Home routers under attack...

67 replies to this topic

#61 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 May 2014 - 10:15 AM

FYI...

D-Link DIR-505/505L Wireless Router - Firmware updates
- https://secunia.com/advisories/58972/
Release Date: 2014-05-27
Criticality: Moderately Critical
Where: From local network
Impact: System access
Solution Status: Partial Fix
Operating System: D-Link DIR-505, 505L Wireless Router
No CVE references.
... vulnerability has been reported in D-Link DIR-505 and D-Link DIR-505L Wireless Routers, which can be exploited by malicious people to compromise a vulnerable device...
Related to: https://secunia.com/SA58728/ *
The vulnerability is reported in versions 1.07 and prior.
Solution: Apply update if available.
Original Advisory:
- http://securityadvis...x?name=SAP10029

* Original Advisory: D-Link:
- http://securityadvis...x?name=SAP10027
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#62 AplusWebMaster

Posted 04 June 2014 - 05:11 AM

FYI...

Unpatchable systems ...
- https://www.computer...tchable_systems
June 2, 2014 - "... Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups... In March, the security consultancy Team Cymru warned* that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others. That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon"** which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems. Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported... When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely... with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there..."
* http://www.team-cymr...HOPharming.html

** http://grahamcluley....on-router-worm/
"... a worm that was spreading between Linksys routers. What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer. And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it..."
I.E., see firmware updates: http://support.links.../routers/EA6900
And this: http://isc.sans.org/...ml?storyid=4282 ... an old post, but it still applies.
___

- http://blogs.cisco.c...ently-observed/
June 17, 2014 - "... Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices... While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 20 June 2014 - 05:14 PM.



#63 AplusWebMaster

Posted 26 August 2014 - 02:43 AM

FYI...

Netis routers - backdoor open ...
- http://blog.trendmic...-open-backdoor/
Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
> https://www.grc.com/port_53413.htm
... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
___

Netis Router Backdoor “Patched” but not really
- http://blog.trendmic...but-not-really/
Oct 3, 2014 - "... the ShadowServer Foundation* has been kind enough to scan for IP addresses affected by this vulnerability... the same number of devices were at risk (we note that the number has risen at the time of this writing)... Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page**)... instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it... The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC). It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house. Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure. However, we want to stress that users should also make their router passwords stronger as well -immediately- after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as it can possibly be.
Strong password practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters. We will continue to monitor this particular issue and update as necessary."
* https://netisscan.shadowserver.org/
"... 885,093 distinct IPs have responded to our probe..."

** http://www.netis-sys...m/en/Downloads/
___

- http://atlas.arbor.net/briefs/
High Severity
28 Aug 2014
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 October 2014 - 09:55 PM.



#64 AplusWebMaster

Posted 08 October 2014 - 04:38 AM

FYI...

Belkin routers - heartbeat.belkin.com -outage- taking routers down
- https://isc.sans.edu...l?storyid=18779
2014-10-07 21:30:53 UTC - "According to various reports, many users of Belkin routers are having problems connecting to the internet as of last night. It appears that the router will occasionally ping heartbeat.belkin.com to detect network connectivity, but the "heartbeat" host is not reachable for some (all?) users. Currently, the host responds to ICMP echo requests, but apparently, many Belkin routers are still down.
As a workaround, you can add an entry to the router's hosts file pointing heartbeat.belkin.com to 127.0.0.1. This appears to remove the block. The "block" only affects the DNS server on the device. It will route just fine. You can still get hosts on your network to work as long as you set a DNS server -manually-, for example using Google's DNS server at 8.8.8.8.
For a statement from Belkin, see:
- https://belkinintern...c.statuspage.io
... Belkin also pointed to this page on its community forum:
- http://community.bel.../m-p/5796#M1466 "
 

:ph34r: :ph34r:




#65 AplusWebMaster

Posted 13 October 2014 - 08:18 AM

FYI...

D-Link DSR routers - OpenSSL SSL/TLS Handshake Security Issue
- https://secunia.com/advisories/61383/
Release Date: 2014-10-13
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Solution Status: Vendor Patch
Operating System:
D-Link DSR-1000, 1000N, 500, 500N Router
CVE Reference(s):
- https://web.nvd.nist...d=CVE-2014-0224 - 6.8
Last revised: 09/23/2014
... security issue in multiple D-Link products, which can be exploited by malicious people to disclose and manipulate certain data. The security issue is caused due to a bundled vulnerable version of OpenSSL...
Solution: Update to firmware version 1.09.b61.
Original Advisory:
- http://securityadvis...x?name=SAP10045
9 Oct 2014 - "... can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device... These firmware updates address the security vulnerabilities in affected D-Link devices..."
 

:ph34r: :ph34r:




#66 AplusWebMaster

Posted 06 November 2014 - 09:55 AM

FYI...

Linksys SMART WiFi firmware ...
- http://www.kb.cert.org/vuls/id/447516
Last revised: 03 Nov 2014
Impact: A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.
Solution: Apply an Update:
If possible, users are encouraged to -update- their -firmware- to the latest version to remediate these vulnerabilities..."
> https://web.nvd.nist...d=CVE-2014-8244 - 7.5 (HIGH)
Last revised: 11/03/2014
"Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request..."

> http://support.links...upport/routers/
___

Bad Wi-Fi router password could be a major security threat
- http://bgr.com/2014/...ty-and-hacking/
Nov 5, 2014 - "... Looking at more than 2,000 households in America, Avast* found that 25% of consumers use their address, name, phone number, street name and other easily guessed terms as passwords for their routers... half of routers are “poorly protected by default or common, easily hacked password combinations such as admin/admin or admin/password, or even admin/no-password.” After gaining access to a household Wi-Fi router, hackers could use it to redirect Internet users to -malicious- websites instead of the actual sites they want to visit — such as a -fake- online banking site masquerading as the real thing — in order to steal sensitive information including login credentials that could be then used for other malicious attacks. The procedure is also known as DNS hijacking**. Avast also found that just less than half of Americans believe their home network is secure, with 16% revealing they have been the victims of hackers in the past..."
* https://blog.avast.c...curity-attacks/
Nov 5, 2014

** https://en.wikipedia...i/DNS_hijacking
"... subverting the resolution of Domain Name System (DNS) queries. This can be achieved by -malware- that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server... A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 06 November 2014 - 08:01 PM.



#67 AplusWebMaster

Posted 29 May 2015 - 01:30 PM

FYI...

DNS Changer Malware sets sights on Home Routers
- http://blog.trendmic...n-home-routers/
May 28, 2015 - "Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware* to turn the most inconspicuous network router into a vital tool for their schemes. We already know that routers sometimes ship with malicious DNS server settings**. In this scenario, the malware is used to tamper with the router and its DNS settings. In the event that users try to visit legitimate banking websites or other pages -defined- by the bad guys, the malware would redirect users to malicious versions of the said pages. This would allow cybercriminals to steal users’ account credentials, PIN numbers, passwords, etc. We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router, from the internal network. With access to the administration interface through the right credentials, the script sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current IP address, the infection is done. Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes. Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack...
(Majority of affected routers are from Brazil):
> https://blog.trendmi...DNS_router3.png
Some of the -redirected- sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices. The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.
Best Practices: To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:
- Use strong passwords for all user accounts.
- Use a different IP address than the default.
- Disable remote administration features.
It is a good idea to periodically audit the router DNS settings and pay attention to the visited websites that require credentials like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that can block scripts before they get executed in the user’s browser, like NoScript***...
Malicious DNS servers:

Updated May 30, 2015, 4:32 AM PST "

 

* http://blog.trendmic...-are-you-ready/

** http://blog.trendmic...rning-messages/

*** https://noscript.net/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 04 June 2015 - 03:32 PM.



#68 AplusWebMaster

Posted 08 October 2015 - 05:20 PM

FYI...

Netgear Routers under Attack... 10,000 vulnerable
- http://www.bleepingc...otect-yourself/
Oct 8, 2015 - "... a previously disclosed Netgear exploit that is now publicly being used to hack Netgear routers. This exploit allows a remote user to gain access to the administrative section of your router -without- knowing your login credentials as long as Remote Administration is enabled. Once the router is exploited, attackers are modifying its DNS server settings so that any DNS requests are being routed to DNS servers under the attacker's control. This allows the attacker to perform man-in-the-middle attacks or -redirect- users to fake banking and shopping sites in order to steal credit card information or account credentials. It has been reported that approximately 10 thousand routers have been affected by this vulnerability... there is -no- available firmware update that resolves this issue, it is important that all Netgear users -disable- Remote Administration on their routers as a precaution. To be honest, unless you absolutely need it, all remote administration on all routers should be disabled as it is a potential door into your network. The known Netgear firmwares that are affected by this vulnerability are 300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img. The known list of affected Netgear models are JNR1010v2, JNR3000, JWNR2000v5, JWNR2010v5, N300, R3250, WNR2020, WNR614, and WNR618.
For Netgear users, you can -disable- Remote Administration by clicking on the Advanced category to expand it and then clicking on Remote Management. At the screen below, -uncheck- Turn Remote Management On and then click on the Apply button."

> http://www.bleepstat...-management.gif
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 09 October 2015 - 12:54 PM.

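The DNS-hijack posts above (#66, #67 and #68) all come down to the same audit on the client side: are the resolvers the router hands out the ones you expect, and do they answer the same way a trusted resolver does? Here is an added Python example of that audit; it is not code from the forum, Trend Micro, BleepingComputer or any vendor, and the LAN range, allow-listed resolvers, domains and addresses in it are constructed placeholders from documentation ranges, not the indicators published with the articles.

```python
"""Audit the DNS resolvers a client received from its home router.

Added example, not from the forum or any quoted vendor. A hijacked router hands
out rogue resolver addresses via DHCP, so the client-side tells are (1) a
nameserver that is neither the router nor an allow-listed public resolver and
(2) A records for sensitive domains that differ from a trusted resolver's.
"""
import ipaddress
from typing import Dict, List, Set


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the 'nameserver' addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers: List[str], lan_cidr: str, allowed_public: Set[str]) -> List[str]:
    """Return resolvers that are neither on the LAN (the router itself) nor allow-listed."""
    lan = ipaddress.ip_network(lan_cidr)
    suspicious = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            suspicious.append(server)  # unparsable entry: flag it for a look
            continue
        if addr in lan or server in allowed_public:
            continue
        suspicious.append(server)
    return suspicious


def compare_answers(via_router: Dict[str, Set[str]], via_trusted: Dict[str, Set[str]]) -> List[str]:
    """Return domains whose A records via the router differ from the trusted resolver's."""
    return sorted(d for d, ips in via_trusted.items() if via_router.get(d, set()) != set(ips))


# Constructed sample: a resolv.conf as a client on a hijacked router might receive it.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737), not real indicators.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP from the router
nameserver 192.168.1.1
nameserver 203.0.113.77
"""


def run_audit():
    """Run both checks on the constructed data; returns (suspicious resolvers, divergent domains)."""
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    suspicious = audit_resolvers(servers, "192.168.1.0/24", {"8.8.8.8", "8.8.4.4"})
    # Answers you would normally gather with a resolver library; hard-coded so this runs offline.
    via_trusted = {"bank.example": {"198.51.100.10"}, "mail.example": {"198.51.100.20"}}
    via_router = {"bank.example": {"203.0.113.99"}, "mail.example": {"198.51.100.20"}}
    return suspicious, compare_answers(via_router, via_trusted)


if __name__ == "__main__":
    suspicious, divergent = run_audit()
    print("resolvers to investigate:", suspicious)
    print("domains answered differently via router:", divergent)
```

On a real client, replace SAMPLE_RESOLV_CONF with the contents of /etc/resolv.conf (or the DNS servers shown in the router's WAN settings) and fill the two answer dicts from lookups sent to each resolver.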
