
Unusual worm attacks Linksys routers


Slo-Tech - A very unusual worm has started spreading across the internet. It targets Linksys routers and, for now, does nothing other than spread as fast as it can. The worm attacks numerous Linksys router models (confirmed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, and some WRT and Valet models), while routers with the latest firmware (version 2.0.06) are safe. Some models, however, are already so old that they are no longer supported and have to run older, vulnerable versions.

The worm was discovered at an internet service provider in Wyoming because it consumed all available capacity and slowed down their network. Once the worm infects a router, it starts checking on ports 8080 and 80 whether there are other routers on the internet it could infect. It connects to them by abusing HNAP (Home Network Administration Protocol), which is intended for remote updates and configuration of routers carried out by the local internet service provider. By checking which addresses respond to HNAP connection requests, the worm finds out where the other routers are. It then connects to them through a vulnerability in one of the CGI scripts.

Once the worm has infected a router, it has no malicious intentions for now, although it contains a few entries that could point to calling command-and-control servers. It spends most of its time searching for other routers it could still infect (it scans 670 networks belonging to ISPs in several countries). It also sets the DNS servers to 8.8.8.8 and 8.8.4.4, the IPs of Google's public DNS servers. Why it does this is not clear. Because the worm contains a few images from the film The Moon, it has been given the same name. Rebooting the router removes the infection. Researchers are still scratching their heads over what this worm is for and what is being tested with it. It may well be a dress rehearsal for a serious attack.

You can tell that your router is infected by high outbound traffic on ports 8080 and 80 and by unusual inbound connections on ports below 1024. You can check for the vulnerability with the command below (printf is used because bash's echo does not interpret the \r\n escapes without -e). If it returns a suitable response in XML format, the router is potentially vulnerable.
printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080
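The same check as an added example, not a tool from the article or from Linksys: a Python script that sends the request the nc one-liner sends to a router's admin port and applies the article's rule (an HTTP 200 with an XML body at /HNAP1/ means HNAP is reachable and the router is potentially vulnerable; a refused connection, a 404 or an HTML login page means it is not exposed on that port). The target host, the timeout and the classification heuristic are the example's own assumptions.

```python
"""Check whether a router answers HNAP requests on its admin port.

Added example (standard library only). Usage: python hnap_check.py <router-ip>
"""
import socket
import sys
from typing import List, Optional, Tuple

# Same request as the article's one-liner, plus Connection: close so the
# server ends the reply instead of leaving us waiting for keep-alive.
HNAP_REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\nConnection: close\r\n\r\n"


def parse_http_response(raw: bytes) -> Tuple[Optional[int], str]:
    """Split a raw HTTP reply into (status code, body).

    Returns (None, whole text) when the bytes are not an HTTP response."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, raw.decode("latin-1", "replace")
    return int(parts[1]), body.decode("latin-1", "replace")


def looks_like_hnap(status: Optional[int], body: str) -> bool:
    """The article's rule: a successful XML reply to /HNAP1/ means HNAP is
    reachable from this side, so the device is potentially vulnerable.
    Assumption: an HNAP reply is an XML document or an XML fragment that
    mentions HNAP; an HTML login page is neither."""
    if status != 200:
        return False
    stripped = body.lstrip()
    if stripped.startswith("<?xml"):
        return True
    return stripped.startswith("<") and "HNAP" in stripped


def probe(host: str, port: int = 8080, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """Send HNAP_REQUEST to host:port and return the parsed reply.

    Raises OSError (including socket.timeout) when nothing answers."""
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HNAP_REQUEST)
        while sum(len(c) for c in chunks) < 65536:  # cap what we read
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_http_response(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN address
    for port in (8080, 80):  # the two ports the worm scans
        try:
            status, body = probe(target, port)
        except OSError as exc:
            print(f"{target}:{port}: no HNAP (connection failed: {exc})")
            continue
        verdict = ("HNAP reachable, potentially vulnerable"
                   if looks_like_hnap(status, body) else "no HNAP reply")
        print(f"{target}:{port}: HTTP {status} -> {verdict}")
```

A router that is not exposed typically gives "connection refused" (as Daniel's Tomato output further down shows) or an HTML page; only a 200 with XML is the positive result the article describes.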

22 comments

japol ::

Where do I enter this to check?

carota ::

Only routers with stock firmware are vulnerable, and they have to have remote admin enabled.

Rias Gremory ::

The worm only scans port 80 and 8080 (http and https). Changing the port will prevent this attack. Restricting access to the admin interface by IP address will help as well.
Glorious PC gaming master race https://www.reddit.com/r/pcmasterrace/

hojnikb ::

good thing alternative firmwares exist..
#teamred
MediaBox: AMD R5 1600 AF, 16GB DDR4, 256GB SSD, 1060 6GB, B450M-DS3H, W10

BlaY0 ::

You don't need an alternative... no ISP here gives its users these routers.

hojnikb ::

which still doesn't mean you can't buy these routers yourself ;((

PS:
No, I don't have a Linksys...

BlaY0 ::

Yes, and none of them has remote administration enabled by default.

dr.Akula ::

The firmware version mentioned in the article (2.0.06) is named that way only for the E1200 router. For the others the latest versions carry different numbers, as far as I skimmed just now.

I have an E3200 with the latest firmware, but it was released in May 2012, so it's probably not worm-proof. Remote admin has always been disabled, though.
no data

MrStein ::

the worm contains a few images from the film The Moon

8-O

Is it common practice for malware to carry that kind of ballast along?
To err is human.
To err often is stupid.
To persist in error is... oh, hello!

Kac ::

Interesting. On Saturday I had a problem with two routers from the same Slovenian ISP. HTTP wasn't working, the other one sort of worked. After a reset everything was normal.

Daniel ::

My E3200 with Tomato returns this:

root@unknown:/tmp/home/root# echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" |
nc localhost 8080
nc: can't connect to remote host (127.0.0.1): Connection refused
root@unknown:/tmp/home/root#

Other than that, I've been reading these things in the logs every day for a while now...

Feb 13 04:39:56 unknown authpriv.info dropbear[1610]: Child connection from 222.186.62.71:3654
Feb 13 04:40:22 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:40:26 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:05 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:49 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:49 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:54 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:55 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:56 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:58 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:59 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 222.186.62.71:3654
Feb 13 04:41:59 unknown authpriv.info dropbear[1610]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:3654
Feb 13 04:42:00 unknown authpriv.info dropbear[1611]: Child connection from 222.186.62.71:1488
Feb 13 04:42:11 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:11 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:12 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:13 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:16 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:17 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:18 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:19 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:22 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:26 unknown authpriv.warn dropbear[1611]: Bad password attempt for 'root' from 222.186.62.71:1488
Feb 13 04:42:26 unknown authpriv.info dropbear[1611]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1488
Feb 13 04:42:34 unknown authpriv.info dropbear[1612]: Child connection from 222.186.62.71:1935
Feb 13 04:43:45 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:46 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:47 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:48 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:49 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:49 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:50 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:51 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:52 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:53 unknown authpriv.warn dropbear[1612]: Bad password attempt for 'root' from 222.186.62.71:1935
Feb 13 04:43:53 unknown authpriv.info dropbear[1612]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1935
Feb 13 04:43:54 unknown authpriv.info dropbear[1613]: Child connection from 222.186.62.71:1471
Feb 13 04:44:02 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:03 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:03 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:04 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:05 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:06 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:07 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:08 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:09 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:10 unknown authpriv.warn dropbear[1613]: Bad password attempt for 'root' from 222.186.62.71:1471
Feb 13 04:44:10 unknown authpriv.info dropbear[1613]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1471
Feb 13 04:44:11 unknown authpriv.info dropbear[1614]: Child connection from 222.186.62.71:3208
Feb 13 04:44:16 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:17 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:18 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:19 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:20 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:22 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:23 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:24 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:25 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:25 unknown authpriv.warn dropbear[1614]: Bad password attempt for 'root' from 222.186.62.71:3208
Feb 13 04:44:26 unknown authpriv.info dropbear[1614]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:3208
Feb 13 04:44:26 unknown authpriv.info dropbear[1615]: Child connection from 222.186.62.71:1589
Feb 13 04:44:36 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:37 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:38 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:39 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:40 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:41 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:41 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:44 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:45 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:46 unknown authpriv.warn dropbear[1615]: Bad password attempt for 'root' from 222.186.62.71:1589
Feb 13 04:44:46 unknown authpriv.info dropbear[1615]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.71:1589
Feb 13 05:00:01 unknown syslog.info root: -- MARK --
Feb 13 05:02:00 unknown authpriv.info dropbear[1618]: Child connection from 94.22.138.62:38783
Feb 13 05:02:01 unknown authpriv.warn dropbear[1618]: Login attempt for nonexistent user from 94.22.138.62:38783
Feb 13 05:02:02 unknown authpriv.info dropbear[1618]: Exit before auth: Disconnect received
Feb 13 05:02:02 unknown authpriv.info dropbear[1619]: Child connection from 94.22.138.62:38855
Feb 13 05:02:03 unknown authpriv.warn dropbear[1619]: Login attempt for nonexistent user from 94.22.138.62:38855
Feb 13 05:02:03 unknown authpriv.info dropbear[1619]: Exit before auth: Disconnect received
Feb 13 05:02:04 unknown authpriv.info dropbear[1620]: Child connection from 94.22.138.62:38931
Feb 13 05:02:04 unknown authpriv.warn dropbear[1620]: Login attempt for nonexistent user from 94.22.138.62:38931
Feb 13 05:02:05 unknown authpriv.info dropbear[1620]: Exit before auth: Disconnect received
Feb 13 05:49:00 unknown authpriv.info dropbear[1621]: Child connection from 125.65.165.235:44080
Feb 13 05:49:02 unknown authpriv.warn dropbear[1621]: Bad password attempt for 'root' from 125.65.165.235:44080
Feb 13 05:49:03 unknown authpriv.info dropbear[1621]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 05:49:03 unknown authpriv.info dropbear[1622]: Child connection from 125.65.165.235:45193
Feb 13 05:49:06 unknown authpriv.warn dropbear[1622]: Bad password attempt for 'root' from 125.65.165.235:45193
Feb 13 05:49:06 unknown authpriv.info dropbear[1622]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 05:49:06 unknown authpriv.info dropbear[1623]: Child connection from 125.65.165.235:46301
Feb 13 05:49:09 unknown authpriv.warn dropbear[1623]: Bad password attempt for 'root' from 125.65.165.235:46301
Feb 13 05:49:09 unknown authpriv.info dropbear[1623]: Exit before auth (user 'root', 1 fails): Disconnect received
Feb 13 06:00:01 unknown syslog.info root: -- MARK --
Feb 13 06:22:03 unknown authpriv.info dropbear[1626]: Child connection from 222.186.62.42:4530
Feb 13 06:22:07 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:08 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:09 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:09 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:10 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:11 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:11 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:12 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:13 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:14 unknown authpriv.warn dropbear[1626]: Bad password attempt for 'root' from 222.186.62.42:4530
Feb 13 06:22:14 unknown authpriv.info dropbear[1626]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 222.186.62.42:4530

The router is on a static IP and I don't know if there's any way at all to get rid of these login attempts.
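For a log like the one above, a fail2ban-style detection as an added example (not Daniel's or the forum's code, and not fail2ban itself): it parses dropbear syslog lines, counts failed authentications per source IP, and lists the IPs that exceed a threshold within a time window together with the iptables rule that would drop them on the router's WAN side. The sample lines, the addresses (RFC 5737 documentation ranges), the thresholds and the iptables command are constructed; syslog lines carry no year, so only the relative timing is used.

```python
"""Spot SSH brute-force sources in dropbear syslog lines and decide which to block.

Added example. SAMPLE_LOG is constructed in the format the router prints,
with documentation addresses rather than real ones.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one source hammering 'root', one probe for a user that
# does not exist, and one single bad guess.
SAMPLE_LOG = """\
Feb 13 04:39:56 unknown authpriv.info dropbear[1610]: Child connection from 203.0.113.7:3654
Feb 13 04:40:22 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 203.0.113.7:3654
Feb 13 04:40:26 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 203.0.113.7:3654
Feb 13 04:41:05 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 203.0.113.7:3654
Feb 13 04:41:49 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 203.0.113.7:3654
Feb 13 04:41:54 unknown authpriv.warn dropbear[1610]: Bad password attempt for 'root' from 203.0.113.7:3654
Feb 13 04:41:59 unknown authpriv.info dropbear[1610]: Exit before auth (user 'root', 5 fails): Max auth tries reached - user 'root' from 203.0.113.7:3654
Feb 13 05:02:01 unknown authpriv.warn dropbear[1618]: Login attempt for nonexistent user from 198.51.100.9:38783
Feb 13 05:49:02 unknown authpriv.warn dropbear[1621]: Bad password attempt for 'root' from 192.0.2.20:44080
"""

# "<timestamp> <host> authpriv.<level> dropbear[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ authpriv\.\w+ dropbear\[\d+\]: (?P<msg>.*)$"
)
# The two dropbear messages that each mean one failed authentication.
# "Exit before auth ... N fails" summarises attempts already counted, so it is ignored.
FAIL_RE = re.compile(
    r"(Bad password attempt for '(?P<user>[^']*)'|Login attempt for nonexistent user) "
    r"from (?P<ip>[\d.]+):\d+"
)


def failed_attempts(lines: List[str]) -> Dict[str, List[datetime]]:
    """Map each source IP to the timestamps of its failed SSH authentications."""
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        # No year in syslog timestamps; strptime defaults to 1900, which is fine
        # because only differences between timestamps matter here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        attempts[f.group("ip")].append(ts)
    return dict(attempts)


def offenders(attempts: Dict[str, List[datetime]], maxretry: int = 5,
              findtime: timedelta = timedelta(minutes=10)) -> List[str]:
    """fail2ban-style rule: an IP is an offender once it has `maxretry` failures
    inside any `findtime` window. Returns the offending IPs, sorted."""
    banned: List[str] = []
    for ip, times in attempts.items():
        times = sorted(times)
        for i in range(len(times)):
            window_end = times[i] + findtime
            j = i
            while j < len(times) and times[j] <= window_end:
                j += 1
            if j - i >= maxretry:  # enough failures in one window
                banned.append(ip)
                break
    return sorted(banned)


def block_commands(ips: List[str], port: int = 22) -> List[str]:
    """iptables rule (assumed firewall) that drops each offender's SSH traffic."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = failed_attempts(SAMPLE_LOG.splitlines())
    for ip, times in hits.items():
        print(f"{ip}: {len(times)} failed attempts")
    for cmd in block_commands(offenders(hits)):
        print(cmd)
```

On a real router the same logic would read the syslog ring buffer (or a file under /tmp) on a cron schedule and apply the rules with a timeout, which is exactly the loop fail2ban packages automate; the thresholds are the knobs to tune so that a single mistyped password from a legitimate user never trips it.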

de199 ::

turn off remote admin
or redirect remote admin to an address on your network that is NOT IN USE

Daniel ::

Unfortunately I need it. For now I've disabled SSH and left remote access to the router through the browser; if that doesn't help, I'll disable remote access too and use a VPN for access.

MrStein ::

fail2ban or something similar.

If you find a ready-made package, tell me too.

BlaY0 ::

Can't you block input from a specific source address on the WAN port? What kind of router is that?

Hayabusa ::

Can't you allow login on Remote Access only from a specific (whitelisted) IP? So that for everyone else it doesn't even allow entering the username & password.
I hope you don't have SSH on port 22.


jlpktnst ::

Hmm, do you need remote access open for this?

Otherwise, on the E1000 my current version has different numbers: Firmware Version: 2.1.02 build 5 May 6, 2011

It doesn't respond to this test; apparently whatever is supposed to be the problem isn't open.

Daniel ::

Disabling remote SSH access solved the problem. Thanks everyone.

BlaY0 ::

Of course. Turning off the router would also solve this "problem".

You can clearly restrict which source IPs you allow SSH to your router from. One of the solutions is also knockd.

Daniel ::

I know that works too, but I don't always connect from home, where I have a dynamic IP anyway; sometimes also from a 3G network, at my father-in-law's, abroad, etc. It would be pretty hard to enter all the IP ranges.

BlaY0 ::

That's what knockd is for. You make up a "password" in the form of a sequence of sent packets, based on which it opens the firewall for, say, the next 3 minutes.
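A minimal knockd configuration for the setup BlaY0 describes, as an added example rather than his own config: the knock sequence, the WAN interface name, the iptables paths and the 180-second window are assumptions, and it presumes the firewall otherwise drops port 22 from the WAN and that knockd and iptables are available on the router's firmware.

```ini
[options]
    # log knock events to syslog (the same log Daniel is already reading)
    UseSyslog
    # assumption: name of the WAN interface on this router
    interface = eth0

[openSSH]
    # constructed "password": three TCP SYNs to these ports, in this order,
    # all arriving within seq_timeout seconds
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    # open SSH only for the address that knocked (%IP%) ...
    start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    # ... and remove that rule again after 3 minutes, as in the comment above
    cmd_timeout   = 180
    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The knocking side needs nothing special: knockd ships a `knock` client (`knock router-ip 7000 8000 9000`), and because the rule is added for the knocker's own source address, it works from a dynamic IP, a 3G network or abroad alike; an established SSH session stays up after the rule is removed, only new connections need a fresh knock.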

Daniel ::

I have to study a bit how this actually works, since all these commands aren't quite familiar to me yet. Can you send the sequence just with PuTTY?

