Malware /jffs/updater script.

[bennor]

Sorry for the dumb question but how would I know if I have this malware? I'm using AiProtect and Diversion. Am I affected?
View attachment 50502

From an earlier posts (here) it appears using SSH, the "ls" command, might not show the directory/file(s), but WinSCP may.

I saw it using htop when the script was running, and I was able to access it manually using winscp directly to /jffs/* directory. I couldn't see it in ssh as @ColinTaylor pointed out it highjacks the ./profile so that file appears invisible using "ls" per terminal session. I also saw it when using the cru -l command to investigate the crontab.

 

[ColinTaylor]

Sorry for the dumb question but how would I know if I have this malware? I'm using AiProtect and Diversion. Am I affected?
View attachment 50502

That won't help if you're infected. See post #50 for why.

You need to run the following command first. Then you can use ls, cat and ps.

unalias -a

cat ~/.profile
cru l | grep updater
ls -l /tmp/updateservice
ls -l /jffs/updater /jffs/p32
nvram show | grep "/jffs/updater"

 

[Swistheater]

Sorry for the dumb question but how would I know if I have this malware? I'm using AiProtect and Diversion. Am I affected?
View attachment 50502

No, you will know you are infected when you no longer see the colors on executable file names and directory names while using ls command.

 

[Rob Q]

From an earlier posts (here) it appears using SSH, the "ls" command, might not show the directory/file(s), but WinSCP may.

I'm good!
"ls -a" seems to show the hidden files.

 

[heysoundude]

You would have possibly seen a file called "updater" under your /jffs folder... looks like you're clean.

I need to look up how to read linux datecoding - in my /jffs/wgetlst, I've mention of an IPRoyal a number of wgets/dirty upgrades ago. I'm supposing there are still some vestiges of whatever it wget-ted whenever it was, but for now it looks like I'm "clean" as well

 

[Viktor Jaep]

I need to look up how to read linux datecoding - in my /jffs/wgetlst, I've mention of an IPRoyal a number of wgets/dirty upgrades ago. I'm supposing there are still some vestiges of whatever it wget-ted whenever it was, but for now it looks like I'm "clean" as well

That's kind of alarming? I checked mine, as well as the asd.log and not seeing anything out of the usual...

 

[Swistheater]

That's kind of alarming? I checked mine, as well asthe asd.log and not seeing anything out of the usual...

No alarming issues here as of yet!

 

[maxbraketorque]

That won't help if you're infected. See post #50 for why.

You need to run the following command first. Then you can use ls, cat and ps.

unalias -a

cat ~/.profile
cru l | grep updater
ls -l /tmp/updateservice
ls -l /jffs/updater /jffs/p32
nvram show | grep "/jffs/updater"

Are your second set of commands each a different method for detecting the exploit? Do all require running the unalias command prior?

 

[ColinTaylor]

Are your second set of commands each a different method for detecting the exploit? Do all require running the unalias command prior?

You only need to run the unalias -a command once per terminal session before you enter one or more of the following commands.

Each command looks for a different set of changes made by the script in post #1. So for example, ls -l /jffs/updater may not return anything (other than an error) because asd has already removed it. However, cru l | grep updater may still have an entry present indicating that you were infected at some time.

 

[ColDen]

You only need to run the unalias -a command once per terminal session before you enter one or more of the following commands.

Each command looks for a different set of changes made by the script in post #1. So for example, ls -l /jffs/updater may not return anything (other than an error) because asd has already removed it. However, cru l | grep updater may still have an entry present indicating that you were infected at some time.

Accordingly, does this test results is indicating that I was infected at some time?

 

[Swistheater]

You only need to run the unalias -a command once per terminal session before you enter one or more of the following commands.

Each command looks for a different set of changes made by the script in post #1. So for example, ls -l /jffs/updater may not return anything (other than an error) because asd has already removed it. However, cru l | grep updater may still have an entry present indicating that you were infected at some time.

