More on asd...

[original-birdman]

About two years ago I was having problems with my Entware installation on an RT-AC86U.
Files on the Entware distribution that started with "cr" (either case) were disappearing at 07:39 or 13:39.
This stopped gcc working....

I eventually tracked it down to asd.

1654907969[remove_file_in_dir]Delete harmful file,/tmp/opt/lib/gcc/aarch64-openwrt-linux-gnu/7.4.0/crt1.o
1654907969[blockfile] /tmp/opt/lib/gcc/aarch64-openwrt-linux-gnu/7.4.0/crt1.o is binary.

Turns out it as also removing this, but I've only just noticed that in the log file I kept:

1654907972[remove_file_in_dir]Delete harmful directory,/tmp/opt/include/boost/regex/pending
1654907972[blockfile] dump unicode_iterator.hpp.

Odd that files are being tested by name, as that it hardly a marker for harmfullness.

I reported this to Asus, but heard nothing at all in response. But some time later it did stop happening.

I've now got an RT-BE92U and that has a similar problem, in that files are disappearing.

It now seems to be deleting all files/directories containing "zone", "link" or "pending" in their name. As well as deleting those starting with "cr" again.

Now, I know from the close thread https://www.snbforums.com/threads/what-is-asd-process.76242/ that this is an Asus issue, but what is teh best eway about getting this nonsense to stop?
Why is anything deleting entries by name rather than by content?
And why do I not have the option to switch this off?

 

[original-birdman]

Oh yes, I forgot to add that at some point in the last 18 months the asd log has become encode. (previously it was just text).

It now looks like this:

TyRRlXW0QfotcN1FQ2XE3UvrmhVLLollaDL/zlWwqpr5AuoMReOLWREWiV7+QbooP0hg+6ZbTcfxnByWvdrHcw==
WCHoOGh2k4rcnGa4sGfTa+qsb4+0VmyNTL+N7y3ZTNvsauTLcm7BR7ZdWU7lLhshD4pCmxkVyKS5ENpVhl27Dg==
i4qRkyUZIwfZwBX7glL2m6TY47VPnUoRWcuXKO1aVYo4+FDeFdDIzUKLuow4r6c9NLki+UUYp7rO4ECacWzeZQ==
WJATAhtZJuiXkPCHShLVwhW5UGYOVSDyWIu9jo1OdOVNgqPn/MfM5pYLZPWvJTm+IE/0/jrAaOe/V+JcVLpLRg==
MvbYeQIF7AnwFM+QquD+NuIIUina8GPpSGKl4ps7B9K/iZZ/K8ddKVvSRYg3lB81/7oS1lGyb4NYivDQ/zMQkKxoBLlsDM0HaqSaMPY3+cY=
cMDJOddGkphkXpoYKHvDwR8Ey2sXitlIe84oK2OoPntsRbLL384FzFLe78SggQEg4dRj8Fx73ogp+ijMh5yeFQ==
loI1ScB4m9ZWFNFvkRhbNx8Ey2sXitlIe84oK2OoPnvjWU7tVZUxm6Bzdl5jsr6/6Fyn7fSzmuHIcsHrEfMj2g==
lmXIjATT5pqnYMuBd8FMoh8Ey2sXitlIe84oK2OoPnuqPcyvCBzUpJ4PsoalONUsKqrLitiQfC9+VoNhRYQ9sQ==
muEwTbw2fBHgS/nM1OZClh8Ey2sXitlIe84oK2OoPnvR9uX+Cq3Rj4LL+s1JZYP8I9sAkSvdgsRgqCVX0vQ6RA==
CCgIgISWTAtOWwEOwbW4bHsejcplyREXsIkXkGD9uoHYnNpAdf27gC27svglVprH
eKgrum1B91/NjmnUSt6qTdNJCNYOxuSW0JprpnB/V6p8Qqx/NR9feiEYgerrqzRetG6IVBQn074a7eiaFlVC8w==
....

The config files under /jffs/asd/ are similar.
So no idea what it is actually doing at all.

 

[original-birdman]

More that I forgot.
The original problem with the RT-AC86U was on stock Asus firmware, but I now use Merlin, as Asus stopped allowing you to get Entware mounted at boot time.

 

[ColinTaylor]

Why is anything deleting entries by name rather than by content?

Ask Asus.

And why do I not have the option to switch this off?

Government insistence that home router manufacturers protect their devices from malware (e.g. being taken over as botnets using zero-day exploits).

 

[original-birdman]

Government instance that home router manufacturers protect their devices from malware (e.g. being taken over as botnets using zero-day exploits).

Which it isn't doing.
If anyone were putting files onto my system all they would have to do is not use names that match those sub-strings. Which is complete daft as a security mechanism.

