Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Paranoid about security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
i11umina7i
n00b
n00b


Joined: 07 Jun 2017
Posts: 5
Location: /dev/valhalla

PostPosted: Wed Jun 07, 2017 12:27 pm    Post subject: Paranoid about security Reply with quote

I'm a Gentoo user and usually I'm security conscious about most things, although not an expert in the field but I believe I have much to learn.

Recently I have found out by accident that my home router has been compromised. The intruders used sophisticated scripts and tools to do various nefarious things that I don't have much idea about as there are no logs on the system. They bonded my network with their own, set up scripts to monitor my social media activities as well as installed custom CA certs along with custom iptables rules. The router is a cheap & insecure ISP supplied router that was vulnerable to remote code injection, that is how I assume they got their foot through the door.

I can go into much more details, I have all their tools and scripts that I can perhaps share if anyone is willing to help me learn more about them but that can be done later.

I had one question, is it normal for dnsmasq to listen on high ports such as like this:

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      21471/dnsmasq       
tcp        0      0 127.0.0.1:54307         127.0.0.1:47454         TIME_WAIT   -                   
tcp        0      0 127.0.0.1:53324         127.0.0.1:37071         TIME_WAIT   -                   
udp        0      0 127.0.0.1:53            0.0.0.0:*                           21471/dnsmasq       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           27907/dhclient     
udp        0      0 0.0.0.0:33597           0.0.0.0:*                           21471/dnsmasq       
udp        0      0 0.0.0.0:9155            0.0.0.0:*                           27907/dhclient     


What I'm interested in knowing is whether my current Gentoo system is compromised and what are the steps I can take to find out more about that.

I wanted to convert my Gentoo to a hardened Gentoo profile but now I'm considering making a fresh hardened Gentoo install. What do you guys think?

I'm also willing to share the CA Cert that was planted but I want your opinion / feedback first.
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 783
Location: usually offline

PostPosted: Wed Jun 07, 2017 12:50 pm    Post subject: Re: Paranoid about security Reply with quote

from what i understand, i see your dnsmasq is listening only on port 53 which is the iana standard dns port.

i11umina7i wrote:
Recently I have found out by accident that my home router has been compromised.

how did you find out? perhaps i should check mine too.

i11umina7i wrote:
The router is a cheap & insecure ISP supplied router that was vulnerable to remote code injection, that is how I assume they got their foot through the door.

same here. isp supplied router.. no idea about configs, as they don't expose much to users.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7071

PostPosted: Wed Jun 07, 2017 1:57 pm    Post subject: Re: Paranoid about security Reply with quote

i11umina7i wrote:
I wanted to convert my Gentoo to a hardened Gentoo profile but now I'm considering making a fresh hardened Gentoo install. What do you guys think?

That you should do fresh, first because your system might be compromise, not something to reuse.
And second, because the migration is not as easy as changing profile.
Back to top
View user's profile Send private message
i11umina7i
n00b
n00b


Joined: 07 Jun 2017
Posts: 5
Location: /dev/valhalla

PostPosted: Wed Jun 07, 2017 2:29 pm    Post subject: Reply with quote

Thanks for the feedback guys.

Alright, one issue that I'm working on right now is figuring out how to get the files out of the router.

Utilities like ftp, scp, sftp, nc etc. have been removed from the system by the intruders. There is tftp and something called 'bftp' which I haven't used before but it seems to be a bit buggy and running into issues when trying to connect. I still have ssh and telnet access on the router.

So I have a few questions, and I think there's no better place to get answers from other than here :P

1) How can I go about acquiring the files from the router under such circumstances? It is a busybox system. I'm currently coding a python script that uses paramiko ssh module to connect over ssh, concatenate the files over stdout and write the data received locally. I think it might work but will have to see if it runs into issues over large binary files as I'm not sure if there are any memory related limitations in python. Last resort would be to open up the device and dump the data but that's a lot of work.

2) Is it possible to backdoor or modify ssh service on my router so that when I connect to it, it backdoors the host OS (gentoo box from which I'm connecting?). What about the cat utility, is it also possible to setup a file in a way so that when I concatenate the file over ssh it sends over special escapse sequences to my terminal that can be malicious?

These are just some of the things that I can think of at the moment. The attackers seemed quite skilled at what they seem to be doing. After I get the scripts (roughly 50-60 bash scripts), I'll post here to get some feedback on what they might be related to :P
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1696

PostPosted: Wed Jun 07, 2017 3:48 pm    Post subject: Reply with quote

Well, if it has busybox; you may want to see if busy box has it's own copy of ftpput (to put a file to an ftp server) or wget. Wget would be useful in allowing you to download a file to the router (allowing you to retrieve say something else so you can easily download the files).

