The SANS Institute’s Internet Storm Center reports a surge in probes against port 32764, which matches the port used by an alleged backdoor in Linksys routers that was reported over the New Year’s Day holiday.
“At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network,” wrote SANS CTO Johannes Ullrich.
Ullrich said there was relatively little scanning activity on that port prior to Thursday, when three source IPs began probing it; as of this morning the ISC had logged close to 20,000 records against more than 4,000 targets.
Most of the probes are coming from one of the three source IP addresses in question, as well as from the Shodan search engine.
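The ISC advice above amounts to one check: find out whether any of your own hosts accepts a TCP connection on port 32764. The script below is an added example, not code from the article, from SANS, or from the researcher's GitHub post. It uses only the Python 3 standard library, does a plain TCP connect (it does not speak the backdoor's protocol, so an open port is a lead to investigate, not proof of the backdoor), and includes an offline self-check against a throwaway listener on 127.0.0.1 so you can confirm the detector works before pointing it at your own router's address. The sample addresses in the comments are constructed placeholders.

```python
"""Check your own hosts for a listener on TCP 32764 (added example, not from the page)."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SUSPECT_PORT = 32764  # the port named in the SANS ISC diary


def port_open(host: str, port: int = SUSPECT_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failure
        return False


def scan_hosts(hosts, port=SUSPECT_PORT, timeout=2.0, workers=32):
    """Return the subset of hosts that accept a connection on port, in input order."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, flags) if is_open]


def self_check():
    """Offline sanity check of the detector.

    Opens a throwaway listener on 127.0.0.1 (ephemeral port standing in for
    32764), verifies it is reported open, closes it, and verifies the same port
    is then reported closed. Returns (detected_while_listening, detected_after_close).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = port_open("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Usage: python scan32764.py <host> [<host> ...]
    # e.g.   python scan32764.py 192.168.1.1 203.0.113.7   (constructed sample addresses)
    targets = sys.argv[1:]
    if not targets:
        print("self-check (open detected, closed detected):", self_check())
    else:
        hits = scan_hosts(targets)
        for h in targets:
            print(f"{h}\t{'OPEN - investigate' if h in hits else 'closed'}")
        sys.exit(1 if hits else 0)
```

Run it with no arguments to exercise the self-check, then with the router's LAN address from inside the network and, as Ullrich suggests, with its public address from a host outside the network. The non-zero exit status on any hit makes it easy to drop into a scheduled job so a listener that appears after a firmware change is noticed.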
The alleged backdoor was disclosed in a GitHub post by French hacker Eloi Vanderbeken. He uploaded a PowerPoint presentation to GitHub describing the backdoor he found not only in five different Linksys DSL modem/routers, but also in a number of Netgear, Cisco and SerComm home and business boxes.
“I didn’t want to lose my time in writing a full report, it’s a very simple backdoor that really doesn’t deserve more than some crappy slides,” Vanderbeken wrote.
His slides describe his journey over Christmas to regain access to his home router’s admin console after losing what he describes as a very long and complex password. He began with an Nmap scan, which showed the router listening on TCP port 32764 and responding to a number of commands. After finding and downloading the firmware for his Linksys gear and reverse engineering its MIPS binary code, he found he could exploit a buffer overflow and cause the router to revert to its default settings.
Vanderbeken was then able to use this opening to get a command shell and write a script that gave him administrator access to the router.
It’s unclear from his GitHub entry whether any of the hardware manufacturers were notified of the weakness.
Researchers, meanwhile, spent a good amount of time last year looking at the security of home and small office networking gear and found a number of serious issues. Cisco Linksys EA2700 boxes were found to be vulnerable to cross-site scripting attacks, file-path traversal attacks, cross-site request forgery and even a potential source code disclosure, according to pen-tester Phil Purviance, who reported his findings to Cisco last March.
Prior to that, IOActive researchers Sofiane Talmat and Ehab Hussein shared research that demonstrated that home routers and modems from ISPs can be chained together to redirect traffic in click-fraud scams, keep blocks of users from reaching the Internet, or launch denial of service attacks. Talmat and Hussein were also able to take advantage of vulnerable firmware and upload their own in simulated attacks. Their new firmware took the place of factory-installed firmware, rendering factory-reset options useless.