# Paranoid about security

## i11umina7i

I'm a Gentoo user and usually I'm security conscious about most things. Although I'm not an expert in the field, I believe I have much to learn.

Recently I have found out by accident that my home router has been compromised. The intruders used sophisticated scripts and tools to do various nefarious things that I don't have much idea about as there are no logs on the system. They bonded my network with their own, set up scripts to monitor my social media activities as well as installed custom CA certs along with custom iptables rules. The router is a cheap & insecure ISP supplied router that was vulnerable to remote code injection, that is how I assume they got their foot through the door.

I can go into much more details, I have all their tools and scripts that I can perhaps share if anyone is willing to help me learn more about them but that can be done later.

I had one question, is it normal for dnsmasq to listen on high ports such as like this:

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      21471/dnsmasq
tcp        0      0 127.0.0.1:54307         127.0.0.1:47454         TIME_WAIT   -
tcp        0      0 127.0.0.1:53324         127.0.0.1:37071         TIME_WAIT   -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           21471/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           27907/dhclient
udp        0      0 0.0.0.0:33597           0.0.0.0:*                           21471/dnsmasq
udp        0      0 0.0.0.0:9155            0.0.0.0:*                           27907/dhclient
```

What I'm interested in knowing is whether my current Gentoo system is compromised and what are the steps I can take to find out more about that.

I wanted to convert my Gentoo to a hardened Gentoo profile but now I'm considering making a fresh hardened Gentoo install. What do you guys think?

I'm also willing to share the CA Cert that was planted but I want your opinion / feedback first.

----------

## josephg

From what I understand, I see your dnsmasq is listening only on port 53, which is the IANA standard DNS port.

*i11umina7i wrote:*

> Recently I have found out by accident that my home router has been compromised.

How did you find out? Perhaps I should check mine too.

*i11umina7i wrote:*

> The router is a cheap & insecure ISP supplied router that was vulnerable to remote code injection, that is how I assume they got their foot through the door.

Same here. ISP supplied router... no idea about configs, as they don't expose much to users.

----------

## krinn

*i11umina7i wrote:*

> I wanted to convert my Gentoo to a hardened Gentoo profile but now I'm considering making a fresh hardened Gentoo install. What do you guys think?

That you should do fresh, first because your system might be compromised, not something to reuse.

And second, because the migration is not as easy as changing profile.

----------

## i11umina7i

Thanks for the feedback guys.

Alright, one issue that I'm working on right now is figuring out how to get the files out of the router.

Utilities like ftp, scp, sftp, nc etc. have been removed from the system by the intruders. There is tftp and something called 'bftp' which I haven't used before but it seems to be a bit buggy and running into issues when trying to connect. I still have ssh and telnet access on the router.

So I have a few questions, and I think there's no better place to get answers from other than here.

1) How can I go about acquiring the files from the router under such circumstances? It is a busybox system. I'm currently coding a python script that uses the paramiko ssh module to connect over ssh, concatenate the files over stdout and write the data received locally. I think it might work but will have to see if it runs into issues over large binary files as I'm not sure if there are any memory related limitations in python. Last resort would be to open up the device and dump the data but that's a lot of work.

2) Is it possible to backdoor or modify the ssh service on my router so that when I connect to it, it backdoors the host OS (the gentoo box from which I'm connecting)? What about the cat utility, is it also possible to set up a file in a way so that when I concatenate the file over ssh it sends over special escape sequences to my terminal that can be malicious?

These are just some of the things that I can think of at the moment. The attackers seemed quite skilled at what they were doing. After I get the scripts (roughly 50-60 bash scripts), I'll post here to get some feedback on what they might be related to.
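As an added example (not the poster's script and not part of the original thread), here is the "cat over ssh, write locally" approach from question 1 written out with the checks a forensic pull should have: the file is streamed to disk in fixed-size chunks rather than buffered whole, its length is verified against `wc -c` on the router (wc and cat are both busybox applets), and nothing that came from the device is echoed to a terminal until control sequences are stripped, which is the practical answer to the escape-sequence worry in question 2. The real transport assumes paramiko is installed; the host, user, password and the sample script are constructed placeholders, and `memory_runner` is an offline stand-in so the pipeline can be exercised without the router.

```python
"""Pull files from a compromised BusyBox router over ssh, defensively."""
import hashlib
import io
import re
import shlex
from typing import BinaryIO, Callable, Dict, Tuple

CHUNK = 64 * 1024

# A runner executes one remote command and returns (stdout stream, exit-status
# getter). The getter is only called after stdout has been read to EOF.
Runner = Callable[[str], Tuple[BinaryIO, Callable[[], int]]]

# CSI, OSC and two-byte ESC sequences, plus C0 controls other than \t \n \r.
_CONTROL_RE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    rb"|\x1b[@-Z\\-_]"
    rb"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"
)


def strip_terminal_controls(data: bytes) -> bytes:
    """Make untrusted bytes safe to print: drop terminal escape sequences."""
    return _CONTROL_RE.sub(b"", data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sink_stream(src: BinaryIO, dst: BinaryIO) -> Tuple[int, str]:
    """Copy src to dst chunk by chunk; return (bytes copied, sha256 hex)."""
    h = hashlib.sha256()
    total = 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            return total, h.hexdigest()
        dst.write(chunk)
        h.update(chunk)
        total += len(chunk)


def fetch_file(run: Runner, remote_path: str, dst: BinaryIO) -> Tuple[int, str]:
    """Stream one remote file into dst, verify its size; return (size, sha256)."""
    q = shlex.quote(remote_path)          # single-quoted, safe for busybox ash
    out, status = run(f"wc -c < {q}")
    size_text = out.read()
    if status() != 0 or not size_text.split():
        safe = strip_terminal_controls(size_text)
        raise RuntimeError(f"cannot size {remote_path}: {safe!r}")
    expected = int(size_text.split()[0])
    out, status = run(f"cat {q}")
    copied, digest = sink_stream(out, dst)
    if status() != 0:
        raise RuntimeError(f"cat failed for {remote_path}")
    if copied != expected:
        raise RuntimeError(f"{remote_path}: got {copied} bytes, expected {expected}")
    return copied, digest


def fetch_bytes(run: Runner, remote_path: str) -> Tuple[bytes, str]:
    buf = io.BytesIO()
    _, digest = fetch_file(run, remote_path, buf)
    return buf.getvalue(), digest


def memory_runner(files: Dict[str, bytes]) -> Runner:
    """Offline stand-in for the ssh runner, serving a constructed file set."""
    def run(cmd: str):
        argv = shlex.split(cmd)
        path = argv[-1]
        if path not in files:
            return io.BytesIO(b""), (lambda: 1)
        if argv[0] == "wc":
            return io.BytesIO(b"%8d\n" % len(files[path])), (lambda: 0)
        if argv[0] == "cat":
            return io.BytesIO(files[path]), (lambda: 0)
        return io.BytesIO(b""), (lambda: 127)
    return run


def paramiko_runner(host: str, user: str, password: str):
    """Real transport; returns (runner, close). Assumes paramiko is installed."""
    import paramiko  # imported lazily so the helpers above work without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()        # default policy rejects unknown keys
    client.connect(host, username=user, password=password,
                   look_for_keys=False, allow_agent=False)

    def run(cmd: str):
        _stdin, stdout, _stderr = client.exec_command(cmd)
        return stdout, stdout.channel.recv_exit_status
    return run, client.close


# Constructed sample: a script whose bytes carry terminal escape sequences.
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed sample\necho ok\x1b[2J\x1b]0;x\x07done\n"

if __name__ == "__main__":
    run = memory_runner({"/usr/script/sample.sh": SAMPLE_SCRIPT})
    data, digest = fetch_bytes(run, "/usr/script/sample.sh")
    print(digest, len(data), strip_terminal_controls(data).decode())
```

To pull from the device, replace `memory_runner(...)` with `run, close = paramiko_runner("router-host", "user", "password")` and open the local destination in binary mode so the raw bytes go to a file rather than a terminal.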

----------

## ct85711

Well, if it has busybox, you may want to see if busybox has its own copy of ftpput (to put a file to an ftp server) or wget. Wget would be useful in allowing you to download a file to the router (allowing you to retrieve say something else so you can easily download the files).

Note: I am not an expert with busybox, just going by its documentation.

----------

## NeddySeagoon

i11umina7i,

Ask busybox what it can do for you.  Log into the router and give the

```
busybox
```

command.

Busybox will respond with the commands that it was built with.  You might have ftpd and/or httpd.

bind mount root with -o ro somewhere, then serve somewhere with ftpd/httpd, so you can get things via ftp/http.

Busybox also has mount.  Maybe it supports nfs mounts?

I would be reluctant to share a piece of my HDD over nfs with a compromised system but would be OK sharing a USB stick that way.

Set up an nfs share on your PC. Sacrifice a USB stick.

Mount the share on the router.

Use it like it was a local filesystem.

bind mount root with -o ro somewhere, then use cp from somewhere to the nfs mount point.

-- edit --

```
busybox mount -t nfs -o ro 192.168.100.55:/mnt/mediatomb /mnt/cdrom
```

works here.

That's busybox nfs mounting my media collection, which is on a system at 192.168.100.55.

You won't need the -o ro.

----------

## i11umina7i

Thanks @NeddySeagoon

It looks like the whole thing is a read-only filesystem. Before the hacking I remember the filesystem was writable, or at least part of it.

```
# busybox
BusyBox v1.00 (2015.09.07-07:21+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

   BusyBox is a multi-call binary that combines many common Unix
   utilities into a single executable.  Most people will create a
   link to busybox for each function they wish to use, and BusyBox
   will act like whatever it was invoked as.

Currently defined functions:
   [, addgroup, adduser, adslstat, arp, ash, awk, basename,
   brasinfo, busybox, cat, chmod, cp, crond, cut, date, dd,
   delgroup, deluser, dirname, dmesg, echo, env, expr, false,
   free, ftpget, ftpput, getty, grep, head, hostname, ifconfig,
   igmp, init, insmod, ipcs, kill, killall, klogd, ln, login,
   ls, maceui, mdev, mkdir, more, mount, mv, netstat, nslookup,
   nslookup6, passwd, pidof, ping, ping6, pppstat, ps, pwd,
   reboot, rm, rmdir, rmmod, route, run-parts, sed, sh, sleep,
   sysctl, syslogd, tail, taskset, test, tftp, top, traceroute,
   traceroute6, true, udhcpc, udhcpd, umount, uname, uptime,
   usleep, wc, wget, wlan, yes
# mount
/dev/mtdblock7 on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /tmp type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
# busybox mount -t nfs 192.168.1.34:/export/nfs /
mount: Mounting 192.168.1.34:/export/nfs on / failed: No such device
# busybox mount -t nfs 192.168.1.34:/export/nfs /usr/
mount: Mounting 192.168.1.34:/export/nfs on /usr failed: No such device
```

As for attempting to mount over nfs, it's not working. I don't have much experience with nfs, I followed the instructions on the gentoo wiki and it is possible that I did something wrong. Maybe you can give me some suggestions.

I have a feeling the whole system was engineered with custom binaries to prevent tampering or data transfer out of the system.

For example, busybox tends to act in a weird way which I can't explain:

```
# busybox ls -la /dev/ | grep mtdb
Command "busybox ls -la /dev/ | grep mtdb" is forbidden!
# busybox ls -la /dev/ | grep mt
brw-rw-r--    1 0        0         31,   0 mtd
crw-rw-r--    1 0        0         90,   0 mtd0
crw-rw-r--    1 0        0         90,   2 mtd1
crw-rw-r--    1 0        0         90,  20 mtd10
crw-rw-r--    1 0        0         90,  22 mtd11
crw-rw-r--    1 0        0         90,   4 mtd2
crw-rw-r--    1 0        0         90,   6 mtd3
crw-rw-r--    1 0        0         90,   8 mtd4
crw-rw-r--    1 0        0         90,  10 mtd5
crw-rw-r--    1 0        0         90,  12 mtd6
crw-rw-r--    1 0        0         90,  14 mtd7
crw-rw-r--    1 0        0         90,  16 mtd8
crw-rw-r--    1 0        0         90,  18 mtd9
brw-rw-r--    1 0        0         31,   0 mtdblock0
brw-rw-r--    1 0        0         31,   1 mtdblock1
brw-rw-r--    1 0        0         31,  10 mtdblock10
brw-rw-r--    1 0        0         31,  11 mtdblock11
brw-rw-r--    1 0        0         31,   2 mtdblock2
brw-rw-r--    1 0        0         31,   3 mtdblock3
brw-rw-r--    1 0        0         31,   4 mtdblock4
brw-rw-r--    1 0        0         31,   5 mtdblock5
brw-rw-r--    1 0        0         31,   6 mtdblock6
brw-rw-r--    1 0        0         31,   7 mtdblock7
brw-rw-r--    1 0        0         31,   8 mtdblock8
brw-rw-r--    1 0        0         31,   9 mtdblock9
crw-rw-r--    1 0        0        250,   0 mtr0
# busybox ls -la /dev/ | grep mtd
Command "busybox ls -la /dev/ | grep mtd" is forbidden!
# busybox ls -la /dev/ | grep mtdbl
Command "busybox ls -la /dev/ | grep mtdbl" is forbidden!
```

Here is some other interesting stuff, let me know if there's anything unusual or I should know about. I don't have much experience with busybox.

```
# ls -la /dev/
drwxrwxr-x    5 0        0             820 .
drwxrwxr-x   12 0        0             207 ..
crw-rw-r--    1 0        0        240,   0 ac0
crw-rw-r--    1 0        0        230,   0 acl0
crw-rw-r--    1 0        0          4,  64 console
crw-rw-r--    1 0        0         10, 123 gpio
crw-rw-r--    1 0        0        220,   0 hwnat0
crw-rw-r--    1 0        0         10, 151 led
lrwxrwxrwx    1 0        0              12 log -> /var/log/log
brw-rw-r--    1 0        0         31,   0 mtd
crw-rw-r--    1 0        0         90,   0 mtd0
crw-rw-r--    1 0        0         90,   2 mtd1
crw-rw-r--    1 0        0         90,  20 mtd10
crw-rw-r--    1 0        0         90,  22 mtd11
crw-rw-r--    1 0        0         90,   4 mtd2
crw-rw-r--    1 0        0         90,   6 mtd3
crw-rw-r--    1 0        0         90,   8 mtd4
crw-rw-r--    1 0        0         90,  10 mtd5
crw-rw-r--    1 0        0         90,  12 mtd6
crw-rw-r--    1 0        0         90,  14 mtd7
crw-rw-r--    1 0        0         90,  16 mtd8
crw-rw-r--    1 0        0         90,  18 mtd9
brw-rw-r--    1 0        0         31,   0 mtdblock0
brw-rw-r--    1 0        0         31,   1 mtdblock1
brw-rw-r--    1 0        0         31,  10 mtdblock10
brw-rw-r--    1 0        0         31,  11 mtdblock11
brw-rw-r--    1 0        0         31,   2 mtdblock2
brw-rw-r--    1 0        0         31,   3 mtdblock3
brw-rw-r--    1 0        0         31,   4 mtdblock4
brw-rw-r--    1 0        0         31,   5 mtdblock5
brw-rw-r--    1 0        0         31,   6 mtdblock6
brw-rw-r--    1 0        0         31,   7 mtdblock7
brw-rw-r--    1 0        0         31,   8 mtdblock8
brw-rw-r--    1 0        0         31,   9 mtdblock9
crw-rw-r--    1 0        0        250,   0 mtr0
crw-rw-r--    1 0        0          1,   3 null
crw-rw-r--    1 0        0        200,   0 pmap
crw-rw-r--    1 0        0        108,   0 ppp
crw-rw-r--    1 0        0          5,   2 ptmx
drwxr-xr-x    2 0        0               0 pts
crw-rw-r--    1 0        0          2,   0 ptyp0
crw-rw-r--    1 0        0          2,   1 ptyp1
crw-rw-r--    1 0        0          2,   2 ptyp2
crw-rw-r--    1 0        0        111,   2 qostype
brw-rw-r--    1 0        0          8,   0 sda
brw-rw-r--    1 0        0          8,   1 sda1
brw-rw-r--    1 0        0          8,   2 sda2
brw-rw-r--    1 0        0          8,  16 sdb
brw-rw-r--    1 0        0          8,  17 sdb1
brw-rw-r--    1 0        0          8,  18 sdb2
drwxrwxr-x    2 0        0               3 shm
crw-rw-r--    1 0        0          5,   0 tty
crw-rw-r--    1 0        0          4,   0 tty0
crw-rw-r--    1 0        0          4,  64 ttyS0
crw-rw-r--    1 0        0          3,   0 ttyp0
crw-rw-r--    1 0        0          3,   1 ttyp1
crw-rw-r--    1 0        0          3,   2 ttyp2
crw-rw-r--    1 0        0          1,   9 urandom
drwxrwxr-x    2 0        0               3 usb
crw-rw-r--    1 0        0         10, 130 watchdog
crw-rw-r--    1 0        0        201,   0 wlanlanisolate
crw-rw-r--    1 0        0          1,   5 zero
# ls -la
drwxrwxr-x   12 0        0             207 .
drwxrwxr-x   12 0        0             207 ..
drwxrwxr-x    2 0        0             533 bin
drwxrwxrwx    4 0        0              82 boaroot
drwxrwxr-x    5 0        0             820 dev
lrwxrwxrwx    1 0        0               8 etc -> /tmp/etc
drwxrwxr-x    3 0        0            1143 lib
lrwxrwxrwx    1 0        0              11 linuxrc -> bin/busybox
drwxrwxrwx   84 0        0               0 proc
drwxrwxr-x    2 0        0             248 sbin
drwxrwxr-x    2 0        0               3 sys
drwxrwxrwx    5 0        0               0 tmp
drwxrwxr-x    4 0        0             124 userfs
drwxrwxr-x    6 0        0              63 usr
lrwxrwxrwx    1 0        0               8 var -> /tmp/var
# ls -ls userfs/bin/
  10 -rwxrwxr-x    1 0        0           10276 CAdecoder
  14 -rwxrwxr-x    1 0        0           14552 ated
  29 -rwxrwxr-x    1 0        0           29932 autoFwUpgrade
  63 -rwxrwxr-x    1 0        0           64632 bftpd
 144 -rwxrwxr-x    1 0        0          147948 boa
 900 -rwxrwxr-x    1 0        0          921220 cfg_manager
 172 -rwxrwxr-x    1 0        0          175936 dhcp6c
 158 -rwxrwxr-x    1 0        0          161424 dhcp6s
  54 -rwxrwxr-x    1 0        0           54844 dhcrelay
 109 -rwxrwxr-x    1 0        0          111736 dnsmasq
  54 -rwxrwxr-x    1 0        0           55380 ecmh
 126 -rwxrwxr-x    1 0        0          128764 ethcmd
  88 -rwxrwxr-x    1 0        0           89776 ez-ipupdate
  32 -rwxrwxr-x    1 0        0           32628 hw_nat
  76 -rwxrwxr-x    1 0        0           77424 igmpproxy
  55 -rwxrwxr-x    1 0        0           56608 inadyn
  12 -rwxrwxr-x    1 0        0           12200 inetd
  21 -rwxrwxr-x    1 0        0           21800 iwpriv
  21 -rwxrwxr-x    1 0        0           21544 md5
  15 -rwxrwxr-x    1 0        0           15356 mtd
  37 -rwxrwxr-x    1 0        0           37620 ntpclient
  32 -rwxrwxr-x    1 0        0           32308 pppoe-relay
  94 -rwxrwxr-x    1 0        0           96668 radvd
 102 -rwxrwxr-x    1 0        0          104540 ripd
  71 -rwxrwxr-x    1 0        0           72540 rt2860apd
 646 -rwxrwxr-x    1 0        0          661808 snmpd
   7 -rwxrwxr-x    1 0        0            7108 tcapi
  25 -rwxrwxr-x    1 0        0           25180 tftpd
1972 -rwxrwxr-x    1 0        0         2019456 tr69
  11 -rwxrwxrwx    1 0        0           10828 vconfig
 100 -rwxrwxr-x    1 0        0          102508 zebra
# ls -l tmp/
-rwxrwxrwx    1 0        0             664 CPE_Status
-rwxrwxrwx    1 0        0               0 CurrentServiceType
-rwxrwxrwx    1 0        0             484 CurrentServiceType_All
-rwxrwxrwx    1 0        0               0 LastServiceType
-rwxrwxrwx    1 0        0               2 WirelessSchedule
-rw-r--r--    1 0        0              23 adsl_stats
-rwxrwxrwx    1 0        0               0 adsllockfd
--w---xr-T    1 0        0               0 atmlockfd
-rwxrwxrwx    1 0        0               2 authresult
-rwxrwxrwx    1 0        0             112 boa-temp
-rw-r--r--    1 0        0            3440 cur_ps
-rwxrwxrwx    1 0        0           36573 customer_defaultromfile
-rwxrwxrwx    1 0        0           46721 customer_runningromfile
drwxrwxrwx    2 0        0               0 cwmp
prwxrwxrwx    1 0        0               0 email4logfifo
drwxrwxrwx   46 0        0               0 etc
prw-r--r--    1 0        0               0 faultmgmtfifo
-rwxrwxrwx    1 0        0               0 ip6dfrt.info
-rwxrwxrwx    1 0        0             251 ip_neigh
-rwxrwxrwx    1 0        0               0 ipaddr_mapping.sh
-rwxrwxrwx    1 0        0             107 ipaddr_mapping0.sh
-rw-r--r--    1 0        0              15 lcp
-rwxrwxrwx    1 0        0              83 md5.txt
-rwxrwxrwx    1 0        0               9 newDirection.txt
---S--xr-T    1 0        0               0 portbindlockfd
-rwxrwxrwx    1 0        0              23 pppsid-nas8_0
-rwxrwxrwx    1 0        0               6 pppuptime-ppp80
-rwxrwxrwx    1 0        0               0 qoslockfd
-rwxrwxrwx    1 0        0              33 rt_device
prwxrwxrwx    1 0        0               0 sigtoudhcpdfifo
-rwxrwxrwx    1 0        0               0 snmpd.tmp
-rwxrwxrwx    1 0        0               0 syslockfd
srwxrwxrwx    1 0        0               0 tcapi_sock
drwxrwxrwx    6 0        0               0 var
-rwxrwxrwx    1 0        0             376 wlanNeighborChannel
-rwxrwxrwx    1 0        0             494 wlanNeighborSSID
-rwxrwxrwx    1 0        0             556 wlanNeighborSignalStrength
-rwxrwxrwx    1 0        0              59 wlaninterferechannel
-rwSr-sr-T    1 0        0               0 wlanlockfd
-rwxrwxrwx    1 0        0              37 wlanutilizedchannel
# ls -la usr/script/
drwxrwxr-x    2 0        0            1533 .
drwxrwxr-x    6 0        0              63 ..
-rwxrwxr-x    1 0        0             165 AppFilterStop.sh
-rwxrwxr-x    1 0        0             151 IPv6_Dos_stop.sh
-rwxrwxr-x    1 0        0             759 IPv6_Firewall_start.sh
-rwxrwxr-x    1 0        0             202 IPv6_Firewall_stop.sh
-rwxrwxr-x    1 0        0              32 RebootScript
-rwxrwxr-x    1 0        0             165 UrlFilterStop.sh
-rwxrwxr-x    1 0        0             527 acl_stop.sh
-rwxrwxr-x    1 0        0             990 before_tr069_download.sh
-rwxrwxr-x    1 0        0            1439 before_web_download.sh
-rwxrwxr-x    1 0        0            2075 before_web_download_remove_wifi.sh
-rwxrwxr-x    1 0        0             678 before_web_upgrade.sh
-rwxrwxr-x    1 0        0             186 br_conf.sh
-rwxrwxr-x    1 0        0            2123 ddns.sh
-rwxrwxr-x    1 0        0            4187 ddns_run.sh
-rwxrwxr-x    1 0        0             338 dhcp6c_script
-rwxrwxr-x    1 0        0            2958 dmz.sh
-rwxrwxr-x    1 0        0             231 dslite_start.sh
-rwxrwxr-x    1 0        0             168 ether_mac.sh
-rwxrwxr-x    1 0        0             331 filter_dos_forward_start.sh
-rwxrwxr-x    1 0        0             199 filter_dos_forward_stop.sh
-rwxrwxr-x    1 0        0            2549 filter_forward_start.sh
-rwxrwxr-x    1 0        0             615 filter_forward_stop.sh
-rwxrwxr-x    1 0        0             331 fw_dos_start.sh
-rwxrwxr-x    1 0        0             579 fw_dos_stop.sh
-rwxrwxr-x    1 0        0            1636 fw_high.sh
-rwxrwxr-x    1 0        0            2078 fw_high_obm.sh
-rwxrwxr-x    1 0        0            2430 fw_low.sh
-rwxrwxr-x    1 0        0            1681 fw_middle.sh
-rwxrwxr-x    1 0        0             185 fw_start.sh
-rwxrwxr-x    1 0        0             412 fw_stop.sh
-rwxrwxr-x    1 0        0              97 getnow.sh
-rwxrwxr-x    1 0        0            3347 ipaddr_mapping.sh
-rwxrwxr-x    1 0        0            4224 ipfilter.sh
-rwxrwxr-x    1 0        0             201 ipfilter_start.sh
-rwxrwxr-x    1 0        0             119 ipfilter_stop.sh
-rwxrwxr-x    1 0        0             161 ipmacfilter_stop.sh
-rwxrwxr-x    1 0        0              88 ipv6macfilter_stop.sh
-rwxrwxr-x    1 0        0            1534 kill_apps_modules_for_save_memory.sh
-rwxrwxr-x    1 0        0             329 lanAlias_start.sh
-rwxrwxr-x    1 0        0             132 lanAlias_stop.sh
-rwxrwxr-x    1 0        0            1206 nat_start.sh
-rwxrwxr-x    1 0        0            1121 nat_stop.sh
-rwxrwxr-x    1 0        0             118 ntpclient.sh
-rwxrwxr-x    1 0        0            4027 port4_start.sh
-rwxrwxr-x    1 0        0             955 port4_stop.sh
-rwxrwxr-x    1 0        0            8879 ppp_start.sh
-rwxrwxr-x    1 0        0              69 restart_boa.sh
-rwxrwxr-x    1 0        0             773 samba.sh
-rwxrwxr-x    1 0        0             334 samba_add_dir.sh
-rwxrwxr-x    1 0        0             102 settime.sh
-rwxrwxr-x    1 0        0            1779 spi_fw_start.sh
-rwxrwxr-x    1 0        0             146 spi_fw_stop.sh
-rwxrwxr-x    1 0        0             355 syslogd.sh
-rwxrwxr-x    1 0        0             397 tun6to4restart.sh
-rwxrwxr-x    1 0        0             236 tun6to4stop.sh
-rwxrwxr-x    1 0        0            1329 udhcpc.sh
-rwxrwxr-x    1 0        0            1114 udhcpc_nodef.sh
-rwxrwxr-x    1 0        0             152 upgrade_firmware.sh
-rwxrwxr-x    1 0        0            3216 urlfilter_start.sh
-rwxrwxr-x    1 0        0              45 urlfilter_stop.sh
-rwxrwxr-x    1 0        0           19175 vserver.sh
-rwxrwxr-x    1 0        0           19925 wan_start.sh
-rwxrwxr-x    1 0        0           16252 wan_start_ipv4.sh
-rwxrwxr-x    1 0        0           23623 wan_start_ipv6.sh
-rwxrwxr-x    1 0        0            5485 wan_stop.sh
# ls -la /bin/
drwxrwxr-x    2 0        0             533 .
drwxrwxr-x   12 0        0             207 ..
lrwxrwxrwx    1 0        0               7 addgroup -> busybox
lrwxrwxrwx    1 0        0               7 adduser -> busybox
lrwxrwxrwx    1 0        0               7 ash -> busybox
-rwxr-xr-x    1 0        0          455112 busybox
lrwxrwxrwx    1 0        0               7 cat -> busybox
lrwxrwxrwx    1 0        0               7 chmod -> busybox
lrwxrwxrwx    1 0        0               7 cp -> busybox
lrwxrwxrwx    1 0        0               7 date -> busybox
lrwxrwxrwx    1 0        0               7 dd -> busybox
lrwxrwxrwx    1 0        0               7 delgroup -> busybox
lrwxrwxrwx    1 0        0               7 deluser -> busybox
lrwxrwxrwx    1 0        0               7 dmesg -> busybox
lrwxrwxrwx    1 0        0               7 echo -> busybox
lrwxrwxrwx    1 0        0               7 false -> busybox
lrwxrwxrwx    1 0        0               7 grep -> busybox
lrwxrwxrwx    1 0        0               7 hostname -> busybox
lrwxrwxrwx    1 0        0               7 kill -> busybox
lrwxrwxrwx    1 0        0               7 ln -> busybox
lrwxrwxrwx    1 0        0               7 login -> busybox
lrwxrwxrwx    1 0        0               7 ls -> busybox
lrwxrwxrwx    1 0        0               7 maceui -> busybox
lrwxrwxrwx    1 0        0               7 mkdir -> busybox
lrwxrwxrwx    1 0        0               7 more -> busybox
lrwxrwxrwx    1 0        0               7 mount -> busybox
lrwxrwxrwx    1 0        0               7 mv -> busybox
lrwxrwxrwx    1 0        0               7 netstat -> busybox
lrwxrwxrwx    1 0        0               7 pidof -> busybox
lrwxrwxrwx    1 0        0               7 ping -> busybox
lrwxrwxrwx    1 0        0               7 ping6 -> busybox
lrwxrwxrwx    1 0        0               7 ps -> busybox
lrwxrwxrwx    1 0        0               7 pwd -> busybox
lrwxrwxrwx    1 0        0               7 rm -> busybox
lrwxrwxrwx    1 0        0               7 rmdir -> busybox
lrwxrwxrwx    1 0        0               7 run-parts -> busybox
lrwxrwxrwx    1 0        0               7 sed -> busybox
lrwxrwxrwx    1 0        0               7 sh -> busybox
lrwxrwxrwx    1 0        0               7 sleep -> busybox
lrwxrwxrwx    1 0        0               7 true -> busybox
lrwxrwxrwx    1 0        0               7 umount -> busybox
lrwxrwxrwx    1 0        0               7 uname -> busybox
lrwxrwxrwx    1 0        0               7 usleep -> busybox
# ls -la lib/
drwxrwxr-x    3 0        0            1143 .
drwxrwxr-x   12 0        0             207 ..
-rwxrwxr-x    1 0        0           22532 ld-uClibc.so.0
-rwxrwxr-x    1 0        0          475444 libc.so.0
-rwxrwxr-x    1 0        0           11288 libcrypt.so.0
lrwxrwxrwx    1 0        0              14 libcrypto.so -> libcrypto.so.0
lrwxrwxrwx    1 0        0              18 libcrypto.so.0 -> libcrypto.so.0.9.7
-rwxrwxr-x    1 0        0         1065736 libcrypto.so.0.9.7
-rwxrwxr-x    1 0        0            9496 libdl.so.0
-rwxrwxr-x    1 0        0            5388 libebt_802_3.so
-rwxrwxr-x    1 0        0           11192 libebt_among.so
-rwxrwxr-x    1 0        0           10876 libebt_arp.so
-rwxrwxr-x    1 0        0            5144 libebt_arpreply.so
-rwxrwxr-x    1 0        0            4968 libebt_ftos.so
-rwxrwxr-x    1 0        0           19832 libebt_ip.so
-rwxrwxr-x    1 0        0           21788 libebt_ip6.so
-rwxrwxr-x    1 0        0            6512 libebt_limit.so
-rwxrwxr-x    1 0        0            6208 libebt_log.so
-rwxrwxr-x    1 0        0            5976 libebt_mark.so
-rwxrwxr-x    1 0        0            4244 libebt_mark_m.so
-rwxrwxr-x    1 0        0            7208 libebt_nat.so
-rwxrwxr-x    1 0        0            4556 libebt_pkttype.so
-rwxrwxr-x    1 0        0           10676 libebt_policer.so
-rwxrwxr-x    1 0        0            4020 libebt_redirect.so
-rwxrwxr-x    1 0        0            3276 libebt_standard.so
-rwxrwxr-x    1 0        0           10640 libebt_stp.so
-rwxrwxr-x    1 0        0            3488 libebt_tc.so
-rwxrwxr-x    1 0        0            6288 libebt_ulog.so
-rwxrwxr-x    1 0        0            8092 libebt_vlan.so
-rwxrwxr-x    1 0        0            2164 libebtable_broute.so
-rwxrwxr-x    1 0        0            2368 libebtable_filter.so
-rwxrwxr-x    1 0        0            2368 libebtable_nat.so
-rwxrwxr-x    1 0        0           84600 libebtc.so
-rwxrwxr-x    1 0        0          245840 libgcc_s.so.1
-rwxrwxr-x    1 0        0           29376 libiw.so.28
-rwxrwxr-x    1 0        0            9344 liblog.so
-rwxrwxr-x    1 0        0          107236 libm.so.0
-rwxrwxr-x    1 0        0          121064 libmatrixssl.so
lrwxrwxrwx    1 0        0              14 libmxml.so -> libmxml.so.1.4
lrwxrwxrwx    1 0        0              14 libmxml.so.1 -> libmxml.so.1.4
-rwxrwxr-x    1 0        0           30216 libmxml.so.1.4
-rwxrwxr-x    1 0        0            1712 libnsl.so.0
-rwxrwxr-x    1 0        0           10832 libpppoatm.so
-rwxrwxr-x    1 0        0           30156 libpppoe.so
-rwxrwxr-x    1 0        0           79464 libpthread.so.0
-rwxrwxr-x    1 0        0            1716 libresolv.so.0
-rwxrwxr-x    1 0        0            4652 librt.so.0
-rwxrwxr-x    1 0        0          208276 libssl.so.0.9.7
-rwxrwxr-x    1 0        0            7740 libtcapi.so
-rwxrwxr-x    1 0        0            7740 libtcapi.so.1
-rwxrwxr-x    1 0        0            7740 libtcapi.so.1.4
-rwxrwxr-x    1 0        0            4900 libutil.so.0
-rwxrwxr-x    1 0        0            8767 libvah.so
drwxrwxr-x    3 0        0             340 modules
# ls -la lib/modules/
drwxrwxr-x    3 0        0             340 .
drwxrwxr-x    3 0        0            1143 ..
drwxrwxr-x    3 0        0              29 2.6.36
-rwxrwxr-x    1 0        0            8392 dying_gasp.ko
-rw-rw-r--    1 0        0           85736 hw_nat.ko
-rwxrwxr-x    1 0        0            4684 igmpsnoop.ko
-rw-rw-r--    1 0        0            6644 module_sel.ko
-rw-rw-r--    1 0        0           60560 mt7510ptm.ko
-rw-rw-r--    1 0        0           79720 mt7510sar.ko
-rw-rw-r--    1 0        0          159632 qdma.ko
-rw-rw-r--    1 0        0          328648 raeth.ko
-rw-rw-r--    1 0        0         1845592 rt3593ap.ko
-rwxrwxr-x    1 0        0         3406580 tc3162_dmt.ko
-rw-rw-r--    1 0        0          163176 tccicmd.ko
-rw-rw-r--    1 0        0           38336 tcledctrl.ko
-rw-rw-r--    1 0        0            9788 tcportbind.ko
-rwxrwxr-x    1 0        0           21720 tcsmux.ko
-rw-rw-r--    1 0        0           30716 tcvlantag.ko
-rw-rw-r--    1 0        0            3748 wlanlanisolate.ko
```

I also saw that they set up 2 additional user accounts in the passwd file, perhaps to get back in if they lose access or something. Not like I'm gonna use this router again lol.

I'm currently trying to finish that python script, maybe it will work. If you guys have any other ideas let me know.

----------

## NeddySeagoon

i11umina7i,

```
# mount
/dev/mtdblock7 on / type squashfs (ro,relatime)
ramfs on /tmp type ramfs (rw,relatime)
```

squashfs is read only by design. Writable storage is faked by using a piece of RAM.

There are various ways to do that: unionfs, aufs and so on.  Live media, like the Gentoo Live CD, do this to give the illusion of being able to write over things on the CD.

In your router, /tmp is in RAM and things are symlinked there.

```
etc -> /tmp/etc
var -> /tmp/var
```

This means that your attackers flashed the device, or their changes will drop out if you do a factory reset.

The flash memory is divided into two or three parts.

The boot loader - if you change this, you may 'brick' the device

The root filesystem - the bit you normally change when you do a firmware update.

User settings persistent storage - passwords, user names, wifi keys and so on.  A factory reset will clear this region, so that the defaults appear again.

Set up your nfs on your PC.  Then test mount it on your PC to make sure it works.

```
mkdir /mnt/testnfs
mount -t nfs 127.0.0.1:/<exported/path> /mnt/testnfs
```

Only when that works can you try the command on the router.

Some other things to try.

a) A factory reset - the hack may drop out and you will lose all your settings.

b) Flash the device with the latest vendor firmware - you run the risk of 'bricking' the router.

----------

## i11umina7i

Thanks @NeddySeagoon.

I have tried nfs, it works locally but when trying to make it work with the router it's not able to connect. I've cleared the iptables rules on the router as well as those on my machine but there could be some other filtering mechanism that is preventing connections other than ssh and telnet. I saw something related to ebtables on the router and searched for it online and from what I can understand it seems to be a firewall for packets passing through bridges (could be wrong).

Anyway in the end I was able to clone the files over ssh using my custom python script. I'm not sure if posting the scripts and configs here would pose any security risk or have information that can be personally identifiable. Also it might not be appropriate for this forum, so I'll refrain from doing so. If you're curious and want to take a look at them or want to help me figure out what really happened feel free to pm me.

This incident was a huge wake up call for me, I always fantasized about getting hacked in really innovative ways but never thought that it could happen to me in real life.

The config files for the router (which sort of look like the kernel config in Gentoo) include customized features for ISPs in other countries as well, with options to enable social media monitoring features, etc., so I'm guessing that the attackers might not be a random hacker poking around for fun with that level of access.

----------

## NeddySeagoon

i11umina7i,

I'm not very familiar with router network appliances.  I used Smoothwall for a long time.

I moved away from Smoothwall when I consolidated all my physical servers into one system divided into KVMs and Smoothwall would not install into a KVM.

If you are thinking of trying Smoothwall, it's a network appliance, not a program.  The installer wipes the system that it's installed on.

Now, my router is a Gentoo Hardened based KVM, which my network provider can't get their head round at all.

Routers are generally set up for a wide market and ease of use.  That means that they come preprogrammed with lots of settings, which the user chooses from a web interface. Thus lots of things that are no use to you are to be expected.

----------