Note: I am not an expert with busybox, just going by it's documentation.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43225
Location: 56N 3W

PostPosted: Wed Jun 07, 2017 7:53 pm    Post subject: Reply with quote

i11umina7i,

Ask busybox what it can do for you. Log into the router and give the
Code:
busybox
command.
Busybox will respond with the commands that it was built with. You might have ftpd and/or httpd.

bind mount root with -o ro somewhere, then serve somewhere with ftpd/httpd, so you can get things via ftp/http.

Busybox also has mount. Maybe it supports nfs mounts?
I would be reluctant to share a piece of my HDD over nfs with a compromised system but would be OK sharing a USB stick that way.
Set up an nfs share on your PC. Sacrifice a USB stick.
Mount the share on the router.
Use it like it was a local filesystem.

bind mount root with -o ro somewhere, then use cp from somewhere to the nfs mount point.

-- edit --
Code:
busybox mount -t nfs -o ro 192.168.100.55:/mnt/mediatomb /mnt/cdrom
works here.
That's busybox nfs mounting my media collection, which is on a system at 192.168.100.55.
You won't need the -o ro.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
i11umina7i
n00b
n00b


Joined: 07 Jun 2017
Posts: 5
Location: /dev/valhalla

PostPosted: Thu Jun 08, 2017 7:27 am    Post subject: Reply with quote

Thanks @NeddySeagoon

It looks like the whole thing is a read-only filesystem. Before the hacking I remember the filesystem was writable, or atleast part of it.

Code:

# busybox
BusyBox v1.00 (2015.09.07-07:21+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

   BusyBox is a multi-call binary that combines many common Unix
   utilities into a single executable.  Most people will create a
   link to busybox for each function they wish to use, and BusyBox
   will act like whatever it was invoked as.

Currently defined functions:
   [, addgroup, adduser, adslstat, arp, ash, awk, basename,
   brasinfo, busybox, cat, chmod, cp, crond, cut, date, dd,
   delgroup, deluser, dirname, dmesg, echo, env, expr, false,
   free, ftpget, ftpput, getty, grep, head, hostname, ifconfig,
   igmp, init, insmod, ipcs, kill, killall, klogd, ln, login,
   ls, maceui, mdev, mkdir, more, mount, mv, netstat, nslookup,
   nslookup6, passwd, pidof, ping, ping6, pppstat, ps, pwd,
   reboot, rm, rmdir, rmmod, route, run-parts, sed, sh, sleep,
   sysctl, syslogd, tail, taskset, test, tftp, top, traceroute,
   traceroute6, true, udhcpc, udhcpd, umount, uname, uptime,
   usleep, wc, wget, wlan, yes

# mount
/dev/mtdblock7 on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /tmp type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)

# busybox mount -t nfs 192.168.1.34:/export/nfs /
mount: Mounting 192.168.1.34:/export/nfs on / failed: No such device

# busybox mount -t nfs 192.168.1.34:/export/nfs /usr/
mount: Mounting 192.168.1.34:/export/nfs on /usr failed: No such device


As for attempting to mount over nfs, its not working. I don't have much experience with nfs, I followed the instructions on gentoo wiki and it is possible that I did something wrong. May be you can give me some suggestions.

I have a feeling the whole system was engineered with custom binaries to prevent tampering or data transfer out of the system.

For example, busybox tends to act in a weird way which I can't explain:

Code:

# busybox ls -la /dev/ | grep mtdb
Command "busybox ls -la /dev/ | grep mtdb" is forbidden!
# busybox ls -la /dev/ | grep mt 
brw-rw-r--    1 0        0         31,   0 mtd
crw-rw-r--    1 0        0         90,   0 mtd0
crw-rw-r--    1 0        0         90,   2 mtd1
crw-rw-r--    1 0        0         90,  20 mtd10
crw-rw-r--    1 0        0         90,  22 mtd11
crw-rw-r--    1 0        0         90,   4 mtd2
crw-rw-r--    1 0        0         90,   6 mtd3
crw-rw-r--    1 0        0         90,   8 mtd4
crw-rw-r--    1 0        0         90,  10 mtd5
crw-rw-r--    1 0        0         90,  12 mtd6
crw-rw-r--    1 0        0         90,  14 mtd7
crw-rw-r--    1 0        0         90,  16 mtd8
crw-rw-r--    1 0        0         90,  18 mtd9
brw-rw-r--    1 0        0         31,   0 mtdblock0
brw-rw-r--    1 0        0         31,   1 mtdblock1
brw-rw-r--    1 0        0         31,  10 mtdblock10
brw-rw-r--    1 0        0         31,  11 mtdblock11
brw-rw-r--    1 0        0         31,   2 mtdblock2
brw-rw-r--    1 0        0         31,   3 mtdblock3
brw-rw-r--    1 0        0         31,   4 mtdblock4
brw-rw-r--    1 0        0         31,   5 mtdblock5
brw-rw-r--    1 0        0         31,   6 mtdblock6
brw-rw-r--    1 0        0         31,   7 mtdblock7
brw-rw-r--    1 0        0         31,   8 mtdblock8
brw-rw-r--    1 0        0         31,   9 mtdblock9
crw-rw-r--    1 0        0        250,   0 mtr0
# busybox ls -la /dev/ | grep mtd
Command "busybox ls -la /dev/ | grep mtd" is forbidden!
# busybox ls -la /dev/ | grep mtdbl
Command "busybox ls -la /dev/ | grep mtdbl" is forbidden!


