According to Security Watch at PCMag, the following products are affected:
E300, E900, E1000, E1200, E1500, E1550, E2000, E2100L, E2500, E3000, E3200, E4200, WAG320N, WAP300N, WES610N, WAP610N, WRT610N, WRT400N, WRT600N, WRT320N, WRT160N, and WRT150N.
If you own one of the above routers, do the following:
- Access the router’s web-based setup page.
- Verify if your Linksys router has the latest firmware. Go to Linksys support site to check.
- Make sure that the Remote Management option under the Remote Management Access section is set to Disabled.
- Click the Security tab.
- Make sure that the Filter Anonymous Internet Requests option under Internet Filter is checked.
- Click Save Settings.
- Power-cycle the router by unplugging it from the power source, then plugging it back in. This should clear the cache and remove the malware if your router has been infected.
It's also a good practice to set firewall rules to block inbound connections.
Depending on your OS, you can check to see if you're infected with the following command:
echo [-e] "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080
If you receive an XML HNAP reply, you are likely to be victimized by the worm affecting Linksys devices, and some preventive measures are to be taken. Also keep an eye on the logs of ports 80 and 8080.
The above is from Sudhir K Bansal via TheHackerNews. Read the full report here.
A user with the handle Rew on Reddit posts the .cgi that SANS wouldn't talk about. See his original post here.
Here is the Proof of Concept report.
Also from CERT, there is a dual DNS redirect reported on the same routers and on iOS, including phones. While this is at banks in Europe, I would check it on your router as well.
DNS Router Redirect
To add to the original post, here are some SANS updates:
The Moon Captured
List of currently known IPs (moonnets)
Non-SANS info for phones
Using Android Phones on your Router
For use in Windows, to test whether your router has been compromised, open a command prompt. To do this,
go to Start and type CMD in the Run box.
The correct ping echo syntax is this (just copy and paste):
ping echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080
The same response as above means infection. If you get
"Ping could not find the host"
then you SHOULD be in the clear. If you're infected, follow the above steps to get by until Linksys puts out a patch.
Sorry about that, been a long day.
Edited by czarboom, 23 February 2014 - 02:41 AM.
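As an added example (not code from the original post, TheHackerNews or SANS), here is the same HNAP1 check as a small Python script that serves both the nc command above and the Windows section, since it runs unchanged on Windows, Linux or macOS without nc: it sends the exact GET /HNAP1/ request to the router on port 8080 and reports whether an XML HNAP reply came back. It assumes the router address is passed on the command line (192.168.1.1 is only a placeholder default), and the two sample replies are constructed for the built-in loopback self-test, not captured from a real device.

```python
import socket
import threading

# The exact request from the post; an HNAP endpoint answers it with XML.
HNAP_REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n"
# Constructed sample replies for the self-test (not captured from a real router).
SAMPLE_HNAP_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
                     b'<?xml version="1.0"?><soap:Envelope><soap:Body>'
                     b"<GetDeviceSettingsResponse/></soap:Body></soap:Envelope>")
SAMPLE_PLAIN_REPLY = b"HTTP/1.1 404 Not Found\r\n\r\n<html>no such page</html>"

def looks_like_hnap_reply(raw: bytes) -> bool:
    """True when raw is an HTTP reply whose body is XML or mentions HNAP."""
    if not raw.startswith(b"HTTP/1."):
        return False
    body = raw.partition(b"\r\n\r\n")[2].lower()
    return b"<?xml" in body or b"hnap" in body

def probe_router(host: str, port: int = 8080, timeout: float = 5.0) -> bytes:
    """Send the HNAP1 GET; return the raw reply, or b'' if the port is closed or silent."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(HNAP_REQUEST)
            while sum(map(len, chunks)) < 65536:   # cap how much we keep
                chunk = sock.recv(4096)
                if not chunk:                      # peer closed: reply is complete
                    break
                chunks.append(chunk)
    except OSError:   # refused, unreachable, or timed out mid-read (socket.timeout is an OSError)
        pass
    return b"".join(chunks)

def serve_once(reply: bytes) -> int:
    """Throwaway 127.0.0.1 listener that answers one connection with reply; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        conn.recv(1024)        # consume the GET
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder router address
    print("HNAP reply received" if looks_like_hnap_reply(probe_router(target)) else "no HNAP reply")
```

A reply only proves that HNAP is answering on port 8080 from wherever you ran the check, so running it from inside the LAN and from outside tells you whether the service is reachable from the internet; the steps above (disable Remote Management, power-cycle) apply either way.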