Question about Trend Micro Signature "update failed"

wget: --timeout: Invalid time period '3O'

Bad news - your router got infected by malware.

That particular malware was setting the timeout to 3O (letter O), to prevent updates from working properly.

Do a complete factory default reset, wipe out the JFFS partition, and reconfigure everything manually. And make sure you don't open webui access to your WAN.
 
Hi Merlin,
OK, I get most of this: reset to factory defaults, manually set all of my fixed IPs. But I don't get what you mean about webui access, can you explain please?
I only use Chrome to access the router.
 
On the System tab there is an option to allow your router's web interface to be accessible over the Internet. Make sure you don't enable that, because it's the primary vector through which routers get compromised.
 
Looking at the Asus, I don't see a Systems tab. Is it under another tab?
 
Under: Administration - System

Here is what I see, can you advise,
 
Thanks guys!

Think I have recovered. Not sure when or how that Web Access from WAN got turned on but it's Off now and TrendMicro has updated correctly.

Now I have to enter my fixed IP addresses.

Thanks Again!
 
You should consider installing the Skynet firewall enhancement which will block known malware IPs. It’s in addition to any AiProtection features. Highly recommended. Plus it has “secure mode” to ensure https and ssh are not open to WAN.

https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/
 
I just discovered that I too suffer from the "apps_wget_timeout=3O" issue.
My signatures were not updating and I could not check for newer versions of Merlin.
I sadly had WAN access enabled, but with a thoroughly arbitrary username/password which I couldn't imagine anyone ever cracking...

Is this specific malware issue well known or is it speculation that this is the result of malware?
I googled it and only found two instances (both on snbforums).

Anyhow, I suppose that I am factory resetting everything. sigh...
 
Is this specific malware issue well known or is it speculation that this is the result of malware?

It is not publicly documented, but I know about it and how it operates. The apps_wget_timeout change is one of the easiest ways to locate it.

Don't forget to also wipe your JFFS partition when you do. This malware also inserts itself into a user script.

I sadly had WAN access enabled, but with a thoroughly arbitrary username/password which I couldn't imagine anyone ever cracking..

The router's httpd has a history of security issues allowing authentication bypass. While Asus resolved a lot of these over the years, there is no guarantee that they are all fixed by now. So even if the issue used for this malware to install itself has been resolved, there may still be more security holes waiting.
 
@Adamm This would be a good security check for Skynet.
 

I wasn't aware a new variant of malware was in the wild. In any case I've added the IOC to Skynet's security checks.
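
The indicator discussed in this thread (a non-numeric apps_wget_timeout, such as 3O with a letter O) can be checked from the router's shell. The script below is an added example, not part of the original thread and not Skynet's own check; the function names and sample lines are constructed, and treating 30 as a normal value is an assumption.

```shell
#!/bin/sh
# Reads nvram-style "key=value" lines on stdin so the check also works offline.
# On the router, `nvram show` supplies the real values.

# Succeeds only if the value consists entirely of digits.
is_valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 = value looks normal, 1 = suspicious, 2 = variable not present.
check_nvram_dump() {
    found=0
    result=0
    while IFS= read -r line; do
        case "$line" in
            apps_wget_timeout=*)
                found=1
                val=${line#apps_wget_timeout=}
                if ! is_valid_timeout "$val"; then
                    echo "SUSPICIOUS: apps_wget_timeout='$val' is not numeric"
                    result=1
                fi ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "apps_wget_timeout is not set"
        return 2
    fi
    return "$result"
}

# Constructed sample input (not captured from a real device).
SAMPLE_INFECTED='example_key_a=1
apps_wget_timeout=3O
example_key_b=abc'
SAMPLE_CLEAN='apps_wget_timeout=30'

if command -v nvram >/dev/null 2>&1; then
    nvram show 2>/dev/null | check_nvram_dump || true
else
    printf '%s\n' "$SAMPLE_INFECTED" | check_nvram_dump || true
fi
```

A hit only locates the infection; the remediation remains the one given earlier in the thread: factory reset, wipe the JFFS partition, reconfigure manually.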
 
How I see @Adamm when he reads about the new malware...:D
 
Hi Adamm,
I am interested in installing Skynet but am a novice with Unix usage. Can you please put together an install and usage post?
I have looked at your thread but want to make sure I get it right.

Thanks
 
I wonder if an email notification system would be useful, in addition to writing to syslog?

Check_Security() is run every hour during the save process along with startup/firewall restarts. If someone misses 24 warnings per day for a prolonged period of time I think they have bigger issues :p
 