Here are some other interesting stuff, let me know if there's anything unsual or I should know about. I don't have much experience with busybox.

Code:

# ls -la /dev/
drwxrwxr-x    5 0        0             820 .
drwxrwxr-x   12 0        0             207 ..
crw-rw-r--    1 0        0        240,   0 ac0
crw-rw-r--    1 0        0        230,   0 acl0
crw-rw-r--    1 0        0          4,  64 console
crw-rw-r--    1 0        0         10, 123 gpio
crw-rw-r--    1 0        0        220,   0 hwnat0
crw-rw-r--    1 0        0         10, 151 led
lrwxrwxrwx    1 0        0              12 log -> /var/log/log
brw-rw-r--    1 0        0         31,   0 mtd
crw-rw-r--    1 0        0         90,   0 mtd0
crw-rw-r--    1 0        0         90,   2 mtd1
crw-rw-r--    1 0        0         90,  20 mtd10
crw-rw-r--    1 0        0         90,  22 mtd11
crw-rw-r--    1 0        0         90,   4 mtd2
crw-rw-r--    1 0        0         90,   6 mtd3
crw-rw-r--    1 0        0         90,   8 mtd4
crw-rw-r--    1 0        0         90,  10 mtd5
crw-rw-r--    1 0        0         90,  12 mtd6
crw-rw-r--    1 0        0         90,  14 mtd7
crw-rw-r--    1 0        0         90,  16 mtd8
crw-rw-r--    1 0        0         90,  18 mtd9
brw-rw-r--    1 0        0         31,   0 mtdblock0
brw-rw-r--    1 0        0         31,   1 mtdblock1
brw-rw-r--    1 0        0         31,  10 mtdblock10
brw-rw-r--    1 0        0         31,  11 mtdblock11
brw-rw-r--    1 0        0         31,   2 mtdblock2
brw-rw-r--    1 0        0         31,   3 mtdblock3
brw-rw-r--    1 0        0         31,   4 mtdblock4
brw-rw-r--    1 0        0         31,   5 mtdblock5
brw-rw-r--    1 0        0         31,   6 mtdblock6
brw-rw-r--    1 0        0         31,   7 mtdblock7
brw-rw-r--    1 0        0         31,   8 mtdblock8
brw-rw-r--    1 0        0         31,   9 mtdblock9
crw-rw-r--    1 0        0        250,   0 mtr0
crw-rw-r--    1 0        0          1,   3 null
crw-rw-r--    1 0        0        200,   0 pmap
crw-rw-r--    1 0        0        108,   0 ppp
crw-rw-r--    1 0        0          5,   2 ptmx
drwxr-xr-x    2 0        0               0 pts
crw-rw-r--    1 0        0          2,   0 ptyp0
crw-rw-r--    1 0        0          2,   1 ptyp1
crw-rw-r--    1 0        0          2,   2 ptyp2
crw-rw-r--    1 0        0        111,   2 qostype
brw-rw-r--    1 0        0          8,   0 sda
brw-rw-r--    1 0        0          8,   1 sda1
brw-rw-r--    1 0        0          8,   2 sda2
brw-rw-r--    1 0        0          8,  16 sdb
brw-rw-r--    1 0        0          8,  17 sdb1
brw-rw-r--    1 0        0          8,  18 sdb2
drwxrwxr-x    2 0        0               3 shm
crw-rw-r--    1 0        0          5,   0 tty
crw-rw-r--    1 0        0          4,   0 tty0
crw-rw-r--    1 0        0          4,  64 ttyS0
crw-rw-r--    1 0        0          3,   0 ttyp0
crw-rw-r--    1 0        0          3,   1 ttyp1
crw-rw-r--    1 0        0          3,   2 ttyp2
crw-rw-r--    1 0        0          1,   9 urandom
drwxrwxr-x    2 0        0               3 usb
crw-rw-r--    1 0        0         10, 130 watchdog
crw-rw-r--    1 0        0        201,   0 wlanlanisolate
crw-rw-r--    1 0        0          1,   5 zero


