Malicious access, only 1 attempt

[matthew_eli]

Hi guys, I don't know if this is the right place to post this experience, but I'm running the latest stable Merlin firmware (380.64) and yesterday, during the new year eve, I discovered someone managed to access to my router, both with SSH and webUI. Here are the involved lines on syslog:

http://pastebin.com/4HiewCTT

...

http://pastebin.com/736znapW

(I can't even post the log code here...)


Both addresses are from Palestinian territory, I'm from Italy; the main strange thing is they have no troubles in finding this password: they made it at their first attempt! This was my password strength:

Length: 13
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 58.5 bits
Charset Size: 68 characters

Now I canged it and I forbid access from WAN for both SSH and webUI. My main concern now is if these guys used an exploit to gain the access to my router; what can I do for securing the router more? I already use an IPSET protection based on firewall scripts.

From what I checked, in webUI they only changed minor setting on SSH administration page, by disabling it and changing the port. Is there any possibility to trace what they did? I also checked my jffs partition, but I haven't found anything in there.

Please, help me!

 

[tomsk]

looks automated.... is this a known exploit?

 

[martinr]

You could follow thelonelycoder's advice to someone in a similar case to set up your router again from scratch:

http://www.snbforums.com/threads/wh...can-login-my-router-easily.36564/#post-298710

 

[matthew_eli]

I saw the other thread: it's a strange coincidence there have been 2 cases in only 2 days, or not?

 

[ColinTaylor]

Check your LAN clients for malware. If they got your router password on the first attempt that might indicate that they got it by infecting your PC.

EDIT: If you had previously been accessing your router from an external location (i.e. friends house, cyber café) perhaps they had been infected with malware or had a key logger installed.

 

[RMerlin]

To be safe, I would reflash the firmware, do a factory default reset, wipe the JFFS2 partition content, and restore a config backup if you have one.

The fact that it took a look at python makes me believe this might not be targeting routers specifically (who almost never have python installed) but Linux servers in general, but just to be safe I'd still wipe that firmware & nvram.

 

[pattiri]

These are exactly same with the logs that I saw last week on my router, only IP address is different. This is becoming weird. Maybe we need to call Sherlock Holmes

 

[sfx2000]

To be safe, I would reflash the firmware, do a factory default reset, wipe the JFFS2 partition content, and restore a config backup if you have one.

The fact that it took a look at python makes me believe this might not be targeting routers specifically (who almost never have python installed) but Linux servers in general, but just to be safe I'd still wipe that firmware & nvram.

If one looks at the libs and paths - it does seem to be targeted towards embedded devices...

Probably should look at accounts and also at dropbear specifically... I'm not thinking this is a dropbear issue, but it does need to be looked it.

I've seen a big uptick in SSH hits in the past week or so on my firewall..

 

[Wutikorn]

do a factory default reset, wipe the JFFS2 partition content,

Doesn't factory default reset wipes out JFFS partition?

 

[thelonelycoder]

Doesn't factory default reset wipes out JFFS partition?

No, you have to set it first, then reboot.

 

[RMerlin]

Doesn't factory default reset wipes out JFFS partition?

Only on stock firmware (if they haven't changed it again).

 

[sfx2000]

Only on stock firmware (if they haven't changed it again).

Seems to be a problem... my educated guess is that it's factory, and not the forks...

http://www.snbforums.com/threads/security-reminder-to-stay-secure.36607/

sfx