Just answered your question here.Can someone please explain WHY after a factory reset and installing the latest FW, I can't use my prior save config file??
The last Airport Extreme is VxWorks based.
The Airport Extreme AC is NetBSD based, just like the 802.11n models
The difficult bit would be filtering out the parts that are constantly changing as part of the router's normal operation. But doing a check on the ROM/CFE parts should be do-able. You wouldn't even need to create a snapshot you could just compare the current and previous checksums.I think a file-system/nvram snapshot might be a wonderful trigger for everything.
The difficult bit would be filtering out the parts that are constantly changing as part of the router's normal operation. But doing a check on the ROM/CFE parts should be do-able. You wouldn't even need to create a snapshot you could just compare the current and previous checksums.
# cat NVRAM_monitor.sh
#!/bin/sh
oldlist=/tmp/nvram.old
newlist=/tmp/nvram.new
difflist=/tmp/nvram.diff
nvram show 2>/dev/null | grep -v "login_timestamp" | sort > $oldlist
while sleep 300
do
nvram show 2>/dev/null | grep -v "login_timestamp" | sort > $newlist
diff $oldlist $newlist > $difflist
if [ $? -ne 0 ]; then
cat $difflist | grep -v "\--- " | grep -v "+++ " | grep -E "^\+|^-" | logger -t NVRAM_monitor
fi
mv $newlist $oldlist
done
# cat MTD_check.sh
#!/bin/sh
oldlist=/tmp/mtdlist.old
newlist=/tmp/mtdlist.new
difflist=/tmp/mtdlist.diff
echo "These are the initial checksums:" > $oldlist # Create a dummy file the first time through
while sleep 1800 # This is very CPU intensive so don't run it too often
do
cat /proc/mtd | tail -n +2 | tr -d ":" | while read dev size erasesize name
do
echo $name $(md5sum /dev/$dev) >> $newlist
done
diff $oldlist $newlist > $difflist
if [ $? -ne 0 ]; then
cat $difflist | grep -v "\--- " | grep -v "+++ " | grep -E "^\+|^-" | logger -t MTD_check
fi
mv $newlist $oldlist
done
Edited 2018-06-09@23:52 for minor cosmetic changes.
@FreshJR Here's a couple of "ugly" scripts that I've been playing around with. They need to be run in background and they log their messages in syslog. They may not work properly on hardware/firmware combinations different from mine!
This one looks for changes to NVRAM variables (even if they haven't been committed yet).
Code:# cat NVRAM_monitor.sh #!/bin/sh oldlist=/tmp/nvram.old newlist=/tmp/nvram.new difflist=/tmp/nvram.diff nvram show 2>/dev/null | grep -v "login_timestamp" | sort > $oldlist while sleep 300 do nvram show 2>/dev/null | grep -v "login_timestamp" | sort > $newlist diff $oldlist $newlist > $difflist if [ $? -ne 0 ]; then cat $difflist | grep -v "\--- " | grep -v "+++ " | grep -E "^\+|^-" | logger -t NVRAM_monitor fi mv $newlist $oldlist done
This one checks for any changes anywhere in the flash memory, so that includes the CFE and operating system. Expect to see frequent hits on mtd1 (NVRAM) and mtd4 (JFFS). The md5sum will eat up all your CPU cycles so don't run it too frequently.
Code:# cat MTD_check.sh #!/bin/sh oldlist=/tmp/mtdlist.old newlist=/tmp/mtdlist.new difflist=/tmp/mtdlist.diff echo "These are the initial checksums:" > $oldlist # Create a dummy file the first time through while sleep 1800 # This is very CPU intensive so don't run it too often do cat /proc/mtd | tail -n +2 | tr -d ":" | while read dev size erasesize name do echo $name $(md5sum /dev/$dev) >> $newlist done diff $oldlist $newlist > $difflist if [ $? -ne 0 ]; then cat $difflist | grep -v "\--- " | grep -v "+++ " | grep -E "^\+|^-" | logger -t MTD_check fi mv $newlist $oldlist done
Realistically while the idea has good intentions, putting it into practice shows many flaws.
For starters with the nvram, there's so many variables that constantly change, a user would be bombarded by alerts. Same goes for the filesystem, so many junk files like pid storage, everything in /proc and even the syslog would trigger it. There's just too many moving parts to monitor everything for changes.
That's exactly the same point I made in post #107, but having run those two scripts most of yesterday I was very surprised to see that the NVRAM rarely changed unless you were logged into the router. Very surprised.For starters with the nvram, there's so many variables that constantly change, a user would be bombarded by alerts.
Yes this is more problematic. I did create another script like the other that just monitored changes to the filesystem. For starters you wouldn't monitor everything, so not /proc. In fact my thinking was that the only writable part of the file structure is under /tmp so that's what you'd look at. The number for changes wouldn't be too bad if it weren't for the fact that the USB drives are also mounted there. And of course that's full of all sorts of user add-ons (entware, media, log files, etc.) so the number of changes is overwhelming. I could start filtering out my USB drives but then it would be difficult to make a script that was useful for anybody other than myself. (It would be a lot easier if there was a proper version of find built into the firmware )Same goes for the filesystem, so many junk files like pid storage, everything in /proc and even the syslog would trigger it. There's just too many moving parts to monitor everything for changes.
Realistically while the idea has good intentions, putting it into practice shows many flaws.
For starters with the nvram, there's so many variables that constantly change, a user would be bombarded by alerts. Same goes for the filesystem, so many junk files like pid storage, everything in /proc and even the syslog would trigger it. There's just too many moving parts to monitor everything for changes.
Unfortunately until there is more information available, there's not much that can be done mitigation wise. At this point I don't even think there's been a documented case on an Asus router to work from, only the general information of C&C IP's/URLs/5 files that appeared on other systems.
# cat /jffs/scripts/file_monitor.sh
#!/bin/sh
oldlist=/tmp/files.old
newlist=/tmp/files.new
difflist=/tmp/files.diff
# Be carefull, these are regular expressions not filenames
cat <<EOF >/tmp/files.whitelist
/tmp/mnt/
/tmp$
/tmp/syslog.log$
/tmp/syslog.log-1$
/tmp/files.old$
/tmp/files.new$
/tmp/files.diff$
/tmp/files.whitelist$
/tmp/nvram.old$
/tmp/nvram.new$
/tmp/nvram.diff$
EOF
find /tmp -exec ls -de {} \; | grep -vf /tmp/files.whitelist > $oldlist
while sleep 300
do
find /tmp -exec ls -de {} \; | grep -vf /tmp/files.whitelist > $newlist
diff $oldlist $newlist > $difflist
if [ $? -ne 0 ]; then
cat $difflist | grep -v "\--- " | grep -v "+++ " | grep -E "^\+|^-" | logger -t file_monitor
fi
mv $newlist $oldlist
done
Versione 3.0.0.4.382.506242018/06/0139.86 MBytes
WOW that is a lot of CVE's fixed in one go.
I wonder which ones were exposed just running DDNS/VPN and having everything else closed.
More practical approaches as used by some Linux servers:
1) Monitoring the list of running processes, and reporting any change
2) Monitoring MD5 hashes for some key filesystem components, such as Busybox, openvpn/openssl, etc...
3) Monitoring listening tcp/udp ports (these should change very little, unless restarting a service that uses a random port such as miniupnpd)
4) Monitoring iptables rules (these should change very little, unless using UPnP)
Thread starter | Title | Forum | Replies | Date |
---|---|---|---|---|
D | Android based banking malware “Snowblind” | General Network Security | 0 | |
D | News New Discord application malware | General Network Security | 0 |
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!