# ls -la
drwxrwxr-x   12 0        0             207 .
drwxrwxr-x   12 0        0             207 ..
drwxrwxr-x    2 0        0             533 bin
drwxrwxrwx    4 0        0              82 boaroot
drwxrwxr-x    5 0        0             820 dev
lrwxrwxrwx    1 0        0               8 etc -> /tmp/etc
drwxrwxr-x    3 0        0            1143 lib
lrwxrwxrwx    1 0        0              11 linuxrc -> bin/busybox
drwxrwxrwx   84 0        0               0 proc
drwxrwxr-x    2 0        0             248 sbin
drwxrwxr-x    2 0        0               3 sys
drwxrwxrwx    5 0        0               0 tmp
drwxrwxr-x    4 0        0             124 userfs
drwxrwxr-x    6 0        0              63 usr
lrwxrwxrwx    1 0        0               8 var -> /tmp/var


# ls -ls userfs/bin/
  10 -rwxrwxr-x    1 0        0           10276 CAdecoder
  14 -rwxrwxr-x    1 0        0           14552 ated
  29 -rwxrwxr-x    1 0        0           29932 autoFwUpgrade
  63 -rwxrwxr-x    1 0        0           64632 bftpd
 144 -rwxrwxr-x    1 0        0          147948 boa
 900 -rwxrwxr-x    1 0        0          921220 cfg_manager
 172 -rwxrwxr-x    1 0        0          175936 dhcp6c
 158 -rwxrwxr-x    1 0        0          161424 dhcp6s
  54 -rwxrwxr-x    1 0        0           54844 dhcrelay
 109 -rwxrwxr-x    1 0        0          111736 dnsmasq
  54 -rwxrwxr-x    1 0        0           55380 ecmh
 126 -rwxrwxr-x    1 0        0          128764 ethcmd
  88 -rwxrwxr-x    1 0        0           89776 ez-ipupdate
  32 -rwxrwxr-x    1 0        0           32628 hw_nat
  76 -rwxrwxr-x    1 0        0           77424 igmpproxy
  55 -rwxrwxr-x    1 0        0           56608 inadyn
  12 -rwxrwxr-x    1 0        0           12200 inetd
  21 -rwxrwxr-x    1 0        0           21800 iwpriv
  21 -rwxrwxr-x    1 0        0           21544 md5
  15 -rwxrwxr-x    1 0        0           15356 mtd
  37 -rwxrwxr-x    1 0        0           37620 ntpclient
  32 -rwxrwxr-x    1 0        0           32308 pppoe-relay
  94 -rwxrwxr-x    1 0        0           96668 radvd
 102 -rwxrwxr-x    1 0        0          104540 ripd
  71 -rwxrwxr-x    1 0        0           72540 rt2860apd
 646 -rwxrwxr-x    1 0        0          661808 snmpd
   7 -rwxrwxr-x    1 0        0            7108 tcapi
  25 -rwxrwxr-x    1 0        0           25180 tftpd
1972 -rwxrwxr-x    1 0        0         2019456 tr69
  11 -rwxrwxrwx    1 0        0           10828 vconfig
 100 -rwxrwxr-x    1 0        0          102508 zebra

