http://efytimes.com/e1/fullnews.asp?edid=132220

I am not sure Cafe is the right place but since this is not a support thread I am posting it here.


Wednesday, March 05, 2014: A recent report by internet security research firm, Cymru has shockingly revealed that over 0.3 million small office and home routers (SOHOs) around the world have been compromised using man-in-the-middle attacks. The 'Growing Exploitation of Small Office Routers Creating Serious Risks' report clearly indicates that routers primarily in Europe and Asia have been compromised by what they term as SOHO pharming.


Specifically, a majority of these lie in countries like Vietnam, India, Italy and Thailand. The routers in the mentioned countries have been affected by changing their DNS settings from their ISP’s default to two UK IP addresses (5.45.75.11 and 5.45.75.36). Routers were affected in two ways. In one, a malicious code was used to target those routers which had their GUI's accessible from the internet. Secondly, the other target routers were those that were vulnerable to ROM-O attacks, with a majority that ran ZyXEL’s ZynOS falling under the category.

The research team has however still not detected any evidence to suggest the two IP addresses were being used for malicious activities. Meanwhile, Cymru has advised users to check the DNS settings on their routers to make sure that they match the ISP’s DNS.

Saurabh Singh, EFYTIMES News Network

set your DNS servers on your computer to say google or open dns

set your DNS servers on your computer to say google or open dns

+1

I guess allowing access to router's configuration interface from the WAN side can cause more serious issues besides just the DNS.

+1 to being careful. This can include changing your router's password to something other than the default.

and if it is open on the wan i suggest using the output of this command

cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-256}
that will keep a attacker busy for a while

Why would any SOHO want to set their router configuration to be accessible from the WAN side? What circumstances would create such a necessity that it outweighs the risk?

Why would any SOHO want to set their router configuration to be accessible from the WAN side? What circumstances would create such a necessity that it outweighs the risk?

I don't know about benefits, but mostly it happens due to lack of awareness. Almost all the routers this days are plug and play, while that is good, people actually never bother to dive deep and try to learn functions of it and ride on default settings, including passwords.

Having said that, I'm one of those people, I use small router within main router and sometimes get too complacent about security. The only thing I do is blocking all inbound from Gufw.

So, don't allow remote access of your router; problem solved.

I like how it says "0.3 million" instead of "300,000". Makes it sound like more.

That is old news. I guess some people never got the message. People have been told to disable WAN remote access for years.