
Alcatel ADSL modems possibly under attack - firmware changed by parties unknown

posted on August 5, 2001 by hitbsecnews

Andrea Costantino is reporting that there seems to be an attack in progress against all Alcatel ADSL modem/router users. Using the EXPERT mode vulnerability and Shimomura's challenge/response EXPERT mode password calculator, someone has upgraded the firmware of all Alcatel modems in Italy, and maybe elsewhere.

It seems that a particular version is being installed by someone on the Alcatel after a portscan to detect it. I've recorded a large portscan against port 21 (the one used to upload the new version) to ALL my public IPs, and all IPs of my ISP. It seems that the intruder scanned with a SYN/FIN portscan to detect the Alcatel and after that he/she put on the new firmware version.

I don't know what the hell the new version does, but sometimes during the upgrade the configuration is lost, so many people blame their ISP or the telco company for service interruptions, but in truth their ADSL is running flawlessly, while the modem has become unconfigured. I suspect that the new version has some kind of backdoor, since the EXPERT mode is disabled in telnet (while the debugging stuff still works with the same challenge/response schema), but the normal user is allowed to do ftp get (while it wasn't allowed before, thanks Luca), and some features seem to appear (the debugging stuff I reported before, td menus).....

From: Andrea Costantino

Hi world of coders,

My modem was upgraded apparently during the period between 0:00 and
4:00 CET on the 3rd of August without losing any configuration, so
I wouldn't have noticed anything without a direct check using "software version"
on the console or via telnet access.

The offending version was:
KHDSAA3.264 with md5 6771623a99d774953d6469ba6f2ccacb

How to downgrade?
First of all, obtain a clean version, with or without Shimomura's patch
(as you wish). I can't send it to a mailing list for copyright reasons
(really sorry!!!!!!).

The two official versions I saw BEFORE the attack were (identified by their
md5sums):

ae93eedcc6bee9d3c24ba6d0f809784e KHDSAA.134
or
5582c3922a2faae789674b6e0ced7e78 KHDSAA.132

Then put it by ftp on your modem. Just remember to put it (in binary mode,
issue the bin command first of all) in the dl directory and exec "quote site gc"
just before the put command.
Now telnet in, or grab your favourite console cable (if you have the Pro
version, of course) and connect it to your modem, then login (if needed..) and issue

=> software setpassive file = KHDSAA.13x

(put your own version, substituting the x with 2 or 4 or whatever..)

=> software switch

the modem reboots
reconnect as fast as you can if you are connected by telnet..

=> software version
just to check if it's running the right version (check the active one!)

=> software deletepassive
delete the 264 one before the modem detects it and reboots with it (it
thinks that 264 is newer, so it tries to run the latest one..).
If you are unable to delete the new one, try the more powerful console
access if you have a Pro version.

If you apply the patches, remember to disable EVERYTHING (apart from
telnet/ftp access, otherwise you won't be able to download any newer
release). No EXPERT access, no TFTP, no VPI 15 AAL5 TFTP/SNMP access =
less trouble in future.

Remember also that many other backdoors may still exist, since many people
running patched versions get their modems upgraded without notice..

Many thanks to Luca "Bluca" Berra and Michele "BaNzO" Zamboni for their
invaluable help while thinking about and patching everything!

Many "thanks" even to the Alcatel people for providing backdoored software and
avoiding public distribution of patches. I hope this incident will
convince them to be more "open" to the coder/hacker community, since security
through obscurity is NOT a good way of life, as Windows teaches.

Otherwise I wish on them the hell of many, many people calling them to
ask for patches.. :)

We kiss your hands (baciamo le mani),
k0

SNP.
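Two checks a practitioner would want around this incident, written as an added example for this page: it is not code from the post, from Andrea Costantino, or from Alcatel. It covers both the SYN/FIN sweep of port 21 described in the introduction and the FTP/console downgrade procedure in the mail: a firmware image is hashed and matched against the three md5sums quoted above before any upload commands are produced, and a set of tcpdump-style lines is searched for a source sending SYN+FIN (a flag combination no legitimate handshake uses) to port 21 on many hosts. The capture lines are constructed, the "cd dl" step is an assumption (the post only says the file must land in the dl directory), and the command strings are taken from the mail as written.

```python
# Added example (not from the post, Andrea Costantino, or Alcatel): gate the downgrade on
# the md5sums quoted in the mail, and detect the SYN/FIN sweep of port 21 in capture lines.
import hashlib
import re
from collections import defaultdict

# md5sums quoted in the post: two official images seen before the attack, and the rogue one.
KNOWN_GOOD = {
    "ae93eedcc6bee9d3c24ba6d0f809784e": "KHDSAA.134",
    "5582c3922a2faae789674b6e0ced7e78": "KHDSAA.132",
}
ROGUE = {
    "6771623a99d774953d6469ba6f2ccacb": "KHDSAA3.264",
}


def classify_digest(md5hex):
    """Map an md5 hex digest to ("clean"|"rogue"|"unknown", image name or the digest)."""
    md5hex = md5hex.lower()
    if md5hex in KNOWN_GOOD:
        return "clean", KNOWN_GOOD[md5hex]
    if md5hex in ROGUE:
        return "rogue", ROGUE[md5hex]
    return "unknown", md5hex


def classify_image(data):
    """Hash the raw image bytes and classify them (same return shape as classify_digest)."""
    return classify_digest(hashlib.md5(data).hexdigest())


def downgrade_plan(data, filename):
    """Return the FTP and console command lines from the post for a downgrade, or None if
    the image is not one of the known-good builds.  'cd dl' is an assumption: the post only
    says the file must be put in the dl directory."""
    verdict, _name = classify_image(data)
    if verdict != "clean":
        return None
    ftp = ["bin", "cd dl", "quote site gc", "put " + filename, "quit"]
    console = [
        "software setpassive file = " + filename,
        "software switch",          # modem reboots here; reconnect quickly if on telnet
        "software version",         # confirm the active build is the one just put
        "software deletepassive",   # remove the 264 image before the modem reverts to it
    ]
    return {"ftp": ftp, "console": console}


# Old-style tcpdump line: "HH:MM:SS.usec src.port > dst.port: FLAGS ..."; flags "SF" = SYN+FIN.
_TCP_LINE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPAUEW.]+)\s"
)


def synfin_scanners(lines, port=21, min_targets=3):
    """Return {source_ip: sorted target ips} for sources that sent SYN+FIN to `port` on at
    least `min_targets` distinct hosts.  SYN and FIN together never occur in a legitimate
    handshake, so a handful of such packets from one source to many hosts is a scan."""
    targets = defaultdict(set)
    for line in lines:
        m = _TCP_LINE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        if int(m.group("dport")) == port and "S" in flags and "F" in flags:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample (not a real capture): one host sweeping port 21 with SYN/FIN across a
# /24, a normal FTP connect (SYN only) plus its reply, and one stray SYN/FIN to port 80.
SAMPLE_TCPDUMP = """\
00:12:01.000001 198.51.100.7.1234 > 192.0.2.10.21: SF 0:0(0) win 1024
00:12:01.000452 198.51.100.7.1234 > 192.0.2.11.21: SF 0:0(0) win 1024
00:12:01.000903 198.51.100.7.1234 > 192.0.2.12.21: SF 0:0(0) win 1024
00:12:01.001354 198.51.100.7.1234 > 192.0.2.13.21: SF 0:0(0) win 1024
00:12:05.220000 192.0.2.50.33001 > 192.0.2.10.21: S 88123:88123(0) win 8760
00:12:05.221000 192.0.2.10.21 > 192.0.2.50.33001: S 5150:5150(0) ack 88124 win 8760
00:14:00.000000 198.51.100.9.2000 > 192.0.2.10.80: SF 0:0(0) win 1024
"""

if __name__ == "__main__":
    print(synfin_scanners(SAMPLE_TCPDUMP.splitlines()))
    # No real image is embedded here, so the plan is refused and None is printed.
    print(downgrade_plan(b"not a real image", "KHDSAA.134"))
```

The md5 match is only a lookup against the short list of builds the post names; it tells you whether the file on disk is one of those images, not whether an unlisted image is safe, which is why downgrade_plan refuses anything it does not recognise rather than treating "unknown" as acceptable.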
