[Malvern] Fw: [mlvrnfreecycle] OFFERED: D-Link wireless router (malvern link)

Richard Forster rick at forster.uklinux.net
Wed Jul 4 18:50:16 BST 2007


Google for netgear and 5190 and you will find out all about what Netgear
did to their routers. As the open port is deliberately there it cannot
be a virus.

Let me repeat that. You do not have a virus on your router.

It seems like you can however explicitly block all those open ports
within the firewall. You can also close the program which uses these
open ports but you need to do it each time you reboot the router.

Or you can just use decent security on your PCs and not care what your
router is doing. Your PC can firewall itself better than your router can.

> Is WiFi any more vulnerable than wired? Probably less so - the baddie
> has to be within local range.
Wrong.
WiFi is far more vulnerable than wired. It is like putting all your
local traffic (i.e. your home network) through a hub that you let ANYONE
walk up to and connect whatever computer they want to. The baddie has to
be within WiFi range (i.e. perhaps 100 feet or so) rather than actually be
in reach of the hub (i.e. arm's length or so) in the wired case.


> 
> I have a Netgear Firewall/router here which I took out of service 
> because it appeared to have an
> illegal port (5190) open.  That could have been MBomber.

It is not MBomber. It is not a virus. The port is open because Netgear
wanted to leave it open to run a program. That decision of theirs isn't
necessarily without security risks but it IS NOT A VIRUS.

In any case, having a port open on a router says NOTHING about whether
it has a virus. An open port means the device is ready to accept
connections from your computers. Why would your computers know to send
data to it (rather than send data through it, note the difference) on
that port? Read those last two sentences again. They wouldn't unless
they were also compromised. But what would be the point of that? If your
PCs are compromised why not just get them to connect straight out to the
baddie's server which collects all your data and passwords etc.?
If your PC isn't sending data to the router on that port then having
that port open achieves nothing for this hypothetical virus.

> 
> The device still works, but I replaced it with a later version because I 
> could not trust it.
If I was to write something that would compromise a popular model of
router out there then I wouldn't leave a port open. Instead I would get
the router to silently redirect some traffic to my servers instead of
the real ones. The apparent behaviour of the router could be
indistinguishable from what you 'should' expect to see. In other words
it would have a virus but not have any suspicious open ports.
Consequences of this scenario (and defences) are left as an exercise for
the reader. No really, go for it!

Rick
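
The distinction the message draws between traffic sent to the router and traffic sent through it can be checked against connection records. The following is an added example, not part of the original message: the record format, the 192.168.0.0/24 LAN, the router address 192.168.0.1 and all function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample records (src, dst, dst_port); not from the original post.
# Assumed layout: LAN 192.168.0.0/24, router's own LAN address 192.168.0.1.
SAMPLE_FLOWS = """\
192.168.0.10,203.0.113.5,443
192.168.0.10,192.168.0.1,53
192.168.0.11,192.168.0.1,80
192.168.0.11,198.51.100.7,5190
192.168.0.12,192.168.0.10,445
192.168.0.12,192.168.0.1,5190
192.168.0.12,192.168.0.1,5190
"""

LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER = ipaddress.ip_address("192.168.0.1")

def parse_flows(text):
    """Parse 'src,dst,port' lines into (ip, ip, int) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows

def classify(flow, lan=LAN, router=ROUTER):
    """'to_router': addressed to the router itself; 'through_router': forwarded off the LAN."""
    _src, dst, _port = flow
    if dst == router:
        return "to_router"
    if dst in lan:
        return "lan_local"
    return "through_router"

def senders_to_router_port(flows, port=5190):
    """Count, per LAN host, connections addressed to the router itself on `port`."""
    hits = Counter()
    for flow in flows:
        if classify(flow) == "to_router" and flow[2] == port:
            hits[str(flow[0])] += 1
    return dict(hits)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(Counter(classify(f) for f in flows))
    print(senders_to_router_port(flows))
```

A host connecting to port 5190 on an outside address is counted as traffic through the router, so only hosts that address the router itself on that port are reported.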




