Just a month since I wrote the first piece on this and there are more domestic router breaches.
- "The Moon" worm on Linksys routers - The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 184.108.40.206 or 220.127.116.11, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on ports 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024. It seems that most E-series Linksys routers are vulnerable.
- ASUS routers expose shared USB drives over the public internet - The exploits against Asus routers have been known about by Asus for a year and they have yet to correct it in old and current models.
Do I really need to remind you NOT to use manufacturer firmware in your router when DD-WRT, Tomato and others are available?
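
The infection check described for "The Moon" (heavy outbound scanning on ports 80 and 8080, inbound attempts to ports below 1024) can be run over firewall logs. The sketch below is an added example, not code from the original post. It assumes iptables LOG-style lines taken from the router's own INPUT/OUTPUT chains, so forwarded LAN browsing is not counted; the WAN address, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

WAN_IP = "203.0.113.10"    # assumption: router's public address (documentation range)
SCAN_PORTS = {80, 8080}    # ports named in the post for outbound scanning
SCAN_THRESHOLD = 5         # assumption: distinct destinations that count as "heavy"

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse(line):
    """Extract SRC, DST and DPT from an iptables LOG-style line; None if not TCP."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
        return None
    if "SRC" not in f or "DST" not in f:
        return None
    return f["SRC"], f["DST"], int(f["DPT"])

def analyse(lines, wan_ip=WAN_IP, threshold=SCAN_THRESHOLD):
    """Summarise the two indicators from the post for one router."""
    targets = set()               # distinct hosts the router contacted on 80/8080
    inbound = defaultdict(set)    # destination port below 1024 -> remote sources
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dpt = rec
        if src == wan_ip and dpt in SCAN_PORTS:
            targets.add(dst)
        elif dst == wan_ip and dpt < 1024:
            inbound[dpt].add(src)
    return {
        "outbound_targets": len(targets),
        "outbound_scanning": len(targets) >= threshold,
        "inbound_low_ports": sorted(inbound),
    }

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    f"kernel: IN= OUT=eth0 SRC={WAN_IP} DST=198.51.100.{i} PROTO=TCP SPT=40{i}11 DPT={p}"
    for i, p in enumerate([80, 8080, 80, 8080, 80, 80], start=1)
] + [
    f"kernel: IN=eth0 OUT= SRC=192.0.2.7 DST={WAN_IP} PROTO=TCP SPT=51515 DPT=193",
    f"kernel: IN=eth0 OUT= SRC=192.0.2.9 DST={WAN_IP} PROTO=TCP SPT=51516 DPT=445",
    f"kernel: IN=eth0 OUT= SRC=192.0.2.9 DST={WAN_IP} PROTO=TCP SPT=51517 DPT=8443",
    f"kernel: IN= OUT=eth0 SRC={WAN_IP} DST=198.51.100.53 PROTO=UDP SPT=5353 DPT=53",
    "kernel: truncated line with no fields",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Because the post notes that a reboot clears the infection, logs need to be collected off the router (for example via remote syslog) before it is restarted.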