Talk talk customers ... hmm so 10 people were affected then ?

Are PN routers at risk  

@rongtw - they haven't been mentioned in the ISPReveiw story I read (I'll see if I can find it later), but that story did say routers withe default password were most at risk. AFAIK, PN routers all have an unique password.

http://www.ispreview.co.uk/index.php/2016/11/talktalk-isp-routers-potentially-vulnerable-new-mirai-w... - but that's thanks to Gel in another thread.

 it would appear that those routers have TR-064 open for command which they shouldn't

As linked in the above post

Am I not correct in thinking that over 90% of big business use Linux Systems ?

It's not a Linux vulnerability as such, it's a TR-064/TR-069 bug. It's just that most of the routers use a Linux kernel and will use a lot of common (GPL) code. Linux servers in general are not likely to have TR-064/TR-069 code in them 

---

@St3 wrote:

Talk talk customers ... hmm so 10 people were affected then ?

---

Are you sure they have that many customers, seems a high figure to me ?

---

@shutter wrote:

Report from BBC NEWS site...

 

customers using POST OFFICE and TALK TALK routers to access the internet, have been disable/hijacked cutting them off from the internet.

 

and it appears, that, despite many claims by the LINUX FRATERNITY on this forum, that LINUX is SAFER than WINDOWS from virus attack,.... it seems that these routers use a LINUX base

 

http://www.bbc.co.uk/news/technology-38167453

 

 

***************************************************************************************************************************************************

It involves the use of a modified form of the Mirai worm - a type of malware that is spread via hijacked computers, which causes damage to equipment powered by Linux-based operating systems.

 

***************************************************************************************************************************************************

 

 

---

"TalkTalk also confirmed that its D-Link DSL-3780 routers were affected but said only a small percentage of its customers used them."

I'm ex-TT and using the 3780 now with PN. My ability to access web sites went on a desperately slow motion Sunday, Monday and Tuesday - until I rebooted the router and everything else. I was on the verge of complaining about poor PN access when I rebooted. I wonder if there is a fix?

---

@harrym1byt wrote:

---

I wonder if there is a fix?

---

use another make of router ? ? ? 

As I understand it the worm scans for open ports, on TalkTalk' IP range it was TCP port 7547 which I believe is open for remote help from them.

Now if I am correct Plusnet also offer remote help for users of their provided modems, so the question is, are plusnet provided modems susceptible to a similar attack from a version of the Mira worm modified to scan for plusnet customers?

Personally I don't use plusnets modem but if I did I would like to know if a vulnerability exists, is there an open port used for remote help and which port they use. You could then check to see if that port is open and close it.

Further reading http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/ and http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

It's not just about the open port and known password, it's that the open port is accepting TR-064 commands, which it's not supposed to, regardless of any password. And then there's a further flaw (the handling of the NTP server setting) used to make the router download and execute the malware.

It shouldn't take long for someone to set up an online checker for the TR-064 acceptance flaw if there isn't such a checker already.

The default password is usually the device's serial number. And there's a TR-064 command that doesn't need a password that can be used to read device info, which includes the serial number.