VPNFilter Malware Attacks on Consumer Routers

mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 311
Location: San Francisco Bay Area

Posted: Sat May 26, 2018 0:59    Post subject: VPNFilter Malware Attacks on Consumer Routers
Slashdot reports that the FBI has posted an advisory regarding state sponsored VPNFilter malware attacks on consumer routers - https://www.ic3.gov/media/2018/180525.aspx

https://www.reuters.com/article/us-cyber-routers-ukraine/cyber-firms-warn-on-suspected-russian-plan-to-attack-ukraine-idUSKCN1IO1U9

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
ironmanlok
DD-WRT User


Joined: 16 Jul 2012
Posts: 59

Posted: Tue May 29, 2018 14:15    Post subject:
https://blog.talosintelligence.com/2018/05/VPNFilter.html

Still not much info on specific vulnerabilities it exploited, just curious if DD-WRT ever got infected by it, especially because they identified some infected routers as R7000, R6400 and R8000, which are very common among DD-WRT users.

To be safe, I just checked my /etc/cron.d and found nothing suspicious, but that was expected since I just had to erase nvram to recover from a bricked state.

Maybe people that haven't erased nvram in a while could check their /etc/cron.d and post the findings?
sesshomaru86
DD-WRT Novice


Joined: 03 May 2017
Posts: 17
Location: Wien

Posted: Tue May 29, 2018 19:38    Post subject:
ironmanlok wrote:

To be safe, I just checked my /etc/cron.d and found nothing suspicious, but that was expected since I just had to erase nvram to recover from a bricked state.

Maybe people that haven't erased nvram in a while could check their /etc/cron.d and post the findings?


Sorry for the noobish question, but after telnet or ssh on the router, how do I check /etc/cron.d? Linux commands don't seem to work here. Any help please? I can't figure out how to check this directory. What are the respective commands for ls / sudo / nano editor inside DD-WRT?
Louis-Jean
DD-WRT Novice


Joined: 10 Dec 2015
Posts: 37

Posted: Wed May 30, 2018 1:14    Post subject:
sesshomaru86 wrote:


Sorry for the noobish question, but after telnet or ssh on the router, how do I check /etc/cron.d? Linux commands don't seem to work here. Any help please? I can't figure out how to check this directory. What are the respective commands for ls / sudo / nano editor inside DD-WRT?


Typical Unix/Linux commands: cd, ls, cat, piping through more:

cd /etc/cron.d
ls -A
cat *filename* | more

DD-WRT doesn't use sudo and you're already logged in as root anyway, right?

Mine just contains a link to /sbin/check_ps, which AFAICT is part of DD-WRT and not a foreign command, so I guess I'm good. I'm investigating whether I should flash a newer version than the v3.0 build 31924 I have on my Linksys E1200 rev.2, which is on the list of known-affected devices. I changed the admin user name too, and just changed the password to something stronger, which won't hurt in the meantime, as long as I don't forget what I changed them to.
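The manual check above (list /etc/cron.d, see where each entry points) as a small BusyBox-compatible script, written here as an added example and not posted by anyone in this thread. It assumes the only expected entry is the /sbin/check_ps link mentioned above, and flags anything else, including regular crontab fragments, whose contents it prints so you can see what they would run.

```shell
#!/bin/sh
# Added example: audit a cron.d directory for entries other than the
# DD-WRT check_ps link. Uses only ls/readlink/basename/sed, which BusyBox
# provides. The allowlist below is an assumption based on this thread.
EXPECTED_TARGETS="/sbin/check_ps"

# audit_cron_dir DIR
# Prints one line per entry; returns 1 if any entry is not on the allowlist.
audit_cron_dir() {
    dir="$1"
    unexpected=0
    # Second pattern picks up dotfiles, which "ls" without -A would hide.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # An unmatched glob stays literal; skip it (dangling links still count).
        if [ ! -e "$entry" ] && [ ! -L "$entry" ]; then continue; fi
        name=$(basename "$entry")
        status="UNEXPECTED"
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            for ok in $EXPECTED_TARGETS; do
                if [ "$target" = "$ok" ]; then status="expected"; fi
            done
            echo "$name -> $target [$status]"
        else
            # A regular file here is a crontab fragment: show what it schedules.
            echo "$name (regular file) [$status]"
            sed 's/^/    /' "$entry"
        fi
        if [ "$status" = "UNEXPECTED" ]; then unexpected=1; fi
    done
    return $unexpected
}

# Usage on the router: sh audit_cron.sh /etc/cron.d
if [ $# -gt 0 ]; then
    audit_cron_dir "$1" || echo "unexpected cron.d entries found"
fi
```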
hushcoden
DD-WRT Novice


Joined: 30 Jan 2018
Posts: 17

Posted: Wed May 30, 2018 20:07    Post subject:
Just checked my R7000 running v3.0-r36000M and the 'ls' command gives check_ps as output.

Am I good ?
sesshomaru86
DD-WRT Novice


Joined: 03 May 2017
Posts: 17
Location: Wien

Posted: Wed May 30, 2018 20:30    Post subject:
Louis-Jean wrote:
sesshomaru86 wrote:


Sorry for the noobish question, but after telnet or ssh on the router, how do I check /etc/cron.d? Linux commands don't seem to work here. Any help please? I can't figure out how to check this directory. What are the respective commands for ls / sudo / nano editor inside DD-WRT?


Typical Unix/Linux commands: cd, ls, cat, piping through more:

cd /etc/cron.d
ls -A
cat *filename* | more

DD-WRT doesn't use sudo and you're already logged in as root anyway, right?

Mine just contains a link to /sbin/check_ps, which AFAICT is part of DD-WRT and not a foreign command, so I guess I'm good. I'm investigating whether I should flash a newer version than the v3.0 build 31924 I have on my Linksys E1200 rev.2, which is on the list of known-affected devices. I changed the admin user name too, and just changed the password to something stronger, which won't hurt in the meantime, as long as I don't forget what I changed them to.


Perfect! You are right. Didn't know the shell was based on BusyBox. I'm good too. At least if that kind of malware isn't more stealthy and resides in some other dark part of my router xD, but I refuse to flash and configure everything from the beginning.
shortspider
DD-WRT Novice


Joined: 13 Dec 2017
Posts: 16

Posted: Wed Jun 06, 2018 17:00    Post subject:
So what exactly needs to be done to remove the malware if I was infected? I assume I would need to clear the nvram, would a 30/30/30 reset do that? Then right away flash a new build on there?

Appreciate any advice.

Router: Netgear R7000
Firmware: DD-WRT v3.0-r35916 std ( 05/11/18 )
k9lego
DD-WRT Novice


Joined: 09 Jun 2018
Posts: 1

Posted: Sat Jun 09, 2018 2:40    Post subject: Hmmm
Yikes! My router has been acting really unreliably recently. I have a double NAT for security. One is a Motorola cable modem/router, and one is an R6900 (Costco's version of the R7000, with the DD-WRT R7000 edition).
Are there any other potential hiding places for malware other than the cron folder?
phinn
DD-WRT User


Joined: 15 Sep 2014
Posts: 51

Posted: Mon Jun 11, 2018 15:52    Post subject:
shortspider wrote:
So what exactly needs to be done to remove the malware if I was infected? I assume I would need to clear the nvram, would a 30/30/30 reset do that? Then right away flash a new build on there?

Appreciate any advice.

Router: Netgear R7000
Firmware: DD-WRT v3.0-r35916 std ( 05/11/18 )


No, it's been made very clear 30/30/30 is obsolete and can only damage your router at this point. You would want to do "nvram erase" from SSH shell or just do it from the web UI.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

Posted: Mon Jun 11, 2018 19:44    Post subject:
phinn wrote:
You would want to do "nvram erase" from SSH shell or just do it from the web UI.
It is `erase nvram`, and the GUI reset is not the same.

`nvram erase` is a CFE command using serial.

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4