Paranoid about security

[i11umina7i]

I'm a Gentoo user and usually I'm security conscious about most things, although not an expert in the field but I believe I have much to learn.

Recently I have found out by accident that my home router has been compromised. The intruders used sophisticated scripts and tools to do various nefarious things that I don't have much idea about as there are no logs on the system. They bonded my network with their own, set up scripts to monitor my social media activities as well as installed custom CA certs along with custom iptables rules. The router is a cheap & insecure ISP supplied router that was vulnerable to remote code injection, that is how I assume they got their foot through the door.

I can go into much more details, I have all their tools and scripts that I can perhaps share if anyone is willing to help me learn more about them but that can be done later.

I had one question, is it normal for dnsmasq to listen on high ports such as like this:

[josephg]

from what i understand, i see your dnsmasq is listening only on port 53 which is the iana standard dns port.

[krinn]

[i11umina7i]

Thanks for the feedback guys.

Alright, one issue that I'm working on right now is figuring out how to get the files out of the router.

Utilities like ftp, scp, sftp, nc etc. have been removed from the system by the intruders. There is tftp and something called 'bftp' which I haven't used before but it seems to be a bit buggy and running into issues when trying to connect. I still have ssh and telnet access on the router.

So I have a few questions, and I think there's no better place to get answers from other than here

1) How can I go about acquiring the files from the router under such circumstances? It is a busybox system. I'm currently coding a python script that uses paramiko ssh module to connect over ssh, concatenate the files over stdout and write the data received locally. I think it might work but will have to see if it runs into issues over large binary files as I'm not sure if there are any memory related limitations in python. Last resort would be to open up the device and dump the data but that's a lot of work.

2) Is it possible to backdoor or modify ssh service on my router so that when I connect to it, it backdoors the host OS (gentoo box from which I'm connecting?). What about the cat utility, is it also possible to setup a file in a way so that when I concatenate the file over ssh it sends over special escapse sequences to my terminal that can be malicious?

These are just some of the things that I can think of at the moment. The attackers seemed quite skilled at what they seem to be doing. After I get the scripts (roughly 50-60 bash scripts), I'll post here to get some feedback on what they might be related to

[ct85711]

Well, if it has busybox; you may want to see if busy box has it's own copy of ftpput (to put a file to an ftp server) or wget. Wget would be useful in allowing you to download a file to the router (allowing you to retrieve say something else so you can easily download the files).

Note: I am not an expert with busybox, just going by it's documentation.

[NeddySeagoon]

i11umina7i,

Ask busybox what it can do for you. Log into the router and give the

[i11umina7i]

Thanks @NeddySeagoon

It looks like the whole thing is a read-only filesystem. Before the hacking I remember the filesystem was writable, or atleast part of it.

[NeddySeagoon]

i11umina7i,

[i11umina7i]

Thanks @NeddySeagoon.

I have tried nfs, it works locally but when trying to make it work with the router it's not able to connect. I've cleared the iptables rule on the router as well as that on my machine but there could be some other filtering mechanism that is preventing connections other than ssh and telnet. I saw something related to ebtables on the router and searched for it online and from what I can understand it seems to be firewall for routing packets through bridges (could be wrong).

Anyway in the end I was able to clone the files over ssh using my custom python script. I'm not sure if posting the scripts and configs here would pose any security risk or have information that can be personally identfiable. Also it might not be appropriate for this forum, so I'll refrain from doing so. If you're curious and want to take a look at them or want to help me figure out what really happened feel free to pm me.

This incident was a huge wake up call for me, I always fantasized about getting hacked in really innovative ways but never thought that it could happen to me in real life.

The config files for the router (which sort of looks like kernel config in Gentoo) includes customized features for isps in other countries as well with option to enable social media monitoring features, etc. so I'm guessing that the attackers might not be a random hacker poking around for fun with that level of access.

[NeddySeagoon]

i11umina7i,

I'm not very familiar with router network appliances. I used Smoothwall for a long time.
I moved away from Smoothwall when I consolidated all my physical servers into one system divided into KVMs and Smoothwall would not install into a KVM.

If you are thinking of trying Smoothwall, its a network appliance, not a program. The installer wipes the system that its installed on.
Now, my router is a Gentoo Hardened based KVM, which my network provider can't get their head round at all.

Routers are generally set up for a wide market and ease of use. That means that they come preprogrammed with lots of settings, which the user chooses from a web interface. Thus lots of things that are no use to you is to be expected.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.