Re: Router worm exploiting poor SNMP security.

[Ralph Moonen <ralph () TINK ORG>]

At 23:58 12-12-00 +0000, Lars Nygård wrote:
> - This little script takes a look at which snmp
> communities are stored in the router MIB and write
> this to a file.

There usually are no communities for other routers stored in the MIB of a 
router.

> - Next step is to look for other routers nearby by
> looking at my routing table, ospf neighbours etc.

OK

> - Then my script checks to see if any of the
> communities it found, are read/write on any nearby
> routers by sending a SNMP packet.

OK.

> - If a read/write community is found. It uploads the list
> of known communities

If they were in the the MIB........

> and itself

How?

> to the nearby router.
> Then execute the script on that router.

No environement suitable to script exec on routers usually.

> -Then my script leave a text file saying "I was here"
> and deletes itself. (or potensially delete all files and
> schedules a boot at 1. january 2000, but that would
> be mean)

>:-)


> Two questions:
> Can anyone tell me any reason why this can't work?

See above.....

> I base this upon my knowledge of Nortel routers and
> BayRS. Is there any reason why simular procedure
> can't work with Cisco?

Yes, and it won't work on Bay/Nortel either, because you can't upload and 
execute real scripts to them AFAIK.

--Ralph



Oh, PS:
This was in an email. I found out it just resolves to www.angelfire.com, 
but nevertheless, someone went to QUITE some effort
to obfuscate his presence. (Check the DNS entries!!!!) Here is:

Try It Now!!  <a 
href="http://www.ab4.gobbles.mx%3D14%3D02%3D14%3D05%3D14.com%7Cnet.dce%3D02%3D05%3D14%3D%3D02%3D14%3D05%3D14%3D14.lllllllll.com:80/ab4/java355/index.html";>Click 
Here</a>
</pre>