Hacked by China?

So after years of using OpenWrt, it appears my router has been hacked by users from China, maybe?
What made me start looking is a total loss of connection until reboot. It seems the router is running out of memory, so I checked the logs and found the following, repeated over and over:

Fri Oct 4 01:30:29 2019 daemon.warn dnsmasq[19995]: reducing DNS packet size for nameserver 2001:4860:4860::8844 to 1280
Fri Oct 4 01:30:31 2019 authpriv.info dropbear[11724]: Child connection from 61.177.172.158:32700
Fri Oct 4 01:30:37 2019 authpriv.info dropbear[11724]: Exit before auth: Exited normally
Fri Oct 4 01:31:00 2019 daemon.info odhcpd[992]: Using a RA lifetime of 1800 seconds on br-lan
Fri Oct 4 01:31:05 2019 authpriv.info dropbear[13048]: Child connection from 61.177.172.158:24563
Fri Oct 4 01:31:08 2019 daemon.info odhcpd[992]: Using a RA lifetime of 1800 seconds on br-lan
Fri Oct 4 01:31:14 2019 authpriv.info dropbear[13048]: Exit before auth: Exited normally

I thought dropbear was not set to allow outside access by default, but it was allowed. So I have since set dropbear to only be allowed from LAN, changed the root password, then reloaded 18.06.4 as a lark.

After all this it's still running through memory at a fast clip. Normally I have about 98MB available; now it's about 23MB lower. How do I clean this mess up?

Never made it past. I have tons of these in my logs.
A few suggestions:

  1. Disable password authentication and use keys instead.
  2. Use banip or some other fail2ban solution to block such IPs in firewall.
  3. Use a VPN to connect to the router, then use SSH.
7 Likes
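To put the first two suggestions into practice, here is an added example (not from the original thread) that walks dropbear log lines like the ones posted above and flags source IPs with repeated "Exit before auth" connections in a short window, which is the pattern a banip/fail2ban style rule would key on. The log lines are constructed for the example; the 192.168.1.20 entry is a made-up LAN login.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the syslog lines quoted in the original post.
SAMPLE_LOG = """\
Fri Oct 4 01:30:29 2019 daemon.warn dnsmasq[19995]: reducing DNS packet size for nameserver 2001:4860:4860::8844 to 1280
Fri Oct 4 01:30:31 2019 authpriv.info dropbear[11724]: Child connection from 61.177.172.158:32700
Fri Oct 4 01:30:37 2019 authpriv.info dropbear[11724]: Exit before auth: Exited normally
Fri Oct 4 01:31:05 2019 authpriv.info dropbear[13048]: Child connection from 61.177.172.158:24563
Fri Oct 4 01:31:14 2019 authpriv.info dropbear[13048]: Exit before auth: Exited normally
Fri Oct 4 01:31:40 2019 authpriv.info dropbear[13100]: Child connection from 61.177.172.158:40011
Fri Oct 4 01:31:46 2019 authpriv.info dropbear[13100]: Exit before auth: Exited normally
Fri Oct 4 01:32:02 2019 authpriv.info dropbear[13150]: Child connection from 192.168.1.20:50122
Fri Oct 4 01:32:03 2019 authpriv.info dropbear[13150]: Password auth succeeded for 'root' from 192.168.1.20:50122
"""

# Syslog timestamp, facility, then "dropbear[PID]: message".
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \S+ dropbear\[(\d+)\]: (.*)$")
CONN_RE = re.compile(r"^Child connection from (.+):(\d+)$")


def analyze_dropbear(log_text, window_seconds=300, threshold=3):
    """Return {ip: count} for IPs whose pre-auth disconnects reach `threshold`
    within any `window_seconds` span. Each dropbear child has its own PID, so
    the "Child connection" and "Exit before auth" lines are paired by PID."""
    pending = {}                 # pid -> (timestamp, source ip)
    exits = defaultdict(list)    # ip  -> timestamps of pre-auth exits
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # not a dropbear line
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        pid, msg = m.group(2), m.group(3)
        conn = CONN_RE.match(msg)
        if conn:
            pending[pid] = (ts, conn.group(1))
        elif msg.startswith("Exit before auth") and pid in pending:
            exits[pending.pop(pid)[1]].append(ts)
    flagged = {}
    for ip, times in exits.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):     # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Feed it `logread` output on the router, or a saved copy, and tune the window and threshold to match the ban settings you would give banip or fail2ban.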

Which openwrt image are you using? I don't think SSH access from the Internet via the WAN interface has been allowed by default on the images I have tried.

5 Likes

OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc) for WNDR-4300

I think it defaults to unspecified, as I don't remember changing it.

Since my original post, I have re-installed 18.06.4, told it not to keep settings, changed to a new password on reboot, restored a settings backup from 2 months ago, and set dropbear to listen on LAN only, but I assume something is still getting in, as memory is dropping again.

What is the output of uci show firewall ?
Paste it here in preformatted text </>

3 Likes

IIRC, dropbear does indeed default to unspecified interface, but the default firewall will not allow incoming connections unless you explicitly create a new traffic rule for ssh inbound on the wan zone.

I would highly recommend reflashing your router again (not keeping settings) and then manually reinstating your configuration. Do not restore a config if you have any reason to question the security or stability/performance of the previous state. By performing the steps manually, it will help ensure you don’t restore an obscure/forgotten setting that may be a consideration in your current situation. And the process of manually configuring everything will help you consider/scrutinize each change to ensure it meets your goals.

5 Likes
2 Likes
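Since the thread turns on whether an explicit WAN rule for SSH exists, here is an added example (not from the thread or from OpenWrt itself) that reads `uci show firewall` output and reports a wan zone whose input policy is ACCEPT or unset, and any rule that accepts traffic from wan to the router itself on an SSH port. The uci output below is constructed for the example and deliberately contains an "Allow-SSH-WAN" rule to show what a finding looks like.

```python
import re

# Constructed `uci show firewall` excerpt; the @rule section is the kind of
# entry the thread says you must have added yourself for WAN SSH to work.
SAMPLE_UCI = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-SSH-WAN'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='22'
firewall.@rule[0].target='ACCEPT'
"""

# firewall.<section>=<type>  or  firewall.<section>.<option>=<value>
UCI_RE = re.compile(r"^firewall\.(@?\w+(?:\[\d+\])?)(?:\.(\w+))?=(.*)$")


def parse_uci(text):
    """Group uci lines into {section: {"_type": ..., option: value}}.
    List values such as 'wan' 'wan6' are kept as a space-separated string."""
    sections = {}
    for line in text.splitlines():
        m = UCI_RE.match(line.strip())
        if not m:
            continue
        sec, opt, val = m.groups()
        sections.setdefault(sec, {})["_type" if opt is None else opt] = val.replace("'", "")
    return sections


def audit_firewall(text, ssh_ports=("22",)):
    """Return human-readable findings about WAN exposure of the router's SSH."""
    findings = []
    for sec, s in parse_uci(text).items():
        if s.get("_type") == "zone" and s.get("name") == "wan":
            policy = s.get("input")
            if policy is None or policy.upper() == "ACCEPT":
                findings.append(f"{sec}: wan zone input policy is {policy or 'unset'}")
        # A rule with src=wan and no dest targets the router itself (INPUT chain).
        if s.get("_type") == "rule" and s.get("src") == "wan" and "dest" not in s \
                and s.get("target", "").upper() == "ACCEPT":
            ports = s.get("dest_port", "")
            if not ports or any(p in ports.split() for p in ssh_ports):
                findings.append(f"{sec} ({s.get('name', 'unnamed')}): accepts WAN input to port {ports or 'any'}")
    return findings
```

If you moved dropbear to a non-standard port, pass that port in `ssh_ports`; port ranges such as `22-2222` are not expanded by this simple check.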

I also meant to ask - do you have any non-default packages installed? If so, such packages could potentially be responsible for the performance (memory) issues you’re experiencing. And although unlikely on a fresh install, a security flaw and/or misconfiguration of a package could make your system vulnerable to attack and/or have other performance implications.

Restoring after a suspected security incident might restore the security flaw or malware, even from an "old" back up, as the point in time where the flaw appeared may have been long before it was discovered. Reconstructing the device's configuration is a safer practice.

2 Likes

Looks like a brute-force attack on dropbear; that will never succeed unless you have a short and weak password.

4 Likes

Yup, sure is:
https://viz.greynoise.io/ip/61.177.172.158

To OP:

1 Like

psherman

I didn't think dropbear was available by default to the outside world, so yes, I had a weak 8 character password, but the real question is why is OpenWrt DEFAULTING to placing dropbear on the outside ports?
Will there be any issue if I just uninstall dropbear?

Here's what I have tried to get back to normal, but memory is still dropping shortly after reboot, and slowly after that.

  1. Disconnected outside modem
  2. Reloaded 18.06.4, and not kept settings
  3. Ran reset defaults as soon as it finished booting
  4. Entered a random complex 15 character password
  5. Placed dropbear on "LAN" interface, changed the port #, disabled "Allow root logins by password"
  6. reconnected modem

Should any hack still remain? It seems the memory loss does not occur until it's reconnected to the outside world.

As for non-default packages, I installed a few from the package list months ago, but nothing new in the past 2 months:
AdBlockPlus, it's been installed for about 2-4 months with no issues
OpenVPN, months ago for testing

Did not reinstall anything this time until I figure out what's eating memory.

Is there a memory leak in one of the firewalls? So it's still protected, just spinning up extra instances to handle the connections?

By default, dropbear isn't open to the world. Yes, it does listen on all interfaces, but the default firewall rules prevent access from the outside.

5 Likes

@hnyman @vgaetera @trendy.... does this model have a dual partition by chance?

Did you verify the file's SHA256 key?

http://downloads.openwrt.org/releases/18.06.4/targets/ar71xx/nand/

You never described one. As long as your IPv4 address is available on the Public 0.0.0.0/0 space, it can be reached. Check your firewall is on.

:confused:

You can change to DROP if you're that worried...that's more so CPU though.

Of what???

You're almost going for the tin foil hat OP of 2019 with this one...you're putting in resources...can we get paid for giving some advice too...?

("Closed mouths don't get fed.")

2 Likes

Well, as far as I know it's not a dual partition, but something is forcing it to run out of memory. Normally it keeps about 98MB available, and when it runs out of memory it won't allow connections either way, except for pings by IP address. And yes, I verified the SHA256 matched, at least the first/last 4.

So lleachii, with no changes from me for about 2 months, something changed in the past week to force it to run through 98MB or so of memory every 18-24 hrs. If not hacked, anybody got any better suggestions?

Guess what I was trying to ask is, should that have wiped it clean no matter what?

With those problems, that seems like a wise course of action. Along with not installing or configuring anything but minimal basics, then adding slowly and methodically over days or weeks.

2 Likes

https://www.grc.com/shieldsup
Internet Vulnerability Profiling

“Shields Up” (linked in the previous post) is a bad joke. Even for the little it does, its explanations and interpretations are poor, at best.

6 Likes

If I recall correctly, the Chinese IP cameras opened this backdoor on port 32700 to the outside world. I then exiled them behind a firewall with no internet access.

2 Likes

@gwtx
Did you change openwrt default firewall config?
If no, maybe more/something else was already compromised.

Can you try:
sync; echo 1 > /proc/sys/vm/drop_caches (or 3 instead of 1)
in a terminal.
Does it free up ram?

The LuCI memory usage overview seems a bit confusing, at least for me.
htop always shows a higher reading for cached memory.
(Buffered = Cached? //edit: it's not)
It seems like the LuCI memory overview page includes cached memory.