thecheapseats
Senior Member
Merlin's instructions had it right... yep... goofy gui... no wonder those things get hammered...
Did your WAN IP change during the reboot? It may take the bad guys a little time to find you again... Ideas?
[$] /jffs/scripts/firewall banmalware
============================================
[i] Custom Filter Detected: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
[i] Downloading filter.list | [1s]
[i] Refreshing Whitelists | [11s]
[i] Consolidating Blacklist | curl: no URL specified!
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware
Update blacklist fails from within the menu with a curl error. I actually uninstalled / re-installed Skynet attempting to solve it and had no luck.
Any pointers?
(v7.2.2)
Just installed Skynet and see the following in log file...
Sep 15 14:16:37 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Sep 15 14:16:37 Skynet: [!] Warning! Router Malware Detected (chkupdate.sh) - Investigate Immediately!
I'm pretty sure the chkupdate.sh is for one of the scripts I have installed, so how do I whitelist these entries?
badtoast@router:/tmp/home/root# free
total used free shared buffers cached
Mem: 440368 404576 35792 568 11984 78060
-/+ buffers/cache: 314532 125836
Swap: 2097148 16496 2080652
Trying to understand if this is normal. After installing Skynet, I noticed my CPU usage is quite busy and RAM usage has gone way up.
My system log is just full of this:
You are not dreaming. I've seen similar on my AC86U @ 384.19. There are huge gaps in the logs and I know these a*((* are still pounding the router since I rebooted it at 06:00.. yet nada. Something is up with either 384.19 a/o these entware updates.
Thanks Dave. Nope, same WAN IP.
...
Sep 15 06:13:19 crond[1266]: time disparity of 1244468 minutes detected
Sep 15 06:15:22 dropbear[5990]: Child connection from 192.168.111.77:58434
Sep 15 06:15:23 dropbear[5990]: Password auth succeeded for 'redacted' from 192.888.222.333:111222333
Sep 15 07:17:01 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
... NOTHING until 11:45.. NO WAY..
Sep 15 11:45:00 Diversion: found 2 new YouTube hosts, total is 1471 (counter at 27 of 30)
Sep 15 11:48:55 rc_service: httpds 1271:notify_rc restart_wrs;restart_firewall
Sep 15 11:48:55 custom_script: Running /jffs/scripts/service-event (args: restart wrs)
Sep 15 11:48:55 kernel: IDPfw: Exit IDPfw
Sep 15 11:48:55 kernel: mod epilog takes 0 jiffies
Sep 15 11:48:55 kernel: IDPfw: Exit IDPfw
Sep 15 11:48:56 kernel: Exit chrdev /dev/idpfw with major 191
Sep 15 11:48:56 kernel: Exit chrdev /dev/detector with major 190
Sep 15 11:48:56 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Sep 15 11:48:56 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Sep 15 11:48:56 custom_script: Running /jffs/scripts/nat-start
Sep 15 11:48:56 ntpMerlin: Sleeping for 5s to allow firewall/nat startup to be completed...
Sep 15 11:48:56 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Sep 15 12:04:00 Diversion: found 1 new YouTube hosts, total is 1472 (counter at 14 of 30)
Sep 15 12:18:01 Diversion: found 1 new YouTube hosts, total is 1473 (counter at 12 of 30)
Sep 15 12:38:00 Diversion: found 2 new YouTube hosts, total is 1475 (counter at 15 of 30)
Sep 15 12:47:01 Diversion: found 1 new YouTube hosts, total is 1476 (counter at 8 of 30)
Sep 15 12:49:30 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 290 Inbound -- 0 Outbound Connections Blocked! [debug] [30s]
Sep 15 13:00:06 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 375 Inbound -- 0 Outbound Connections Blocked! [save] [6s]
Sep 15 14:00:06 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 713 Inbound -- 0 Outbound Connections Blocked! [save] [6s]
... And then no blocks until I log back in via the GUI and look at the logs? NO WAY..
Sep 15 14:00:11 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=4c:ed:fb:90:00:98:00:17:01:98:ef:13:08:00 SRC=195.54.161.122 DST=redacted LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=30965 PROTO=TCP SPT=56108 DPT=9231 SEQ=2671934643 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
...
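To put a number on the gap that post describes, here is an added example (my own code, not Skynet's or the poster's) that pairs Skynet's hourly summary lines with the per-packet [BLOCKED - INBOUND] lines logged between them. SAMPLE_LOG is constructed in the excerpt's format with documentation-range addresses; the year is assumed (syslog omits it), and the Inbound figure is assumed to be a running total, as the rising numbers above suggest.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the syslog excerpt above; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 15 12:49:30 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 290 Inbound -- 0 Outbound Connections Blocked! [debug] [30s]
Sep 15 12:55:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=56108 DPT=23 SYN
Sep 15 13:00:06 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 375 Inbound -- 0 Outbound Connections Blocked! [save] [6s]
Sep 15 14:00:06 Skynet: [#] 312606 IPs (+0) -- 21906 Ranges Banned (+0) || 713 Inbound -- 0 Outbound Connections Blocked! [save] [6s]
Sep 15 14:00:11 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.11 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=56108 DPT=9231 SYN
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
SUMMARY_RE = re.compile(r"Skynet: \[#\] .*\|\| (\d+) Inbound -- (\d+) Outbound Connections Blocked!")
BLOCK_RE = re.compile(r"kernel: \[BLOCKED - INBOUND\] .*SRC=(\S+) .*DPT=(\d+)")


def parse_ts(line, year=2020):
    """Syslog stamps carry no year; one is assumed so the values sort correctly."""
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}", "%Y %b %d %H:%M:%S")


def audit_gaps(text):
    """For each interval between two Skynet summaries, compare the rise in the
    Inbound counter with the number of per-packet BLOCKED lines actually logged.
    Returns a list of (from_ts, to_ts, counter_delta, logged_lines, unlogged)."""
    intervals, last_ts, last_count, logged = [], None, None, 0
    for line in text.splitlines():
        if BLOCK_RE.search(line):
            logged += 1
            continue
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        ts, count = parse_ts(line), int(m.group(1))
        if last_ts is not None:
            delta = count - last_count
            intervals.append((last_ts, ts, delta, logged, max(delta - logged, 0)))
        last_ts, last_count, logged = ts, count, 0
    return intervals


def silent_intervals(text):
    """Intervals where the counter rose but nothing reached syslog: the 'huge gaps' symptom."""
    return [iv for iv in audit_gaps(text) if iv[2] > 0 and iv[3] == 0]
```

A non-empty result from silent_intervals means the firewall is still blocking (the counter moves) while the kernel log lines are being dropped or rate-limited, which is a logging problem rather than a gap in protection.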
An initial spike is to be expected but it should settle after a minute or so, if the CPU spike is prolonged then you can investigate with the top command.
Your list is in the wrong format: not only is it not a filter list (see the default list as an example), but it is also a domain list, not an IP list, which would be better suited for something like Diversion.
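The banmalware failure earlier in the thread ("curl: no URL specified!") and this reply are the same problem seen from two sides, so here is an added example (my own code, not Skynet's) that classifies the entries in a file and says which tool it belongs to. It assumes a Skynet filter list is one blocklist URL per line; both sample files are constructed stand-ins, not the real hosts file or the real default list.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the StevenBlack hosts file the post pointed banmalware at
# (a few hosts-format lines, not the real file).
HOSTS_FILE_SAMPLE = """# Title: StevenBlack/hosts (constructed sample)
127.0.0.1 localhost
0.0.0.0 fake-news.example
0.0.0.0 tracker.example
"""

# Constructed stand-in for a Skynet filter list: assumed format is one blocklist URL per line.
FILTER_LIST_SAMPLE = """https://lists.example/ipblock.txt
# comment lines are ignored
https://lists.example/ranges.netset
"""

URL_RE = re.compile(r"^https?://\S+$")
HOSTS_RE = re.compile(r"^(0\.0\.0\.0|127\.0\.0\.1)\s+\S+")
DOMAIN_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}$", re.I)


def classify_line(line):
    """Label one non-comment line: url, hosts-entry, ip-or-cidr, domain or unknown."""
    if HOSTS_RE.match(line):
        return "hosts-entry"
    if URL_RE.match(line):
        return "url"
    try:
        ipaddress.ip_network(line, strict=False)
        return "ip-or-cidr"
    except ValueError:
        return "domain" if DOMAIN_RE.match(line) else "unknown"


def check_filter_list(text):
    """Count line kinds and give a verdict on whether banmalware can consume the file.
    Returns (Counter of kinds, verdict string)."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            counts[classify_line(line)] += 1
    if counts and set(counts) == {"url"}:
        return counts, "filter list: every entry is a URL banmalware can download"
    if counts["hosts-entry"] or counts["domain"]:
        return counts, "domain/hosts list, not a filter list: point Diversion at it instead"
    if counts["ip-or-cidr"]:
        return counts, "raw IP list, not a filter list: banmalware expects URLs of such lists"
    return counts, "nothing usable: no URL for banmalware to download"
```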
Adding onto Merlin's post, the second warning should also be accurate (these are both IOCs of the same strand of malware):
Code:
# Skynet's check for this infection: any of these files, or an upgrade.sh hook in
# /jffs/scripts/openvpn-event, is treated as an indicator of compromise (IOC).
if [ -f "/jffs/chkupdate.sh" ] || [ -f "/tmp/update" ] || [ -f "/tmp/.update.log" ] || [ -f "/jffs/runtime.log" ] || grep -qF "upgrade.sh" "/jffs/scripts/openvpn-event" 2>/dev/null; then
    logger -st Skynet "[!] Warning! Router Malware Detected (chkupdate.sh) - Investigate Immediately!"
fi
Most definitely time for a factory reset
Any idea how this happened, as I'm struggling to work out what happened.
Also, what does IOC mean?
Last 50 Manual Bans:
IP Address | AlienVault | Ban Reason | Associated Domains
104.105.46.25 | https://otx.alienvault.com/indicator/ip/104.105.46.25 | ManualBanD: dominos.com |
Skynet Version; (11/09/2020) (9aae16544adf0c1c4a20b67dfdba9e00)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.1.4)
FW Version; 384.15_0 (Feb 8 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/Router/skynet (11.4G / 14.3G Space Available)
312938 IPs (+0) -- 1784 Ranges Banned (+0) || 6 Inbound -- 0 Outbound Connections Blocked!
[i] Watching Syslog For Log Entries (ctrl +c) To Stop
tail: can't open '': No such file or directory
Diversion is better suited to blocking a website via hostname instead of trying to block individual IPs that can be affiliated with multiple websites (and a website can have multiple IPs).
I installed amtm, skynet, diversion.
When I test skynet it doesn't seem to block a test site (only added to skynet).
It shows in the log that it's blocking but I can still access the site via browser and on my phone.