Remember to update your modem firmware!

dezzo69

Arch-Supremacy Member
Joined
Aug 23, 2005
Messages
19,211
Reaction score
3,490
Just to share with the community:

Out of the blue I was getting Russian pop-ups and ads while surfing normally.


This is the second time this has happened. The last time was around September and I asked about it here:

http://forums.hardwarezone.com.sg/a...y-centre-297/finrussia-ru-pop-up-4861812.html

I dug around for info and to my horror Avast prompted me that my modem settings are extremely vulnerable to being hacked and advised me to update my firmware. I found that odd because I remembered updating the firmware before, but apparently there is a very recent update.

Things seem to be okay now and I will be monitoring whether it stays this way.

Cheers
 

dezzo69

TP-Link TD-W8901G, a very old modem.

Firmware version is now V3_140512
 

hlots123

Supremacy Member
Joined
Apr 5, 2006
Messages
5,213
Reaction score
11
Background info about the rom-0 vulnerability...

https://blog.avast.com/2014/11/13/n...the-latest-firmware-or-replace-it-completely/
PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure ) | Root@Nasro
Attackers alter DNS configurations remotely, compromise 300K routers - SC Magazine

The attack is made possible due to default SOHO settings that are vulnerable to password guessing, as well as brute force log-on attempts because the graphical user interface was accessible from the internet, according to the report, which adds that compromise via Cross-Site Request Forgery may also be possible.

“A considerable number of the remotely accessible devices also appeared vulnerable to the “ROM-0” vulnerability published in early January,” according to the report. “This vulnerability in ZyXEL's ZynOS allows attackers to download the router's configuration file from the unauthenticated GUI URL http://[IP address]/rom-0.”

Me: Is the page password protected?
Me: No!!! I tried to access that page on a different IP and it didn’t require a password!
Ok, enough questions haha..

Now, when I activated TamperData and clicked “ROMFILE SAVE” I’ve found out that the rom-0 file is located on “IP/rom-0” and the directory isn’t password protected or anything.
...
When you upload and submit the rom-0 file there, the php page replies back with the configuration in clear text (INCLUDING THE PASSWORD).
...
Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it..
You just have to forward port 80 on the router to an unused IP address on your network
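The check Avast ran on dezzo69's modem can be reproduced by hand against your own gateway: ask its web UI for /rom-0 and see whether anything comes back without a login. The script below is an added example, not from the thread, Avast or TP-Link; the gateway address is an assumption, and the script only classifies the response (status code, content type, whether the body is an HTML login page) and never stores or decodes the file.

```python
"""Self-check for the ZynOS rom-0 exposure: does the gateway serve
/rom-0 to an unauthenticated LAN client? (Added example; the gateway
address below is an assumption, not taken from the thread.)"""
import urllib.error
import urllib.request

DEFAULT_GATEWAY = "http://192.168.1.1"  # assumption: typical TD-W8901G LAN address


def classify_rom0_response(status: int, content_type: str, body: bytes) -> str:
    """Map an HTTP response to GET /rom-0 onto a verdict.

    EXPOSED   : 200 with a non-HTML body, i.e. the binary config file was
                handed to a client that never logged in.
    PROTECTED : 401/403, or a 200 that is really the HTML login page.
    UNKNOWN   : anything else (404, redirects, empty body).
    """
    looks_html = (b"<html" in body[:512].lower()
                  or "text/html" in content_type.lower())
    if status in (401, 403):
        return "PROTECTED"
    if status == 200:
        if looks_html:
            return "PROTECTED"
        if not body:
            return "UNKNOWN"
        return "EXPOSED"
    return "UNKNOWN"


def check_gateway(base_url: str = DEFAULT_GATEWAY, timeout: float = 5.0) -> str:
    """Fetch at most 1 KiB of /rom-0 from the gateway and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/rom-0", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return classify_rom0_response(resp.status, ctype, resp.read(1024))
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive here
        ctype = err.headers.get("Content-Type", "") if err.headers else ""
        return classify_rom0_response(err.code, ctype, b"")
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"


if __name__ == "__main__":
    print("rom-0 check:", check_gateway())
```

An EXPOSED verdict means the firmware update or the port-80 redirect described above is still needed; PROTECTED after the update confirms the fix took effect.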
 