
AC3200 w 384.13_10 2.384 w Diversion-Entware stops after a few minutes


TrueGret

New Around Here
Greetings -

First, thanks and kudos to all the developers that have worked on this project. I think it is amazing and makes sense to halt unwanted ads before it gets to our devices. I will be more than happy to donate to the cause (reminds me a bit of the old days of Shareware).

I need a little nudge and help please.
I had followed the great step-by-step (I am pretty certain) instructions of getting Diversion installed on my
RT-AC3200
Merlin 384.13_10
Entware via amtm
32GB thumb-drive in USB-2
1TB WD Passport in USB-3


Diversion seems to run for a short time after a router reboot. Maybe 10 minutes or less. After the reboot, I go to sites I know have a lot of ads (not hard to find), and there is a placeholder for an image (I'll install pixelserv-tls when I get diversion to stay running). After a short period the images return. When I SSH via PuTTY, and perform
my_creds@FamilyShare:/tmp/home/root# diversion help
-sh: diversion: not found


I am sure I am doing something wrong .... any assistance or expertise would be greatly appreciated. Thank you in advance.
 
Reboot the router again and then keep the router's WebUI SysLog open. Watch for USB or Diversion errors.
Also, Diversion 5.x does not use pixelserv-tls anymore.
 
Open amtm and check for updates and install them if there are any.
I have an important amtm update out, read about it on https://diversion.ch/
 
All the updates are applied (as far as I know - I performed the "u", not "forced").
Thank you for the rapid response. Nothing stood out in the log (USB or Diversion errors). I do have a question regarding the jobs and their timing. Does this look correct?

00 2 * * Mon /bin/sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * /bin/sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
* * * * * /jffs/updater #updater#

After the router had been running for about an hour+, I attempted to install WebUI stats and earned this:
uiDivStats installation not possible,
Diversion is not installed

I'll
 
Reboot the router again and then keep the router's WebUI SysLog open. Watch for USB or Diversion errors.
Also, Diversion 5.x does not use pixelserv-tls anymore.
Thank you for the rapid responses.
All the updates are applied (as far as I know - I performed the "u", not "forced").
BTW - I assume by WebUI you are speaking of the ASUS interface when connecting via a browser?

This is the cron-jobs config- do they look correct?
00 2 * * Mon /bin/sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * /bin/sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
* * * * * /jffs/updater #updater#


I don't know the proper etiquette on forums (post the log text or attach the log), so I'll start with a log snippet around the "Exiting due to fatal error message" (below). I have attached the log as well (I don't think there is anything secret or private - let me know best practices, please).

Jan 19 02:03:17 kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 19 02:03:17 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan 19 02:03:19 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Jan 19 02:03:19 kernel: device tun21 entered promiscuous mode
Jan 19 02:03:19 dhcp_client: bound 192.168.12.4 via 192.168.12.1 during 86400 seconds.
Jan 19 02:03:23 ovpn-server1[1882]: Multiple --up scripts defined. The previously configured script is overridden.
Jan 19 02:03:23 ovpn-server1[1882]: OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 28 2020
Jan 19 02:03:23 ovpn-server1[1882]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.08
Jan 19 02:03:23 ovpn-server1[1883]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 19 02:03:23 ovpn-server1[1883]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jan 19 02:03:23 ovpn-server1[1883]: Diffie-Hellman initialized with 2048 bit key
Jan 19 02:03:23 ovpn-server1[1883]: TUN/TAP device tun21 opened
Jan 19 02:03:23 ovpn-server1[1883]: TUN/TAP TX queue length set to 1000
Jan 19 02:03:23 ovpn-server1[1883]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jan 19 02:03:23 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Jan 19 02:03:23 ovpn-server1[1883]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Jan 19 02:03:23 ovpn-server1[1883]: /bin/sh /jffs/updater tun21 1500 1622 10.8.0.1 255.255.255.0 init
Jan 19 02:03:35 ovpn-server1[1883]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Jan 19 02:03:35 ovpn-server1[1883]: Exiting due to fatal error
Jan 19 02:04:02 rc_service: service 2056:notify_rc restart_vpnserver1
Jan 19 02:04:02 custom_script: Running /jffs/scripts/service-event (args: restart vpnserver1)
Jan 19 02:04:06 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Jan 19 02:04:06 kernel: device tun21 entered promiscuous mode
Jan 19 02:04:07 ovpn-server1[2316]: Multiple --up scripts defined. The previously configured script is overridden.
Jan 19 02:04:07 ovpn-server1[2316]: OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 28 2020
Jan 19 02:04:07 ovpn-server1[2316]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.08
Jan 19 02:04:07 ovpn-server1[2317]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 19 02:04:07 ovpn-server1[2317]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jan 19 02:04:07 ovpn-server1[2317]: Diffie-Hellman initialized with 2048 bit key
Jan 19 02:04:07 ovpn-server1[2317]: TUN/TAP device tun21 opened
Jan 19 02:04:07 ovpn-server1[2317]: TUN/TAP TX queue length set to 1000
Jan 19 02:04:07 ovpn-server1[2317]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jan 19 02:04:07 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Jan 19 02:04:07 ovpn-server1[2317]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Jan 19 02:04:07 ovpn-server1[2317]: /bin/sh /jffs/updater tun21 1500 1622 10.8.0.1 255.255.255.0 init
Jan 19 02:04:07 ovpn-server1[2317]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jan 19 02:04:07 ovpn-server1[2317]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jan 19 02:04:07 ovpn-server1[2317]: setsockopt(IPV6_V6ONLY=0)
Jan 19 02:04:07 ovpn-server1[2317]: UDPv6 link local (bound): [AF_INET6][undef]:31194
Jan 19 02:04:07 ovpn-server1[2317]: UDPv6 link remote: [AF_UNSPEC]
Jan 19 02:04:07 ovpn-server1[2317]: MULTI: multi_init called, r=256 v=256
Jan 19 02:04:07 ovpn-server1[2317]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jan 19 02:04:07 ovpn-server1[2317]: Initialization Sequence Completed
Jan 19 02:17:17 acsd: selected channel spec: 0xe29b (157/80)
Jan 19 02:17:17 acsd: Adjusted channel spec: 0xe29b (157/80)
Jan 19 02:17:17 acsd: selected channel spec: 0xe29b (157/80)
Jan 19 02:32:18 acsd: selected channel spec: 0xe29b (157/80)
Jan 19 02:32:18 acsd: Adjusted channel spec: 0xe29b (157/80)
Jan 19 02:32:18 acsd: selected channel spec: 0xe29b (157/80)
Jan 19 02:32:37 asusware: re-mount partition /dev/sdb1...
Jan 19 02:32:37 disk_monitor: re-mount partition
Jan 19 02:32:37 kernel: tntfs info (device sdb1, pid 4603): ntfs_fill_super(): fail_safe is enabled
Jan 19 02:32:37 kernel: tntfs info (device sdb1, pid 4603): load_system_files(): NTFS volume name 'FamilyShare', version 3.1 (cluster_size 4096, PAGE_CACHE_SIZE 4096).
Jan 19 02:32:38 syslog: USB ntfs fs at /dev/sdb1 mounted on /tmp/mnt/FamilyShare
Jan 19 02:32:38 usb: USB ntfs fs at /dev/sdb1 mounted on /tmp/mnt/FamilyShare.
Jan 19 02:32:38 asusware: done.
Jan 19 02:32:38 disk_monitor: done
Jan 19 02:32:43 custom_script: Running /jffs/scripts/post-mount (args: /tmp/mnt/FamilyShare)
Jan 19 02:32:43 Entware: (Notice) /tmp/mnt/FamilyShare does not contain Entware, skipping device
Jan 19 02:32:43 rc_service: hotplug 575:notify_rc restart_nasapps
Jan 19 02:32:43 custom_script: Running /jffs/scripts/service-event (args: restart nasapps)
Jan 19 02:32:44 iTunes: daemon is stopped
Jan 19 02:32:44 FTP_Server: daemon is stopped
Jan 19 02:32:44 Samba_Server: smb daemon is stopped
 

Attachments

  • 20240119_0000-0950_syslog.txt
    458.2 KB · Views: 16
You stopped mid sentence.
What is that updater, looks iffy to me, runs every minute.
The Diversion cron jobs look right.
 
asusware: re-mount partition /dev/sdb1...
Yeah, you have something strange going on. This is outside of Merlin or amtm region.
Be a good sport and start from scratch with your router.

Set format /jffs partition in the WebUI, reboot router, then update firmware to latest version.
Then, after that, format your USB device with amtm fd.
Then install scripts only using what amtm offers.
 
Oh, you are using the latest available FW for your router.
Do everything above and instead of updating firmware, do a reset to factory defaults.
 
You stopped mid sentence.
What is that updater, looks iffy to me, runs every minute.
The Diversion cron jobs look right.
My bad .... ignore that one ( "I'll ...." ).
Don't know what the updater is but looks like /jffs/updater #updater# is in the diversion (jffs) area (based on diversion.ch release notes).
 
Don't know what the updater is but looks like /jffs/updater #updater# is in the diversion (jffs) area (based on diversion.ch release notes
Every script somehow is linked, referenced or runs off of /jffs. And so does Diversion.
It is 100% not related to any of my scripts. Might be malware, might be goodware - I would get rid of it with what I suggested.
 
I get it .... as I work more with it, I am getting a better understanding of what is what here. I'm not a Linux guy (although I followed Leo LaPorte before The Screen Savers days), but am forced to learn more about jffs, and the router landscape.

I'll update this thread when I recover. Thanks again, guys.
 
You stopped mid sentence.
What is that updater, looks iffy to me, runs every minute.
The Diversion cron jobs look right.
looks like his jffs has been hacked/malwared. * * * * * /jffs/updater #updater#
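
A defender-side check for the two signals raised in this thread: the every-minute `/jffs/updater` cron entry and the same script being run by `ovpn-server1` in the posted syslog. This is an added example, not part of any post and not Diversion or amtm code; the allowlist and the function names are assumptions, and the sample input is copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag unexpected cron jobs and
# scripts that OpenVPN was seen executing in syslog.

# Assumption: the only expected jobs are the three Diversion entries
# the thread confirms as correct (schedule fields stripped).
ALLOWED_JOBS='/bin/sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
/bin/sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
diversion count_ads count #Diversion_CountAds#'

# audit_cron: crontab lines on stdin -> "reason<TAB>command" per finding.
audit_cron() {
    while read -r min hour dom mon dow cmd; do
        case "$min" in ''|'#'*) continue ;; esac   # skip blanks and comments
        reason=''
        # Exact match on the command, so a borrowed "#tag#" alone does not pass.
        printf '%s\n' "$ALLOWED_JOBS" | grep -Fxq -- "$cmd" || reason='not-allowlisted'
        if [ "$min $hour $dom $mon $dow" = '* * * * *' ]; then
            reason="${reason:+$reason,}every-minute"
        fi
        if [ -n "$reason" ]; then printf '%s\t%s\n' "$reason" "$cmd"; fi
    done
}

# ovpn_hook_scripts: syslog lines on stdin -> unique paths that an
# ovpn-* process ran through /bin/sh (the form seen in the posted log).
ovpn_hook_scripts() {
    sed -n 's|^.* ovpn-[^ ]*: /bin/sh \([^ ]*\).*$|\1|p' | sort -u
}

# Sample input: lines copied from the thread.
SAMPLE_CRON='00 2 * * Mon /bin/sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * /bin/sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
* * * * * /jffs/updater #updater#'

SAMPLE_LOG='Jan 19 02:03:23 ovpn-server1[1883]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jan 19 02:03:23 ovpn-server1[1883]: /bin/sh /jffs/updater tun21 1500 1622 10.8.0.1 255.255.255.0 init
Jan 19 02:04:07 ovpn-server1[2317]: /bin/sh /jffs/updater tun21 1500 1622 10.8.0.1 255.255.255.0 init'

printf '%s\n' "$SAMPLE_CRON" | audit_cron
printf '%s\n' "$SAMPLE_LOG" | ovpn_hook_scripts
```

On the router, the cron listing from `cru l` and the saved syslog can be piped into the two functions in place of the samples. A path reported by both is persisting through more than one mechanism, so removing the cron line alone would not clear it.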

 
Thanks for the info ... the credentials changed (from "admin") on day one when I bought the router a few years ago.

I noticed in the thread about jffs malware, and what the source of the hack might have been. It might be noteworthy that a few months ago, when my son was home for the summer from college, he (through a bit-torrent or some means I do not know about) downloaded a newly released movie. We received notification from our provider of this and it was a terms violation.

I started monitoring the daily web traffic levels (compared routed traffic to provider traffic), and for a few months (after our son returned to school) we were "exceeding our limit" (2TB/month or something like this). There was about a 20GByte daily discrepancy. I then shut down the router for a few days and noticed there was 20GBytes each day still showing up on the provider logs. I since switched providers.

I'm guessing during that movie download is likely/possibly when the hack occurred. Maybe?

I'm starting a fresh factory reset and installs.
 
Could have been a router misconfiguration where certain ports were open to the wild open internet, and they breached your router through some vulnerability. Or, some malware slipped in onto one of your internal PCs, and did a sweep of your local network, found your router, and pushed malware directly onto your router through some other vulnerability, or perhaps a weak or cached password.

It helps to make sure you are always on the latest firmware, that you have all ports closed facing the internet, that you have changed your router's username and password to something complex, and that you have updated OS/patches and Antimalware/virus programs running locally on your PCs.
 
Thanks Viktor - good advice.

I had switched to Win11 on one device (and sort of hate it), keep it current with updates.
Another pair of devices (mother-in-law and my wife's) are still on Win10 and "prefer I don't update" their devices. I am going to have to insist.

What are the recommended best practices to purge "cached passwords"? Is it to change them occasionally?

cheers
 
Once malware is running on your machine, you can't trust anything you type on your keyboard. Any password (or bank account, credit card number, you name it) you type could be intercepted, or it may have a go at your password storage/caches (typically encrypted but hackable) on your PC. You can't delete these - they are necessary parts of any OS. There's really no telling how, but they have many ways at getting to this info in order to breach your bank accounts or equipment. If you find any trace of malware on machines you were using, make sure you change your passwords for your most critical services from a clean PC... such as financial institutions, and keep these complex passwords locked away in a password vault.
 
Every script somehow is linked, referenced or runs off of /jffs. And so does Diversion.
It is 100% not related to any of my scripts. Might be malware, might be goodware - I would get rid of it with what I suggested.
I never suggested it was/is your script. It has been years since I dug into a Linux box (and I am a retired software/electronics engineer - started my career when an upgrade from a 10MB hard-drive to 20MB hard-drive (yes, MB)). Every character and logs on this device (AC3200) is new to me, so I just ask that you be patient.

Update: I believe I have installed what I wanted, Entware and Diversion (see attached screenshot). I now know what the WebUI is.....
This time I added a 2GB (followed the recommendations) swap file when formatting the 32GB.

It still quits after a short period of time (20-30 minutes) after a reboot.

I checked the cron jobs and the one in question is now gone.
00 2 * * Fri /bin/sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * /bin/sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#


I don't know what I am looking for in the logs. I did/do not see any errors or fatal messages near Diversion entries. I have to do the following after a reboot to use the SSH Diversion menus:
echo insecure >> $HOME/.curlrc

Any thoughts?
Again, thank you in advance ...
 

Attachments

  • DiversionWebUI 2024-01-20 122954.png (60.2 KB)
  • SysLogsWebUI 2024-01-20 122954.png (27.2 KB)
  • DiversionWebUI-Blank 2024-01-20 122954.png (9.1 KB)