# ls -l tmp/
-rwxrwxrwx    1 0        0             664 CPE_Status
-rwxrwxrwx    1 0        0               0 CurrentServiceType
-rwxrwxrwx    1 0        0             484 CurrentServiceType_All
-rwxrwxrwx    1 0        0               0 LastServiceType
-rwxrwxrwx    1 0        0               2 WirelessSchedule
-rw-r--r--    1 0        0              23 adsl_stats
-rwxrwxrwx    1 0        0               0 adsllockfd
--w---xr-T    1 0        0               0 atmlockfd
-rwxrwxrwx    1 0        0               2 authresult
-rwxrwxrwx    1 0        0             112 boa-temp
-rw-r--r--    1 0        0            3440 cur_ps
-rwxrwxrwx    1 0        0           36573 customer_defaultromfile
-rwxrwxrwx    1 0        0           46721 customer_runningromfile
drwxrwxrwx    2 0        0               0 cwmp
prwxrwxrwx    1 0        0               0 email4logfifo
drwxrwxrwx   46 0        0               0 etc
prw-r--r--    1 0        0               0 faultmgmtfifo
-rwxrwxrwx    1 0        0               0 ip6dfrt.info
-rwxrwxrwx    1 0        0             251 ip_neigh
-rwxrwxrwx    1 0        0               0 ipaddr_mapping.sh
-rwxrwxrwx    1 0        0             107 ipaddr_mapping0.sh
-rw-r--r--    1 0        0              15 lcp
-rwxrwxrwx    1 0        0              83 md5.txt
-rwxrwxrwx    1 0        0               9 newDirection.txt
---S--xr-T    1 0        0               0 portbindlockfd
-rwxrwxrwx    1 0        0              23 pppsid-nas8_0
-rwxrwxrwx    1 0        0               6 pppuptime-ppp80
-rwxrwxrwx    1 0        0               0 qoslockfd
-rwxrwxrwx    1 0        0              33 rt_device
prwxrwxrwx    1 0        0               0 sigtoudhcpdfifo
-rwxrwxrwx    1 0        0               0 snmpd.tmp
-rwxrwxrwx    1 0        0               0 syslockfd
srwxrwxrwx    1 0        0               0 tcapi_sock
drwxrwxrwx    6 0        0               0 var
-rwxrwxrwx    1 0        0             376 wlanNeighborChannel
-rwxrwxrwx    1 0        0             494 wlanNeighborSSID
-rwxrwxrwx    1 0        0             556 wlanNeighborSignalStrength
-rwxrwxrwx    1 0        0              59 wlaninterferechannel
-rwSr-sr-T    1 0        0               0 wlanlockfd
-rwxrwxrwx    1 0        0              37 wlanutilizedchannel

# ls -la usr/script/
drwxrwxr-x    2 0        0            1533 .
drwxrwxr-x    6 0        0              63 ..
-rwxrwxr-x    1 0        0             165 AppFilterStop.sh
-rwxrwxr-x    1 0        0             151 IPv6_Dos_stop.sh
-rwxrwxr-x    1 0        0             759 IPv6_Firewall_start.sh
-rwxrwxr-x    1 0        0             202 IPv6_Firewall_stop.sh
-rwxrwxr-x    1 0        0              32 RebootScript
-rwxrwxr-x    1 0        0             165 UrlFilterStop.sh
-rwxrwxr-x    1 0        0             527 acl_stop.sh
-rwxrwxr-x    1 0        0             990 before_tr069_download.sh
-rwxrwxr-x    1 0        0            1439 before_web_download.sh
-rwxrwxr-x    1 0        0            2075 before_web_download_remove_wifi.sh
-rwxrwxr-x    1 0        0             678 before_web_upgrade.sh
-rwxrwxr-x    1 0        0             186 br_conf.sh
-rwxrwxr-x    1 0        0            2123 ddns.sh
-rwxrwxr-x    1 0        0            4187 ddns_run.sh
-rwxrwxr-x    1 0        0             338 dhcp6c_script
-rwxrwxr-x    1 0        0            2958 dmz.sh
-rwxrwxr-x    1 0        0             231 dslite_start.sh
-rwxrwxr-x    1 0        0             168 ether_mac.sh
-rwxrwxr-x    1 0        0             331 filter_dos_forward_start.sh
-rwxrwxr-x    1 0        0             199 filter_dos_forward_stop.sh
-rwxrwxr-x    1 0        0            2549 filter_forward_start.sh
-rwxrwxr-x    1 0        0             615 filter_forward_stop.sh
-rwxrwxr-x    1 0        0             331 fw_dos_start.sh
-rwxrwxr-x    1 0        0             579 fw_dos_stop.sh
-rwxrwxr-x    1 0        0            1636 fw_high.sh
-rwxrwxr-x    1 0        0            2078 fw_high_obm.sh
-rwxrwxr-x    1 0        0            2430 fw_low.sh
-rwxrwxr-x    1 0        0            1681 fw_middle.sh
-rwxrwxr-x    1 0        0             185 fw_start.sh
-rwxrwxr-x    1 0        0             412 fw_stop.sh
-rwxrwxr-x    1 0        0              97 getnow.sh
-rwxrwxr-x    1 0        0            3347 ipaddr_mapping.sh
-rwxrwxr-x    1 0        0            4224 ipfilter.sh
-rwxrwxr-x    1 0        0             201 ipfilter_start.sh
-rwxrwxr-x    1 0        0             119 ipfilter_stop.sh
-rwxrwxr-x    1 0        0             161 ipmacfilter_stop.sh
-rwxrwxr-x    1 0        0              88 ipv6macfilter_stop.sh
-rwxrwxr-x    1 0        0            1534 kill_apps_modules_for_save_memory.sh
-rwxrwxr-x    1 0        0             329 lanAlias_start.sh
-rwxrwxr-x    1 0        0             132 lanAlias_stop.sh
-rwxrwxr-x    1 0        0            1206 nat_start.sh
-rwxrwxr-x    1 0        0            1121 nat_stop.sh
-rwxrwxr-x    1 0        0             118 ntpclient.sh
-rwxrwxr-x    1 0        0            4027 port4_start.sh
-rwxrwxr-x    1 0        0             955 port4_stop.sh
-rwxrwxr-x    1 0        0            8879 ppp_start.sh
-rwxrwxr-x    1 0        0              69 restart_boa.sh
-rwxrwxr-x    1 0        0             773 samba.sh
-rwxrwxr-x    1 0        0             334 samba_add_dir.sh
-rwxrwxr-x    1 0        0             102 settime.sh
-rwxrwxr-x    1 0        0            1779 spi_fw_start.sh
-rwxrwxr-x    1 0        0             146 spi_fw_stop.sh
-rwxrwxr-x    1 0        0             355 syslogd.sh
-rwxrwxr-x    1 0        0             397 tun6to4restart.sh
-rwxrwxr-x    1 0        0             236 tun6to4stop.sh
-rwxrwxr-x    1 0        0            1329 udhcpc.sh
-rwxrwxr-x    1 0        0            1114 udhcpc_nodef.sh
-rwxrwxr-x    1 0        0             152 upgrade_firmware.sh
-rwxrwxr-x    1 0        0            3216 urlfilter_start.sh
-rwxrwxr-x    1 0        0              45 urlfilter_stop.sh
-rwxrwxr-x    1 0        0           19175 vserver.sh
-rwxrwxr-x    1 0        0           19925 wan_start.sh
-rwxrwxr-x    1 0        0           16252 wan_start_ipv4.sh
-rwxrwxr-x    1 0        0           23623 wan_start_ipv6.sh
-rwxrwxr-x    1 0        0            5485 wan_stop.sh

