OpenWrt randomly appeared on my router

Hi, all. Hopefully I'm asking this in the right place. It's 2am and I am desperate for answers.

Tl;dr: Am I correct in assuming that whoever flashed openwrt to my router might have also added something else that might hang on through several resets and a re-flash to stock firmware? Context is below.

So... I had a small internet outage a few hours ago and thought nothing of it. Went to get on my tablet and noticed my wifi was down despite having internet connectivity via wire on my desktop. Did some sleuthing, discovered that I couldn't log in to my router's management gui... Reset it a few times, same thing. Checked for wifi and found a new SSID called "openwrt".
Lo and behold, it would seem that someone who is not me installed openwrt on my router and attempted to hide it. This was confirmed by using putty to ssh into "root@192.168.1.1" and seeing the big banner for Openwrt.

I figured out how to re-flash my router's original firmware, and am seemingly back in full control, but I'm not familiar with openwrt. I don't know but what openwrt made it possible for there to be software running on my router that might still be there even after I flashed the stock firmware back.

You don't say which router you have, but I think you've got a 'dual-boot' router. That has 2 separate firmware installations. The main goal is to protect against failed updates (power failure during an update, or something like that). The toggle between firmwares is flipped as the last action, so an interrupted update won't brick the router.
As extra protection the box will detect a failed boot, and switch to the other firmware. The power failure triggers this, and so your box switches between stock and OpenWrt.
Is this a 2nd hand router, or did you ever try to install OpenWrt yourself?

Sorry. It's a Netgear WNDR3700V2.

It's a router I've had for a very long time, probably longer than I should, and was brand new when I got it.

I have never tried to install Openwrt. I didn't even know it existed until now.

Hm. The wiki does not mention that router as being dual boot. Yet it is possible. It has 16MiB flash memory, and I just checked: a firmware update is (after unzipping) 7.1MB. So that fits twice, and then you keep some room for a shared bootloader. But for a dual boot box I'd expect 64+MiB.
If it boots in OpenWrt again, you can check it by executing cat /proc/mtd in an ssh prompt. That shows the flash partitions. If you can recognize 2 kernels or rootfs's, it's dual boot.

Why? If it still works, why replace it? If the firmware is aging you can install OpenWrt.

BTW, you reflashed it from OpenWrt to stock. If it is a dual boot router, OpenWrt might still be there, as the idea is that you always flash the currently not active flash half. So you should flash stock once again to be sure both slots are filled with stock firmware.

Do you remember which firmware version you were running?

Your device has not had any updates since 2016, and the last firmware from Netgear was trying to fix remote control exploits: https://kb.netgear.com/24482/WNDR3700v2-WNDR37AVv2-Firmware-Version-V1-0-1-14

It may be in your best interest to switch to openwrt.

Are you sure that this actually is your router?
When you did "ssh root@192.168.1.1" could you actually log in with your old password?
Did you need a password at all?
Does the wifi/ssh connection go away if you unplug your router?


Would it be possible to select which firmware to boot with a wired connection and something like Putty at boot-up? In other words, what might be a good way to get it to boot into OpenWrt again, assuming it's still on there somehow?

I do not recall the specific version the router was running prior to this... incident, however upon figuring out how to access OpenWrt via putty, I saw that it said "openwrt snapshot r14284-d75e753063" under the banner. I tried to find version info at the time, but I didn't go too far because I thought I might still be under attack and was just trying to regain control ASAP.

I'm wondering about doing that, rather than buying a new router to eliminate any doubt of hijack.

100% certain. My other networks were gone after a factory reset, and once I flashed the stock firmware back on, the OpenWrt network disappeared. It's because of that "openwrt" network that I discovered this issue in the first place.

I didn't think to find a way in with Putty until after I'd done a few resets (by holding the reset button on the router), but once I did get in with Putty, there was no password. It asked me to set one, which I did, but that's about all I could do at the time. I read a bit of the OpenWrt documentation for initial setup, but none of the commands I tried worked. Granted, I only tried a few such as "opkg" and "configure interface wan", both of which were met with "unrecognized command". I also recall it having the word "ash" in some of the error messages...?

Also, thank you to all of you for the quick replies and information provided so far. I didn't expect this many replies so quickly.

I don't think so. PuTTY is high level, and needs a full OS. Using a serial cable it should be possible.

Press the reset button while booting, to trigger the 'failed to boot switch'.

opkg was unrecognized? In that case it's not a 'normal' OpenWrt.

I flashed OpenWrt myself now, so that I could be sure to get access to the SSH CLI. I did this and this is what I see.
[Screenshot 2021-07-13 143057]

I'm not entirely sure what I'm looking at, but it looks like there's only one kernel and rootfs... if that's the case, I should be free of any potentially unwanted software running in the background, right?

The WNDR3700v2 is not a dual-firmware device, there can only be a single firmware present at a time. Flashing any firmware (OEM or OpenWrt) completely replaces all of it, aside from the bootloader (u-boot && u-boot-env) and art (wifi calibration data, specific to your device and non-recoverable). While a potentially malicious bootloader has some potential to wreak havoc, its impact is limited after the handover to the kernel (especially on resource constrained devices like this), so I wouldn't worry too much about that.

The reason for your sudden surprise, however, remains a source of concern. OpenWrt doesn't install itself (even less a rather old snapshot, which might have been tampered with). While it feels a bit blunt and obvious for an outside attack (sticking to the OpenWrt UI and not Netgear's), it's still a weird situation that warrants closer inspection.
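The /proc/mtd check suggested earlier in the thread (count the kernel and rootfs partitions) and the partitions this reply says survive a reflash (u-boot, u-boot-env, art), as an added shell example that is not from the thread or from OpenWrt itself. The two listings are constructed; the ath79-style single-slot layout is illustrative, not the exact layout of any particular device.

```shell
#!/bin/sh
# Added example: classify a /proc/mtd listing as single-slot or dual-boot.
# SAMPLE_MTD is CONSTRUCTED to resemble a single-slot ath79 layout.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00050000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00f80000 00010000 "firmware"
mtd3: 00200000 00010000 "kernel"
mtd4: 00d80000 00010000 "rootfs"
mtd5: 00a00000 00010000 "rootfs_data"
mtd6: 00010000 00010000 "art"'

# CONSTRUCTED dual-boot layout: two kernel/rootfs pairs, no second bootloader.
SAMPLE_DUAL='dev:    size   erasesize  name
mtd0: 00050000 00010000 "u-boot"
mtd1: 00200000 00010000 "kernel1"
mtd2: 00d80000 00010000 "rootfs1"
mtd3: 00200000 00010000 "kernel2"
mtd4: 00d80000 00010000 "rootfs2"'

# Number of firmware slots: count partitions named kernel, kernel1, kernel2...
# and rootfs, rootfs1...; take the larger count. rootfs_data is the JFFS2
# overlay for settings, not a firmware slot, so it is deliberately excluded.
firmware_slots() {
    printf '%s\n' "$1" | awk -F'"' '
        $2 ~ /^kernel[0-9]*$/ { k++ }
        $2 ~ /^rootfs[0-9]*$/ { r++ }
        END { print (k > r ? k : r) + 0 }'
}

# Partitions a full firmware flash leaves untouched, per the reply above:
# the bootloader, its environment and the wifi calibration data (art).
surviving_partitions() {
    printf '%s\n' "$1" | awk -F'"' '
        $2 == "u-boot" || $2 == "u-boot-env" || $2 == "art" {
            s = s (s == "" ? "" : " ") $2 }
        END { print s }'
}

classify() {
    case "$(firmware_slots "$1")" in
        0) echo "no-kernel-found" ;;   # unusual layout, inspect by hand
        1) echo "single-slot" ;;       # one reflash replaces all firmware
        *) echo "dual-boot" ;;         # the other slot may still hold old firmware
    esac
}

printf 'sample: %s, survives reflash: %s\n' \
    "$(classify "$SAMPLE_MTD")" "$(surviving_partitions "$SAMPLE_MTD")"
printf 'dual sample: %s\n' "$(classify "$SAMPLE_DUAL")"
```

On a router running OpenWrt the same check is `classify "$(cat /proc/mtd)"`; a dual-boot result means the second slot should be flashed as well before trusting the box.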


That is my line of thinking. While strange, I think someone somehow got into my router via wifi and flashed a modified version of OpenWrt onto it, attempting to mimic my already-existing network. I'm assuming they figured that I probably wasn't very tech savvy and wouldn't notice. I'll admit that I probably wouldn't have if my 5ghz network had remained functional. I have to wonder if they scripted openwrt to try to mimic my network automatically, or if they mimicked it themselves as best as they could and did the recon to pull it off themselves.

At any rate, I'm going to be researching and testing Openwrt out now, since I was partially forced into it. I've wanted to install a custom firmware on this router for a long time, but was worried about bricking it and dealing with that potential headache. Since I've now flashed new firmware to the thing twice, I'm thinking I'll stick with it and see what it's like.
Either way, I'm doing everything I can to beef up my security so that it doesn't happen again.

The WNDR3700v2 is a solid device, with a reliable recovery method over tftp (always good to have) and which should work well with OpenWrt. It's a bit dated by now (802.11n compared to 802.11ac or ax), but if it meets your requirements, it should be fine.

Edit: Just make sure to use good passwords, both for the root password and your wireless (WPA2-PSK/ CCMP (AES)).


That's kind of strange for a malicious attack. In most cases they content themselves to install some remote-control thing to turn your device into a drone for their botnet swarm. (It's the electronic equivalent of using a stolen car to commit a crime: they use your stuff so they are not committing the crime with their stuff.)

Doing this "let's reflash it with OpenWrt without bothering to hide it in any way" seems more like a form of "offensive security" or "relatively good-intentioned hacking".

There have been some hackers that exploit vulnerabilities in routers to install (existing) patches/updates: https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

and more recently with the large amounts of WD NAS drives that got wiped.
Where the full story seems to be that the first to exploit them were the more conventional "bad guys" that just installed the usual stuff to make them join a botnet without disrupting the NAS function (so the users were not aware), and then someone else came in and triggered a firmware reset to force the users to notice and probably change the devices.
A lot of users lost their data (encrypted disks for example were encrypted with keys that were erased by a firmware reset), so maybe it wasn't a 100% "good guy", but it did nuke a lot of devices that would have been used by other 100% bad guys otherwise.
https://www.securityweek.com/zero-day-vulnerability-exploited-recent-attacks-wd-storage-devices

When I used to be a neighbors-wifi-pirate and the firmware totally sucked, I'd remote flash it with better so I could turn up the transmit mw and stuff and get myself a better free Internet.

But I'd spend time ensuring it would operate identically from the user side so they wouldn't investigate. Same WEP keys and SSID and what not. Sometimes just the latest factory firmware, just so it would be less buggy. Also, since most routers have a traffic gauge of some kind, usually I would wait for nobody to be using it (3am or something), then nobody really ever noticed.

Once there was WPA and then WPA2 essentially it takes too long to hack the key, and packet sniffing doesn't expose the same key all the time due to rotating keys. Back with WEP I could get into almost any router especially if I could just let my radio log packets for a few days. And then most people just leave the password as factory default for the web interface once you're on the network, and then you have flash access at least on models where a factory-image makes it through the web-flash file validations.

So are you running WEP instead of WPA2? If so, that's how they got in. If you have no encryption then of course they got in. If you never changed the password for the web interface then I'd say you definitely got remote flashed; could be a drive-by, could be a neighbor trying to enhance their signal. I had directional and amplified setups, indoors firing through walls towards targets, and did not have to be literally next door. My point is you'll probably never figure out who or how.
