Xmlset roodkcableoj28840ybtide


 * xmlset_roodkcableoj28840ybtide is a known backdoor in some products manufactured by Alpha Networks (originally D-Link's R&D and manufacturing division, spun off in 2003).


 * Changing the browser's User-Agent string to “xmlset_roodkcableoj28840ybtide” (no quotes) is enough to access the web interface without any authentication and to view or change the device settings.
 * If you read this string backwards you will get: edit by 048820 joel backdoor.


 * More information is available on /dev/ttyS0 (Reverse Engineering a D-Link Backdoor).
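
Because the backdoor is triggered by a fixed User-Agent value, requests that use it can be found in HTTP access logs. The following is an added example, not code from the original page or from the /dev/ttyS0 write-up. It assumes Apache/nginx "combined" format logs from a proxy or sensor in front of the device's web interface; the function names, sample lines and request paths are constructed for illustration.

```python
import re
from collections import defaultdict

# User-Agent value named on this page.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Apache/nginx "combined" access-log lines.
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def find_backdoor_requests(lines):
    """Map source address -> [(timestamp, method, path, status)] for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        if BACKDOOR_UA in m["ua"]:  # case-sensitive match on the logged header
            hits[m["src"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

def sources_with_accepted_requests(hits):
    """Sources whose request was not refused (status < 400): the device honoured it."""
    return sorted(src for src, reqs in hits.items() if any(r[3] < 400 for r in reqs))

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2013:10:01:22 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Oct/2013:10:02:03 +0000] "GET / HTTP/1.1" 200 4312 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [12/Oct/2013:10:02:09 +0000] "POST /example-settings-page HTTP/1.1" 200 188 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.44 - - [12/Oct/2013:10:05:40 +0000] "GET / HTTP/1.1" 401 512 "-" "xmlset_roodkcableoj28840ybtide"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    for src, reqs in hits.items():
        for ts, method, path, status in reqs:
            print(f"{src} [{ts}] {method} {path} -> {status}")
    print("accepted without refusal:", sources_with_accepted_requests(hits))
```

A matching request answered with a 401 suggests the device behind the log is not affected, while a 2xx response to a settings page means the request was served without authentication and the device configuration should be reviewed.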

Affected devices
All affected devices appear to use Realtek RTL86xx SoCs.

Confirmed

 * D-Link DIR-100 rev A - first affected device noted in Craig's post
 * D-Link TM-G5240 (FW ver: v4.0.0b29) - tested by M86

Possibly affected (found via a Shodan search for the thttpd build used)

 * D-Link DIR-120 rev A1
 * D-Link DI-624S rev B1
 * D-Link DI-524UP
 * D-Link DI-604S
 * D-Link DI-604UP
 * D-Link DI-604+
 * Planex BRL-04R (likely)
 * Planex BRL-04UR (likely)
 * Planex BRL-04CW
 * Planex BRL-04CW-U (likely)

Discussion

 * Reverse Engineering a D-Link Backdoor - /dev/ttyS0 on Reddit (/r/netsec)
 * On Hacker News