: 14. feb 2014 ob 09:06
Varnost

Slo-Tech - Po internetu se je začel širiti zelo nenavaden črv, ki cilja na Linksysove usmerjevalnike in za zdaj ne počne nič drugega, razen da se širi karseda hitro. Črv napada številne modele Linksysovih usmerjevalnikov (potrjeno E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900 ter nekateri WRT in Valet), pri čemer pa so usmerjevalniki z najnovejšo strojno programsko opremo (firmware) varni (različica 2.0.06). Nekateri modeli so sicer že tako stari, da niso več podprti in morajo uporabljati starejše, ranljive verzije.

Črva so odkrili pri ponudniki dostopa do interneta v Wyomingu, ker je črv zasedel vse razpoložljive kapacitete in upočasnil njihovo omrežje. Ko črv okuži usmerjevalnik, začne prek vrat 8080 in 80 preverjati, ali so na internetu drugi usmerjevalniki, ki bi jih lahko okužil. Nanje se priključi z zlorabo HNAP (Home Network Administration Protocol), ki je namenjen oddaljenim posodobitvam in konfiguriranju usmerjevlaniku, ki jih izvaja lokalni ponudnik dostopa do interneta. Črv s preverjanjem, na katerih naslovih dobi odgovor na zahtevke po povezavi HNAP, ugotovi, kje so še ostali usmerjevalniki. Nanje se potem poveže prek ranljivosti v eni izmed CGI-skript.

Ko črv okuži usmerjevalnik, za zdaj nima zločestih namenov, čeprav ima nekaj vnosov, ki bi lahko kazali na klicanje krmilno-nadzornih strežnikov. Večino svojega časa preživi v iskanju drugih usmerjevalnikov (išče v 670 omrežjih, ki pripadajo ISP-jem v več državah), ki bi jih še lahko okužil. Sicer pa nastavi DNS-strežnike na 8.8.8.8 in 8.8.4.4. To so IP-ji Googlovih javnih DNS-strežnikov. Zakaj to stori, ni jasno. Ker črv vsebuje nekaj slik iz filma The Moon, se ga je prijelo isto ime. Ponovni zagon usmerjevalnika okužbo odstrani. Raziskovalci si še belijo glavo z vprašanjem, čemu služi ta črv in kaj se z njim preizkuša. Morebiti gre namreč za generalko pred resnim napadom.

Da je vaš usmerjevalnik okužen, lahko spoznate po visokem izhodnem prometu na vratih 8080 in 80 ter nenavadnih vhodnih povezavah na vratih, ki so manjša od 1024. Ranljivost pa lahko preverite s spodnjim ukazom. Če vrne ustrezen odziv v formatu XML, je usmerjevalnik potencialno ranljiv.

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

22 komentarjev

japol :: 14. feb 2014, 09:22

Kam to vpišem da preverim?

carota :: 14. feb 2014, 09:39

Samo routerji s stock firmware-om so ranljivi in remote admin morajo imeti vklopljen.

Rias Gremory :: 14. feb 2014, 09:40

The worm only scans port 80 and 8080 (http and https). Changing the port will prevent this attack. Restricting access to the admin interface by IP address will help as well.

Mirno gledamo, kako naš svet propada,
saj za časa našega življenja ne bo popolnoma propadel.

hojnikb :: 14. feb 2014, 09:41

še dober, da obstajajo alternativni firmwarei..

#brezpodpisa

BlaY0 :: 14. feb 2014, 10:08

Ne rabiš alternative... pri nas noben ISP ne daje svojim uporabnikov teh routerjev.

hojnikb :: 14. feb 2014, 10:10

kar še ne pomeni, da teh routerjov nemorš sam kupit ;((

PS:
Ne, nimam linksys-a...

#brezpodpisa

BlaY0 :: 14. feb 2014, 10:20

Ja, in noben nima po defaultu vklopljenega remote administration-a.

dr.Akula :: 14. feb 2014, 10:37

Različica firmwara navedenega v novici (2.0.06) je tako poimenovana samo za router E1200. Za druge so zadnje različice poimenovane z drugimi številkami, kolikor sem zdajle preletel.

Jaz imam E3200 z zadnjim firmwarom, ampak je bil izdan maja 2012, tako da najbrž ni črv-proof. Je pa Remote admin že od vedno izklopljen.

ni podatka

MrStein :: 14. feb 2014, 11:13

črv vsebuje nekaj slik iz filma The Moon

A je to praksa, da malware zraven nosi tak balast?

Motiti se je človeško.
Motiti se pogosto je neumno.
Vztrajati pri zmoti je... oh, pozdravljen!

