Yesterday we were notified by one of our contributors Fausto Zuin of unusual activity.
He was seeing lots of full TCP connect scans to destination port 23.
I examined data based on some of his attacking sources and noticed there was also
udp 161 packets coming from the same sources towards the same victims.
The pattern looks like this:
A couple of telnet attempts and a couple of SNMP attempts.
The telnet packets tend to be small in the 50-100 byte range.
The SNMP packets are slightly larger in the 120 byte to 140 byte range.
12 attacking IP addresses were fingerprinted and 10 appear to be D-Link routers.
I suspect someone is using snmp to reconfigure the router to its default
password or to read it's admin password and then accessing the D-Link via telnet
to modify the routers configuration or firmware.
The D-Link DWL-1000AP had an snmp based password confidentiality vulnerablity
reported back in 2001. There were a default SNMP communities that could
be used to read or reset the admin password.
"A MIB walk using the read-only SNMP community of 'public' (default
read-only community for most devices) can allow an attacker access to
the "admin password" to the access point listed in clear text in OID
188.8.131.52.4.1.9184.108.40.206.2.0 as a string value."
This particular model also had a single Ethernet based LAN interface.
So most consumers using this as an AP would have had to point the Ethernet
connection towards the Internet. In most cases the LAN interface is a
trusted management interface so I believe that would leave it wide open
to snmp and telnet attacks from the internet.
I doubt this attack includes changing the firmware of the router itself
to become router based self propagating worm while possible it is more
difficult then compromising one of the home systems. Given control of a device
like this in the network it would be relatively simple to redirect consumer's
traffic to a site with client side exploits that would compromise any computer
that was not fully patched.
If you believe your dlink router has been compromised and have any additional details
please contact us via the contacts link at http://isc.sans.org/contact.html.