Was my router owned?

[Thagor]

I find stuff like this in my log looks to me like i got owned. Am I right in my perception?

Mar  3 10:57:59 dropbear[807]: Child connection from 91.135.254.35:42806
Mar  3 10:58:08 dropbear[807]: Password auth succeeded for 'admin' from 91.135.254.35:42806
Mar  3 10:58:16 dropbear[807]: User admin executing '/sbin/ifconfig'
Mar  3 10:58:20 dropbear[807]: User admin executing 'cat /proc/meminfo'
[...]
Mar  3 11:00:01 dropbear[872]: User admin executing '1>/dev/null 2>/dev/null /sbin/iptables -L -n && echo 1 || echo 0'
Mar  3 11:00:05 dropbear[872]: User admin executing '(python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V)'
Mar  3 11:00:07 dropbear[872]: Exit (admin): Exited normally

 

[System Error Message]

seems like it, did you bother to change your password?

 

[Thagor]

I did I just noticed the intrusion will see if it helps as a bandage, but I will wipe it first thing in the morning.

 

[ColinTaylor]

Did you have "Web Access from WAN" enabled? That appears to be how they're initially getting access to the router.

What firmware version are you using?

 

[skeal]

Change your user ID as well using the word admin is weak.



Edit: What are your ssh settings make sure set to lan only not both lan and wan.

 

[redhat27]

That IP is from Azerbaijan (from ipinfo.io):
{
"ip": "91.135.254.35",
"hostname": "No Hostname",
"city": "Xudat",
"region": "Xacmaz",
"country": "AZ",
"loc": "41.6281,48.6828",
"org": "AS34170 Aztelekom"
}

You can block access from unwanted countries using ipsets. I am curious though, how is dropbear logging the commands executed? Is that a newer dropbear feature?

 

[skeal]

Location is easy to spoof he or she could be living right next to you and you would get similar results. The only experience I have with dropbear is it handles ssh child connections or telnet sessions and you see it in your log.

 

[redhat27]

Location is easy to spoof he or she could be living right next to you and you would get similar results

No argument there , although if a user is interactively typing commands (which I'm not too sure s/he is: the timestamps seem to indicate those commands are not batched) chances are he is probably in that region (and blocking that country would still block the cracker)

My sshd doesn't log commands (Or I do not know how to have it log the commands) I'm on an older mips router

 

[pete y testing]

python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V

interesting that line above calls for the installation of virtualbox which i assume then opens a backdoor

makes it easy for them when you leave the front door open and on default

but I will wipe it first thing in the morning.

prob have to do a full fw emergency restore to ensure its gone , eg make the power light flash on startup and tftp into it

 

[ColinTaylor]

@Thagor @skeal @Shounak De @pete y testing

I suggest that you read through the main thread for this problem here. It should answer all of your questions.

 

[pete y testing]

the OP has not mentioned anything about remote access being enabled , he has however left his user name and password at default

it maybe the case remote access was enabled and they got in that way , however it may also be someone knocked on the front door and just found it unlocked and walked in

this may be two separate issues and should not be bundled into the same thread unless we specifically know remote access was enabled

 

[ColinTaylor]

this may be two separate issues and should not be bundled into the same thread unless we specifically know remote access was enabled

The syslog he posted is exactly the same as reported in the other thread, so it's pretty certain it's the same attack.

P.S. He never said he left the password at the default.

 

[swetoast]

stop having your routers exposed, its as simple as that...

 

[eddiez]

This hack creates a 'hidden' entry into your device. So you'd better do a clear NVRAM and a firmware reflash. Or try removing it manually...it will be listed when you list the running processes and your firewall entries. But it's easier to do reflash and clear NVRAM. Also, do not reload a saved config! More info is on this board already.

Oh, and close WAN access all together.

 

[sfx2000]

Common issue - and there are other threads related to this very item.

Key thing - don't expose services - always a good chance they'll be targeted...

 

[pete y testing]

P.S. He never said he left the password at the default.

seems like it, did you bother to change your password?

I did I just noticed the intrusion will see if it helps as a bandage

think thats exactly what he said !

 

[Thagor]

no I did not use the default password. I used a randomly generated 8 symbol password. One that I thought was secure. anyway changing the password to a new one did in deed put a bandage on. And ssh is no longer exposed to the wan. But there are still attempts.

Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally

 

[swetoast]

something is still exposed and i really recommend a firmware reset and clearing nvram in short a total reboot, hope you learned something from this experiance btw pick a longer password 6 chars is short

 

[Thagor]

something is still exposed and i really recommend a firmware reset and clearing nvram in short a total reboot, hope you learned something from this experiance btw pick a longer password 6 chars is short

yeah I will it is 8 I miss typed

 

[swetoast]

still short