psybot infections

I have been receiving a number of TCP hits coming in, all attacking port 23. My ISP emailed me a couple of days ago to tell me that they thought that the origin of the hits was psybot, which infects modems and routers.

The link below gives some details about the bot:-

The bot infects various modems/routers which makes it impossible to detect using virus/trojan scans on your PC.

How do you detect if your modem or router is infected? The only way I can think of would be to have a sniffer sitting on the network side of the modem checking all outgoing traffic.

JC

Can't say that I've seen any, but I haven't had anything listening on port 23 for perhaps ten years. Telnet (RFC0854 from May 1983) isn't exactly known as a secure application.

A list of 6000 usernames and 13,000 passwords were also included, to be used for brute force entry to Telnet and SSH logins which are open to the LAN and sometimes even the public WAN side of the routers.

Shades of the W32/Deloder from March 2003. Idiots will always be idiots, and refuse to learn from the past. Default, or terribly easy passwords on an interface wide open to the world. LAN side only access makes it harder on the bad guy - they've got to 0wn3 the computer behind the router in order to access it. Want to guess how hard that is?

Yeah - you have to think instead. Like trying to connect to port 22 or 23 on the Internet address (not the 192.168.1.1 side where it is less vulnerable) of your modem/router. Hell, you could even use one of the many Internet port scanning services.

Why not change the password on the modem/router to something more secure, and disable Internet side access to that port?

Old guy

Moe Trin
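
The check suggested in the post above (does port 22 or 23 answer on the router's Internet-side address?), written out as an added example that is not part of the original thread. The function names are hypothetical, and the script assumes it is run from a host outside your LAN against your own router's public address, because a probe from inside may be answered by the LAN-side interface instead.

```python
import socket

# Management ports named in the thread: SSH (22) and Telnet (23).
MGMT_PORTS = {22: "ssh", 23: "telnet"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed: a service is reachable
    closed   - connection refused (RST): host answers, nothing listening
    filtered - no answer before the timeout: dropped by a firewall
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                # SSH sends a version line; Telnet usually sends IAC option bytes.
                banner = s.recv(128)
            except (socket.timeout, OSError):
                banner = b""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "filtered", b""


def audit(host, ports=MGMT_PORTS, timeout=3.0):
    """Return {port: (state, banner)} for each management port."""
    return {p: probe(host, p, timeout) for p in ports}


def exposed(results):
    """Ports that accepted a connection and therefore need closing."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    # Pass your own router's public address; 127.0.0.1 is only a safe default.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = audit(target)
    for port, (state, banner) in sorted(res.items()):
        print(f"{port}/{MGMT_PORTS.get(port, '?'):6} {state:8} {banner[:40]!r}")
    print("exposed:", exposed(res) or "none")
```

A "closed" or "filtered" result on both ports means the management interface is not reachable from the WAN side; it does not by itself show that the device is clean.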

On 03/28/2009 07:26 PM, JC sent:

Hello JC:

If your undisclosed equipment lacks telnet based administrative capability, you have little to fear. As in all cases, the best defense for this attack is a very strong administrative password and up-to-date firmware.

Sheesh! Zlob fades & here comes another...

Pete

1PW
