
Was my router owned?


Thagor

Occasional Visitor
I find stuff like this in my log; it looks to me like I got owned. Am I right in my perception?
Code:
Mar  3 10:57:59 dropbear[807]: Child connection from 91.135.254.35:42806
Mar  3 10:58:08 dropbear[807]: Password auth succeeded for 'admin' from 91.135.254.35:42806
Mar  3 10:58:16 dropbear[807]: User admin executing '/sbin/ifconfig'
Mar  3 10:58:20 dropbear[807]: User admin executing 'cat /proc/meminfo'
[...]
Mar  3 11:00:01 dropbear[872]: User admin executing '1>/dev/null 2>/dev/null /sbin/iptables -L -n && echo 1 || echo 0'
Mar  3 11:00:05 dropbear[872]: User admin executing '(python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V)'
Mar  3 11:00:07 dropbear[872]: Exit (admin): Exited normally
 
I did. I just noticed the intrusion; will see if it helps as a bandage, but I will wipe it first thing in the morning.
 
Did you have "Web Access from WAN" enabled? That appears to be how they're initially getting access to the router.

What firmware version are you using?
 
Change your user ID as well; using the word admin is weak.



Edit: What are your SSH settings? Make sure it is set to LAN only, not both LAN and WAN.
 
That IP is from Azerbaijan (from ipinfo.io):
{
"ip": "91.135.254.35",
"hostname": "No Hostname",
"city": "Xudat",
"region": "Xacmaz",
"country": "AZ",
"loc": "41.6281,48.6828",
"org": "AS34170 Aztelekom"
}

You can block access from unwanted countries using ipsets. I am curious though, how is dropbear logging the commands executed? Is that a newer dropbear feature?
 
Location is easy to spoof; he or she could be living right next to you and you would get similar results. The only experience I have with dropbear is it handles SSH child connections or telnet sessions and you see it in your log.
 
Location is easy to spoof; he or she could be living right next to you and you would get similar results
No argument there :cool:, although if a user is interactively typing commands (which I'm not too sure s/he is: the timestamps seem to indicate those commands are not batched), chances are he is probably in that region (and blocking that country would still block the cracker).

My sshd doesn't log commands :( (or I do not know how to have it log the commands). I'm on an older MIPS router.
 
python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V


Interesting, that line above calls for the installation of virtualbox, which I assume then opens a backdoor.

Makes it easy for them when you leave the front door open and on default.

but I will wipe it first thing in the morning.

Prob have to do a full FW emergency restore to ensure it's gone, e.g. make the power light flash on startup and TFTP into it.
 
The OP has not mentioned anything about remote access being enabled; he has, however, left his user name and password at default.

It may be the case remote access was enabled and they got in that way; however, it may also be someone knocked on the front door and just found it unlocked and walked in.

This may be two separate issues and should not be bundled into the same thread unless we specifically know remote access was enabled.
 
This may be two separate issues and should not be bundled into the same thread unless we specifically know remote access was enabled.
The syslog he posted is exactly the same as reported in the other thread, so it's pretty certain it's the same attack.

P.S. He never said he left the password at the default.
 
This hack creates a 'hidden' entry into your device. So you'd better do a clear NVRAM and a firmware reflash. Or try removing it manually...it will be listed when you list the running processes and your firewall entries. But it's easier to do reflash and clear NVRAM. Also, do not reload a saved config! More info is on this board already.

Oh, and close WAN access altogether.
 
Common issue - and there are other threads related to this very item.

Key thing - don't expose services - always a good chance they'll be targeted...
 
No, I did not use the default password. I used a randomly generated 8-symbol password, one that I thought was secure. Anyway, changing the password to a new one did indeed put a bandage on. And SSH is no longer exposed to the WAN. But there are still attempts.
Code:
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally
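The two logs posted in this thread (the successful 'admin' login followed by executed commands, and the later bad-password attempts), together with the earlier remark that the gaps between commands look like interactive typing rather than a batched script, can be checked mechanically. The following is an added example, not code from the thread or from dropbear: a small Python audit that parses dropbear syslog lines, flags password logins from non-RFC1918 sources, counts failed attempts per source IP, and classifies each command session as interactive or batched by the largest gap between consecutive commands. The sample input is constructed from the lines quoted above; the final line (a login from 192.168.1.10) is added to show that a LAN login is not flagged. The 2-second threshold and the message formats matched are assumptions about this dropbear build, not documented behaviour.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: the dropbear lines quoted in this thread, plus one
# made-up LAN login (192.168.1.10) so the private-address case is exercised.
SAMPLE_LOG = """\
Mar  3 10:57:59 dropbear[807]: Child connection from 91.135.254.35:42806
Mar  3 10:58:08 dropbear[807]: Password auth succeeded for 'admin' from 91.135.254.35:42806
Mar  3 10:58:16 dropbear[807]: User admin executing '/sbin/ifconfig'
Mar  3 10:58:20 dropbear[807]: User admin executing 'cat /proc/meminfo'
Mar  3 11:00:01 dropbear[872]: User admin executing '1>/dev/null 2>/dev/null /sbin/iptables -L -n && echo 1 || echo 0'
Mar  3 11:00:05 dropbear[872]: User admin executing '(python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V)'
Mar  3 11:00:07 dropbear[872]: Exit (admin): Exited normally
Mar  4 04:46:37 dropbear[29942]: Bad password attempt for 'admin' from 27.72.233.207:39365
Mar  4 04:46:40 dropbear[29942]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 05:54:30 dropbear[1347]: Bad password attempt for 'admin' from 188.72.166.216:44423
Mar  4 05:54:36 dropbear[1347]: Exit before auth (user 'admin', 1 fails): Exited normally
Mar  4 09:12:00 dropbear[2001]: Password auth succeeded for 'admin' from 192.168.1.10:51000
"""

# Syslog prefix: "Mon DD HH:MM:SS dropbear[pid]: message" (no year in this format).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message shapes as they appear in the posted logs (assumed stable for this build).
AUTH_OK_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
AUTH_FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
EXEC_RE = re.compile(r"User (?P<user>\S+) executing '(?P<cmd>.*)'$")


def parse(log_text):
    """Yield (timestamp, pid, message) for each dropbear line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Year is absent from the syslog prefix; strptime fills in 1900, which is fine
        # because only differences between timestamps are used below.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("pid"), m.group("msg")


def build_sessions(log_text):
    """Group events by dropbear child pid; return (sessions, failed attempts per IP)."""
    sessions = {}
    failures = {}
    for ts, pid, msg in parse(log_text):
        s = sessions.setdefault(pid, {"ip": None, "user": None, "login": None, "commands": []})
        if m := AUTH_OK_RE.search(msg):
            s["ip"], s["user"], s["login"] = m["ip"], m["user"], ts
        elif m := AUTH_FAIL_RE.search(msg):
            failures[m["ip"]] = failures.get(m["ip"], 0) + 1
        elif m := EXEC_RE.search(msg):
            s["user"] = s["user"] or m["user"]
            s["commands"].append((ts, m["cmd"]))
    return sessions, failures


def audit(log_text, interactive_gap=2.0):
    """Summarise WAN logins, per-IP failures and the pacing of each command session.

    interactive_gap is an assumed heuristic: if any two consecutive commands in a
    session are at least this many seconds apart, a human is probably typing them.
    """
    sessions, failures = build_sessions(log_text)
    report = {"wan_logins": [], "command_sessions": {}, "failed_by_ip": failures}
    for pid, s in sessions.items():
        if s["login"] is not None and not ip_address(s["ip"]).is_private:
            report["wan_logins"].append((s["user"], s["ip"]))
        if s["commands"]:
            times = [t for t, _ in s["commands"]]
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            report["command_sessions"][pid] = {
                "user": s["user"],
                "count": len(s["commands"]),
                "style": "interactive" if gaps and max(gaps) >= interactive_gap else "batched",
                "commands": [c for _, c in s["commands"]],
            }
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    for user, ip in r["wan_logins"]:
        print(f"WAN login: user={user} from {ip}")
    for pid, sess in r["command_sessions"].items():
        print(f"pid {pid}: {sess['count']} commands, {sess['style']}, user={sess['user']}")
    for ip, n in r["failed_by_ip"].items():
        print(f"failed attempts from {ip}: {n}")
```

Run against the sample, the audit reports one WAN login (admin from 91.135.254.35), two command sessions paced several seconds apart (hence "interactive"), and one failed attempt each from the two later IPs; the constructed LAN login is left out of the WAN list. On a real router the same script can be fed the output of the syslog viewer, and the "failed_by_ip" counts are the ones worth watching after WAN SSH has been turned off: if they keep arriving, something is still listening on the WAN side.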
 
Something is still exposed and I really recommend a firmware reset and clearing NVRAM, in short a total reboot. Hope you learned something from this experience. BTW, pick a longer password; 6 chars is short.
 
Something is still exposed and I really recommend a firmware reset and clearing NVRAM, in short a total reboot. Hope you learned something from this experience. BTW, pick a longer password; 6 chars is short.

Yeah, I will. It is 8, I mistyped.
 