# ls -la /bin/
drwxrwxr-x    2 0        0             533 .
drwxrwxr-x   12 0        0             207 ..
lrwxrwxrwx    1 0        0               7 addgroup -> busybox
lrwxrwxrwx    1 0        0               7 adduser -> busybox
lrwxrwxrwx    1 0        0               7 ash -> busybox
-rwxr-xr-x    1 0        0          455112 busybox
lrwxrwxrwx    1 0        0               7 cat -> busybox
lrwxrwxrwx    1 0        0               7 chmod -> busybox
lrwxrwxrwx    1 0        0               7 cp -> busybox
lrwxrwxrwx    1 0        0               7 date -> busybox
lrwxrwxrwx    1 0        0               7 dd -> busybox
lrwxrwxrwx    1 0        0               7 delgroup -> busybox
lrwxrwxrwx    1 0        0               7 deluser -> busybox
lrwxrwxrwx    1 0        0               7 dmesg -> busybox
lrwxrwxrwx    1 0        0               7 echo -> busybox
lrwxrwxrwx    1 0        0               7 false -> busybox
lrwxrwxrwx    1 0        0               7 grep -> busybox
lrwxrwxrwx    1 0        0               7 hostname -> busybox
lrwxrwxrwx    1 0        0               7 kill -> busybox
lrwxrwxrwx    1 0        0               7 ln -> busybox
lrwxrwxrwx    1 0        0               7 login -> busybox
lrwxrwxrwx    1 0        0               7 ls -> busybox
lrwxrwxrwx    1 0        0               7 maceui -> busybox
lrwxrwxrwx    1 0        0               7 mkdir -> busybox
lrwxrwxrwx    1 0        0               7 more -> busybox
lrwxrwxrwx    1 0        0               7 mount -> busybox
lrwxrwxrwx    1 0        0               7 mv -> busybox
lrwxrwxrwx    1 0        0               7 netstat -> busybox
lrwxrwxrwx    1 0        0               7 pidof -> busybox
lrwxrwxrwx    1 0        0               7 ping -> busybox
lrwxrwxrwx    1 0        0               7 ping6 -> busybox
lrwxrwxrwx    1 0        0               7 ps -> busybox
lrwxrwxrwx    1 0        0               7 pwd -> busybox
lrwxrwxrwx    1 0        0               7 rm -> busybox
lrwxrwxrwx    1 0        0               7 rmdir -> busybox
lrwxrwxrwx    1 0        0               7 run-parts -> busybox
lrwxrwxrwx    1 0        0               7 sed -> busybox
lrwxrwxrwx    1 0        0               7 sh -> busybox
lrwxrwxrwx    1 0        0               7 sleep -> busybox
lrwxrwxrwx    1 0        0               7 true -> busybox
lrwxrwxrwx    1 0        0               7 umount -> busybox
lrwxrwxrwx    1 0        0               7 uname -> busybox
lrwxrwxrwx    1 0        0               7 usleep -> busybox

