Heads Up: DSL Router Vulnerability.



Murray P
07-06-2005, 09:35 AM
Read the linked Computer World article by Juha Saarinen (http://computerworld.co.nz/news.nsf/NL/38D7256C9E5E29D5CC257015000E4726) re D-Link 504G DSL routers shipped by Ihug, DSE and possibly others.

An extra precaution for anybody else who is running any brand of DSL router/modem: they should be aware that they need to change the login and password to the router's control panel from the default one that it shipped with (the issue above is a step up from that though).

John H
07-06-2005, 10:05 AM
Hmmm, that probably applies to Dynalink adsl routers as well, as you say Murray. They ship with a standard name/password. Have just changed mine! Thanks...

Jen
07-06-2005, 10:33 AM
I think it is more to do with the fact the remote administrator interface is open by default on those routers, and added to that are well known default username and password ... :rolleyes:

Terry Porritt
07-06-2005, 11:42 AM
In the Dynalink 'ADSL Router Quick Set-up Guide', there are 'Important tips for security' which cover just these very issues. That is, change the router's administrative user name and password, and do not enable remote access to the router unless you know how to handle security.

The other point made is not to send the router away for repair or replacement without resetting to factory defaults, or wiping internet account login details.

Chilling_Silence
07-06-2005, 04:40 PM
And this is "News"?!

People, the first thing you do when you get a router:
Change the Admin password (and username if possible)
Change the port, port 80 is no good
Change the settings for remote access (Unless you need it enabled for one reason or another)

News... Geez a quick port-scan will tell them who's vulnerable :p

b1naryb0y
07-06-2005, 04:47 PM
This further highlights the fact that you must always change the default password. You could take all possible precautions, and apply all security updates, but if you don't change the password you leave yourself wide open.

As always you shouldn't have any services running that you don't require, ie remote access.
Change the default port to something other than port 80, 8080 etc. And adopt the "block everything and only allow what I need" policy

Safari
07-06-2005, 04:48 PM
And this is "News"?!

People, the first thing you do when you get a router:
Change the Admin password (and username if possible)
Change the port, port 80 is no good
Change the settings for remote access (Unless you need it enabled for one reason or another)

News... Geez a quick port-scan will tell them who's vulnerable :p

It will be news for a lot of people. It is not just serious computer people getting broadband these days, it is the normal home user who doesn't know to update antivirus, has never heard of a firewall and doesn't even know to recycle the router first before calling for help if connection has dropped.

How do you expect them to change admin passwords and other router settings when they don't even know sometimes what a router is and what it does.

KiwiTT_NZ
07-06-2005, 04:51 PM
Good point Safari. How are we going to tell them?

Chilling_Silence
07-06-2005, 04:52 PM
To the average home user, I suppose, but it's not like it's late-breaking news, right?

My IP begins with 203.173.145, so a quick:
nmap -A -T4 -P0 -p 80 -vv 203.173.145.1-254

Will tell you who's open and who's not.... I did that one day a while back, but with Woosh... Found a couple of people who'd left their routers wide open with default passwords.

I was very tempted...... ..... ......

Murray P
07-06-2005, 04:58 PM
I could be wrong but, as I understand it, this is not just a simple matter of the admin login to the control panel and remote access. In this instance, it is wide open on the WAN side, similar to the Dynalink bug that allowed anyone caring to have a casual look, to access the router's settings including firmware. That's not just a user issue but a bug in the software.

b1naryb0y
07-06-2005, 05:02 PM
similar to the Dynalink bug that allowed anyone caring to have a casual look, to access the router's settings including firmware. That's not just a user issue but a bug in the software.

Sounds similar to the vulnerability currently affecting the DSL-504T (http://secunia.com/advisories/15422/) range

pctek
07-06-2005, 08:51 PM
Most of them have the login and password as **** we all know what.
Should be common sense to change it. In fact most documentation I have seen for various brands tell you to change it. Guess most people don't even RTFM.

Codex
07-06-2005, 08:53 PM
nope manuals are for n00bs

bmason
07-06-2005, 09:50 PM
I can confirm that my DLink 504g had port 80 open to the outside world by default. Was quite a surprise. They shouldn't even be allowing it to run on port 80.

