Trojan In Firmware?

jpo (Guest)
Can anybody confirm what I'm seeing here? I purchased a used WRT600N on eBay, reloaded the firmware, configured it all, and it seemed to be working OK. A couple of days after I installed it I noticed a few settings that seemed to change by themselves. I changed them back and forgot about it. So today I tried using LanSpy to troubleshoot a browse problem on my network, and this caught my attention when I scanned my router. So I reloaded my firmware again, but it did not go away. Any ideas? Maybe this isn't what it seems; is this port actually disabled to stop MyDoom?

Attachment: router.jpg (38.7 KB)

I am not sure what exactly this info means. Maybe it is that the trojan is on your PC but has opened the port shown?

Another observation: this utility keeps crashing when I start it on my laptop and try to scan my router.

Anyway, I do not think there are trojans able to infect a Linux OS. Your router is sure to have Linux.

As for the changing settings, I am not sure why, but I have met such a thing before on another router. I do not remember the case well, though; maybe it was with those modem/routers provided by the telecom. Which settings exactly have you changed? If it is ports being opened, it might be due to a trojan. You may disable UPnP so that programs are not allowed to dynamically open ports.
I would wonder what traffic is being grabbed by that LanSpy program. You say you're 'scanning your router', but what are you scanning? All traffic going to your router?

I would highly doubt the router itself is infected with something. Perhaps it's picking up something from within your network or on your PC trying to send malicious traffic out through the router. The router might be stopping incoming traffic, but consumer-grade routers don't stop outgoing traffic (which is half the battle with trojans/viruses).

I'd be wondering exactly where that traffic is originating from.
 
I believe LanSpy scans computers and routers for open ports and other security vulnerabilities. From poking around on the internet, it seems that running LanSpy from Windows XP or Vista against a Linksys router gives you a false port 3127 reading; it's a bug, apparently. Does anyone know what the 'dummy user' \PIPE\samr is? I heard it is related to reading the SAM database in Windows remotely, but I'm not sure. If it's something that is supposed to be running on a WRT600N router, then I'll go ahead and put this router back on my system, but until I can confirm what this is, I'm a little leery of using it.
 
I would use Process Explorer and TCPView instead, both freeware, to scan the PC and see what processes and ports are used, and Nmap to scan the router.

I've given up using LanSpy; it crashes every time.
As for the trojan, why not use any freeware anti-virus program to scan the PC?

I have never heard of a trojan able to infect the Linux OS on a router. Routers are a difficult target: first because of the OS, and second because they have such a limited amount of memory (usually 2 or 4 MB) that it is difficult to run any applications.
Does anybody here have a WRT600N with a configured USB HD on it, and is willing to run LanSpy against it and see if it has a dummy user named \PIPE\samr? This shows up on my system only when my USB HD is connected; could it be something required for sharing?
 
Also, you need to look under "open files" to see the dummy user.
 
LanSpy

LanSpy is more of a network sniffer; it's a very powerful freeware program I've used at work, and people are always amazed at where I am getting all this info. They had a problem where no one knew who was accessing a rogue system. LanSpy did the trick to help me hunt down the user. In your case it's telling you who or what has access to your router. The best thing to do is wipe out the firmware that's in the router now, back to factory defaults.
 
I did, twice, and it came back; that's why I think it may be part of the OS, but I just wanted to confirm with someone else who has one.
 