[kwlug-disc] Rogers says (said) I have a virus! Check your D-Link routers.

CrankyOldBugger crankyoldbugger at gmail.com
Wed Dec 10 20:12:21 EST 2014


Score another win for openWRT

Congratulations! Your router did not respond to a UPnP discovery request.



On 10 December 2014 at 19:43, Khalid Baheyeldin <kb at 2bits.com> wrote:

> I have a vulnerable router, but since it has OpenWRT, it does not have
> the vendor bugs.
>
> Scan was negative.
>
> On Wed, Dec 10, 2014 at 7:04 PM, B. S. <bs27975 at yahoo.ca> wrote:
> > So I get a voice mail from Rogers saying I have a virus (nonsense!) and
> that if I don't contact them they'll shut down my internet within 48 hours
> - I could be affecting my neighbours, yada, yada. From 1-888-764-3771.
> Right!
> >
> > Went to Rogers website and was eventually able to dig out internet
> technical support number at
> https://www.rogers.com/web/content/contactus-technical-support,
> 1-855-381-7838.
> >
> > So called, hit a few buttons to get to the right department, provided
> details to verify who I was / right account, and was able to talk to a
> human. I got lucky in that this particular person had some computer savvy,
> not the normal complete dunce, nor, sadly, someone who -really- knows what
> they're doing.
> >
> > Apparently there have been some DDNS attacks going on, via UPnP / SSDP
> bug, and D-Link routers, such as my DIR-857, are known to have the problem.
> >
> > Now why UPnP / SSDP would EVER be allowed to be exposed to the public
> internet, let alone hidden / no way to shut off from the interface is
> beyond me. Strike one for D-Link - off my shopping list they go.
> >
> > Going to support.dlink.com as told revealed nothing, but a search on
> 'rogers ssdp d-link' got me to SANS: Malware FAQ: Microsoft Windows UPnP
> vulnerabilities (search SSDP for relevant bits) - useless (not being
> Microsoft!, myself) but germane. More importantly it got me to
> http://support.dlink.ca/FAQView.aspx?f=sY5vcvfAuAV6bXgi%2F8WoVw%3D%3D [If
> you got a call from Rogers ...] - i.e. This is all 'real' - the original
> voice mail message wasn't spam.
> >
> > Follow the bouncing ball and you'll get to http://upnp-check.rapid7.com/
> where you can check whether you're affected. (Router exposing SSDP via UPnP
> and vulnerable to malformed packets.)
> >
> > So, just a heads up to everyone:
> >
> > Apparently some routers silently expose your internal SSDP (UPnP
> devices) interface - you may want to check with the rapid7 link and upgrade
> your firmware.
> >
> > Note also that you may experience as I did that the latest downloadable
> firmware is the version your router page is showing you you are already
> running. Diff showed binary differences comparing my current firmware
> against the just downloaded one (beta, no less!) - but no version number
> change. Post-update firmware date did show a change from something in 2013
> (IIRC), to this past summer.
> >
> > YMMV.
> >
> > P.S. If people didn't know, you can get a setting put on your Rogers
> account where when their scans show a problem, their scan log is
> automatically sent to your (additional) on file e-mail address. But you
> have to call and specifically request it. Without it, of course, you have
> no idea what nonsense they think they've found, so can't combat the 'have
> you run a virus check' hurdle you can't get them over. (What part of
> 'Linux' do you not understand, Rogers? <sigh>)
> >
> > - never mind I was supposed to have received a warning e-mail (didn't),
> nor ever seen a log, only that you definitely will never see one if you
> don't ask. [Asking the rep to have security send me a test e-mail to verify
> they can get through got me nowhere, but that's another story ...] I found
> this (additional) out in the past when a friend got hit, but they couldn't
> send the logs after the fact, being gone from their history - if you're
> going to get the logs, they have to know to save them at time of scan.
> >
> > GL&HF
> >
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> For every complex problem, there is an answer that is clear, simple,
> and wrong. -- H.L. Mencken
>
>
>
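The check that both replies above report on (the Rapid7 page saying whether the router "did not respond to a UPnP discovery request") is a single SSDP M-SEARCH datagram sent to UDP/1900 on the WAN address. The script below is an added example for this thread, not the Rapid7 checker's code and not anything posted by the original writers; the function names, the constructed sample reply and the 192.0.2.1 documentation address are all assumptions made here. It builds the M-SEARCH request, parses any "HTTP/1.1 200 OK" reply into its headers, and (when given a target on the command line) sends the probe and reports who answered.

```python
"""Minimal SSDP (UPnP discovery) probe. Added example for this thread; not
the Rapid7 checker and not code from the original posts."""
import socket
import sys
from typing import Dict, List

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"


def build_msearch(host: str = SSDP_MCAST, port: int = SSDP_PORT,
                  mx: int = 2, st: str = "ssdp:all") -> bytes:
    """Build an SSDP M-SEARCH request (HTTP over UDP, CRLF line endings).

    HOST is the multicast group for LAN discovery; for a unicast probe of one
    address, pass that address so the header matches the destination.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{port}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> Dict[str, str]:
    """Parse a unicast SSDP response into {lowercased header: value}.

    Returns {} for anything that is not an 'HTTP/1.1 200 OK' reply, so a
    NOTIFY announcement or random UDP noise is never counted as a hit.
    """
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def exposure_summary(headers: Dict[str, str]) -> str:
    """One-line description of a responding device, from the headers it sent."""
    return "{} at {} (SERVER: {})".format(
        headers.get("st", "?"), headers.get("location", "?"),
        headers.get("server", "?"))


def probe(target: str, timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to target:1900 and collect responses until timeout.

    Run this from a host on the Internet side against your WAN address. From
    inside the LAN the router is supposed to answer, so a hit there proves
    nothing; a hit from outside means SSDP is reachable on the WAN interface.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(host=target), (target, SSDP_PORT))
        while True:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers:
                headers["_from"] = src
                hits.append(headers)
    finally:
        sock.close()
    return hits


# Constructed sample reply in the shape an Internet Gateway Device returns
# (invented for this example: 192.0.2.1 is a documentation address and the
# SERVER string is not a real product).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = probe(sys.argv[1])
        if not found:
            print("no SSDP response from", sys.argv[1])
        for h in found:
            print("RESPONDED:", h["_from"], exposure_summary(h))
    else:
        # Offline demonstration of the parser on the constructed reply.
        print(exposure_summary(parse_ssdp_response(SAMPLE_RESPONSE)))
```

Two caveats when using it. First, the probe only tells you whether the device answers discovery on the address you aimed at; it does not test the malformed-packet bug the D-Link notice refers to, but a reply from the Internet side is already the exposure worth fixing, since any WAN-reachable SSDP responder can be used as an amplifier whatever firmware it runs. Second, a negative result like the OpenWrt one above is what you expect from a router whose WAN firewall drops unsolicited input (OpenWrt's default WAN zone does), so if a vendor firmware fails the check and offers no switch to turn UPnP off, blocking inbound UDP/1900 on the WAN interface is the fallback.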