# ls -la lib/
drwxrwxr-x    3 0        0            1143 .
drwxrwxr-x   12 0        0             207 ..
-rwxrwxr-x    1 0        0           22532 ld-uClibc.so.0
-rwxrwxr-x    1 0        0          475444 libc.so.0
-rwxrwxr-x    1 0        0           11288 libcrypt.so.0
lrwxrwxrwx    1 0        0              14 libcrypto.so -> libcrypto.so.0
lrwxrwxrwx    1 0        0              18 libcrypto.so.0 -> libcrypto.so.0.9.7
-rwxrwxr-x    1 0        0         1065736 libcrypto.so.0.9.7
-rwxrwxr-x    1 0        0            9496 libdl.so.0
-rwxrwxr-x    1 0        0            5388 libebt_802_3.so
-rwxrwxr-x    1 0        0           11192 libebt_among.so
-rwxrwxr-x    1 0        0           10876 libebt_arp.so
-rwxrwxr-x    1 0        0            5144 libebt_arpreply.so
-rwxrwxr-x    1 0        0            4968 libebt_ftos.so
-rwxrwxr-x    1 0        0           19832 libebt_ip.so
-rwxrwxr-x    1 0        0           21788 libebt_ip6.so
-rwxrwxr-x    1 0        0            6512 libebt_limit.so
-rwxrwxr-x    1 0        0            6208 libebt_log.so
-rwxrwxr-x    1 0        0            5976 libebt_mark.so
-rwxrwxr-x    1 0        0            4244 libebt_mark_m.so
-rwxrwxr-x    1 0        0            7208 libebt_nat.so
-rwxrwxr-x    1 0        0            4556 libebt_pkttype.so
-rwxrwxr-x    1 0        0           10676 libebt_policer.so
-rwxrwxr-x    1 0        0            4020 libebt_redirect.so
-rwxrwxr-x    1 0        0            3276 libebt_standard.so
-rwxrwxr-x    1 0        0           10640 libebt_stp.so
-rwxrwxr-x    1 0        0            3488 libebt_tc.so
-rwxrwxr-x    1 0        0            6288 libebt_ulog.so
-rwxrwxr-x    1 0        0            8092 libebt_vlan.so
-rwxrwxr-x    1 0        0            2164 libebtable_broute.so
-rwxrwxr-x    1 0        0            2368 libebtable_filter.so
-rwxrwxr-x    1 0        0            2368 libebtable_nat.so
-rwxrwxr-x    1 0        0           84600 libebtc.so
-rwxrwxr-x    1 0        0          245840 libgcc_s.so.1
-rwxrwxr-x    1 0        0           29376 libiw.so.28
-rwxrwxr-x    1 0        0            9344 liblog.so
-rwxrwxr-x    1 0        0          107236 libm.so.0
-rwxrwxr-x    1 0        0          121064 libmatrixssl.so
lrwxrwxrwx    1 0        0              14 libmxml.so -> libmxml.so.1.4
lrwxrwxrwx    1 0        0              14 libmxml.so.1 -> libmxml.so.1.4
-rwxrwxr-x    1 0        0           30216 libmxml.so.1.4
-rwxrwxr-x    1 0        0            1712 libnsl.so.0
-rwxrwxr-x    1 0        0           10832 libpppoatm.so
-rwxrwxr-x    1 0        0           30156 libpppoe.so
-rwxrwxr-x    1 0        0           79464 libpthread.so.0
-rwxrwxr-x    1 0        0            1716 libresolv.so.0
-rwxrwxr-x    1 0        0            4652 librt.so.0
-rwxrwxr-x    1 0        0          208276 libssl.so.0.9.7
-rwxrwxr-x    1 0        0            7740 libtcapi.so
-rwxrwxr-x    1 0        0            7740 libtcapi.so.1
-rwxrwxr-x    1 0        0            7740 libtcapi.so.1.4
-rwxrwxr-x    1 0        0            4900 libutil.so.0
-rwxrwxr-x    1 0        0            8767 libvah.so
drwxrwxr-x    3 0        0             340 modules

