Openwrt connecting to toknowall.com?

Is OpenWRT vulnerable to the toknowall.com malware? It seems so.
Device is an old WR1043ND with the good ol' OpenWRT Chaos Calmer.
After rebooting the router, and going into the "Connections" page, I get a connection to toknowall.com. So I added toknowall.com to the hosts file so it points to 0.0.0.0 just in case.
I tried reinstalling the original firmware and deleting settings, but the attempt to connect is still there. How does this get into the router? I have not enabled remote management, remote SSH or anything like that. Is it possible to disable and prevent this somehow? TIA

Start by flashing the latest OpenWrt (19.07.2 as of this writing). Chaos Calmer is very old, obsolete, and has numerous documented and actively exploited security issues.

Do not keep settings when you upgrade. You can take a backup and use that as reference, but don’t restore that backup - just use it as reference as you recreate your settings.


Thank you, I just saw that on the Version History, how unfortunate :frowning:
I upgraded and no more "UNKNOWN" connections to toknowall.com so that's OK.
Now how can that VPNFilter stuff get into Chaos Calmer if it had all the "remote management" stuff disabled? I mean it could be from the WAN, or from the LAN?
Now, is it possible to change the root login name, easily? Thanks again.

I don't really know specifically how that happened -- presumably a misconfiguration, or just simply an exploitable security issue is responsible for the issue.

But that's why you should be up-to-date (which I am glad is the case now).

Possible, presumably. Worth it? No. What are you trying to achieve?

The connection you saw didn't have to do with VPNFilter malware.
But since you mapped 0.0.0.0 to toknowall[.]com in the hosts file, the reverse DNS lookup made it look like this.

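The effect described in that reply (a hosts-file entry reflected back by the router's reverse lookup), as an added Python example that is not code from the thread or from OpenWrt: it parses a constructed hosts file and constructed conntrack-style flow lines, resolves each peer the way a hosts-first resolver would, and flags flows whose "remote host" name comes only from a local entry for an unspecified or loopback address. All sample data and function names are constructed for the example.

```python
"""Triage flows that only look suspicious because of a hosts-file entry.

The router's connections page reverse-resolves each peer address, and
/etc/hosts is consulted before DNS, so an entry like "0.0.0.0 toknowall.com"
makes any flow recorded against 0.0.0.0 display as toknowall.com.
"""
import ipaddress
import re

# Constructed /etc/hosts, including the sinkhole entry the poster added.
HOSTS_FILE = """\
127.0.0.1 localhost
0.0.0.0 toknowall.com
192.168.1.1 OpenWrt
"""

# Constructed conntrack-style lines (first dst= is the original direction).
CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=0.0.0.0 sport=51234 dport=80
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51235 dport=443
udp 17 30 src=192.168.1.1 dst=8.8.8.8 sport=41000 dport=53
"""


def parse_hosts(text):
    """Map each address in a hosts file to its first listed hostname."""
    rev = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rev.setdefault(fields[0], fields[1])
    return rev


def resolve_name(ip, hosts_rev):
    """Emulate the resolver order: hosts file first; DNS is omitted here."""
    return hosts_rev.get(ip)


def triage(conntrack_text, hosts_text):
    """One record per flow: displayed name, and whether that name is a
    local hosts-file artifact rather than a reachable remote peer."""
    hosts_rev = parse_hosts(hosts_text)
    records = []
    for line in conntrack_text.splitlines():
        m = re.search(r"\bdst=(\S+)", line)
        if not m:
            continue
        dst = m.group(1)
        addr = ipaddress.ip_address(dst)
        name = resolve_name(dst, hosts_rev)
        # A name attached to 0.0.0.0 or 127.0.0.1 cannot be a real outbound
        # connection; it is the hosts entry reflected back by the lookup.
        artifact = name is not None and (addr.is_unspecified or addr.is_loopback)
        records.append({"dst": dst, "name": name, "hosts_artifact": artifact})
    return records
```

Running `triage(CONNTRACK, HOSTS_FILE)` shows the 0.0.0.0 flow labelled toknowall.com and flagged as an artifact, while the flows to 93.184.216.34 and 8.8.8.8 carry no hosts-derived name.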

Absolutely logical, @trendy! Thank you