John H
07-06-2005, 10:05 PM
Oh pullease, spare us all the self righteousness this thread is descending into, and "noob" stereotyping. I thought PressF1 had started to leave that behind in recent weeks.

I did RTFM at the time, and did see that instruction (or something like). I had both a hardware and software firewall turned on so didn't see much point in changing the default user name and password at the time - the priority then was to get the router set up and working.

Two years down the track and no intrusions. I just didn't choose to join Paranoics Anonymous at the time.

PS this is not a reply to bmason.

plod
07-06-2005, 10:17 PM
Was out wardriving last weekend and was totally amazed, not by how many hotspots we found but by the amount that weren't locked down. A quick look at what sort of router being displayed and using the default username and password and wham we are in. Didn't do anything nasty besides surfing the net and downloading a few files, checked the emails.
Just trying to locate one close to home so I can get internet for free LOL
P.S don't ask me how, I'm not the brains behind the operation (as some of you might have guessed)

Growly
07-06-2005, 10:43 PM
Wow - remote administering people's routers across the internet because they'd left them open with default passwords was so last year. Needless to say that anyone with a port scanner, a knowledge of the default webserver running on said router, and the ability to download a manual could do so much damage to poor unsuspecting net surfers...

Murray P
08-06-2005, 01:34 AM
Wow - remote administering people's routers across the internet because they'd left them open with default passwords was so last year. Needless to say that anyone with a port scanner, a knowledge of the default webserver running on said router, and the ability to download a manual could do so much damage to poor unsuspecting net surfers...

Not just picking on you Growly, but your post is a handy example.

For all like minded posters, pull your arrogant little egos in, shut up and listen for a second or two, long enough to absorb this.

Do you stop helping because a vulnerability was common knowledge to some here last year? Because the same stupid virus or dialler has struck again, because someone has a BIOS glitch that was patched years ago but only became apparent when they installed new hardware. Maybe we shouldn't help people who use Win98, it's so passe, we're too 1337 to bother our heads with it.

This router thing is similar to others, yes. It should have been fixed when first discovered in this model, yes. A whole bunch of routers are shipping that do not have the firmware patch to fix it, yes. There are other models with a similar problem that have just been discovered, yes. People will be caught out by this, yes. So what's your freakin problem, apart from the fact you can't be bothered anymore!

If you made it this far, congratulations on your improving attention deficit. If you didn't, you won't mind me telling you to go take a flying .... .... head

Dragonslayer
08-06-2005, 06:05 PM
Are the D-LINK modems that XTRA ship affected?

I currently use a Dynalink RTA770W, and that doesn't have any ports open on the WAN side for access (Telnet, HTTP etc), so is very secure.
I also changed the Web Admin Login name and Password to stop any LAN access to the configuration.

plod
08-06-2005, 06:24 PM
Wow - remote administering people's routers across the internet because they'd left them open with default passwords was so last year. Needless to say that anyone with a port scanner, a knowledge of the default webserver running on said router, and the ability to download a manual could do so much damage to poor unsuspecting net surfers...
well it might have been so last year, but just goes to show what's out there.

Graham L
08-06-2005, 06:46 PM
There's no need to get cross with each other. ;)

Default account name and passwords are always going to be with us. How else do you make a system secure by setting safe passwords and other settings if there isn't a way to get in? It often happens that passwords are forgotten. People die. People leave employment. There has to be a way to reset to a known configuration. Because that's a known configuration (with or without passwords) it is not a secure one.

There will always be people who don't read the instructions. There will always be people who read, then ignore the instructions. A small minority will have secure systems. ;)

Growly
08-06-2005, 09:32 PM
Wow - once again.

