Yes, I think the DD-WRT firmware is vulnerable. In fact, I am fairly certain that my router has been infected. I have been locked out of my GUI access. Not sure how to fix the problem or if a possible workaround exists. If anybody has any information about this please post.
I am also having problems accessing my router through the GUI. I was able to access my router using telnet. Once I was in telnet I was able to change the GUI password.
Immediately after I did that I was able to access my router through the GUI, however after I made any changes that required a reboot of the router I was locked out again.
I have some further information. Your router is vulnerable if you allow remote management on your box. Also, if you are able to telnet into the box you are not infected. Also, if remote management is turned on, make sure you have a good password; it seems the worm tries to brute-force its way in. Check here for more details, and read the comments, they are helpful:
http://it.slashdot.org/article.pl?sid=09/03/23/2257252&from=rss
Update 3 from DroneBL:
To disinfect, simply power-cycle your device and take appropriate action to lock it down, including the latest firmware updates, and using a secure password.
Couldn't hurt to do a 30/30/30 and reconfig either.
If you're not using a long and complex password on a router that's publicly facing the internet, you're asking for problems though.
... take appropriate action to lock it down, including the latest firmware updates, and using a secure password.
Couldn't hurt to do a 30/30/30 and reconfig either.
If you're not using a long and complex password on a router that's publicly facing the internet, you're asking for problems though.
That should be the standard security behaviour of a user, including shutting down unused services facing the WAN.
If you follow this you will have no problems.
I just talked to a friend here at work who has remote admin enabled on his box, and can confirm that something was trying to brute-force his SSH password. I don't have remote admin enabled on my router yet, but he recommended the guide in the wiki for preventing brute-force attacks. You might have a strong password, but the attacks can still use up resources.
If your SSH port is on the default 22, chances are like 99% that there will be brute-force attempts on it. I would say change the port and use public key crypto (disable password login). Brute-forcing a private key is like a zillion times more difficult than brute-forcing the password. So difficult that I'm sure the worm doesn't even begin to try, and moves on..
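Added example, not from any post in this thread: a small shell/awk script for confirming what the post above describes, i.e. that something is hammering dropbear (the SSH daemon on DD-WRT). It counts failed logins per source address from syslog lines and turns the offenders into DROP rules for the WAN interface. The sample log lines are constructed for the example; the dropbear message texts ("Bad password attempt for ... from", "Login attempt for nonexistent user from") are the ones dropbear logs, while the syslog prefix format and the `vlan2` WAN interface name are assumptions (on the router use `nvram get wan_iface`).

```shell
#!/bin/sh
# Added example (not from the thread): find SSH brute-force sources in
# dropbear syslog output and emit iptables rules to block them.

# Constructed sample log lines. The dropbear message texts are real; the
# "Mon DD HH:MM:SS host facility.level" prefix is an assumed syslog layout.
sample_log() {
cat <<'EOF'
Mar 24 02:11:07 router authpriv.warn dropbear[1337]: Bad password attempt for 'root' from 198.51.100.7:43210
Mar 24 02:11:09 router authpriv.warn dropbear[1337]: Bad password attempt for 'root' from 198.51.100.7:43211
Mar 24 02:11:10 router authpriv.warn dropbear[1338]: Login attempt for nonexistent user from 198.51.100.7:43212
Mar 24 02:11:12 router authpriv.warn dropbear[1339]: Bad password attempt for 'admin' from 198.51.100.7:43213
Mar 24 02:11:15 router authpriv.warn dropbear[1340]: Bad password attempt for 'root' from 198.51.100.7:43214
Mar 24 02:12:01 router authpriv.info dropbear[1341]: Password auth succeeded for 'root' from 10.11.22.33:51002
Mar 24 02:12:30 router authpriv.warn dropbear[1342]: Bad password attempt for 'root' from 203.0.113.9:60001
Mar 24 02:13:00 router authpriv.info dropbear[1343]: Child connection from 203.0.113.9:60002
EOF
}

# Read syslog lines on stdin; print "count ip" (most failures first) for
# every source with at least $1 failed dropbear logins (default 3).
# Both bad-password and nonexistent-user lines count; successes do not.
ssh_bruteforce_sources() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
            src = $NF                  # last field is ip:port
            sub(/:[0-9]+$/, "", src)   # strip the source port
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print fails[ip], ip
        }' | sort -rn
}

# Turn "count ip" lines into DROP rules for WAN interface $1 on the SSH port.
# Rules are printed, not executed, so they can be reviewed before applying.
ban_rules() {
    wan="$1"
    port="${2:-22}"
    while read -r count ip; do
        echo "iptables -I INPUT 1 -i $wan -s $ip -p tcp --dport $port -j DROP  # $count failed logins"
    done
}

# Stand-alone run on the constructed sample: one source crosses the threshold.
WAN_IFACE="${WAN_IFACE:-vlan2}"    # assumed; on the router: $(nvram get wan_iface)
sample_log | ssh_bruteforce_sources 3 | ban_rules "$WAN_IFACE" 22
```

On the router, replace `sample_log` with whatever carries your syslog (`logread` or `/var/log/messages`, depending on the build and where you pointed syslogd), pipe the rules into `sh -e` once you are happy with them, and remember that a source-based ban is a stopgap; the rate-limit and key-only login advice in this thread is what actually makes the attempts harmless.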
I would like to say that DD-WRT isn't the cause of this vulnerability; router configuration is!
I am a bit paranoid: I have left Remote Access disabled and I have also added this line to my firewall script:
Code:
# drop every TCP packet that arrives on the WAN interface, before any other INPUT rule
iptables -I INPUT 1 -i `nvram get wan_iface` -p tcp -j DROP
to be 100% sure that no one can manage my router from outside.
Actually I don't see many cases where remote administration from arbitrary IP addresses is needed.
If it is another person's router I would suggest setting an IP restriction on remote administration. To do this, enable Remote Administration and add this line to your firewall script:
Code:
# drop WAN-side TCP from every source except the admin host
# (newer iptables spells the negation "! -s 10.11.22.33")
iptables -I INPUT 1 -i `nvram get wan_iface` -s ! 10.11.22.33 -p tcp -j DROP
Replace 10.11.22.33 with the IP address of the computer from which you will administer the router.
Also I suggest using strong passwords (or preferably SSH private key authentication) and only encrypted protocols (e.g. SSH) over the internet, and never Telnet or HTTP over the internet.
For people using SSH over the internet for TCP-over-SSH tunneling I would suggest trying the DD-WRT VPN build and OpenVPN if possible.
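Added example that combines the advice of the last two posts (management from one admin IP only, everything else on the WAN dropped, and SSH connection attempts rate-limited so a brute-force run cannot eat resources even if it comes from a compromised admin host). This is not code from the thread. It assumes dropbear on port 22, the HTTPS GUI on port 443, that the iptables `recent` match is built into your firmware (check with `iptables -m recent -h`), and it reuses the placeholder admin address 10.11.22.33 from the post above; `vlan2` is only a fallback when `nvram` is not available.

```shell
#!/bin/sh
# Added example (not from the thread): WAN management lockdown for DD-WRT.
# Prints the iptables commands so they can be reviewed; run with "apply"
# to execute them. Save it as the firewall script once it does what you want.

ADMIN_IP="${ADMIN_IP:-10.11.22.33}"   # placeholder from the thread: use your own host
SSH_PORT="${SSH_PORT:-22}"            # assumed: dropbear on the default port
HTTPS_PORT="${HTTPS_PORT:-443}"       # assumed: GUI served over HTTPS only
SSH_SYN_PER_MIN=4                     # new SSH connections allowed per minute

# Emit the rules for WAN interface $1. A dedicated chain keeps the ordering
# obvious and lets the script be re-run without stacking duplicate rules.
wan_mgmt_rules() {
    wan="$1"
    cat <<EOF
# fresh chain (flush if it already exists, so the script can be re-run)
iptables -F wan_mgmt 2>/dev/null || iptables -N wan_mgmt
# replies to connections the router itself opened are not management traffic
iptables -A wan_mgmt -m state --state ESTABLISHED,RELATED -j RETURN
# anyone who is not the admin host gets nothing (older iptables: -s ! $ADMIN_IP)
iptables -A wan_mgmt ! -s $ADMIN_IP -j DROP
# throttle new SSH connections: the $((SSH_SYN_PER_MIN + 1))th SYN within 60 s is dropped
iptables -A wan_mgmt -p tcp --dport $SSH_PORT --syn -m recent --name ssh --set
iptables -A wan_mgmt -p tcp --dport $SSH_PORT --syn -m recent --name ssh --update --seconds 60 --hitcount $((SSH_SYN_PER_MIN + 1)) -j DROP
iptables -A wan_mgmt -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A wan_mgmt -p tcp --dport $HTTPS_PORT -j ACCEPT
# the admin host gets nothing else either (no telnet, no plain HTTP)
iptables -A wan_mgmt -j DROP
# hook the chain in front of everything else for WAN TCP (remove a stale hook first)
iptables -D INPUT -i $wan -p tcp -j wan_mgmt 2>/dev/null || true
iptables -I INPUT 1 -i $wan -p tcp -j wan_mgmt
EOF
}

# Interface from nvram on the router; "vlan2" is only an assumed fallback
# so the script can be previewed on a workstation.
WAN_IFACE="${WAN_IFACE:-$(nvram get wan_iface 2>/dev/null || true)}"
WAN_IFACE="${WAN_IFACE:-vlan2}"

case "${1:-print}" in
    apply) wan_mgmt_rules "$WAN_IFACE" | sh -e ;;
    *)     wan_mgmt_rules "$WAN_IFACE" ;;
esac
```

Two things to check before applying: that the admin host really has a fixed address (a DHCP-assigned home IP changing overnight locks you out exactly like the worm did), and that the rate limit is generous enough for your own use, since the `recent` counter makes no distinction between a failed and a successful login attempt.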