March 25, 2008 (Computerworld) Suspicious port scanning that's been tracked back to D-Link Inc. routers may mean a worm or bot is on the loose and infiltrating the popular brand's devices using a three-year-old vulnerability, security researchers at Symantec Corp. said today.

According to Friedrichs, the attacks against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management Protocol) service, a flaw that first showed up in D-Link router firmware in 2005.

"It looks like they're exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers," said Friedrichs, perhaps to conduct "drive-by pharming" attacks that change a router's settings so its users are unknowingly directed to bogus or malicious Web sites instead of the real URLs.

"Having port 23 open on the Internet-facing side is a bad idea in general," said Petko Petkov.

In general, remote SNMP is used primarily in large commercial networks with multiple geographically dispersed offices, and allows SLA monitoring and remote router management. Home users NEVER need Internet access to port 23.