[From nobody Tue Mar 24 08:27:38 2009
Return-Path: <alg-bounces@austinlug.org>
Received: from mail.rackspace.com ([unix socket])
	by mail.rackspace.com (Cyrus v2.3.8-Invoca-RPM-2.3.8-5) with LMTPA;
	Tue, 24 Mar 2009 03:22:39 -0500
X-Sieve: CMU Sieve 2.3
Received: from mx1.sat.rackspace.com (mx1.sat.rackspace.com [64.39.1.223])
	by mail.rackspace.com (8.13.1/8.13.1) with ESMTP id n2O8McOJ008978
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <tweeks@mail.rackspace.com>; Tue, 24 Mar 2009 03:22:39 -0500
Received: from slicehost.austinlug.org (slicehost.austinlug.org
	[173.45.237.134])
	by mx1.sat.rackspace.com (8.14.2/8.14.2) with ESMTP id n2O8MWgm022620
	for <tweeks@rackspace.com>; Tue, 24 Mar 2009 03:22:37 -0500
	(envelope-from alg-bounces@austinlug.org)
Received: from slicehost.austinlug.org (localhost [127.0.0.1])
	by slicehost.austinlug.org (Postfix) with ESMTP id A620926C31B;
	Tue, 24 Mar 2009 08:22:26 +0000 (UTC)
X-Original-To: alg@austinlug.org
Delivered-To: alg@austinlug.org
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.172])
	by slicehost.austinlug.org (Postfix) with ESMTP id 7E22A26C2D2
	for <alg@austinlug.org>; Tue, 24 Mar 2009 08:22:22 +0000 (UTC)
Received: by wf-out-1314.google.com with SMTP id 29so3125860wff.28
	for <alg@austinlug.org>; Tue, 24 Mar 2009 01:22:21 -0700 (PDT)
Received: by 10.142.185.21 with SMTP id i21mr3275321wff.220.1237882941522;
	Tue, 24 Mar 2009 01:22:21 -0700 (PDT)
Received: from ?192.168.0.151? (97-113-250-30.tukw.qwest.net [97.113.250.30])
	by mx.google.com with ESMTPS id b39sm9634703rvf.2.2009.03.24.01.22.20
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Tue, 24 Mar 2009 01:22:20 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v753.1)
In-Reply-To: <20090324074545.GA32374@io.com>
References: <20090324074545.GA32374@io.com>
Message-Id: <B2A94C90-588F-40CC-8300-AE1D0C1BC0DC@intarcorp.com>
From: "Jeremiah T. Gray" <jtg@intarcorp.com>
Date: Tue, 24 Mar 2009 01:22:17 -0700
To: "The Austin \(TX\) Linux and General Discussion Mailing List"
	<alg@austinlug.org>
X-Mailer: Apple Mail (2.753.1)
Subject: Re: [alg] Botnet worm attacks openwrt?
X-BeenThere: alg@austinlug.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "The Austin \(TX\) Linux and General Discussion Mailing List"
	<alg@austinlug.org>
List-Id: "The Austin \(TX\) Linux and General Discussion Mailing List"
	<alg.austinlug.org>
List-Unsubscribe: <http://austinlug.org/cgi-bin/mailman/listinfo/alg>,
	<mailto:alg-request@austinlug.org?subject=unsubscribe>
List-Archive: <http://austinlug.org/pipermail/alg>
List-Post: <mailto:alg@austinlug.org>
List-Help: <mailto:alg-request@austinlug.org?subject=help>
List-Subscribe: <http://austinlug.org/cgi-bin/mailman/listinfo/alg>,
	<mailto:alg-request@austinlug.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0836737665397815703=="
Mime-version: 1.0
Sender: alg-bounces@austinlug.org
Errors-To: alg-bounces@austinlug.org
X-PerlMx-Spam: Gauge=IIIIIIII, Probability=8%, Report='HTML_50_70 0.1,
	SXL_URI_NEW 0.1, __BOUNCE_CHALLENGE_SUBJ 0, __C230066_P5 0,
	__CP_URI_IN_BODY 0, __CT 0, __CTYPE_HAS_BOUNDARY 0,
	__CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0, __HAS_HTML 0,
	__HAS_LIST_HEADER 0, __HAS_LIST_HELP 0, __HAS_LIST_SUBSCRIBE 0,
	__HAS_LIST_UNSUBSCRIBE 0, __HAS_MSGID 0, __HAS_X_MAILER 0,
	__MIME_HTML 0, __MIME_VERSION 0, __SANE_MSGID 0,
	__TAG_EXISTS_HTML 0'
X-Length: 10890
X-UID: 54966


--===============0836737665397815703==
Content-Type: multipart/alternative; boundary=Apple-Mail-1--269783414


--Apple-Mail-1--269783414
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

 From the referenced article (http://dronebl.org/blog/8)

Infection strategy

Get a shell on the vulnerable device (methods vary). Once a shell is  
acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

So right off the bat, you're only vulnerable if you allow remote ssh/ 
telnet connections.  Weak (or default--ahem) passwords are probably  
the reason for the alleged 100k compromised hosts.

