Search results

  1. Swistheater

    Malware /jffs/updater script.

    Here is the asd.log from jffs, and yes, the asd.log was one of the things I copied. It looks like gibberish to me.
  2. Swistheater

    Malware /jffs/updater script.

    Well, so far I am good. Nothing anomalous has taken place since I did the hard reset; I will just keep an eye out.
  3. Swistheater

    Malware /jffs/updater script.

    As much as I would like to believe this is the case, that went out the window today as I turned on several workstations that haven't been used in months. I updated the virus security definitions and ran security scans. Not a trace of infection on any. Ran virus checks on mobile devices as well...
  4. Swistheater

    Malware /jffs/updater script.

    It makes sense though; how else would someone know they could monetize off the source router's connection? Obviously, the person knew what they were doing. It is a highly targeted approach to achieving their goal.
  5. Swistheater

    Malware /jffs/updater script.

    It could possibly be DDNS related; however, one factor to consider is that the wget log I posted shows the first appearance happened right after a firmware update check on the router was conducted. (9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O...
  6. Swistheater

    Malware /jffs/updater script.

    Hah, it most likely utilized an unknown security flaw present on the router, because no devices were present on the network the day that script originated. I was out of town.
  7. Swistheater

    Malware /jffs/updater script.

    All I can say is the whole address changed, including the range it resides in.
  8. Swistheater

    Malware /jffs/updater script.

    I spoofed my MAC address to force an IP update by the modem.
  9. Swistheater

    Malware /jffs/updater script.

    Do you think routers on John's fork could be impacted?
  10. Swistheater

    Malware /jffs/updater script.

    I saw it using htop when the script was running, and I was able to access it manually using WinSCP directly to the /jffs/* directory. I couldn't see it in SSH, as @ColinTaylor pointed out it hijacks the ./profile so that file appears invisible using "ls" per terminal session. I also saw it when...
  11. Swistheater

    Malware /jffs/updater script.

    UPnP "Secure" was enabled, WAN access completely disabled. I had Skynet installed using Skynet's default lists, and Diversion Lite installed using the large blocklist. I just placed an order online for a new SSD. It should arrive tomorrow. I will manually reinstall the scripts in my signature one by one.
  12. Swistheater

    Malware /jffs/updater script.

    @ColinTaylor I literally had to manually copy any of my custom jffs script contents because all the permissions in JFFS were messed up, making it completely unfeasible for me to tar and restore by excluding the contents of the malware "/jffs/updater". if cat ~/.profile | grep "alias ls='f()" then...
  13. Swistheater

    Malware /jffs/updater script.

    I saved the log and a few other file contents in jffs before I wiped. I just wasn't really sure if it would provide any real details. @thelonelycoder is the mastermind on me providing the details from it. I am surprised he is the first person to say something. The fact that I did a hard reset...
  14. Swistheater

    Malware /jffs/updater script.

    (4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt (2425)/bin/sh /usr/sbin/webs_update.sh (1)watchdog (0)/sbin/init (5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt (2425)/bin/sh...
  15. Swistheater

    Malware /jffs/updater script.

    The weird thing is I noticed an issue where the router would go through spells where my internet services kept getting interrupted. My AiMesh nodes kept experiencing heavy interference from the CPU throttling taking place every time the wget command ran. I really noticed the anomalous behaviors once...
  16. Swistheater

    Malware /jffs/updater script.

    The scripts I had installed are listed in the signature, except @Viktor Jaep's script VPNMON-R2, which I have not used in a few months since I canceled my VPN services. No ports were open. Remote access disabled. AiProtect was turned on; I forgot to save its history before nuking the router. VPN...
  17. Swistheater

    Malware /jffs/updater script.

    I wish I was that skilled.
  18. Swistheater

    Malware /jffs/updater script.

    Crazy that it was like that. I saw wget going across htop. From seeing the htop output, I was able to determine the script's location in jffs.
  19. Swistheater

    Malware /jffs/updater script.

    First thing I noticed was abnormal CPU spikes. My CPU was thrashing, and there was no network traffic taking place on my network that would warrant the level of thrashing taking place.
  20. Swistheater

    Malware /jffs/updater script.

    Actually, it is May 2nd. I read the wrong file, but the date stamp is accurate.