 

[ColinTaylor]

I've tried creating /tmp/opt/include/boost/regex/pending on my router and asd leaves it alone. Creating /jffs/pending, asd deletes it immediately.

 

[original-birdman]

Hmmmm....
How do you mount your /tmp/opt?
I bind mount mine:

rm -f /tmp/opt || exit
mkdir /tmp/opt || exit
chmod 755 /tmp/mnt/Entware # Just in case...
mount -o bind /tmp/mnt/Entware /opt

Do you just set a symlink?

 

[ColinTaylor]

I have the following lines in my /jffs/scripts/post-mount script:

if [ -d "$1/entware" ]; then
  ln -nsf $1/entware /tmp/opt
fi

# ls -l /tmp/opt
lrwxrwxrwx    1 admin    root            25 Apr  3 12:55 /tmp/opt -> /tmp/mnt/TOSHIBA1/entware

I think if you install Entware using the router's amtm utility it does roughly the same thing.

 

[original-birdman]

Mine dates back to stock Asus days...I may change it to see what happens.

But first I have to see what the pattern for removals is. As I noted in the first post, they seem to be deleted on a daily schedule, not "instantly".

I notice them as they are marked as deleted in my daily backup mail report.

 

[XIII]

Mine dates back to stock Asus days...I may change it to see what happens.

But first I have to see what the pattern for removals is. As I noted in the first post, they seem to be deleted on a daily schedule, not "instantly".

I notice them as they are marked as deleted in my daily backup mail report.

My router also regularly deletes the same file (a powerlevel10k script).

Additionally it regularly removes the executable bit from scripts that I wrote myself.

Did you find out how to read the new log format?

(It looks base64 encoded?)

 

[XIII]

(It looks base64 encoded?)

Still "garbage" after base64 decoding, so "No"?

 

[original-birdman]

It turns out that it doesn't just delete the file - it actually mv's it to /jffs/.asdbk/.

But at the moment I'm in a situation where:

• The main RT-BE92U has left them in place overnight.
• A secondary RT-BE92U is removing things as soon as they get put in place.
• A secondary RT-AC86U hasn't removed anything in ages.

Their Entware setup is identical.

Annoying and frustrating,

 

[original-birdman]

But at the moment I'm in a situation where:

• ...
• A secondary RT-BE92U is removing things as soon as they get put in place.
• ...

So I've just rebooted that one.
Now I can put the files back into place and they stay there (for the while, at least)!

Curiouser and curiouser.

 

[original-birdman]

I've now got a monitor running on 3 of the disappearing files on each of the systems.
I'll be mailed if any disappears (or is not there at boot time).

Wond'ring Aloud.....

 

[original-birdman]

So I put the monitoring in place and overnight...

Nothing happens.

 

[original-birdman]

Until this morning at 07:07, when all of the "zone", "link", "pending" and "^cr" files disappeared on my AIMesh master, but not on the other two routers. And one of those is also an RT-BE92U, so why did things remain on that system?

And now, if I try to restore the files, they are removed immediately by asd.

I'm at a loss to see any logic at all in what is happening. The actions appear to be completely random.

I'm switching to using symlinks instead of bind mounts to see whether that changes things.

 

[RMerlin]

Both the firmware and the device matter when reviewing asd's behaviour.

- Asuswrt-Merlin uses different asd signatures that are less restrictive than the signatures used by the stock firmware (some things are whitelisted so not to interfere with Asuswrt-Merlin)
- Very old devices may still be using asd V1
- Newer devices will be using asd V2 - that one will encrypt its log in addition to architectural improvements
- Very recent firmwares have now switched to V2.1 which should be far more CPU-efficient

The way V1, V2 and V2.1 works is different. I can't share any further details beside the fact that newer versions should be less CPU intensive.

 

[XIII]

Would be nice if users could whitelist additional files.

However, I’m not sure how to prevent malware from abusing that…

(Something with signing, hashes, etc. maybe?)

 

[original-birdman]

The way V1, V2 and V2.1 works is different. I can't share any further details beside the fact that newer versions should be less CPU intensive.

Fair enough...

What really gets me is the way that it behaves differently across two systems that are the same model, and with exactly the same files under Entware.
And it behaves differently from day to day on the same system.

Anyway, everything survived last night.

FYI: asd is consuming ~3% of 1 CPU on average on the 2 RT-BE92Us.
On the RT-AC86U it's ~1%.

 

[RMerlin]

However, I’m not sure how to prevent malware from abusing that…

That'd be the main issue. Since the router itself runs almost everything as root, you have no way to control things. If a user can modify a config, then so could malware.