Kac :: 14. feb 2014, 12:17

Zanimivo. V soboto sem imel problem z dvema routerjema istega slo ponudnika interneta. http ni delal drugo pa je nekako delovalo. Po resetu vse normalno.

Daniel :: 14. feb 2014, 12:18

Meni E3200 s Tomatom vrne tole:

root@unknown:/tmp/home/root# echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" |
nc localhost 8080
nc: can't connect to remote host (127.0.0.1): Connection refused
root@unknown:/tmp/home/root#

Sicer pa že dlje časa vsak dan v LOG-ih berem te zadeve...

Feb 13 04:39:56 unknown authpriv.info dropbear[1610]: Child connection from 222.186.62.71:3654
Feb 13 04:40:22 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:40:26 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:05 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:49 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:49 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:54 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:55 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:56 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:58 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:59 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:59 unknown authpriv.info dropbear[1610]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:3654
Feb 13 04:42:00 unknown authpriv.info dropbear[1611]: Child connection from 222.186.62.71:1488
Feb 13 04:42:11 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:11 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:12 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:13 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:16 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:17 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:18 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:19 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:22 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:26 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:26 unknown authpriv.info dropbear[1611]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1488
Feb 13 04:42:34 unknown authpriv.info dropbear[1612]: Child connection from 222.186.62.71:1935
Feb 13 04:43:45 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:46 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:47 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:48 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:49 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:49 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:50 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:51 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:52 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:53 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:53 unknown authpriv.info dropbear[1612]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1935
Feb 13 04:43:54 unknown authpriv.info dropbear[1613]: Child connection from 222.186.62.71:1471
Feb 13 04:44:02 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:03 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:03 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:04 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:05 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:06 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:07 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:08 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:09 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:10 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:10 unknown authpriv.info dropbear[1613]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1471
Feb 13 04:44:11 unknown authpriv.info dropbear[1614]: Child connection from 222.186.62.71:3208
Feb 13 04:44:16 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:17 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:18 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:19 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:20 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:22 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:23 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:24 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:25 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:25 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:26 unknown authpriv.info dropbear[1614]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:3208
Feb 13 04:44:26 unknown authpriv.info dropbear[1615]: Child connection from 222.186.62.71:1589
Feb 13 04:44:36 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:37 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:38 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:39 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:40 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:41 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:41 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:44 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:45 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:46 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:46 unknown authpriv.info dropbear[1615]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1589
Feb 13 05:00:01 unknown syslog.info root: -- MARK --
Feb 13 05:02:00 unknown authpriv.info dropbear[1618]: Child connection from 94.22.138.62:38783
Feb 13 05:02:01 unknown authpriv.warn dropbear[1618]: Login attempt for nonexistent user from 94.22.138.62:38783
Feb 13 05:02:02 unknown authpriv.info dropbear[1618]: Exit before auth: Disconnect received
Feb 13 05:02:02 unknown authpriv.info dropbear[1619]: Child connection from 94.22.138.62:38855
Feb 13 05:02:03 unknown authpriv.warn dropbear[1619]: Login attempt for nonexistent user from 94.22.138.62:38855
Feb 13 05:02:03 unknown authpriv.info dropbear[1619]: Exit before auth: Disconnect received
Feb 13 05:02:04 unknown authpriv.info dropbear[1620]: Child connection from 94.22.138.62:38931
Feb 13 05:02:04 unknown authpriv.warn dropbear[1620]: Login attempt for nonexistent user from 94.22.138.62:38931
Feb 13 05:02:05 unknown authpriv.info dropbear[1620]: Exit before auth: Disconnect received
Feb 13 05:49:00 unknown authpriv.info dropbear[1621]: Child connection from 125.65.165.235:44080
Feb 13 05:49:02 unknown authpriv.warn dropbear[1621]: Bad password attempt for 'root' from 125.65.165.235:44080
Feb 13 05:49:03 unknown authpriv.info dropbear[1621]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 05:49:03 unknown authpriv.info dropbear[1622]: Child connection from 125.65.165.235:45193
Feb 13 05:49:06 unknown authpriv.warn dropbear[1622]: Bad password attempt for 'root' from 125.65.165.235:45193
Feb 13 05:49:06 unknown authpriv.info dropbear[1622]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 05:49:06 unknown authpriv.info dropbear[1623]: Child connection from 125.65.165.235:46301
Feb 13 05:49:09 unknown authpriv.warn dropbear[1623]: Bad password attempt for 'root' from 125.65.165.235:46301
Feb 13 05:49:09 unknown authpriv.info dropbear[1623]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 06:00:01 unknown syslog.info root: -- MARK --
Feb 13 06:22:03 unknown authpriv.info dropbear[1626]: Child connection from 222.186.62.42:4530
Feb 13 06:22:07 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:08 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:09 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:09 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:10 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:11 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:11 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:12 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:13 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:14 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:14 unknown authpriv.info dropbear[1626]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.42:4530

