RT-AC3200 384.13_10 exploited - runtime.log / upgrade.sh / chkupdate.sh attack

  • ATTENTION! As of November 1, 2020, you will not be able to reply to threads 6 months after the thread is opened. Threads will not be locked, so posts may still be edited by their authors.

vibroverbus

Regular Contributor
Just FYI in case this "is going around".

Same as here: http://www.snbforums.com/threads/list-of-legitimate-processes-on-router.65694/post-609286
And here: https://mattyb.co.za/index.php/2020/08/12/routers-are-secure-right-asus-lyra-hacked/

Some notables:
  • I haven't found a name for this exploit - the Lyra post above covers most of the details but to recap...
    • NVRAM jffs2_exec runs a malicious replacement of /jffs/scripts/openvpn-event
    • That script copies a malicious "/jffs/runtime.log" to /tmp/upgrade.sh and that runs in background
    • runtime.log aka upgrade.sh wgets binary files from Southeast Asian ip address which it then saves as chkupdate.sh which then runs in background
  • In addition a local script of mine - aka /jffs/scripts/notactualnameofthisscript.sh - was replaced with exact same openvpn-event script and given a bogus November 2019 timestamp. This script is called by other scripts as a utility so even if I just deleted the NVRAM entry or the openvpn-event code, it would still be able to install
  • Reset button was deactivated, rebooting with reset button in would not clear the configuration.
  • Had been running Ai Protection, found it turned off when infected
  • SSH and Web were not enabled for remote
  • Running Skynet. Skynet TOTALLY caught it and had been posting warnings in the logs, I just had been lazy and hadn't scanned logs in ages.
  • I caught this by router overload. There were hundreds of "dos2unix" processes running that could not be killed. dos2unix on my system is an alias to Entware busybox, possibly the Entware installation was compromised as one of the core methods of implementing malicious code? I would have liked to do some MD5 checksums on the busybox that was on the compromised system vs legit entware busybox of same version however I didn't have time to go that deep into it as I was rushing to delete everything and start over. I did save some files out including the iptables which at a quick glance seem to have a lot of suspcious entries but I'm not an iptables guru so its painful for me to decipher what is meaningful there. Might look later.
  • I am assuming from all the processes that this was some kind of botnet deployment, who knows, bitcoin or porn server or Russian-US-election hacking, who knows what.
  • Infected for at least a month - from some file timestamps and log entries ( I can see where my local script stopped working as it must have been replaced) I am fairly sure it goes back to about mid-August. Exploit was almost surely in place all that time but unclear how much it was 'activated' aka not running processes all the time. I do have nightly reboots, these had been working until about a week ago however system had not been rebooted in a week. Perhaps they did not 'activate' me until a week ago.
Router was clean reflashed and reconfig'd, new username/pw/SSH-key, AiProtect and Skynet back on... All looking fine again but I'll keep a closer eye on things for now....
 

Adamm

Part of the Furniture
This strain has been around for quite some time now, the main method of infection is having the WebUI/SSH exposed to WAN. So as always, make sure to keep these disabled.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top