Security Incidents mailing list archives

Re: ckcool?


From: Mike Shaw <mshaw () wwisp com>
Date: Wed, 20 Feb 2002 16:51:47 -0600

What I've seen plenty of is extremely poor password policy. This is a general rule of all cable/dsl modems.

It's possible and highly likely that the password was:
a) blank
b) "password", "pass123", part of the mac address host name, etc.
c) shared on some other cracked system

The other thing is that most of the cable/dsl modems out there are very brute forcible via telnet and/or http using something like brutus (http://www.hoobie.net/brutus/).

It's possible that there is some sort of exploit against the box (snmp? Poor html interface security?), but many many cable/dsl modems out there are just poorly set up.

-Mike


While on the subject.
At 08:45 AM 2/19/2002 -0600, Bob Maccione wrote:
I have a friend that got hacked running linux.  Luckily it's an immature
enough hack that the mess left behind told me what happened.  In this case a
user was created called 'ckcool' and then a rootkit was thrown down.  I'm
going to get the disk from him to see what all was done but one thing
puzzled me.  It seems that the password on the Linksys firewall/router was
also changed.

Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL
router/firewalls?

thanks
bob


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
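Mike's point that most cable/DSL routers can be brute-forced over telnet or HTTP suggests the defensive counterpart: watching the router's own auth log for bursts of failures from one source. The script below is an added example, not from the thread or any vendor; the syslog-style line format, the service names and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the original thread) in an assumed
# syslog-like format for a router's telnet and HTTP admin interfaces.
SAMPLE_LOG = """\
Feb 20 16:40:01 router telnetd: login failed for admin from 203.0.113.7
Feb 20 16:40:02 router telnetd: login failed for admin from 203.0.113.7
Feb 20 16:40:02 router httpd: auth failed for admin from 203.0.113.7
Feb 20 16:40:03 router telnetd: login failed for admin from 203.0.113.7
Feb 20 16:40:04 router httpd: auth failed for admin from 203.0.113.7
Feb 20 16:40:05 router telnetd: login failed for admin from 203.0.113.7
Feb 20 16:45:10 router httpd: auth failed for admin from 198.51.100.9
Feb 20 16:51:30 router telnetd: login ok for admin from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>telnetd|httpd): "
    r"(?:login|auth) failed for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failures(text, year=2002):
    """Yield (timestamp, service, user, source) for each failed-auth line.
    Syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["svc"], m["user"], m["src"]

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: total_failures} for every source that produced at
    least `threshold` failures inside any sliding `window`, counting the
    telnet and HTTP interfaces together since a tool may hit both."""
    by_src = defaultdict(list)
    for ts, _svc, _user, src in parse_failures(text):
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A single slow failure from a second address stays below the threshold, which is the distinction a first-pass alert on a home router needs to make.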