> How does one detect compromise?


Again from the referenced article:

It then takes several steps to lock anybody out of the device,  
including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

So you can presumably detect the presence of the software by your  
inability to access the compromised device via telnet, ssh, or http.




On Mar 24, 2009, at 12:45 AM, Paul Elliott wrote:

>
> This article on slashdot:
> http://it.slashdot.org/article.pl?sid=09/03/23/2257252
>
> claims that dsl modems-routers are being attaced by worms
> and that openwrt router are vunerable if not managed properly.
>
> What is the response from the openwrt people?
>
> How does one detect compromise?
>
> Router experts response?
>
>
> -- 
> Paul Elliott                       1(512)837-1096
> pelliott@BlackPatchPanel.com       PMB 181, 11900 Metric Blvd Suite J
> http://www.io.com/~pelliott/pme/   Austin TX 78758-3117
> _______________________________________________
> ALG Mailing List http://austinlug.org/cgi-bin/mailman/listinfo/alg


--Apple-Mail-1--269783414
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=ISO-8859-1

<html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; ">
=46rom the referenced article (<a =
href=3D"http://dronebl.org/blog/8">http://dronebl.org/blog/8</a>)<div><br>=
</div><div><div><i>Infection =
strategy</i></div><div><i><br></i></div><div><i>Get a shell on the =
vulnerable device (methods vary). Once a shell is acquired, the bot does =
the following things:</i></div><div><i><br></i></div><div><i># rm -f =
/var/tmp/udhcpc.env</i></div><div><i># =
wget</i></div><div><br></div><div>So right off the bat, you're only =
vulnerable if you allow remote ssh/telnet connections. =A0Weak (or =
default--ahem) passwords are probably the reason for the alleged 100k =
compromised hosts.</div><div><br></div><div><blockquote type=3D"cite"><div=
 style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">How does one detect =
compromise?</div></blockquote></div><div><br></div><div>Again from the =
referenced article:</div><div><br></div><div><div><i>It then takes =
several steps to lock anybody out of the device, including blocking =
telnet, sshd and web ports.</i></div><div><i><br></i></div><div><i># =
iptables -A INPUT -p tcp --dport 23 -j DROP</i></div><div><i># iptables =
-A INPUT -p tcp --dport 22 -j DROP</i></div><div><i># iptables -A INPUT =
-p tcp --dport 80 -j DROP</i></div><div><br></div><div>So you can =
presumably detect the presence of the software by your inability to =
access the compromised device via telnet, ssh, or =
http.</div><div><br></div><div><br></div></div><div><br></div><div><br></d=
iv><div><div>On Mar 24, 2009, at 12:45 AM, Paul Elliott wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><br></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">This =
article on slashdot:</div><div style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; "><a =
href=3D"http://it.slashdot.org/article.pl?sid=3D09/03/23/2257252">http://i=
t.slashdot.org/article.pl?sid=3D09/03/23/2257252</a></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><br></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">claims =
that dsl modems-routers are being attaced by worms</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">and that openwrt router are vunerable if not managed =
properly.</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">What is the response from the openwrt =
people?</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">How does one detect compromise?</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><br></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Router =
experts response?</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><br></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">--<span =
class=3D"Apple-converted-space">=A0</span></div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Paul =
Elliott <span class=3D"Apple-converted-space">=A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 </span>1(512)837-1096</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><a =
href=3D"mailto:pelliott@BlackPatchPanel.com">pelliott@BlackPatchPanel.com<=
/a> <span class=3D"Apple-converted-space">=A0 =A0 =A0 </span>PMB 181, =
11900 Metric Blvd Suite J</div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><a =
href=3D"http://www.io.com/~pelliott/pme/">http://www.io.com/~pelliott/pme/=
</a> <span class=3D"Apple-converted-space">=A0 </span>Austin TX =
78758-3117</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; =
">_______________________________________________</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">ALG Mailing List <a =
href=3D"http://austinlug.org/cgi-bin/mailman/listinfo/alg">http://austinlu=
g.org/cgi-bin/mailman/listinfo/alg</a></div> =
</blockquote></div><br></div></body></html>=

--Apple-Mail-1--269783414--

--===============0836737665397815703==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ALG Mailing List http://austinlug.org/cgi-bin/mailman/listinfo/alg
--===============0836737665397815703==--
]