Has anyone actually confirmed that the asd definition is able to detect this malware? When I had to hard reset the malware was very much active in my setup with no visible indications of intervention from asd. I am pretty much ready and willing to submit a corrupt saved copy of jffs to asus if will help them develope a security definition which will prevent this issue from happening to other users.

 

[ColinTaylor]

Accordingly, does this test results is indicating that I was infected at some time?
View attachment 50523

No. It means that there are no traces of it on your router.

 

[ColinTaylor]

Has anyone actually confirmed that the asd definition is able to detect this malware?

I deliberately created copies of /tmp/updateservice and /jffs/updater and asd successfully detected and deleted them. However it look quite a few hours because I think asd only scans once a day. If you killall asd you can force it to restart and scan immediately.

When I had to hard reset the malware was very much active in my setup with no visible indications of intervention from asd. I am pretty much ready and willing to submit a corrupt saved copy of jffs to asus if will help them develope a security definition which will prevent this issue from happening to other users.

I think it would be a good idea to send what you have to Asus. It certainly wouldn't hurt.

 

[ColDen]

No. It means that there are no traces of it on your router.

Thanks...

 

[Jonnny]

Both VPNs are only as secure as you configure them to be.

Password login disabled with requirement for private key is more secure so you're good there (as long as you generate a good key). I believe some SSH daemons can be configured for both private key and password but I don't believe that combo is supported here, believe it is one or the other. If nothing has changed, merlin default enables brute force protection on SSH so that also helps a lot, even with password login (but still recommend key login).

Usually SSH connection (Public Key + Private Key), if you know the username (If the username is not entered correctly, the connection is disconnected), you can try many times to input the passphrase of Private Key (if defined of course).

Thanks.

 

[ATLga]

Has anyone actually confirmed that the asd definition is able to detect this malware? When I had to hard reset the malware was very much active in my setup with no visible indications of intervention from asd. I am pretty much ready and willing to submit a corrupt saved copy of jffs to asus if will help them develope a security definition which will prevent this issue from happening to other users.

Week later and wondering if you reported this to anyone (Asus, TrendMicro, etc), and what you heard if anything.

 

[Swistheater]

Week later and wondering if you reported this to anyone (Asus, TrendMicro, etc), and what you heard if anything.

I contacted Asus customer support. They told me that my router was out of warranty period and were confused about the motives of me reporting the issue. They kept assuming I was trying to use an expired warranty. When I finally got someone who wanted to actually listen, they said they would escalate it to the next teir department, and I haven't heard back from them since. I submitted a copy of jffs from the time of infection. Yes, I made a backup because the whole time I planned to report it to asus.

 

[ATLga]

I contacted Asus customer support. They told me that my router was out of warranty period and were confused about the motives of me reporting the issue. They kept assuming I was trying to use an expired warranty. When I finally got someone who wanted to actually listen, they said they would escalate it to the next teir department, and I haven't heard back from them since. I submitted a copy of jffs from the time of infection. Yes, I made a backup because the whole time I planned to report it to asus.

Thanks, hoping someone takes it seriously and looks into it.

 

[Swistheater]

I am so glad @ColinTaylor is around this forum. He gave the best advice in regards to dealing with the issue. A complete factory reset reconfigure took care of everything. While everyone else had great technical angle feedback, @ColinTaylor gave the best upfront initial advice. I hope others around this community take inspiration from him. I was completely humbled by his ability to get in there and give the best advice without soundboarding off of 20million different possibilities. He is straight and to the point. He has my utmost respect.

 

[Viktor Jaep]

I am so glad @ColinTaylor is around this forum. He gave the best advice in regards to dealing with the issue. A complete factory reset reconfigure took care of everything. While everyone else had great technical angle feedback, @ColinTaylor gave the best upfront initial advice. I hope others around this community take inspiration from him. I was completely humbled by his ability to get in there and give the best advice without soundboarding off of 20million different possibilities. He is straight and to the point. He has my utmost respect.

Agreed... @ColinTaylor's feedback and expertise is invaluable in these forums. We appreciate him immensely!