Backdoor on D-Link routers
A German researcher scanned some D-Link nmap devices and discovered open port 23 \ tcp ( telnet ).
Starting Nmap 6.01 ( nmap.org ) at 2013-04-30 13:42 CEST
Nmap scan report for 192.168.178.133
Host is up (0.0067s latency) .
PORT STATE SERVICE VERSION
23 / tcp open telnet D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 1C: BD: B9: A7: 7F: 74 (D-link International PTE Limited)
Service Info: Device : WAP
Nmap scan report for 192.168.178.144
Host is up (0.0068s latency).
PORT STATE SERVICE VERSION
23 / tcp open telnet D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 00: 26: 5A: 38: 7D: 77 (D-Link)
Service Info: Device: WAP
Nmap scan report for 192.168.178.222
Host is up (0.0031s latency).
PORT STATE SERVICE VERSION
23 / tcp open telnet D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 34: 08: 04: DB: 6D: FE (D-Link)
Service Info: Device: WAP
Porsle this researcher looked into the config file and found
#! / bin / sh
image_sign = `cat / etc / config / image_sign`
TELNETD =` rgdb -g / sys / telnetd`
if ["$ TELNETD" = "true "]; then
echo "Start telnetd ..."> / dev / console
if [-f "/ usr / sbin / login"]; then
lf = `rgdb -i -g / runtime / layout / lanif`
telnetd -l" / usr / sbin / login "-u Alphanetworks: $ image_sign -i $ lf &
else
telnetd &
fi
fi
root @ bt: ~ / firmware / DIR300-extracted # cat rootfs / etc / config / image_sign
wrgg19_c_dlwbr_dir300
Those. the password depends on the firmware version in the device. What does this password give root privileges for the device (see the picture below):

Having received the root password, you can also
# cat var / etc / httpasswd
admin: admin
or so:

I must say that this researcher is not the first time picking D-Link equipment and informing the manufacturer about bugs . However, D-Link is somehow not always in a hurry to close them. Or even declares that there will be no fix, because in their opinion, this is not a problem in their equipment, but in the browsers and users of their devices themselves.
A source