If it came across as arrogant, then I apologise - as I will again and again:

Perhaps, Murray P, you responded so because you felt that my post was an attack on you? I feel that you have a lot of personal angst, for to take this post and defend with such vigour? I'm sorry I struck a nerve, I mean no harm. Whatever the reason, I apologise. I sought not to criticise - my issue was simply that this is not new, and that it has been a long time threat. Although it is as real as ever, I was dictated by the cynicism I felt at the time to - with what could be taken (and was taken) as blatant arrogance - reiterate the fact that the threat is far from brand new, and is something we've had to deal with for much time, and will for much more time. This is something Chill himself said, but in less a caustic tone (and I commend him for it). In fact I went on to say exactly what you yourself did - although it may not appear as such.


well it might have been so last year, but just goes to show what's out there.

I completely agree, that's what I was trying to say. No contradiction necessary.


Do you stop helping because a vulnerability was common knowledge to some here last year? Because the same stupid virus or dialler has struck again, because someone has a BIOS glitch that was patched years ago but only became apparent when they installed new hardware. Maybe we shouldn't help people who use Win98, it's so passe, we're too 1337 to bother our heads with it.

You mentioned that my post was a handy example, and used it to deal with the group of posters you claim to fit the above description. That's fine - but let it be known that at no stage did I complain, at no stage did I refuse help, at no stage did I deny the value of this thread or its contents. In fact I love old-school.

Never, I assure you, would I actually use the term "so last year" in a self righteous manner, or in any manner not meant as a joke - for that would be actively encouraging the blatant Americanisation (no 'z') that our society frequently faces.

In the end I think I've become the target of a lot of built up anger for what I thought was an innocent - if not a poorly targeted - joke. I apologise, but you need not lecture me further.

Mantis
08-06-2005, 10:40 PM
so if you change the default password AND

disable HTTP Remote Access does this fix the vulnerability???

OR do you have to change the port for remote access even though it is disabled?

M.

Murray P
08-06-2005, 11:30 PM
so if you change the default password AND

disable HTTP Remote Access does this fix the vulnerability???

OR do you have to change the port for remote access even though it is disabled?

M.

One of the points is, this router has shipped with a firmware version that does not allow you to disable remote access.

Growly, take the word "example" literally, I include Chill and anyone else who dismissed the issue in jest or otherwise. If you want to take it individually I feel I said enough to point out otherwise.

Yep, I get pissed off from time to time and the attitude displayed by some in this thread did that for me, for sure. But no, I did not take it as a personal attack, I do not have a lot of personal angst, or collective for that matter and do not usually go around dissing people (not here anyway).

The only reason I got peeved was because a number of people "apparently" dismissed the issues and therefore downgraded an alert that will be relevant to a lot of people regardless of how "known" it is or, how trivial it is to rectify (except for the firmware fault that some still haven't caught on to).

Anyway, the benefit of the tiff, is that the thread has been kept alive for a little longer than it might have been so, good on ya everyone :thumbs:

jasinspace
15-01-2009, 02:03 PM
hi,

I just discovered this vulnerability on my dsl-504g router after doing a port scan. I have changed the password, disabled http remote access and changed the port number. Now can't access the router's web interface at all. I thought 'remote' meant via the internet. Can I regain access to the router's settings? Do I even need to??

I realize I have been open to intrusion for a long time! Is there anything I need to check to see if anyone still has access to my pc? The ShieldsUP port scan now says port 80 is 'stealth'.

thanks for your time,
jas

CYaBro
15-01-2009, 02:15 PM
hi,

I just discovered this vulnerability on my dsl-504g router after doing a port scan. I have changed the password, disabled http remote access and changed the port number. Now can't access the router's web interface at all. I thought 'remote' meant via the internet. Can I regain access to the router's settings? Do I even need to??

I realize I have been open to intrusion for a long time! Is there anything I need to check to see if anyone still has access to my pc? The ShieldsUP port scan now says port 80 is 'stealth'.

thanks for your time,
jas

What did you change the port number to?

You will need to enter it when trying to access the router's config page.
EG: If you changed the port number to 8080 and your router's IP address is 192.168.1.1 then enter this in your internet browser:

192.168.1.1:8080

Chilling_Silence
15-01-2009, 02:18 PM
You can always do a Factory Reset to bring things back to normal :)

jasinspace
15-01-2009, 05:19 PM
thanks guys. all sorted now :)