03-28-2009 03:55 PM - edited 03-28-2009 03:58 PM
However, I would still recommend:
#1 Changing the default password, if you have not.
#2 If UPnP exists in the router, turning that off.
#3 Making sure remote access to the router is turned off.
You can use any port checking site to see if any port is open from the outside.
If there are any ports open from the outside, that does not mean bad news right away, because it depends on whether you are forwarding any ports.
What you really want is only the ports that you forwarded open from the net.
Gibson Research "Shields UP" is a good site for checking your ports. Stealth status is best. The ports are better off not showing at all. Closed status will still show something is there. Also, turning off responses to ICMP Ping requests in your router is not a bad idea. I have also found the Ident Port 113 responds in many routers, and the way I handle this is to designate one private IP on my network as a deadend. Do not use the deadend IP address for anything on your private network. Also pick an IP that is not in your DHCP distribution list. Forward that port to the deadend and when scanned it will not respond.
"Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)” as well as a list of “6000 usernames and 13000 passwords” which is used for bruteforcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers."
Read more: "psyb0t - A stealthy router-based botnet discovered [Updated] | IRC-Junkie.org - IRC News" - http://www.irc-junkie.org/2009-03-22/psyb0t-a-stealthy-router-based-botnet-discovered/#ixzz0BByn8pYZ
If you are using a router that is vulnerable and a weak password that is easily hacked via the brute force attack that is used, you should easily be able to determine if you are infected. Since port 80 gets blocked by the bot, you will lose basic HTTP connectivity through your router. You would then need to do a factory reset of your router to get it back into its default configuration (this clears the malware from the router) and assign a more robust password.
I would then send a complaint to Verizon.
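The open / closed / stealth distinction and the "only the ports you forwarded should be open" rule from this thread, as an added Python example that is not part of any poster's message. `probe`, `audit` and `THREAD_PORTS` are names chosen for this example; it assumes you point it at your own router's address, from outside your network if you want the WAN-side view.

```python
import socket
import sys

# Ports named in the thread: SSH/Telnet (the brute-forced logins),
# HTTP (router admin page) and Ident (113).
THREAD_PORTS = {22: "ssh", 23: "telnet", 80: "http", 113: "ident"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as open, closed, stealth or unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # a reset came back: no service, but host is visible
    except socket.timeout:
        return "stealth"      # no reply at all: the packet was silently dropped
    except OSError:
        return "unreachable"  # routing/ICMP error: not a clean result
    finally:
        sock.close()


def audit(host, forwarded=(), ports=THREAD_PORTS, timeout=2.0):
    """Return {port: (state, verdict)}; only forwarded ports should be open."""
    report = {}
    for port in sorted(ports):
        state = probe(host, port, timeout)
        if state == "open":
            verdict = "expected" if port in forwarded else "UNEXPECTED"
        elif state == "closed":
            verdict = "visible"   # answers, so a scanner knows a host is there
        else:
            verdict = "ok" if state == "stealth" else "retest"
        report[port] = (state, verdict)
    return report


if __name__ == "__main__":
    # Usage: python portcheck.py <your-own-address> [forwarded ports...]
    if len(sys.argv) < 2:
        sys.exit("usage: portcheck.py HOST [FORWARDED_PORT ...]")
    allowed = {int(p) for p in sys.argv[2:]}
    for port, (state, verdict) in audit(sys.argv[1], allowed).items():
        print(f"{port:>5} {THREAD_PORTS[port]:<7} {state:<11} {verdict}")
```

A port reported as `open` and `UNEXPECTED` is one you did not forward yourself, which is the case the thread says to look for.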