Security

Default passwords: Change them or Chuck Norris might

Once again, cybercriminals are leveraging default passwords with malcode named after Chuck Norris. What's unusual is that the targets are not computers.

Untold numbers of experts have written about the importance of changing default settings on IT-related hardware. One example of why that's important is Psyb0t. That particular malware rapidly compromised over 100,000 devices simply because default passwords were not changed.

New contender

While researching botnet constructs for an upcoming article, I came across a post in the Prague Daily Monitor: Czech experts uncover global virus network. Not exactly what I was looking for, but my curiosity got the best of me.

The article describes how Mgr. Jan Vykopal (chair of Masaryk University's Network Security Department), while working for the Defense Ministry, uncovered an extensive network of zombie gateway devices. Vykopal mentions:

"Modems were among the attacked devices as they are only poorly protected. The viruses were able to deflect the communication of Internet users to servers where they could be wiretapped."

Similar exploit

I then realized the malware Vykopal uncovered was similar to Psyb0t. Both rely on the following default conditions to be in place:

  • Remote login to the device is allowed.
  • The default username and password for remote login were not changed.

What happens next

For argument's sake, say the malware becomes entrenched in a network's Internet gateway. That means the following is available to the attacker:

  • The malware can prevent access to the infected device.
  • The local network can be scanned for other vulnerable hardware.
  • The infected appliance can assist in distributed denial of service attacks.
  • The malware could launch password dictionary attacks on local computers.
  • The attacker can change the gateway's DNS settings.

Changing DNS settings, that's not good. While doing research for an article about Drive-by Pharming, I learned how easily malware can redirect Web browsers to malicious Web sites and their viral download droppers.

One good thing

For some reason, the malware developer decided to control the botnet via IRC, a technique that allows analysts to ferret out the command and control servers, thus limiting their usefulness. Also, the malware resides in the device's RAM, so all it takes is a restart to remove the malcode.

Preventative measures

Fortunately, this malware is easy to avoid. The following steps should keep your network's gateway device safe:

  • Disable remote access.
  • Change all default login settings.
  • Use a strong password.
  • Disable Universal Plug and Play.
  • Reboot the device.
  • Check for firmware updates and install if any are found.
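The two preconditions listed under "Similar exploit" and the checklist above are simple enough to turn into an automated check. The Python below is an added example, not code from the article or from any router vendor: it audits a configuration snapshot (a constructed dict standing in for what a device's admin page or settings backup reports; the field names are my own) against those points and flags what still needs changing. The factory credential pairs and the resolver allow-list (OpenDNS's published addresses) are assumptions made for the demonstration, and 203.0.113.5 is a documentation address standing in for a tampered resolver.

```python
from datetime import date

# Constructed table of factory logins; any pair found here counts as "unchanged".
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "password")}

# Assumed allow-list: the resolvers the operator chose (OpenDNS addresses as the sample).
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}


def password_is_strong(password, min_len=12):
    """Length plus at least three character classes; a simple stand-in for a real policy."""
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= min_len and sum(classes) >= 3


def audit_gateway(cfg, today):
    """Return a list of 'CODE: advice' strings, one per checklist item that fails.

    cfg keys (hypothetical names): remote_admin, admin_user, admin_password,
    upnp, dns_servers, firmware_date.
    """
    findings = []
    if cfg["remote_admin"]:
        findings.append("REMOTE_ADMIN: management reachable from the WAN; disable it")
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append("DEFAULT_LOGIN: factory username/password still in place; change both")
    elif not password_is_strong(cfg["admin_password"]):
        findings.append("WEAK_PASSWORD: use a longer passphrase with mixed character classes")
    if cfg["upnp"]:
        findings.append("UPNP: Universal Plug and Play enabled; disable it")
    rogue = sorted(set(cfg["dns_servers"]) - TRUSTED_DNS)
    if rogue:
        findings.append("DNS: unexpected resolvers %s; check for tampering" % ", ".join(rogue))
    age_days = (today - cfg["firmware_date"]).days
    if age_days > 365:
        findings.append("FIRMWARE: image is %d days old; check the vendor for updates" % age_days)
    return findings


def finding_codes(findings):
    """Just the CODE part of each finding, handy for summaries and tests."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed snapshots: one as shipped from the factory, one after the checklist.
FACTORY = {
    "remote_admin": True,
    "admin_user": "admin",
    "admin_password": "admin",
    "upnp": True,
    "dns_servers": ["203.0.113.5"],      # constructed: not on the allow-list
    "firmware_date": date(2008, 6, 1),
}
HARDENED = {
    "remote_admin": False,
    "admin_user": "gatekeeper",
    "admin_password": "Correct-Horse-42-Battery",
    "upnp": False,
    "dns_servers": ["208.67.222.222", "208.67.220.220"],
    "firmware_date": date(2009, 12, 1),
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, finding_codes(audit_gateway(cfg, date(2010, 3, 1))))
```

The reboot step has no counterpart here on purpose: a settings snapshot cannot show whether something is resident in RAM, so run the audit after the device has been restarted, and re-run it periodically, since a DNS change is the one item on the list an intruder would make for you.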

Why Chuck Norris?

I guess the developer of this particular malcode is a Chuck Norris fan, hence the moniker:

"The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: ‘in nome di Chuck Norris', which means ‘in the name of Chuck Norris'."

I'd be okay with the name if that's what everyone would use. Sadly, that never seems to happen. I wonder how many different names this Chuck Norris malware will eventually have.

Final thoughts

Luckily, not becoming part of the Chuck Norris botnet is relatively easy. If it doesn't seem that way, please let us know in the comment section. TechRepublic members are more than willing to help.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

130 comments
wusang

I do appreciate this article's main gist is to really caution us not to ignore the very simple task of changing the default login/password. Even just changing the password alone can prevent such a "bot" from accessing our network, at least not being an easy cheese target and getting targeted right away. For the smaller scale, down to our very own wireless network with our home networks, for example. Some drive-bys can have some fun with some of these new wireless routers that still have the default login/password and they can change them for you, and then you wonder why your home wireless access suddenly disappeared, etc. Worse, if a shared printer is online, perhaps they would just print 99 pages of something, lol. Good article, Michael.

jkameleon

It's the simplest and only effective defense against it.

Ocie3

When DNS IP addresses are specified for a user's computer [i]via[/i] the Properties for the Windows XP Local Area Connection (which is the connection between the computer's Ethernet adapter and a gateway router to the Internet), do they take precedence over any DNS IP addresses that a router is configured to use?

Ocie3

How sad. Thank-you, Michael, for an interesting and provocative article. Who knew? Years ago, when I was quite new to the role of home computer network admin, my landlord signed on for Comcast broadband and he was allowed to let me use it, too. So, his girlfriend gave him an old Speedstream router that had two ports. About the only thing which I can remember about that router was, while its firewall was activated, we could not also run firewalls on our respective computers. If we did, then we could not send or receive any packets from the Internet. I never found out why that occurred or whether there was some configuration remedy for it. The router was not accompanied by much documentation, only basic instructions for cabling it and accessing the configuration interface, but not what the options were or what they did. What I overlooked, though, was resetting the password, which his girlfriend had not done, so it was still "admin". To make a long story short, someone gained access to the router [i]via[/i] the Internet, changed its password, and used the router to access my computer while it was running and I was using it. No malware, just a real-time hacker who began by disabling Norton Anti-Virus. When I realized what was going on, of course, I disconnected my computer from the router.

That is why today I have a Cisco Linksys WRT54G NAT router that is cabled (1) to the Ethernet adapter on my computer and (2) to the ISP's "DSL modem", a Zyxel (?) 660 Series router that reportedly has a DHCP server running in it. Although I "purchased" that router from my ISP, I do not have any access to it, or, at least, I've never been told how to access it. Of course, I do not have documentation for it, just some basic cabling instructions for installing the hardware. The "dynamic" IP address assigned by the ISP does not, in fact, change for several weeks or even months, apparently unless and until I power off/on the "DSL modem".

With regard to the Linksys router, when I first installed it (replacing the old Speedstream router), I implemented all of the preventive measures that are recommended in your article. Nonetheless, let's hope that the "virus" which attacks network devices does not go any further than Europe, Asia and South America. But I would not bet that it won't.

james.prial

Do I need to change the default password for my router too?

Neon Samurai

.. It just stares at it until the router cracks itself. Hehe.. read that in another article on the subject. (Chuck Norris can kill two stones with one bird)

seanferd

Unless your upstream device can force or block DNS requests, and is set to do so.

savio.lau

To James: You should definitely change your default password. That's the first step in making your router secure. Better yet - you should further lock it down. Many routers provide management functions over the Wifi link and/or the Internet (called remote management in Linksys routers). These should be disabled. If you only allow wired connections from inside the network to access the router admin functions, a lot of the attack risk is mitigated right away. Many routers also can be forced to set the administration page as https access only. This helps to prevent password snooping. I have to say that, after some analysis, the code for this attack is not new and has been around. We found sections of the Trojan Mytob inside: http://www.sophos.com/blogs/gc/g/2010/02/23/routers-poor-passwords-risk-chuck-norris/ Mytob has been around for a few years already, so the password they attempt to crack is well known. So why wouldn't anybody want to change from a password that is already public knowledge? Savio Lau, SophosLabs Canada

cliff

I change the defaults on ANYTHING I put into service. Default passwords have been a quick and easy exploit since the inception of networking.

Michael Kassner

I recommend that any default configuration be changed. I don't know your network topology, but there may be a way for the bad guys to get to the router.

seanferd

Chuck Norris doesn't have a chin under his beard. He has another fist.

Ocie3

As far as I can determine, the Linksys WRT54G does not have an option to force or block DNS requests, although it has an option to enable a DHCP server which enables an option to specify as many as three DNS IP addresses. According to the article, under "What Happens Next", Chuckle can "change the router's DNS settings". As long as the settings do not overrule a DNS IP address specified by the operating system, that would not matter. (But I suppose that some routers can filter DNS requests and send their own instead.)

JCitizen

that is the only way to log onto my router from the interior - exterior is blocked.

james.prial

Thanks Savio. The router I have (Linksys BEFSR41) is not wireless at all. I can't find anywhere in the settings to use https access only..

Michael Kassner

I remember Mytob and have written about it. Yet, I do not see the comparison. Mytob attacked computers. This malware is completely focused on perimeter devices.

dayen

It only takes once, and you change all default passwords and names. No "Administrator"; instead something like "chuckapoo" for Chuck. Don't give them a starting place; make it hard: 26 letters to start, 36 letters if Russian. Users hate us, but we're secure.

seanferd

Well, I sure am glad it was that simple. Sweet. :D

JCitizen

I've always wanted to catch a rootkit on my honeypot in the lab, but apparently my in-depth defense strategy has abated this so far. I don't violate any of my defensive measures, as that would be pointless of course, in proving whether the security utility of my defense actually works. I have run GMER and rooted out many troublesome infections on client computers though. I'm not sure all versions of kernel mode rootkits can be flushed out by it. If you trust the developer from the PRC who wrote Icesword, it has a serious reputation as an undefeatable rootkit blood-hound.

Ocie3

It is interesting that the firewall resolved 204.69.234.0 as it did. It doesn't surprise me that there is no domain associated with it. Either Internet Media Network Inc. owns that IP address, or Ultra DNS Network owns it, and the relationship between the two is unclear. According to WhoIs By IP Address (which I posted previously on this thread), the CIDR is 204.69.234.0/24. The acronym means "Classless Inter-Domain Routing" as explained by: http://encyclopedia2.thefreedictionary.com/Classless+Inter-Domain+Routing FWIW, I have been running Malwarebytes Antimalware about once a week for several months. It has never detected any malware on this computer, neither has any other anti-malware scanner. Is it just me or are you, too, seeing a recent rise in false positives?? Hijack This reported some DPFs remaining for an uninstalled program, and I had it remove them, nothing else unusual. But I ran it after fixing the HOSTS file. ;-) [b]Now[/b] the firewall network log Line 0 shows the svchost.exe DHCP server outbound UDP packet remote point as 255.255.255.255:67 (!) ... which actually looks familiar. Line 1 is unchanged; the Linksys WRT54G DHCP server (192.168.1.1:67) sends a UDP packet to the svchost.exe DHCP server via the Ethernet NIC (192.168.1.21:68). I probably replaced HOSTS, with the one from MVPS that was created on 2009-12-22, during the last week of December. However, it still seems as though that weird Line 0 entry has been there for much longer. So many things happened in January it just seemed like six months instead of one, I suppose! Interesting what a missing "comment" (#) symbol can cause, isn't it! Thank-you [i]very[/i] much, Seanferd, for all of the time and effort that you spent to help me find the source of the weird entry on Line 0 of the firewall network log. Thumbs up!

seanferd

You can eliminate a lot of the normal traffic with filters. I think that the IP technically uses UltraDNS nameservers. There just doesn't seem to be a domain name associated with the address. Or the packets are somehow being routed through the /24 that UDNS owns here. http://www.corporationwiki.com/Florida/Bradenton/internet-media-network-inc-2802547.aspx Hrm. http://whois.domaintools.com/188.40.35.42 I would seriously consider running http://www.malwarebytes.org/mbam.php or at least http://free.antivirus.com/hijackthis/ Check your HOSTS file. I believe you may find something. http://www.google.com/search?q=204.69.234.0

Ocie3

in this context is something that I don't quite comprehend. [i]i.e.[/i], as to what is going on in the two UDP exchanges. (1) Why would the svchost.exe DHCP server send a UDP packet [b]from[/b] local point "All:68" [b]to[/b] "Media][AS12008]204.69.234.0:67 ?? That would be a UDP packet from "Bootstrap Protocol Client" to "Bootstrap Protocol Server". (The start of the string for the remote point appears to be the firewall's attempt to resolve the IP address to a URL, and the only one that I can recall seeing which looks like that.) (2) The next line logs the WRT54G router at 192.168.1.1:67 sending a packet to 192.168.1.21:68 (the Ethernet NIC), and the firewall reports that the svchost.exe DHCP server is the recipient. That would be a UDP packet from "Bootstrap Protocol Server" to "Bootstrap Protocol Client". On the face of it, the exchanges are made because the DHCP servers run by svchost.exe and by the router, respectively, are booting but that is not useful information. Looking at robtex.com for 204.69.234.0, the reference to AS12008 seems to be a DNS server, a node on the UltraDNS network of servers (-?-). Whether that IP address is for that DNS server, or it is instead for a device that is linked to the DNS server, is not clear to me. With regard to Wireshark, I have the most recent version installed with the most recent version of WinPCap. I have looked at some traffic real-time. So far, I have not defined any filter(s) to collect specific packets in a capture file. I need to read more of the documentation. .... much more!

seanferd

is even scarier. Not that it is necessarily how those ports are being used by whatever is using them. Have you ever tried Wireshark?

Ocie3

WhoIs By IP Address (http://tools.whois.net):

OrgName: Internet Media Network, Inc.
OrgID: IMN-4
Address: 420 S Smith Rd
City: Tempe
StateProv: AZ
PostalCode: 85281
Country: US
NetRange: 204.69.234.0 - 204.69.234.255
CIDR: 204.69.234.0/24
NetName: MAILORDER3
NetHandle: NET-204-69-234-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Assignment
NameServer: UDNS1.ULTRADNS.NET
NameServer: UDNS2.ULTRADNS.NET
Comment:
RegDate: 1994-08-26
Updated: 2000-09-19
RTechHandle: RJ48-ARIN
RTechName: Joffe, Rodney
RTechPhone: +1-480-858-9000
RTechEmail: rjoffe@centergate.com
_____________________

Maybe I should query Mr. Joffe as to why the svchost.exe DHCP server would send a UDP packet to Internet Media Network, Inc. every time that Windows XP boots. On the face of it, perhaps it is behavioral tracking, and if that is the case, maybe I should sue them for invasion of privacy. If it were a front for a botnet, then I think that my computer would likely be too busy for me to do much with it. Certainly, over time the computer has become slow to launch programs, and there is evidence (mostly old, not as much recently) that an undetectable rootkit has existed on this computer. It seems likely that it has invaded again since I most recently ran Darik's Boot And Nuke (DBAN) to wipe the HDD, then re-installed everything afresh. So I have been working toward doing that again.

santeewelding

I get the first part. The second part escapes me by design.

JCitizen

and maybe heavily brow beat the ISP people for making my clients use them. Maybe have my lawyer call them? HA! ]:)

Ocie3

I gave up Internet gaming for Lent, and I'm still suffering withdrawal symptoms! If I quit using the Internet for anything, then that would be a radical change indeed. Not that I wouldn't have anything to do, though. The router is not essential to using the Internet, but without its firewall, the software firewall would really become overburdened, using many more CPU cycles just to process and [i]drop[/i] the packets which are currently dropped by the router's firewall. So the router is worth it.

Ocie3

Quote: "However, if the DNS can be changed in the LAN config, DHCP will push those addresses to the other devices in the network, providing DHCP is on for DNS in those devices as well." Funny that you should mention it. One instance of svchost.exe runs a DHCP server every time that Windows XP boots. IIRC, that began about seven months ago, and AFAIK I did not do anything to enable it. It might have begun running after a Microsoft Patch Tuesday (August or September 2009 -?-). Since then, the UDP packet that the svchost.exe DHCP server sends to Media][AS12008]204.69.234.0:67 is always the first line of the firewall network log. The next line always records an [i]inbound[/i] UDP packet [b]to[/b] 192.168.1.21:68 (the Ethernet NIC on my computer, Port 68) [b]from[/b] 192.168.1.1:67, which I suppose is the router's LAN address, using Port 67. That line was also never recorded before svchost.exe began running its DHCP server. When I turn the svchost.exe DHCP server off by using the Windows XP Administration Services utility, evidently nothing can access the Internet -- at least not [i]via[/i] the OS! I certainly did not have that problem [b]before[/b] svchost.exe began running its "DHCP service". At present, the DHCP server is enabled in the Linksys WRT54G router but no DNS IP addresses are specified. I have specified DNS IP addresses in the router before and deleted the ones that I had configured [i]via[/i] Properties for the Windows XP Local Area Connection (the Ethernet NIC). After Steve Gibson's criticism of consumer routers on the [i]Security Now![/i] podcast, I decided to delete them from the router, and returned to specifying them for the LAC [i]via[/i] the OS. AFAICD, those are the DNS IP addresses that are in use. For example, the Gibson Research Corp. "DNS Nameserver Performance Benchmark" utility shows the three IP addresses that I've specified as the ones that it uses for the benchmark test. 
If I deleted them from the LAC Properties and recorded them for the WRT54G DHCP server instead, I don't know what the Benchmark utility would show.

seanferd

If the modem is capable of redirecting DNS requests, then I agree. You'd have to find out if the modem can do that, or if it has been flashed with malware from the WAN side that can do that. Some modems do this, in fact. Some ISPs do it, but that is a bit of a different animal. And if someone took over a BGP router...

seanferd

Nor the routers from a lot of vendors. I don't think any Linksys, 2Wire, Belkin, D-Link, etc. do this. It is usually a smaller brand, designed to be "easy" for the customer. The really weird ones are those (even the bigger brands) which have all sorts of extra bells and whistles, like URL blocking, timed blocking, etc., but don't allow you to turn off DHCP just for DNS on the WAN side. Plain odd, IMO. Question, Michael: What if your clients have a networked LAN where they expect to share files between computers? Configuring OpenDNS on the local machine tends to break local name resolution. I realize that you can fix that by editing HOSTS files in a statically-addressed network, or that "VPN" exceptions can be configured at OpenDNS (some do automatically via the in-house v2 updater). But with the OpenDNS exceptions type of config, you still have LAN requests going out over the net and depending on an NXDOMAIN response. (And I can't tell you how many enterprise networks seem to rely on this.) A pet peeve of mine is junk DNS requests, and other junk packets like spam. So, sorry if I'm like pontificating or something. ;)

JCitizen

on that site, that should be at least encouraging to you Michael! HA! :)

JCitizen

My gateway is now getting long in the tooth, but I did notice it rebooted on some heavy load I was giving it. I was able to log on using correct credentials but no configuration changes were evident. However, there was no log of the event either!! At least your information points to the cause. I may have to buy a new ZoneAlarm Z100, as it should have all the new hardware by now. They use GPL linux for their firmware, as does my old Sofaware. Checkpoint prices range from 170 or so to a little over 200 and up from there. Of course services stack on top of that, if you want filtering.

Michael Kassner

I don't think my Netgear devices do. Or as I mentioned earlier, I assign OpenDNS right on the workstations.

Michael Kassner

I never allow the perimeter device to assign DNS. If it is a small client, I statically set OpenDNS on the individual workstation. Just because of all the DNS issues that now exist.

Michael Kassner

I remember that now. That's one reason why I use another hardware firewall between the DSL/Cable gateway device and the internal network.

seanferd

Just to add my little comments:

Quote: "It never occurred to me to use the router's LAN address to specify the DNS for the WinXP Local Area Connection."
It is quite possible your router does not work that way.

Quote: "For that matter, I'm not sure what its LAN address is. Of course, http://192.68.1.1 accesses the router's configuration interface."
Usually, one and the same, unless you've configured it differently.

Quote: "Currently the DHCP server is enabled and the router assigns LAN addresses 21 - 70 (I don't know how it would work, if I didn't do that),"
That's DHCP for you.

Quote: "but no DNS IP addresses are specified."
Usually, I'd imagine that there would not be any. But if you can turn off DHCP/auto for just DNS on the WAN side (facing to your modem), you can statically configure DNS servers besides your ISP's. This takes precedence over the modem (unless the modem or ISP redirect all DNS requests*). And if the client computers' DNS config points to the router (very likely 192.68.1.1) as shown in TCP/IP settings or ipconfig /all output, the DNS server addresses configured in the router's WAN/internet config will be used.

* There are ways of getting around this, usually, by forcing DNS on TCP 53, UDP 5353, or TCP 5353. Can be done with the right router/firmware, or a program like Delegate run from a client computer.

seanferd

I agree completely with what you are saying, to my knowledge. Client can point to router, or directly to internet DNS (assuming no servers). Router should point to an internet DNS server, or happy campers there will not be. But, and maybe this is our point of confusion, some routers push the internet DNS server config to the clients. I kid thee not. I believe all Airport routers do this, for example. But this behavior also seems to occur in a lot of routers from unmemorable vendors, along with a lot of other really odd behaviors. Was that it?

Neon Samurai

I should also have mentioned; under the admin section is an option to download a backup of your router settings or upload an existing settings.bin file; use it. Based on past experience and Sinister's more recent run through several router brands, I'm convinced that it's the hardware not holding up to the traffic. If you put enough load on your router, you may find that every few months (I'm in around six months'ish), it dumps all its settings and when you connect in, you find the admin defaults back in place. You can set it all by hand again but if you've a settings.bin backup, you just upload it, reboot the router and continue with no more than five minutes "fix" time. The oddity seems to be a huge gaping hole in the router market. The consumer routers do their job but can be overwhelmed, in the 100~200$ range, fair enough. In the enterprise market, you're looking at $2000+ routers for cisco and such but they're going to take a heck of a load without complaint. In-between, there's nothing; a big open space. This is the domain of homebuilt routers; take a Pentium2 with ram and two NICs and clarkconnect/clearOS, a raw Debian install or whatever else turns it into a dedicated gateway/router machine (including wifi NIC). I've no idea what your network traffic needs are like but it's something to keep in mind if you find your consumer router falls over too frequently.

Neon Samurai

Years ago, Linksys stopped delivering firmware updates for my router so I went through the alternative firmware available at the time; Tomato, dd-wrt, OpenWRT, an OpenWRT fork with browser interface. Tomato is a good starter. It's limited compared to the others but is the Ubuntu of new users to router firmware. dd-wrt is my preference due to a larger feature set than Tomato without going to the industrial extreme of OpenWRT. OpenWRT is some serious alternative firmware. It's command line administrated like a Cisco box. If you're comfortable getting around a Linux box by cli for firewall, routing and such then it's worth a look. There is also a package manager for adding software in; my week with OpenWRT included a few interesting additions like a kismet type wireless scanner. I can't remember the name of it but there is a version of OpenWRT that comes with a browser interface. I ran it for about a month before settling on dd-wrt. There are about three other more obscure alternative firmware kicking around but I never remember their names.

On my dd-wrt, there are two tabs for DNS; setup and services.

Under setup:
local dns = 0.0.0.0
static dns 1 = opendns 1
static dns 2 = opendns 2

Under services:
use domain = lan&wan
domain = lan (makes my machine names become machinename.lan)
dnsmasq = enabled
localdns = enabled

The router issues 192.168.1.1 to the internal machines by dhcp as the DNS address. It then sits in the middle forwarding the requests to the static1 and static2 external dns. This means it can forward on external domain requests and intercept local domain requests (machine.lan). For your IP addresses, the IP you connect to webforms with is the internal IP of the router box. It should be providing dhcp for your internal machines and taking its external IP from the ISP's modem plugged into the outside port. If the ISP modem worked with the linksys firmware, it'll work just fine with the dd-wrt; there should be no changes needed for it.

Last: the install. DD-wrt is kind of a big firmware so when you first install it you'll download two files. A dd-wrt-mini.bin type applicable filename and the dd-wrt-general.bin (or voip.bin). You first install the mini firmware which can be done through the Linksys existing firmware update admin page. Once the mini firmware is in place, you go to its firmware admin update page and upload the generic.bin or voip.bin or vpn.bin as preferred. The bigger firmware adds on the additional features beyond the basic features in the mini.bin firmware. Of course, you should take some time to go through the dd-wrt.org (or is it .com now) website. The supported hardware list is extensive and also directs you to the firmware download pages. WRT54G is supported so drop that in the HCL form field and it'll give you the firmware links. They also have a good howto on installing the firmware along with other things; look for the dd-wrt wiki section. What is interesting also is alternative firmware for NAS boxes. When I got my Linksys NAS200, there was a very early OSS firmware in development but not close to the maturity of trusting my data to it yet. I should go back and see how it's progressed. The NAS200 stock firmware makes "limited" look expansive by comparison.

Michael Kassner

My routers, albeit they are not consumer grade, divide that up. What the router points to and what the clients point to can be two completely different DNS sources. Or am I not understanding what you two are referring to?

Michael Kassner

My research has not shown that the invasive malware is that intelligent.

Ocie3

How long has [i]that[/i] been around? Just kidding! But somehow the thought never crossed my mind. Since the Linksys router is probably out of warranty, maybe I should consider your suggestion. It never occurred to me to use the router's LAN address to specify the DNS for the WinXP Local Area Connection. For that matter, I'm not sure what its LAN address is. Of course, http://192.68.1.1 accesses the router's configuration interface. Currently the DHCP server is enabled and the router assigns LAN addresses 21 - 70 (I don't know how it would work, if I didn't do that), but no DNS IP addresses are specified. According to the firewall network log, the IP address of, to quote the firewall Help, "Local point ? local IP address (name of the computer)" is 192.68.1.21. I've always thought of that as the LAN address for the Ethernet adapter of my computer. Of course, the IP address assigned by the ISP is for the "DSL modem" (router) which is connected to the WRT54G router. Legally, I own the "DSL modem" insofar as I bought it from Embarq, but I don't have documentation for it, or know the IP or LAN address to use to configure it. That said, AFAICD, it has been a while since Linksys issued a firmware update for the WRT54G and I don't expect any more. To update the firmware, I just downloaded and ran the corresponding program. If DD-WRT installs that easily, and the installer can be run on Windows XP, then maybe it would be worthwhile. Before I do that, I should find the most recent firmware update from Linksys, so that I can restore it if DD-WRT doesn't work out. Thanks for the tip!

seanferd

The DNS specified on the computer usually points to the LAN address of the router, thereby using whatever resolvers are configured in the router. However, if the DNS can be changed in the LAN config, DHCP will push those addresses to the other devices in the network, providing DHCP is on for DNS in those devices as well. Some rather stupid ones actually work this way by default, or only this way. If you are a particularly adventurous sort, you could flash your router with DD-WRT, and check out the possibilities that open source firmware has to offer. It has a web interface as well as a CLI.
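seanferd's point, that a router hands resolver addresses to its clients through DHCP, is what lets a tampered gateway DNS setting reach every machine on the LAN, and it is also the packet shape behind the UDP 67/68 exchange Ocie3 describes in the firewall log earlier in the thread (the server side of DHCP uses port 67, the client side port 68). The example below is mine, added here, not code from seanferd, the article or any router firmware: it builds a constructed DHCP OFFER, parses option 3 (router) and option 6 (DNS server list) out of it, and flags any pushed resolver that is not on an allow-list. OpenDNS's published resolver addresses plus the router's own LAN address serve as the sample trusted set; 203.0.113.5 is a documentation address standing in for an injected resolver.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options area
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

# Assumed allow-list: the router itself (dnsmasq-style forwarding) and OpenDNS.
TRUSTED_RESOLVERS = {"192.168.1.1", "208.67.222.222", "208.67.220.220"}


def build_dhcp_offer(yiaddr, router, dns_servers):
    """Constructed sample: the 236-byte BOOTP header, magic cookie, then options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                   # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x12345678, 0, 0,                             # xid, secs, flags
        b"\0" * 4,                                    # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,         # yiaddr: address being offered
        b"\0" * 4, b"\0" * 4,                         # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128)          # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, 2])             # option 53: DHCPOFFER
    options += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options += bytes([OPT_DNS, len(dns)]) + dns       # option 6: one or more resolvers
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def is_dhcp(packet):
    """True if the payload is long enough to carry DHCP options and has the cookie."""
    return len(packet) >= 240 and packet[236:240] == MAGIC_COOKIE


def parse_dhcp_options(packet):
    """Return {option_code: raw_value} from the options area, stopping at END."""
    if not is_dhcp(packet):
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        if i + 2 + length > len(packet):
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def pushed_dns_servers(packet):
    """The resolver list (option 6) the server is handing to the client, as strings."""
    raw = parse_dhcp_options(packet).get(OPT_DNS, b"")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) // 4 * 4, 4)]


def check_offer(packet, trusted):
    """Summarise the offer and list any pushed resolver outside the allow-list."""
    options = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get(options[OPT_MSG_TYPE][0], "UNKNOWN") if OPT_MSG_TYPE in options else "BOOTP"
    dns = pushed_dns_servers(packet)
    return {"type": msg_type, "dns": dns, "untrusted": [d for d in dns if d not in trusted]}


# Constructed packets: a normal offer, and one where the gateway's DNS has been changed.
SAMPLE_OFFER = build_dhcp_offer("192.168.1.21", "192.168.1.1", ["192.168.1.1"])
TAMPERED_OFFER = build_dhcp_offer("192.168.1.21", "192.168.1.1", ["203.0.113.5", "192.168.1.1"])

if __name__ == "__main__":
    print(check_offer(SAMPLE_OFFER, TRUSTED_RESOLVERS))
    print(check_offer(TAMPERED_OFFER, TRUSTED_RESOLVERS))
```

To use this on live traffic, feed `check_offer` the UDP payload of packets arriving on port 68 (Wireshark or a raw socket on the client will give you that); anything the router pushes that you did not configure is the kind of silent DNS change the article warns about. The option walk stops at END and checks every length against the buffer, so a malformed or truncated packet raises rather than reading past the data.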

Michael Kassner

That is a great router but it is ancient. I hope you are current with the firmware version. I also would suggest that you just disable remote access from the public network.

Neon Samurai

If I remember the last BEFS I had to setup, I don't think Linksys included https for the administration interface. It may be under an "administration" settings area though. Usually it's "enable https administration" or some such thing. If not, be sure your "remote administration" is disabled so you don't have that port hanging open on the internet side. At least then, someone has to get inside the network to bound back out to your 192.168.0.1 IP address. Also, you can be sure that it has a strong admin password and limit how often you connect into it or leave it open in the browser. This will mitigate the risk of that cleartext (http) password being sniffed from inside your network. If you're savvy, you might like Tomato or dd-WRT firmware instead of the Linksys provided one. I'm not sure that they support the BEFS boxes though so you'd have to decide if it's worth picking up a 100$ router that is supported. dd-WRT on a wrt350n has been good for my needs.

JCitizen

It seems some form of Unix/Linux is being used in the firmware of almost every router I have worked on lately. They seem to be very heavy on the Java with these GUIs.

Neon Samurai

dd-wrt seemed to begin as the other alternative firmware did. I think it's originally based on Linksys released firmware code. A few years ago, the router vendor struck a deal to use it as the default firmware. It seems to be the first time a vendor has reached out to such a third party firmware. I'd be interested to see data on if the sponsoring of a third party firmware developer has given them more budget to focus on hardware as their engineering specialty.

JCitizen

I do the same for my Pro clients, I would learn some reg hacks for my Home clients, but they rebel too much on good security like that! HA! For SMBs and/or SOHOs, I tell them to do it, or quit hiring me - I don't want to be party to victimization.

JCitizen

That is good to hear, I think I saw Seanferd or Neon talking about that here.

Michael Kassner

My clients don't like it, but I disable the Windows default configuration that displays the previous user name when logging in.

JCitizen

My Safe@Office 500W allows for User ID AND password. That way the cracker has to guess at [b]TWO[/b] items in gaining access to the router, not just the password! But I block exterior administration, so they would have to be in the LAN already, in which case this may be a moot point. However, I was once compromised and the cracker not only got access to my local machine administrator account, but the NetGear router I had for a hardware firewall! It still is a popular model, but it taught me to lock down the hidden local machine account, and NOT use the default password from the factory. This was a long time ago, before I got CCNA certified. I've learned a great deal since then! (I hope :( ) Since then, I've been able to account for unknown malware on board by the outbound port blocking, and/or failed logon attempts by my gateway syslog. You may think I get sacked a lot, but that is the hits you take when you run a honeypot in the lab. I don't always put them on the DMZ, because I didn't used to have information that was worth anything. The best way to learn security for me, was to take a slam in the gut! It is the best way to learn the cold facts about LAN security. Now they have certifications for security specialists; but our local college dropped all networking classes. The college president is one of those Liberals, who only wants to train artists, and doesn't understand anything about real world industrial training and community needs.

JCitizen

It is one more thing the cracker has to attack to gain access to my router, and he would have to do it from the interior; as I block all WAN side remote access.

Ocie3

a Cisco Linksys WRT54G, the user name field on the log-in panel evidently is not used, only the password field. Also, I have never found a configuration option that allows me to specify a user name, only one that allows me to change the password. Of course, the user name is only necessary when more than one person administers the router, and each user has a different password. Perhaps I could record one or more user names and corresponding passwords if I enabled "remote access" from the Internet (WAN) side of the router, but I have always had that feature disabled. Otherwise, if the user name is used at all when there is only one administrator, the user name becomes -- in effect -- just another password that is associated with the string which must be entered in the password field. :-)

Michael Kassner

Many routers/firewalls/etc do not give you the option to change the username. I checked SofaWare out and I don't see the connection. Forgive me, I must be having a brain-fart day.

JCitizen

I can change the default user name AND password. I noticed the last new Dlink router I played with had TWO user IDs that could be configured; I disabled the lower user based account and totally reconfigured the administrative one. They finally made it so you can change both, user ID and password, AND two kinds of accounts like an operating system, if my memory serves me correctly. (edited) My Safe@Office gateway won't allow but three attempts at logon, or it shuts down for thirty minutes. So dictionary attacks won't work for it. Especially since I would see the failures on my Syslog.
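The "three failed attempts, then a thirty-minute lockout" policy and the syslog monitoring mentioned in the post above are easy to reproduce as a detection rule. The following is an added example, not code from the article, the commenter or any vendor: it parses a constructed syslog feed (the line format is an assumption made for the example, not a real appliance's) and reports which source addresses would have tripped the lockout, along with the usernames they tried. In this run one host hammers the admin account and is locked out; another host fails once, succeeds, and later fails again without reaching the threshold.

```python
"""Flag brute-force logon attempts against a gateway from its syslog feed.

Added example. The sample lines and their format are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (format is an assumption, not a real appliance's).
SAMPLE_SYSLOG = """\
Feb 20 21:14:01 gateway auth: login failed user=admin src=192.168.10.45
Feb 20 21:14:03 gateway auth: login failed user=admin src=192.168.10.45
Feb 20 21:14:04 gateway auth: login failed user=admin src=192.168.10.45
Feb 20 21:14:05 gateway auth: login failed user=root src=192.168.10.45
Feb 20 21:20:30 gateway auth: login failed user=admin src=192.168.10.7
Feb 20 21:21:10 gateway auth: login ok user=netadmin src=192.168.10.7
Feb 20 22:05:00 gateway auth: login failed user=admin src=192.168.10.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S*) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2010):
    """Parse one syslog line into a dict, or None if it is not a login event.
    Classic syslog has no year, so one is supplied (2010 assumed for the sample)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_lockouts(lines, max_failures=3, window=timedelta(minutes=30)):
    """Return [(src, locked_until, users_tried), ...] for every source whose
    failed logons reach max_failures within `window`. Attempts that arrive while
    the source is locked out are ignored (the appliance refuses them anyway),
    and a successful logon resets the failure streak for that source."""
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    users = defaultdict(set)        # src -> usernames tried in the current streak
    locked_until = {}               # src -> end of lockout
    events = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if src in locked_until and ts < locked_until[src]:
            continue                # still locked out, attempt is rejected
        if ev["result"] == "ok":
            recent[src].clear()     # success resets the streak
            users[src].clear()
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(ev["user"])
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= max_failures:
            locked_until[src] = ts + window
            events.append((src, locked_until[src], sorted(users[src])))
            q.clear()
            users[src].clear()
    return events


if __name__ == "__main__":
    for src, until, tried in detect_lockouts(SAMPLE_SYSLOG.splitlines()):
        print(f"{src} locked out until {until:%H:%M:%S}; usernames tried: {tried}")
```

Feeding the real gateway's syslog export through `detect_lockouts` turns the appliance's own lockout counter into an alert you can read, which is the point of watching the syslog for failed attempts in the first place.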

Michael Kassner

Why do so many vendors not allow you to change the username? It really doesn't make any sense.

JCitizen

name too. No point making it easy for crackers by the default "admin" or administrator!