
Trojan/Virus on WRT54G v3.1??

Discussion in 'Cisco/Linksys Wireless Routers' started by nuzzr79, Dec 19, 2005.

  1. nuzzr79 (Network Guru Member)

    I have LanSpy 2.0 installed on my server to monitor connected devices on my LAN. To my surprise, this software detects my WRT54G as having an open UDP port 3127, which LanSpy also flags as the trojan W32.MyDoom. :eek:

    I am sure I have closed all unnecessary ports in the WRT54G firewall setup (at least that's what I did through the web admin console).

    This raises a few questions for all you gurus out there:
    1. Is it possible to have a virus/trojan on a WRT54G?
    2. Is this port 3127 open by default? If it is, what is this port used for?
    3. Is there any way to close this port from the admin web console (or any other method available)?
    4. If in fact the router is infected with MyDoom, how can I clean it?

    Thanks in advance.
     
  2. nuzzr79 (Network Guru Member)

    Can anyone help me with this?

    I just need to make sure my router is safe from external threats.
     
  3. NateHoy (Network Guru Member)

    It's POSSIBLE. It's a Linux-based device, and someone could, in theory, have broken into it and installed the spyware. But exceptionally doubtful. Specifically, W32.MyDoom: W32 stands for Windows 32-bit, i.e. something that cannot run in Linux. The port MAY be open for another service that has nothing to do with MyDoom, or more likely you have an infected PC somewhere that is keeping the port open.

    You can "close" port 3127 by using port forwarding to forward it to an IP address that does not exist.

    If you've scanned all of your internal PCs and they've come up clean - and if you have wireless on and unsecured, or secured using WEP, MAC address filtering, or another easy-to-break security method, it's possible that someone else is on your network via wireless and THEY have the spyware installed.

    However, a factory reset followed by a firmware flash (followed by you keying in your settings manually) will most certainly wipe anything clean, if you're really worried about your router being compromised. That's the router equivalent of reformatting and reinstalling.
     
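The distinction NateHoy draws (a scanner saying UDP 3127 is "open" versus something actually listening) is worth seeing in code. The following is an added example written for this thread, not LanSpy's, Linksys's or either poster's code: it probes a host the way a LAN scanner does and shows that for UDP, silence is the normal result whether or not a service exists. The host and port are whatever you pass in; the loopback listeners in `demo_local()` are constructed for the demonstration.

```python
"""Probe a port the way a LAN scanner such as LanSpy does, to show why an
"open UDP port" on the router is weak evidence.  Added example for this
thread; not LanSpy, Linksys or poster code.  Host and port are parameters;
the loopback listeners in demo_local() are constructed."""
import socket
import sys

MYDOOM_PORT = 3127  # the port LanSpy maps to W32.MyDoom, per the post


def probe_tcp(host, port, timeout=1.0):
    """TCP connect scan: a completed handshake proves something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"      # RST came back: nothing listens on that port
        except OSError:
            return "filtered"    # timeout or unreachable: a firewall dropped it


def probe_udp(host, port, timeout=1.0):
    """UDP scan: the only definite answers are a datagram back (open) or an ICMP
    port-unreachable (closed; Linux surfaces it as ECONNREFUSED on a *connected*
    UDP socket).  Silence is 'open|filtered', and many scanners print that as open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected so ICMP errors are delivered to us
        try:
            s.send(b"\x00")
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        except OSError:
            return "filtered"


def demo_local():
    """Run the probes against sockets we control (constructed, loopback only)."""
    results = {}
    # A real TCP listener: the connect scan identifies it unambiguously.
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    port = tcp.getsockname()[1]
    results["tcp_listening"] = probe_tcp("127.0.0.1", port)
    # The same port once the listener is gone: the kernel answers with RST.
    tcp.close()
    results["tcp_nothing"] = probe_tcp("127.0.0.1", port)
    # A UDP socket that never replies: indistinguishable, from outside, from a
    # firewall silently dropping the probe, which is the scanner's dilemma.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    results["udp_silent"] = probe_udp("127.0.0.1", udp.getsockname()[1], timeout=0.5)
    udp.close()
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python probe.py 192.168.1.1
        host = sys.argv[1]
        print(host, "tcp/%d:" % MYDOOM_PORT, probe_tcp(host, MYDOOM_PORT))
        print(host, "udp/%d:" % MYDOOM_PORT, probe_udp(host, MYDOOM_PORT))
    else:
        print(demo_local())
```

Run it from a LAN machine against the router's LAN address (192.168.1.1 is the WRT54G default, an assumption here) and, if you can, against the WAN address from outside. Only a TCP "open" is a finding worth acting on; a UDP "open|filtered" on the router says nothing more than that the router did not send an ICMP error, which is exactly what a firewall is supposed to do.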
  4. nuzzr79 (Network Guru Member)

    Thanks NateHoy...

    All PCs have been cleaned of W32.MyDoom and have that port closed.
    Btw, I'm using WPA with a shared key for the security setup, which I think is secure enough for the moment.

    I will try your advice of port forwarding on the router and let you know how it goes. :thumb:
     
  5. nuzzr79 (Network Guru Member)

    My WRT54G public IP is blocked by CBL. What should I do?

    Now I found that my WRT54G is having another problem.... :(

    The router's public IP address is listed on the CBL website (http://cbl.abuseat.org/) because Sober.X virus spreading was detected coming from my LAN through SMTP port 25. Now my users cannot send email from their Outlook clients.

    I'm trying to get my router delisted, but I have to make sure it's not going to be listed again. How do I set up my WRT54G's NAT settings and the LAN behind it to be free from Sober threats without compromising users' ability to send email through the ISP's SMTP server?

    What can we do in the WRT54G to configure its NAT capability? Do we need third-party firmware to do this, or is the factory firmware good enough?
     
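The policy nuzzr79 is asking for in this last post (LAN hosts may reach the ISP's SMTP relay on port 25 and nothing else on that port) is a per-destination egress rule. Below is an added example, written for this thread rather than taken from Linksys or the posters: the iptables rules such a policy needs on a router running Linux firmware with iptables (DD-WRT, OpenWrt or similar), a small offline mirror of the decision those rules make, and triage of the resulting log lines to find which LAN machine is still spreading the worm. The subnet, WAN interface name and ISP relay address are assumptions (documentation addresses), and the log lines are constructed.

```python
"""Egress policy for outbound SMTP from a NAT'd LAN, for a router running
Linux firmware with iptables (DD-WRT, OpenWrt or similar), plus triage of
the log lines it produces.  Added example for this thread; not Linksys code,
and not something the stock WRT54G web console can express.  LAN_NET, WAN_IF
and ISP_SMTP are assumptions (documentation addresses); SAMPLE_LOG is constructed."""
import ipaddress
import re
from collections import Counter

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: WRT54G default LAN
WAN_IF = "vlan1"                                  # assumption: WAN interface name varies by firmware
ISP_SMTP = ipaddress.ip_address("203.0.113.25")   # assumption: the ISP's SMTP relay
LOG_PREFIX = "SMTP_BLOCK: "


def egress_rules():
    """iptables lines for the firmware's firewall-startup script: port 25 from
    the LAN may reach only the ISP relay; everything else is logged and reset."""
    return [
        "iptables -N SMTP_EGRESS",
        f"iptables -I FORWARD -s {LAN_NET} -o {WAN_IF} -p tcp --dport 25 -j SMTP_EGRESS",
        f"iptables -A SMTP_EGRESS -d {ISP_SMTP} -j RETURN",
        f'iptables -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "{LOG_PREFIX}"',
        "iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset",
    ]


def would_forward(src, dst, dport, proto="tcp"):
    """Offline mirror of that rule set's decision for one new connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto != "tcp" or dport != 25 or src not in LAN_NET:
        return True              # not LAN-originated SMTP: SMTP_EGRESS never sees it
    return dst == ISP_SMTP       # RETURN for the relay, REJECT for anything else


# Field order in a netfilter LOG line: SRC ... DST ... PROTO ... SPT ... DPT.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")


def offenders(log_lines):
    """Blocked attempts per LAN host, most first: the top entry is the machine
    still spreading the worm, the one to take off the network and clean."""
    hits = Counter()
    for line in log_lines:
        if LOG_PREFIX.strip() not in line:
            continue
        m = LOG_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits.most_common()


# Constructed sample of what /var/log/messages (or dmesg) would hold once the
# rules are in place; not real traffic.
SAMPLE_LOG = [
    "Dec 20 09:14:02 kernel: SMTP_BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.37 DST=198.51.100.8 LEN=48 TTL=127 DF PROTO=TCP SPT=1043 DPT=25 SYN",
    "Dec 20 09:14:02 kernel: SMTP_BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.37 DST=198.51.100.21 LEN=48 TTL=127 DF PROTO=TCP SPT=1044 DPT=25 SYN",
    "Dec 20 09:14:03 kernel: SMTP_BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.37 DST=192.0.2.77 LEN=48 TTL=127 DF PROTO=TCP SPT=1045 DPT=25 SYN",
    "Dec 20 09:15:10 kernel: SMTP_BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.12 DST=192.0.2.5 LEN=48 TTL=128 DF PROTO=TCP SPT=3311 DPT=25 SYN",
    "Dec 20 09:15:11 kernel: eth1: link up",
]

if __name__ == "__main__":
    print("\n".join(egress_rules()))
    for host, n in offenders(SAMPLE_LOG):
        print(f"{host}: {n} blocked SMTP connections")
```

Two design points: REJECT with a TCP reset rather than DROP means an Outlook client pointed at the wrong relay fails at once instead of hanging, and the rate-limited LOG keeps a worm's connection storm from filling the router's small log buffer. On the stock firmware, Access Restrictions can block a service by port for a list of PCs but cannot allow it toward one destination only, so the relay exception is the part that needs third-party firmware; the blunt alternative on stock firmware is to block port 25 for every PC except the one that hosts the mail client.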
