5

We have a customer who is running an office CCTV system which he accesses from home. The system runs on an embedded Linux box behind a NAT firewall forwarding to ports 8080 for web browser access and 37777 for proprietary software access.

All this has suddenly stopped working and a little investigation shows that TCP SYN packets sent to his IP address (on either port) are getting immediately terminated with RST packets containing the message "Go away, we're not home". Googling this message gets a lot of stuff about the Storm Botnet which apparently does exactly this.

So the question is, how on earth can the Storm Botnet hijack an embedded Linux box? Or am I missing something else entirely?

nik
MikeJ-UK
  • Interesting; the only instance of a Linux botnet I had heard about until recently was psyb0t. – nik Jun 09 '09 at 17:21
  • Here is a reference: http://www.eweek.com/c/a/Security/The-First-Linux-Botnet-626424/ – nik Jun 09 '09 at 17:23
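The observation in the question (a RST that carries a text banner) is the one hard clue that the reset is not coming from an ordinary endpoint TCP stack, which sends an empty RST. Added here as an illustration, not code from the question or the answers: a small Python parser that takes a raw TCP segment (constructed inline; the port numbers are assumptions) and reports whether a RST carries data and what it says.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_ACK = 0x10


def parse_tcp_segment(seg: bytes) -> dict:
    """Parse a raw TCP segment (IP header already stripped) into fields plus payload."""
    if len(seg) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & FLAG_SYN),
        "rst": bool(flags & FLAG_RST),
        "ack_flag": bool(flags & FLAG_ACK),
        "payload": seg[data_offset:],
    }


def rst_message(seg: bytes):
    """Return the text carried in a RST segment, or None for a non-RST or a bare RST.

    A normal host stack answers a SYN to a closed port with an empty RST/ACK;
    a RST that carries a readable banner points at a middlebox (router,
    firewall, or something else in the path) rather than the target host.
    """
    hdr = parse_tcp_segment(seg)
    if not hdr["rst"] or not hdr["payload"]:
        return None
    return hdr["payload"].decode("ascii", errors="replace")


def build_segment(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Build a constructed sample segment (5-word header, checksum left at zero)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 0, 0, 0) + payload


# Constructed samples (port numbers are assumptions): a bare RST/ACK as a real
# endpoint would send, and a RST carrying the banner quoted in the question.
BARE_RST = build_segment(8080, 40000, 0, 1, FLAG_RST | FLAG_ACK)
BANNER_RST = build_segment(8080, 40000, 0, 1, FLAG_RST | FLAG_ACK, b"Go away, we're not home")
```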

2 Answers

3

This NAT firewall -- what hardware and software is it? It's not necessarily the Linux box that would've been hijacked.

chaos
  • Agreed... It'd be worth bypassing the NAT and checking the embedded system directly if possible. I'd also check with the CCTV vendor to see if they have any updates that might need to be installed or applied. – gharper Jun 09 '09 at 16:40
  • The firewall is a typical combined ADSL/router/firewall. It is flash upgradable so is theoretically 'hackable'. Looks like a detailed forensic examination is on. :( – MikeJ-UK Jun 10 '09 at 08:06
0

I have answered this in case anyone else is unfortunate enough to tread this way in future.

I asked if maybe I was missing something else entirely. It turns out that I was. The problem was in our own router and had three apparent symptoms.

  • Blocked all ICMP traffic from reaching the public internet
  • Actively refused all TCP connections to any address on the public internet on ports not in the range [20, 21, 25, 80, 110] with a sarcastic message.
  • Rebooted when any attempt was made to view the system log.

Although this looks like a firmware exploit, it is not consistent with the symptoms of psyb0t.

The router in question was a (rather old) 2Wire Intelligent Gateway 1800 and has been replaced!

MikeJ-UK