
Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately

Discussion in 'Asuswrt-Merlin' started by SynoDyne, Jun 30, 2020 at 6:19 PM.

  1. SynoDyne

    SynoDyne New Around Here

    Joined:
    Jun 3, 2020
    Messages:
    7
    ASUS RT-AC88U running Merlin 384.18

    I've been getting the following warning every hour on the hour.

    I couldn't find anything useful on the internet. The only thing I came across was the 2018 router exploit called VPNFilter Malware, which shouldn't apply in this case as most firmware since then has been patched. So this is either a false positive or the router is compromised (HOPE NOT!). Anyone have any suggestions or ideas?

    Jun 29 23:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 00:01:09 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 01:00:12 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 02:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 03:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 04:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 05:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 06:00:15 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 07:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 08:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 09:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 10:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 11:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
    Jun 30 12:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
     
    Last edited: Jun 30, 2020 at 6:25 PM
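The Skynet line above names the indicator it matched: the nvram variable `apps_wget_timeout` holding the value `3O` (digit three, capital letter O) where a numeric timeout is expected. The following is an added example, not Skynet's own check and not code from anyone in this thread: it scans an `nvram show`-style dump for that variable and flags any value that is not purely numeric. The sample dump is constructed, and it is an assumption that the legitimate value is an integer number of seconds.

```shell
#!/bin/sh
# Added example: scan an nvram dump for the apps_wget_timeout indicator.
# Assumption: a healthy value is an integer (seconds); anything containing a
# non-digit, such as "3O" with a letter O, is reported as suspicious.

# Constructed sample of "nvram show" output, not captured from a real router.
SAMPLE_NVRAM='apps_state_enable=2
apps_wget_timeout=3O
http_enable=1
sshd_enable=2'

# Read a dump on stdin; print one of: "missing", "clean",
# or "suspicious: apps_wget_timeout=<value>".
check_apps_wget_timeout() {
    value=$(grep '^apps_wget_timeout=' | head -n 1 | cut -d= -f2-)
    case "$value" in
        '')        echo "missing" ;;
        *[!0-9]*)  echo "suspicious: apps_wget_timeout=$value" ;;
        *)         echo "clean" ;;
    esac
}

# On the router itself you would pipe the live dump instead of the sample:
#   nvram show 2>/dev/null | check_apps_wget_timeout
printf '%s\n' "$SAMPLE_NVRAM" | check_apps_wget_timeout
```

The `case` pattern `*[!0-9]*` is POSIX shell, so the function runs under the router's BusyBox `sh` as well as on a desktop; the letter-versus-digit confusion is exactly the kind of indicator that is easy to miss by eye and easy for a pattern match to catch.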
  2. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    3,816
    @Adamm
     
  3. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    3,348
    Location:
    USA
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,076
    Location:
    UK
  5. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    3,348
    Location:
    USA
    Great that it now exposes the issue, but it just leads to a dead-end about what to do about it since the malware doesn’t even have a name (as far as we know). The best course of action will be to reset to factory defaults, reflash the firmware and secure the WAN perimeter.
     
    Jack Yaz likes this.
  6. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    966
    I wish sometimes that there was a way for one of the installed scripts to notify users via email on what to do when this happens. I am thinking specifically of those who are not always able to interpret system logs when troubleshooting the router or get to them in a timely manner to take swift action. It would also be nice if such alert system would be maintained in a way that new alerts could be added to it from time to time as new malwares were discovered. I think AiProtection has an email feature but I have never been able to tell if it can be used of this purpose or if it works well for that matter.


    Sent from my iPhone using Tapatalk
     
    Jack Yaz likes this.
  7. SynoDyne

    SynoDyne New Around Here

    Joined:
    Jun 3, 2020
    Messages:
    7
    Reading through some of the links you all were kind enough to post it seems the purpose of the malware is to prevent AiProtect updates. I'm assuming no one knows the full extent and purpose of this malware?

    What a nice thing to come to after coming off of a 72h on-call rotation at work. I don't think I have the energy or mental capacity to go through factory reset and reconfiguration tonight.

    If anyone wants any specific captures or logs from the router for forensics let me know before I nuke it tomorrow morning.
     
    Last edited: Jun 30, 2020 at 7:26 PM
  8. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    3,348
    Location:
    USA
    I think it would be useful to run iptables-save to see if this malware opened any unexpected firewall ports. On the Administration / System tab, make sure HTTP and SSH are open to the LAN only.

    The "good" news is that it doesn't mean this just happened. It just means that Skynet was only recently updated to detect this problem. So you've probably been living with it for a while (check when your Trend signatures last updated on the Firmware page).
     
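dave14305's suggestion to run `iptables-save` and look for unexpected open ports, together with the later advice to verify that every port forward is one you expect, can be turned into a repeatable check. The script below is an added example, not code from the thread or from Skynet: it parses an `iptables-save` dump, lists every DNAT rule as `proto:dport:destination`, reports the ones missing from an allowlist of known forwards, and lists INPUT rules that ACCEPT traffic on the WAN interface. The dump, the allowlist and the `eth0` WAN interface name are constructed assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for unexpected port forwards and
# WAN-facing ACCEPT rules. Sample data below is constructed, not a real capture.

SAMPLE_IPTABLES='*nat
:PREROUTING ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 203.0.113.10/32 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A VSERVER -p tcp -m tcp --dport 5555 -j DNAT --to-destination 192.168.1.50:23
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
COMMIT'

# Allowlist of forwards you configured yourself (assumed): proto:dport:dest
EXPECTED_FORWARDS='tcp:443:192.168.1.20:443'

# Print each DNAT rule from the dump on stdin as proto:dport:destination.
list_dnat_forwards() {
    awk '/-j DNAT/ {
        proto = ""; dport = ""; dest = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1);
            if ($i == "--dport") dport = $(i + 1);
            if ($i == "--to-destination") dest = $(i + 1);
        }
        print proto ":" dport ":" dest
    }'
}

# Print "UNEXPECTED: <rule>" for every DNAT rule not in the allowlist.
# Prints nothing when all forwards are accounted for.
unexpected_forwards() {
    list_dnat_forwards | while IFS= read -r rule; do
        found=0
        for e in $EXPECTED_FORWARDS; do
            [ "$rule" = "$e" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "UNEXPECTED: $rule"
        fi
    done
}

# Print INPUT rules that ACCEPT on the given WAN interface (default eth0).
# Anything here is a service reachable from the internet and deserves a look.
wan_input_accepts() {
    wan_if=${1:-eth0}
    grep -- "-A INPUT -i $wan_if " | grep -- '-j ACCEPT' || true
}

# On the router: iptables-save | unexpected_forwards ; iptables-save | wan_input_accepts eth0
printf '%s\n' "$SAMPLE_IPTABLES" | unexpected_forwards
printf '%s\n' "$SAMPLE_IPTABLES" | wan_input_accepts eth0
```

With the constructed data the forward of port 5555 to an internal host's telnet port is reported as unexpected, and the WAN-side SSH accept is listed; on a real router you would compare both lists against what the Administration and Port Forwarding pages say you configured, which is the comparison the thread asks for.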
  9. SynoDyne

    SynoDyne New Around Here

    Joined:
    Jun 3, 2020
    Messages:
    7
    Not sure how long I may have been living with this "thing".

    I always had SSH / HTTPS enabled for 'LAN Only' and WAN access disabled. I attached the info requested. I only removed my ISP IP from the log.
     


    Marin and dave14305 like this.
  10. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    3,348
    Location:
    USA
    Since we don't really know what this thing is or was, it's still safest to wipe the router. I didn't see anything too unusual. Just make sure all your port forwards are what you expect them to be.
     
  11. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    966
    Also may want to consider changing the port numbers for both HTTP and HTTPS to different numbers other than the usual 80 and 8443 that have higher potential for being scanned by malicious bots. You could try different combinations like 31256 and 56345, for example.

    And you could do the same with the SSH port number too.


    Sent from my iPhone using Tapatalk
     
  12. SynoDyne

    SynoDyne New Around Here

    Joined:
    Jun 3, 2020
    Messages:
    7
    Thanks for checking!

    Yup, all port forwards are accounted for. Will definitely do a hard-reset, reflash firmware, format USB and reconfigure from scratch. It will take a while but better safe than sorry considering how little we know about this threat.
     
  13. SynoDyne

    SynoDyne New Around Here

    Joined:
    Jun 3, 2020
    Messages:
    7
    I can do that, though they are LAN-Only accessible ports.
     
  14. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    966
    Yes, that is true but an extra layer of security doesn’t hurt especially if you happen to enable WAN access by mistake.


    Sent from my iPhone using Tapatalk
     
  15. Adamm

    Adamm Part of the Furniture

    Joined:
    Mar 26, 2013
    Messages:
    2,881
    As dave mentioned, there isn't much we know about this strain of malware beyond an IOC to detect it. The best course of action is to wipe everything and start fresh (and don't expose anything to WAN!).

    On the bright side, it's good to see this feature actually come in handy for someone; hopefully others who were unknowingly compromised will also take notice.
     
    taffeys, L&LD, jsbeddow and 1 other person like this.