Multiple successful root password logins in syslog

DD-WRT Forum Index -> Advanced Networking
Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Wed Nov 16, 2022 8:50    Post subject: Multiple successful root password logins in syslog
From external IP addresses (why remote login was enabled remains a mystery).

I am spooked, remote login should not have been enabled. How do I rectify this?

_________________
Google is Spyware
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Nov 16, 2022 9:10    Post subject:
Remote login is off by default on almost all routers (some exotic ones which are not in the public repo excepted).

It can be found on the Administration/Management page under Remote Access.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Thu Nov 17, 2022 7:12; edited 1 time in total
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Nov 16, 2022 14:55    Post subject: Re: Multiple successful root password logins in syslog
Fried Chicken wrote:
From external IP addresses (why remote login was enabled remains a mystery).

I am spooked, remote login should not have been enabled. How do I rectify this?

router model / firmware number ??? missing as always...???
when there are complaints...posts must start with it..!!

I've found this on my R7800 (50841) and I can confirm my remote https via GUI was not turned on...hmmm

nvram show | grep remote_mgt
size: 52656 bytes (78416 left)
remote_mgt_ssh=1
remote_mgt_telnet=0
remote_mgt_https=1

then I did..

nvram set remote_mgt_https=0
nvram commit
reboot


good find..

P.S. depending on router model/firmware you can try:

lsof -i -P -n

and this will show if anything strange connected comes out...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Wed Nov 16, 2022 16:29    Post subject:
dd-wrt x86

firmware DD-WRT v3.0-r48865 std (05/13/22)

idk why remote access was enabled

blkt
DD-WRT Guru
Joined: 20 Jan 2019
Posts: 5660

Posted: Wed Nov 16, 2022 16:33    Post subject:
nvram show | grep remote_

remote_mgt_ssh=0
remote_mgt_telnet=0
remote_mgt_https=0
remote_ip_any=1
remote_ip=0.0.0.0 0
remote_management=0

These are the defaults.
Maybe, wipe the drive?
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Nov 16, 2022 16:35    Post subject:
Yep, it was odd to me too, I usually have only ssh (key cyphered) as a remote mng...

48865 is too old and has lots of security holes and missing updated binaries..better move to the most recent 50841..then reset and manually rebuild settings...

dale_gribble39
DD-WRT Guru
Joined: 11 Jun 2022
Posts: 1899

Posted: Wed Nov 16, 2022 16:39    Post subject:
If you enable remote management, ssh and https are enabled by default.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Wed Nov 16, 2022 17:34    Post subject:
I don't recall ever enabling remote management, that's what scares me.

Then there's the successful root logins from several different IP addresses showing up in syslog.

egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Nov 16, 2022 17:38    Post subject:
My defaults:
Code:
root@R7800:~# nvram show | grep remote
size: 33402 bytes (97670 left)
remote_mgt_ssh=0
remote_mgt_telnet=0
remote_mgt_https=0
remote_ip_any=1
remote_ip=0.0.0.0 0
remote_management=0
root@R7800:~#
So everything is looking as it should at my end; this router has been reset to defaults recently and rebuilt manually, and remote management was never enabled as this is the internet-connected router.
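The checks this thread keeps coming back to, pulled together into one script: Alozaros's `nvram show | grep remote_mgt` compared against the defaults that blkt and egc posted, plus a scan of syslog for the successful root logins from several external addresses that Fried Chicken reported. This is an added example, not code from the thread or from the DD-WRT project. The nvram dump and the syslog excerpt are constructed samples (the syslog lines follow the style of dropbear's "Password auth succeeded" message); on a real router you would feed the script the output of `nvram show` and the syslog instead.

```shell
#!/bin/sh
# Added example, not from the thread or the DD-WRT project.
# Audits remote-management nvram keys against known defaults and lists
# successful root password logins that came from non-private addresses.
# Every input below is a constructed sample.

# Constructed `nvram show` output modelled on the values posted in the thread
# (remote_mgt_ssh=1 and remote_mgt_https=1 are the non-default values).
SAMPLE_NVRAM='size: 52656 bytes (78416 left)
remote_mgt_ssh=1
remote_mgt_telnet=0
remote_mgt_https=1
remote_ip_any=1
remote_ip=0.0.0.0 0
remote_management=0'

# Expected defaults, as posted by blkt and egc.
DEFAULT_NVRAM='remote_mgt_ssh=0
remote_mgt_telnet=0
remote_mgt_https=0
remote_ip_any=1
remote_ip=0.0.0.0 0
remote_management=0'

# Constructed syslog excerpt in the style of dropbear's auth messages.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_SYSLOG="Nov 16 03:12:01 router dropbear[1234]: Password auth succeeded for 'root' from 192.168.1.20:51000
Nov 16 03:40:17 router dropbear[1301]: Password auth succeeded for 'root' from 203.0.113.45:40211
Nov 16 04:02:55 router dropbear[1377]: Bad password attempt for 'root' from 198.51.100.7:55120
Nov 16 04:03:09 router dropbear[1377]: Password auth succeeded for 'root' from 198.51.100.7:55121
Nov 16 05:15:30 router dropbear[1402]: Password auth succeeded for 'root' from 203.0.113.45:40399"

# Print one "key current=X default=Y" line for every remote_* key in $1
# whose value differs from the default in $2. Lines that are not remote_*
# settings (such as the "size:" header) are ignored.
nvram_deviations() {
  printf '%s\n' "$1" | grep '^remote_' | while IFS='=' read -r key val; do
    def=$(printf '%s\n' "$2" | grep "^$key=" | cut -d= -f2-)
    [ "$val" = "$def" ] || printf '%s current=%s default=%s\n' "$key" "$val" "$def"
  done
}

# Return 0 for RFC 1918 and loopback addresses, 1 for anything else.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|127.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the distinct non-private source addresses of successful root
# password logins in the syslog text $1 (failed attempts are not counted).
external_root_logins() {
  printf '%s\n' "$1" | grep "Password auth succeeded for 'root' from" |
    sed "s/.*from \([0-9.][0-9.]*\):[0-9]*.*/\1/" |
    while read -r ip; do
      is_private_ip "$ip" || printf '%s\n' "$ip"
    done | sort -u
}

# Run both checks on the samples; return 1 if either finds something.
report() {
  rc=0
  dev=$(nvram_deviations "$SAMPLE_NVRAM" "$DEFAULT_NVRAM")
  if [ -n "$dev" ]; then
    echo "remote management settings differ from defaults:"; echo "$dev"; rc=1
  fi
  ext=$(external_root_logins "$SAMPLE_SYSLOG")
  if [ -n "$ext" ]; then
    echo "successful root logins from external addresses:"; echo "$ext"; rc=1
  fi
  return $rc
}

report || echo "audit: findings above need attention"
```

On the sample data the first check reports `remote_mgt_ssh` and `remote_mgt_https` as set to 1 against a default of 0, and the second lists 198.51.100.7 and 203.0.113.45 as external sources of successful root logins, which is exactly the combination the thread is worried about. The private-address filter only separates LAN-side logins from WAN-side ones; a successful root login from the LAN still deserves a look if nobody on the LAN should have been logging in.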
Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Thu Nov 17, 2022 4:25    Post subject:
FUCK

I think someone installed a bitcoin miner or something. How the FUCK did this happen...

Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Thu Nov 17, 2022 5:01    Post subject:
Just did a nvram erase && reboot
then did a firmware upgrade

Remote access is enabled by default (which intuitively it has to be for someone managing dd-wrt remotely)

I am still concerned, someone with root access could have done anything. This is properly fucked, I really fucked up here. Does the firmware upgrade effectively erase everything on there?

I am not a linux/unix guru, and I don't even know how/where software would be installed. I'm thinking of wiping the drive completely then re-installing dd-wrt the hard way manually. How does the registration/serialization of dd-wrt for printer and usb support work?

egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Nov 17, 2022 7:33    Post subject:
Firmware upgrade erases everything; it is like reinstalling Windows on your PC.

For the record, you have the order wrong: you have to reset to defaults *after* the upgrade.

I just reinstalled an R7000 and after a reset all remote management was off as it is supposed to be.

dale_gribble39
DD-WRT Guru
Joined: 11 Jun 2022
Posts: 1899

Posted: Thu Nov 17, 2022 13:10    Post subject:
You should consider doing the update with the machine unaware of any network, whatsoever. Also, you overwrite the entire drive when you flash x86. Furthermore, if you have problems resetting to defaults, etc., you have to wipe the drive (write zeros):

https://wiki.dd-wrt.com/wiki/index.php/X86

Fried Chicken
DD-WRT User
Joined: 12 Jun 2019
Posts: 142

Posted: Thu Nov 17, 2022 16:44    Post subject:
dale_gribble39 wrote:
You should consider doing the update with the machine unaware of any network, whatsoever. Also, you overwrite the entire drive when you flash x86. Furthermore, if you have problems resetting to defaults, etc., you have to wipe the drive (write zeros):

https://wiki.dd-wrt.com/wiki/index.php/X86

This is what I plan on eventually doing. I just forgot how I did it the first time.

blkt
DD-WRT Guru
Joined: 20 Jan 2019
Posts: 5660

Posted: Fri Nov 18, 2022 8:09    Post subject:
blkt wrote:
Maybe, wipe the drive?

Without knowing how passwords were compromised, secure erase any local computers or at the very least run scans.
I would back up everything, start over, then scan images later offline or maybe in a sandbox or VM such as VirtualBox.
Page 1 of 2. All times are GMT.