Suspected Mass Exploit Against Linksys E1000 / E1200 Routers
Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromissed Linksys routers these last couple of days. The routers, once compromissed, scan port 80 and 8080 as fast as they can (saturating bandwidth available).
It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune agains the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.
As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS server (8.8.8.8 or 8.8.4.4).
If you have any insight, please let us know.
Update: The initial request sent by the exploited routers if they find port 80 or 8080 open is GET /HNAP1/ . HNAP is a REST based web service that can be used to administer these routers. It is possible that the exploited vulnerability is part of HNAP (it had problems in the past), or that HNAP is just used to fingerprint the router to select the right exploit to send.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf
Anonymous
Feb 12th 2014
1 decade ago
http://blog.spiderlabs.com/2013/05/under-the-hood-linksys-remote-command-injection-vulnerabilities.html
Anonymous
Feb 13th 2014
1 decade ago
Anonymous
Feb 13th 2014
1 decade ago
So, if you need some testing done, let me know and I will power them up.
Anonymous
Feb 13th 2014
1 decade ago
It mentions recent malicious activity observed on home-based routers. Vulnerabilities are exploited on them to allow attackers to remotely change the DNS configuration and perform malicious redirections.
Anonymous
Feb 13th 2014
1 decade ago