Router je na statičnem Ip-ju in ne vem, ali se sploh da kako znebiti teh poskusov logiranja.

de199 :: 14. feb 2014, 12:27

izklopi remote admin
ali pa preusmeri remote admin na naslov v tvojem omrežju, ki NI ZASEDEN

Daniel :: 14. feb 2014, 12:52

Žal zadevo rabim. Sedaj se, izklopil SSH in zaenkrat pustil Remote Acess do routerja preko brskalnika, če to ne bo pomagalo, pa bom izklopil še remote acess in uporabil VPN za dostop.

MrStein :: 14. feb 2014, 13:52

fail2ban ali kaj podobnega.

Če najdeš že narejen paket, še meni povej.

Motiti se je človeško.
Motiti se pogosto je neumno.
Vztrajati pri zmoti je... oh, pozdravljen!

BlaY0 :: 14. feb 2014, 14:19

A na wan portu ne moreš blokirati inputa z določenega source naslova? Kakšen router je pa to?

Hayabusa :: 14. feb 2014, 14:23

Ne moreš na Remote Acessu dovoliti prijavo samo iz določenega ipja (white listanega)? Da za ostale sploh ne dovoli vnosa up.imena & gesla .
Upam da nimaš sshja na portu 22.

Zgodovina sprememb…

spremenilo: Hayabusa (14. feb 2014 ob 14:23)

jlpktnst :: 14. feb 2014, 15:37

Hum, remote access rabiš imet odprt za tole?

Drugač na E1000 ima moja trenutna verzija druge cifre: Firmware Version: 2.1.02 build 5 May 6, 2011

Na tale test se ne odziva, očitno ni odprto karkoli že naj bi bil problem.

Daniel :: 15. feb 2014, 11:17

Izklop oddaljenega SSH dostopa je rešil težavo. Hvala vsem.

BlaY0 :: 16. feb 2014, 00:06

To itak. Tudi izklop routerja bi rešil to "težavo".

Da se jasno omejiti s katerih source IP-jev boš pustil SSH na svoj router. Ena od rešitev je tudi knockd.

Daniel :: 17. feb 2014, 11:57

Vem, da tudi to gre, vendar ne dostopam zmeraj od doma, kjer imam tako dinamičen ip, včasih tudi iz 3G omrežja, pri tastu, tujina itd. Bi kar težko vpisal vse razpone IP-naslovov.

BlaY0 :: 17. feb 2014, 12:08

V ta namen imaš knockd. Sam si izmisliš nek "password" v obliki zaporedja poslanih paketov, na podlagi katerega ti odpre firewall recimo za nadaljne 3 minute.

Daniel :: 17. feb 2014, 14:31

Moram malo naštudirati samo delovanje tega, saj mi vsi ti ukazi še niso čisto domači. A lahko zaporedje pošlješ kar s Putty-em?

Vredno ogleda ...

	Tema	Sporočila	Ogledi	Zadnje sporočilo
	Tema	Sporočila	Ogledi	Zadnje sporočilo
»	Hekerski napad od interneta odrezal skoraj milijon strank Deutsche Telekoma McHusch Oddelek: Novice / Varnost	9	5859 (3872)	ales85 30. nov 2016 13:07:27
»	Mirai je dobil naslednika McHusch Oddelek: Novice / Varnost	6	4555 (3331)	Ahim 3. nov 2016 21:57:20
»	Odkrita zlonamerna koda v usmerjevalnikih (strani: 1 2 ) McHusch Oddelek: Novice / Varnost	67	41369 (23401)	AC_DC 12. feb 2016 10:53:47
»	SIOL modem Master_Yoda Oddelek: Omrežja in internet	12	2741 (2358)	telexdell 4. mar 2015 12:23:43
»	Napad na Border Gateway Protocol poweroff Oddelek: Novice / Varnost	27	10819 (8997)	AndraZK 6. sep 2008 17:08:40

Več podobnih tem

Zadnje novice

Zadnji članki

Išči:

Novice » Varnost »
Nenavaden črv napada Linksysove usmerjevalnike

Nenavaden črv napada Linksysove usmerjevalnike