Since we have cases where we have both, Wget + uclient-fetch at the same time on a single IP: When would one use Wget, when uclient-fetch?
Wget is trivial, (presumably) everybody knows it, but uclient-fetch? Would an occasional user use it?
I'd assume that even those who do know about uclient-fetch mostly use its wget personality (but that doesn't affect the reported user agent, which would be "uclient-fetch" in either case), scripts which may use advanced features of either of the possible implementations (busybox wget, uclient-fetch, GNU wget with and without SSL support) are probably the only reason why one would use uclient-fetch directly.
The only reason for using both alternatively from a single script would be the case of ressources being fetched over http, vs https (yes, it doesn't really make sense, but think uclient-fetch without libustream-ssl and wget-ssl) or for using some of the advanced GNU wget specific features.
I doubt all those IP addresses are static: those network names belong to ISPs in Spain that serve home customers, and fixed addresses are only handled (and paid) under demand. Some providers have separate network names for clients with an static address, and I am not seeing those names here.
I think we should take the geolocation info with a grain of salt.
This is interesting: if somebody made a mass installation of the rogue software (as it looks to me), the base system where that software was installed is not homogeneous...
Those cities in Romania do not have a name that sounds Spanish at all, I would discard someone miss-typed the name in the database.
Spanish networks are mostly connected to France, Switzerland, Germany, ... but not Romania.
Could a device be manufactured in Romania and be sold exclusively in Spain? I doubt that, have never seen it.
However, there are many Romanian migrants working in Spain, that travel frequently back home... if I had to make a bet, I would say somebody bought a device in Spain and then took it home.
I suggest you try to find forums with users from those areas and ask there if there are any routers or router-like hardware that are only used in that area. Maybe something localized for the Basque language?
I was refering to the Romanian IP adresses, not the ones from Spain.
Sounds sensible to me.
Another possible clue: many (most?) of the downloads come from Bilbao or very close to Bilbao. Could this point to a local shop there?
The single IP in Castro Urdiales that downloaded 60GB might be worth investigating.
Close to Bilbao and by far the biggest downloader ever.
Hi, Spanish user here!
As far as I know, no ISP provides an OpenWrt/LEDE router neither they give out the TL-WR1043ND router.
The issue seems to be specific with Euskadi, a very specific region of Spain, this could be related to local ISPs like Euskaltel or others that provide WiMaX coverage. This smaller ISPs tend to be less professional.
Some information about the local context: Here in Spain, most of users use FIBER, not DLS or other kinds of connections. The ISP provides a ONT (or GPON in english, the device that converts fiber to ethernet) and a router. This router is commonly restricted to user privileges and its not possible to update it manually. Some users (lets say 5%) replace their router for another to extend the coverage or speed .Firmware updates and config changes are issued by the ISP. Also, the same routers are spread in clients all across the country for the same ISP. Its not possible to have a specific router for some region if its not by having a regional ISP that just operates in that specific region.
I'm out of clues about the origin of this issue, but if I had to guess I would say It could be an ongoin router hack that is testing the speed of the infected machines (maybe routers) by downloading an innocent looking file.
There is no community as large as the numbers seen here that could be recommending some kind of script to download that file. I'd would discard that possibility.
I suggest you to try to follow individual IP addresses, do they download the file one single time or retry multiple times?, how many?.
Looking at the " Timely pattern: Minutes" chart its obvious that its a single actor, these patterns are not random.
OPTION 1:
- Good intended ISP is performing speedtests or has deployed wrongly an update to routers that makes these requests.
OPTION 2:
- Bad intended actor is trying his brand new botnet.
To try to tackle the issue I would try to delete that specific file and reupload it with another name, and replace instead the original URL with a warning in english and spanish and an email address just to see if someone reaches you.
1 Like
I'd suggest against fancy tricks here, as there is a high risk that users might flash (mtd write) these text files otherwise (depending on the installed OEM u-boot revision, the earlier devices don't support push-button tftp recovery). The tl-wr1043ndv1 images can be safely removed from ar71xx alltogether, as it's supported just fine in ath79.
1 Like
According to information above, those who do not check hashsums will suffer anyway:
Moreover we can use redirect to another file name to indicate the issue in a more obvious way.
Users: refers to genuine users downloading an image to flash. They should be protected from accidentally bricking a device.
Genuine users will see redirect to another page.
Or you could just remove or rename it for a day or two and see what happens. Maybe they'll notice and spam someone else with their requests instead.
- One IP (the biggest overall downloader) is blocked since several days. No change in behaviour, 1043nd file is still being requested from this IP, although all he gets is 403.
- We had changed the filname slightly for approx 24h, no reaction, no change in download behaviour.
1 Like
Is it worth following through by contacting the isp to make inquires on your behalf
Basque user here.
We were with euskaltel. now we are with Telefonica/Movistar. Both don't use OpenWRT in their routers. However, guifi.net people does use TP-LINK devices, usually at members home. We do, even if we are gone from guifi.net years ago. See http://guifi.net/ca/node/17718/view/map
But, we are pretty confident that it doesn't come from our devices, because we compile our own openwrt image, and we don't have any 1043 
That guifi.net thing in Euskal Herria has been a complete mess and last year appeared a new "operator" called Izarkom from the people that made the mess. It could be worth to ask them, but of course I'm not saying they are the bad guys.
2 Likes
I have now City data for all IPs and with this, I was able to create the following graphic, showing the download counts geographically:
And here a bit more detailed view with annotations:
Heatmap visualisation:
1 Like