anuseems Posted February 13, 2014 (edited)

From » https://isc.sans.edu/forums/diary/Suspected+Mass+Exploit+Against+Linksys+E1000+E1200+Routers/17621

Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available). It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS server (8.8.8.8 or 8.8.4.4).

...The initial request sent by the exploited routers if they find port 80 or 8080 open is GET /HNAP1/ . HNAP is a REST based web service that can be used to administer these routers. It is possible that the exploited vulnerability is part of HNAP (it had problems in the past), or that HNAP is just used to fingerprint the router to select the right exploit to send.

If you've got one of these, be aware.

An ISC reader notes, "Might have something to do with this 0-day exploit http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

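For an ISP or network admin who wants to check for the indicator described in the quoted diary (a customer router walking IP addresses sequentially on port 80/8080), here is an added example that is not part of the original post or the ISC diary. It assumes a flow log with one "timestamp src dst dport" record per line; that format, the sample records and the `min_run` threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SCAN_PORTS = {80, 8080}  # ports named in the diary

# Constructed sample flows, assumed format: "timestamp src dst dport".
# 192.0.2.10 walks 198.51.100.1-8 on both ports; 192.0.2.20 browses normally.
SAMPLE = [
    f"2014-02-12T10:00:{i:02d} 192.0.2.10 198.51.100.{i // 2 + 1} {(80, 8080)[i % 2]}"
    for i in range(16)
] + [
    "2014-02-12T10:00:03 192.0.2.20 198.51.100.50 80",
    "2014-02-12T10:00:04 192.0.2.20 203.0.113.7 443",
    "2014-02-12T10:00:09 192.0.2.20 198.51.100.200 80",
    "2014-02-12T10:00:11 192.0.2.20 198.51.100.201 8080",
    "truncated line",
]

def longest_sequential_run(dsts):
    """Longest run of destinations that each step up by exactly one address."""
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        step = cur - prev
        if step == 1:
            run += 1
        elif step != 0:  # step 0: same host probed on the other port
            run = 1
        best = max(best, run)
    return best

def find_sequential_scanners(lines, min_run=5):
    """Return {source_ip: longest_run} for sources whose run is >= min_run."""
    per_src = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, src, dst, port = parts
        try:
            if int(port) in SCAN_PORTS:
                per_src[src].append(int(ipaddress.IPv4Address(dst)))
        except ValueError:
            continue  # non-numeric port or invalid address
    runs = {src: longest_sequential_run(d) for src, d in per_src.items()}
    return {src: run for src, run in runs.items() if run >= min_run}

if __name__ == "__main__":
    for src, run in find_sequential_scanners(SAMPLE).items():
        print(f"{src}: {run} sequential destinations on 80/8080")
```

Records must be fed in time order per source, since the check looks at the order in which destinations were contacted.
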
kn_andre Posted February 13, 2014

Just read the Article source too, but they did not Offer any Measures to take against it .... :( :( :(

Kudos for sharing .... Cheers ..

jackieo Posted February 13, 2014

buy a new router - I don't own that one so I'm good to go.

kn_andre Posted February 13, 2014

That's Rather drastic ....... :( :( :( .. A better Way should be found to Block / Stop this Exploit and fast too ...

Cheers ..

leland Posted February 13, 2014 (edited)

When you buy a new router get one that can use open source firmware like Tomato (most Asus routers work for this but check first) and you won't have to worry if the manufacturer cares enough to patch issues like this. This is why I moved away from Linksys and D-Link routers. However unlike Linksys, D-Link did patch security issues found in its older models a while back. I however do not trust they will care enough to do so. Stay safe... :)

PS There are some Asus models that can be had for under $50 that support this. You don't have to break the bank to get one.

BrainDedd Posted February 14, 2014

> When you buy a new router get one that can use open source firmware like Tomato (most Asus routers work for this but check first) and you won't have to worry if the manufacturer cares enough to patch issues like this. This is why I moved away from Linksys and D-Link routers. However unlike Linksys, D-Link did patch security issues found in its older models a while back. I however do not trust they will care enough to do so. Stay safe... :)
>
> PS There are some Asus models that can be had for under $50 that support this. You don't have to break the bank to get one.

The E1000 and E1200 should support Tomato anyway without getting a new router ... http://tomato.groov.pl/?page_id=69

ricktendo Posted February 14, 2014

I have an E2500, hopefully I am fine