Hi, team.

William Pitcock wrote:
> On Mon, 2010-02-22 at 16:21 +0200, Gadi Evron wrote:
>> Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.
>
> What makes this any different than psyb0t, which was discovered in the wild last year?
Or Coldlife aka Coldbot, which dates back to circa 2004 (at least)? It came bundled with a list of 2K+ compromised routers.

Secure your routers, folks! This includes D-Link, Juniper, and Cisco. They're all targets, and regularly exploited.

Juniper: SSH brute force, some telnet (ugh!) brute force.
Cisco: telnet and SSH brute force, some old web bugs.

<http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml>
<http://www.cymru.com/Documents/secure-ios-template.html>
<http://www.cymru.com/gillsr/documents/junos-template.pdf>

Updates and suggestions welcome!

Compromised routers are useful for DoS, sure, but more useful as proxies and IRC bounces. Remember the first big wave of DNS amplification attacks against Stormpay, et al.? That same perp built a large overlay network of tunnels between compromised routers (most of which spoke eBGP).

Concerned that your routers might be compromised? Send us a note at team-cymru@cymru.com and we'll let you know what we've seen. We'll need your ASN(s) or CIDR block(s).

Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);
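The brute-force activity Rob describes against Cisco and Juniper management ports leaves a trail in router syslog, and the templates he links recommend logging login failures. The script below is an added example, not part of the thread and not Team Cymru's or Cisco's code: it parses constructed syslog lines in the Cisco IOS %SEC_LOGIN format (emitted when `login on-failure log` / `login on-success log` are configured) and the standard sshd "Failed password" message as a Juniper box would forward it, flags any source address with a burst of failures inside a sliding window across all devices, and separately lists every login that arrived over telnet (local port 23) so cleartext management can be hunted down. The hostnames, addresses, thresholds and log lines are all hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real captures). Hostnames and IPs are
# documentation/TEST-NET addresses; the IOS lines mimic %SEC_LOGIN messages and
# the edge-jnp1 lines mimic a forwarded sshd "Failed password" message.
SAMPLE_LOG = """\
Feb 22 16:21:01 core-rtr1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:21:01 UTC Mon Feb 22 2010
Feb 22 16:21:02 core-rtr1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:21:02 UTC Mon Feb 22 2010
Feb 22 16:21:04 core-rtr1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:21:04 UTC Mon Feb 22 2010
Feb 22 16:21:05 core-rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:21:05 UTC Mon Feb 22 2010
Feb 22 16:21:07 core-rtr1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: user] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:21:07 UTC Mon Feb 22 2010
Feb 22 16:22:30 core-rtr1 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: noc] [Source: 192.0.2.33] [localport: 22] [Reason: Login Authentication Failed] at 16:22:30 UTC Mon Feb 22 2010
Feb 22 16:22:41 core-rtr1 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.0.2.33] [localport: 22] at 16:22:41 UTC Mon Feb 22 2010
Feb 22 16:25:00 core-rtr1 108: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 203.0.113.9] [localport: 23] at 16:25:00 UTC Mon Feb 22 2010
Feb 22 16:23:10 edge-jnp1 sshd[4242]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb 22 16:23:12 edge-jnp1 sshd[4243]: Failed password for admin from 198.51.100.7 port 40002 ssh2
"""

# Classic BSD syslog header: "Mmm dd HH:MM:SS host message".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# Cisco IOS login audit message (assumed format for this example).
IOS_LOGIN = re.compile(
    r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\].*?\[Source: (?P<src>[\d.]+)\].*?\[localport: (?P<port>\d+)\]")
# OpenSSH-style failure as forwarded from a Juniper box (assumed format).
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse_line(line):
    """Return a normalised event dict for a recognised login line, else None."""
    head = SYSLOG_PREFIX.match(line)
    if not head:
        return None
    # BSD syslog carries no year; datetime defaults it to 1900, which is fine
    # for computing deltas inside a single capture.
    ts = datetime.strptime(head["ts"], "%b %d %H:%M:%S")
    msg = head["msg"]
    m = IOS_LOGIN.search(msg)
    if m:
        return {"ts": ts, "host": head["host"], "src": m["src"], "user": m["user"],
                "port": int(m["port"]), "ok": m["outcome"] == "LOGIN_SUCCESS"}
    m = SSHD_FAIL.search(msg)
    if m:
        return {"ts": ts, "host": head["host"], "src": m["src"], "user": m["user"],
                "port": 22, "ok": False}
    return None


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak number of failed logins inside any `window`,
    counted across every device, for sources at or above `threshold`."""
    fails = defaultdict(list)
    for ev in parse_log(text):
        if not ev["ok"]:
            fails[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()           # events from different devices may arrive out of order
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1     # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_cleartext_logins(text):
    """Every login (failed or not) that arrived over telnet, as (host, src, user)."""
    return sorted({(ev["host"], ev["src"], ev["user"])
                   for ev in parse_log(text) if ev["port"] == 23})


if __name__ == "__main__":
    for src, n in find_brute_force(SAMPLE_LOG).items():
        print(f"brute force suspected from {src}: {n} failures within 5 minutes")
    for host, src, user in find_cleartext_logins(SAMPLE_LOG):
        print(f"telnet login on {host} from {src} as {user}: disable telnet")
```

Correlating per source across both routers is the point: the five failures on core-rtr1 and the two on edge-jnp1 come from the same scanner, and only the combined count makes the burst obvious. The telnet check is deliberately indifferent to success or failure, since the fix (removing `transport input telnet` in favour of SSH) is the same either way.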