We have a customer who is running an office CCTV system which he accesses from home. The system runs on an embedded Linux box behind a NAT firewall forwarding to ports 8080 for web browser access and 37777 for proprietary software access.
All this has suddenly stopped working and a little investigation shows that TCP SYN packets sent to his IP address (on either port) are getting immediately terminated with RST packets containing the message "Go away, we're not home". Googling this message gets a lot of stuff about the Storm Botnet which apparently does exactly this.
So the question is, how on earth can the Storm Botnet hijack an embedded Linux box? Or am I missing something else entirely?
This NAT firewall -- what hardware and software is it? It's not necessarily the Linux box that would've been hijacked.
I have answered this in case anyone else is unfortunate enough to tread this way in future.
I asked if maybe I was missing something else entirely. It turns out that I was. The problem was in our own router and had three apparent symptoms.
Although this looks like a firmware exploit, it is not consistent with the symptoms of psyb0t.
The router in question was a (rather old) 2Wire Intelligent Gateway 1800 and has been replaced!
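As an added check for anyone diagnosing the symptom described in the question (this is not code from the question or the answer): a small Python parser that flags TCP RST segments carrying a payload. A normal RST carries no data, so a text banner inside one points at whatever device is answering in the path (here it turned out to be the router, not the CCTV box). All addresses, ports and packets below are constructed sample data; checksums are zeroed and not verified.

```python
import struct

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (constructed test input, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (20-byte header), no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload) from a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload = pkt[ihl + data_off:total_len]
    return src, dst, sport, dport, flags, payload


def is_rst_with_payload(pkt):
    """True when the segment is an RST that also carries data (unusual)."""
    _, _, _, _, flags, payload = parse_ipv4_tcp(pkt)
    return bool(flags & TCP_RST) and len(payload) > 0


def suspicious_rst_banners(packets):
    """Return (responder, responding_port, banner) for every RST carrying a payload."""
    found = []
    for pkt in packets:
        src, _, sport, _, flags, payload = parse_ipv4_tcp(pkt)
        if flags & TCP_RST and payload:
            found.append((src, sport, payload.decode("latin-1")))
    return found


# Constructed sample exchange: a SYN to port 8080, the odd RST/ACK with a
# banner in it, and an ordinary RST/ACK with no data.
SAMPLE = [
    build_ipv4_tcp("203.0.113.5", "198.51.100.9", 51000, 8080, TCP_SYN),
    build_ipv4_tcp("198.51.100.9", "203.0.113.5", 8080, 51000, TCP_RST | TCP_ACK,
                   b"Go away, we're not home"),
    build_ipv4_tcp("198.51.100.9", "203.0.113.5", 37777, 51001, TCP_RST | TCP_ACK),
]
```

Feed it packets captured on the WAN side and on the LAN side of the router: if the banner only appears on the WAN side, the router itself is the responder.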