# ls -la lib/modules/
drwxrwxr-x    3 0        0             340 .
drwxrwxr-x    3 0        0            1143 ..
drwxrwxr-x    3 0        0              29 2.6.36
-rwxrwxr-x    1 0        0            8392 dying_gasp.ko
-rw-rw-r--    1 0        0           85736 hw_nat.ko
-rwxrwxr-x    1 0        0            4684 igmpsnoop.ko
-rw-rw-r--    1 0        0            6644 module_sel.ko
-rw-rw-r--    1 0        0           60560 mt7510ptm.ko
-rw-rw-r--    1 0        0           79720 mt7510sar.ko
-rw-rw-r--    1 0        0          159632 qdma.ko
-rw-rw-r--    1 0        0          328648 raeth.ko
-rw-rw-r--    1 0        0         1845592 rt3593ap.ko
-rwxrwxr-x    1 0        0         3406580 tc3162_dmt.ko
-rw-rw-r--    1 0        0          163176 tccicmd.ko
-rw-rw-r--    1 0        0           38336 tcledctrl.ko
-rw-rw-r--    1 0        0            9788 tcportbind.ko
-rwxrwxr-x    1 0        0           21720 tcsmux.ko
-rw-rw-r--    1 0        0           30716 tcvlantag.ko
-rw-rw-r--    1 0        0            3748 wlanlanisolate.ko


I also saw that they setup 2 additional user accounts from passwd file, perhaps to get back if they lose access or something. Not like I'm gonna use this router again lol. :lol:

I'm currently trying to finish that python script, may be it will work. If you guys have any other ideas let me know :)
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43225
Location: 56N 3W

PostPosted: Thu Jun 08, 2017 7:57 am    Post subject: Reply with quote

i11umina7i,

Code:
# mount
/dev/mtdblock7 on / type squashfs (ro,relatime)
ramfs on /tmp type ramfs (rw,relatime)


squashfs is read only by design. Writable storage is faked by using a piece of RAM.
There are various ways to do that unionfs, aufs and so on. Live media, like the Gentoo Live CD do this to give the illusion of being able to write over things on the CD.
In your router, /tmp is in RAM and things are symlinked there.

Code:
etc -> /tmp/etc
var -> /tmp/var


This means that your attackers flashed the device, or their changes will drop out if you do a factory reset.

The flash memory is divided into two or three parts.
The boot loader - if you change this, you may 'brick' the device
The root filesystem - the bit you normally change when you do a firmware update.
User settings persistent storage - passwords, user names, wifi keys and so on. A factory reset will clear this region, so that the defaults appear again.

Set up your nfs on your PC. Then test mount it on your PC to make sure it works.
Code:
mkdir /mnt/testnfs
mount -t nfs 127.0.0.1:/<exported/path> /mnt/testnfs

Only when that works can you try the command on the router.

Some other things to try.
a) A factory reset - the hack may drop out and you will loose all your settings.
b) Flash the device with the latest vendor firmware - you run the risk of 'bricking' the router.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
i11umina7i
n00b
n00b


Joined: 07 Jun 2017
Posts: 5
Location: /dev/valhalla

PostPosted: Sat Jun 10, 2017 5:20 am    Post subject: Reply with quote

Thanks @NeddySeagoon.

I have tried nfs, it works locally but when trying to make it work with the router it's not able to connect. I've cleared the iptables rule on the router as well as that on my machine but there could be some other filtering mechanism that is preventing connections other than ssh and telnet. I saw something related to ebtables on the router and searched for it online and from what I can understand it seems to be firewall for routing packets through bridges (could be wrong).

Anyway in the end I was able to clone the files over ssh using my custom python script. I'm not sure if posting the scripts and configs here would pose any security risk or have information that can be personally identfiable. Also it might not be appropriate for this forum, so I'll refrain from doing so. If you're curious and want to take a look at them or want to help me figure out what really happened feel free to pm me.

This incident was a huge wake up call for me, I always fantasized about getting hacked in really innovative ways but never thought that it could happen to me in real life.

The config files for the router (which sort of looks like kernel config in Gentoo) includes customized features for isps in other countries as well with option to enable social media monitoring features, etc. so I'm guessing that the attackers might not be a random hacker poking around for fun with that level of access.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43225
Location: 56N 3W

PostPosted: Sat Jun 10, 2017 8:17 am    Post subject: Reply with quote

i11umina7i,

I'm not very familiar with router network appliances. I used Smoothwall for a long time.
I moved away from Smoothwall when I consolidated all my physical servers into one system divided into KVMs and Smoothwall would not install into a KVM.

If you are thinking of trying Smoothwall, its a network appliance, not a program. The installer wipes the system that its installed on.
Now, my router is a Gentoo Hardened based KVM, which my network provider can't get their head round at all.

Routers are generally set up for a wide market and ease of use. That means that they come preprogrammed with lots of settings, which the user chooses from a web interface. Thus lots of things that are no use to you is to be expected.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum