OpenVPN custom configuration changing on its own

Scott Stewart

New Around Here
Hello - quick question for the experts.

I am running a standard openVPN server on the RT-AX86U.

I noticed recently that the custom configuration section has 2 lines of code that were not there when I first started the server. In about a 16 day period, at some point these 2 lines of code were added. I am wondering if maybe someone is hacking into my system to add these, or maybe they were programmatically added by the server?

Can anyone answer this question and maybe let me know if I should be worried by this code and what this code actually is doing??

The code in question is....
up "/bin/sh /jffs/etc/profile"
script-security 3

Thanks so much.
 
We've seen this reported on more than one occasion. It's believed to be malware.

Factory reset your router, update it to the latest firmware and manually configure it. Do not enable Web Access from WAN (Administration - System).
Probably a good idea to scan your PCs for malware as well.
 
Web access is already disabled, and I never had it enabled. Is the malware on the router itself or is it on my PC??

Would it be better for me to use Merlin firmware instead or is that affected by this as well?
 
Web access is already disabled, and I never had it enabled. Is the malware on the router itself or is it on my PC??
As far as I'm aware nobody has been able to identify where this change is coming from. Like you, others have said that they hadn't enabled remote web (or other) access so one can only conclude that it's coming from the LAN side. For example, perhaps you had the router GUI open while also browsing to a malicious web site.

The malware itself has (apparently) been neutered by the firmware so it's not actually effective. But that still doesn't identify the source of the infection.
 
I ran malware scans on the PC and nothing was found. I also telnetted into the router and removed the /jffs/etc directory. As far as resetting to factory default, I hate to do that since I already have tons of options set and don't feel like doing this all over again manually. Also a side note - I noticed this happened on my old router as well (Asus RT-AC86U) - this is why I upgraded to the new router. So it seems it affects the router, even after a factory reset.

Any idea what these commands are actually trying to do?
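On the question of what those two lines do: `script-security 3` is OpenVPN's most permissive setting for running external programs, and `up` names a command OpenVPN executes whenever the tunnel comes up, so together they make the daemon run /jffs/etc/profile on every connection. The following busybox-compatible sh script is an added example, not code from the thread: it lists every directive in an OpenVPN config that causes external commands to run, so an unexpected line like the one reported above stands out; the sample config is constructed.

```shell
#!/bin/sh
# Added example: report OpenVPN directives that execute external
# programs. Intended to run on a router's busybox sh; only needs
# sed and grep.

# Directives that run an external command, or that raise the policy
# allowing such commands to run at all.
SCRIPT_DIRECTIVES='up|down|route-up|route-pre-down|client-connect|client-disconnect|auth-user-pass-verify|tls-verify|learn-address|ipchange|script-security'

# Read a config on stdin and print each line that starts with one of
# those directives. Leading whitespace is stripped and comment lines
# (starting with # or ;) are dropped first, so "push ..." or a
# commented-out "up" line does not trigger a report.
find_script_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' \
        | grep -E "^(${SCRIPT_DIRECTIVES})([[:space:]]|\$)"
}

# Returns 0 when the config passed as $1 contains none of the
# directives above, 1 when at least one is present.
config_is_clean() {
    if printf '%s\n' "$1" | find_script_directives >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample: a harmless push line plus the two lines the
# original poster found in the custom configuration box.
SAMPLE='push "dhcp-option DNS 192.168.1.1"
up "/bin/sh /jffs/etc/profile"
script-security 3'

# Print the offending lines from the sample.
printf '%s\n' "$SAMPLE" | find_script_directives
```

Pipe a real config into `find_script_directives` (for example the OpenVPN server config file on the router) and any output is a line worth explaining.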
 