Question about Trend Micro Signature "update failed"


RMerlin

Asuswrt-Merlin dev
wget: --timeout: Invalid time period '3O'

Bad news - your router got infected by malware.

That particular malware was setting the timeout to 3O (letter O), to prevent updates from working properly.

Do a complete factory default reset, wipe out the JFFS partition, and reconfigure everything manually. And make sure you don't open webui access to your WAN.
 

Wayne Hutchinson

Occasional Visitor
Hi Merlin,
OK, I get most of this (reset to factory defaults, manually set all of my fixed IPs) but don't get what you mean about webui access. Can you explain please?
I only use Chrome to access router.
 

RMerlin

Asuswrt-Merlin dev
Wayne Hutchinson said:
> Hi Merlin,
> OK, I get most of this (reset to factory defaults, manually set all of my fixed IPs) but don't get what you mean about webui access. Can you explain please?
> I only use Chrome to access router.

On the System tab there is an option to allow your router's web interface to be accessible over the Internet. Make sure you don't enable that, because it's the primary vector through which routers get compromised.
 

Wayne Hutchinson

Occasional Visitor
RMerlin said:
> On the System tab there is an option to allow your router's web interface to be accessible over the Internet. Make sure you don't enable that, because it's the primary vector through which routers get compromised.

Looking at the Asus, I don't see a Systems Tab. Is it under another tab?
 

Wayne Hutchinson

Occasional Visitor
Under: Administration - System

Here is what I see, can you advise,
[Attached screenshot: upload_2020-6-21_14-7-0.png]
 

Wayne Hutchinson

Occasional Visitor
Thanks guys!

Think I have recovered. Not sure when or how that Web Access from WAN got turned on, but it's Off now and TrendMicro has updated correctly.

Now I have to enter my fixed IP addresses.

Thanks Again!
 

dave14305

Part of the Furniture
Wayne Hutchinson said:
> Thanks guys!
>
> Think I have recovered. Not sure when or how that Web Access from WAN got turned on, but it's Off now and TrendMicro has updated correctly.
>
> Now I have to enter my fixed IP addresses.
>
> Thanks Again!

You should consider installing the Skynet firewall enhancement which will block known malware IPs. It’s in addition to any AiProtection features. Highly recommended. Plus it has “secure mode” to ensure https and ssh are not open to WAN.

https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/
 

DeepWoods

Occasional Visitor
I just discovered that I too suffer from the "apps_wget_timeout=3O" issue.
My signatures were not updating and I could not check for newer versions of Merlin.
I sadly had WAN access enabled, but with a thoroughly arbitrary username/password which I couldn't imagine anyone ever cracking...

Is this specific malware issue well known or is it speculation that this is the result of malware?
I googled it and only found two instances (both on snbforums).

Anyhow, I suppose that I am factory resetting everything. sigh...
 

RMerlin

Asuswrt-Merlin dev
DeepWoods said:
> Is this specific malware issue well known or is it speculation that this is the result of malware?

It is not publicly documented, but I know about it and how it operates. The apps_wget_timeout change is one of the easiest ways to locate it.

Don't forget to also wipe your JFFS partition when you do. This malware also inserts itself into a user script.

DeepWoods said:
> I sadly had WAN access enabled, but with a thoroughly arbitrary username/password which I couldn't imagine anyone ever cracking..

The router's httpd has a history of security issues allowing authentication to be bypassed. While Asus resolved a lot of these over the years, there is no guarantee that they are all fixed by now. So even if the issue used for this malware to install itself has been resolved, there may still be more security holes waiting.
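
The indicator RMerlin describes above, together with the WAN exposure settings discussed in this thread, written as a check over `nvram show` style output (an added example, not part of the thread and not Skynet's or Asuswrt-Merlin's code). `apps_wget_timeout` comes from the thread; the `misc_http_x` and `sshd_enable` names and their value meanings are assumptions about Asuswrt's nvram layout, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: flags the tampered wget timeout and WAN-exposed admin services.

# Succeeds only when the value is entirely digits. The tampered value from
# the thread, "3O", ends in the letter O and therefore fails.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads key=value lines (the format printed by `nvram show`) on stdin, prints
# one line per finding, and returns 1 if anything was flagged.
scan_nvram() {
    findings=0
    while IFS='=' read -r key value; do
        case "$key" in
            apps_wget_timeout)
                if ! is_numeric "$value"; then
                    echo "ALERT apps_wget_timeout='$value' is not a number"
                    findings=$((findings + 1))
                fi ;;
            misc_http_x)   # assumed meaning: 1 = web UI reachable from WAN
                if [ "$value" = "1" ]; then
                    echo "WARN web access from WAN is enabled"
                    findings=$((findings + 1))
                fi ;;
            sshd_enable)   # assumed meaning: 1 = SSH on LAN and WAN, 2 = LAN only
                if [ "$value" = "1" ]; then
                    echo "WARN SSH is open to WAN"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample dump, not taken from a real router.
SAMPLE_DUMP='apps_wget_timeout=3O
misc_http_x=1
sshd_enable=2
wan_proto=dhcp'

printf '%s\n' "$SAMPLE_DUMP" | scan_nvram || echo "findings above need attention"
# On the router itself: nvram show 2>/dev/null | scan_nvram
```

A clean result here only means these settings look normal; it says nothing about the user scripts on JFFS that RMerlin mentions.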
 

dave14305

Part of the Furniture
RMerlin said:
> It is not publicly documented, but I know about it and how it operates. The apps_wget_timeout change is one of the easiest ways to locate it.
>
> Don't forget to also wipe your JFFS partition when you do. This malware also inserts itself into a user script.
>
> The router's httpd has a history of security issues allowing authentication to be bypassed. While Asus resolved a lot of these over the years, there is no guarantee that they are all fixed by now. So even if the issue used for this malware to install itself has been resolved, there may still be more security holes waiting.

@Adamm This would be a good security check for Skynet.
 

Adamm

Part of the Furniture
RMerlin said:
> It is not publicly documented, but I know about it and how it operates. The apps_wget_timeout change is one of the easiest ways to locate it.
>
> Don't forget to also wipe your JFFS partition when you do. This malware also inserts itself into a user script.
>
> The router's httpd has a history of security issues allowing authentication to be bypassed. While Asus resolved a lot of these over the years, there is no guarantee that they are all fixed by now. So even if the issue used for this malware to install itself has been resolved, there may still be more security holes waiting.

dave14305 said:
> @Adamm This would be a good security check for Skynet.

I wasn't aware a new variant of malware was in the wild. In any case I've added the IOC to Skynet's security checks.
 

QuikSilver

Very Senior Member
Adamm said:
> I wasn't aware a new variant of malware was in the wild. In any case I've added the IOC to Skynet's security checks.

How I see @Adamm when he reads about the new malware...:D
 

Wayne Hutchinson

Occasional Visitor
Hi Adamm,
I am interested in installing Skynet but am a novice with Unix usage. Can you please put together an install and usage post?
I have looked at your thread but want to make sure I get it right.

Thanks
 

Adamm

Part of the Furniture
> i wonder if an email notification system would be useful, in addition to writing to syslog?

Check_Security() is run every hour during the save process along with startup/firewall restarts, if someone misses 24 warnings per day for a prolonged period of time I think they have bigger issues :p
 

Jack Yaz

Part of the Furniture
Adamm said:
> Check_Security() is run every hour during the save process along with startup/firewall restarts, if someone misses 24 warnings per day for a prolonged period of time I think they have bigger issues :p

These people disable secure mode and enable WAN access. I think they'll miss syslog tbh.
 
