Backdoor firewall entries in Mega?

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3, 4  Next
Author Message
bitmage
DD-WRT Novice


Joined: 31 Jul 2008
Posts: 2

PostPosted: Thu Jul 31, 2008 17:02    Post subject: Backdoor firewall entries in Mega? Reply with quote
I installed DD-WRT v24 mega Release 7/27/08 yesterday to try it out. I was interested in the firewall rules it used, so I did the following:

root@DD-WRT:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 194.231.229.20 0.0.0.0/0
ACCEPT 0 -- 212.65.2.116 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520

Ok, so the first two rules allow all protocols from two sites 194.231.229.20 and 212.65.2.116. Why are these rules here? They appear to open up your firewall to anyone at those addresses.
Sponsor
switch
DD-WRT Guru


Joined: 30 Apr 2008
Posts: 967
Location: Romania

PostPosted: Thu Jul 31, 2008 19:16    Post subject: Reply with quote
Did you perhaps apply them yourself? I don't see them here...
_________________
Q: How do I do ...? A: Read the tutorials or Search forums
bitmage
DD-WRT Novice


Joined: 31 Jul 2008
Posts: 2

PostPosted: Thu Jul 31, 2008 19:28    Post subject: Reply with quote
switch wrote:
Did you perhaps apply them yourself? I don't see them here...


Definitely not. This was a fresh install on a WRT54GS v1. I did some configuration of port forwards and the like, but nothing with those addresses.

The build I installed was:
http://www.dd-wrt.com/dd-wrtv2/downloads/v24-sp1/Broadcom/Linksys/WRT54GS_v1/dd-wrt.v24_mega_generic.bin

I did some googling and found this post (halfway down):
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=186951&sid=46a65c7a79a13c6ea1d3fb62c474af11
where another user reports the same entries after installing flashed dd-wrt.v24-9856_NEWD_mega.bin and is erroneously told that it's for pinging.

Something accidentally left in from testing maybe?
SEA
DD-WRT Novice


Joined: 22 Sep 2007
Posts: 20

PostPosted: Thu Jul 31, 2008 22:57    Post subject: Reply with quote
Same here.
DD-WRT v24-sp1 (07/27/08 ) mega - build 10012

and both ips (194.231.229.20, 212.65.2.116) present in source code, at list google finds this:
http://svn.dd-wrt.com:8000/dd-wrt/changeset/6627?format=diff&new=6627

IPs resolve to:
newmedia.bensheim.manet.de
u12-20.dsl.vianetworks.de

And it really really looks like backdoor!


Last edited by SEA on Fri Aug 01, 2008 15:38; edited 1 time in total
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Thu Jul 31, 2008 23:16    Post subject: Reply with quote
I tried to get in touch with BS...no go...but I left him the link for this thread.

Hopefully, he can provide an explanation.

redhawk

_________________
The only stupid question....is the unasked one.
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

PostPosted: Thu Jul 31, 2008 23:20    Post subject: Reply with quote
even i see no reason for this. these ip addresses arent valid anymore. it seems that chris implemented this for a customer. i removed it now
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Thu Jul 31, 2008 23:21    Post subject: Reply with quote
BrainSlayer wrote:
even i see no reason for this. these ip addresses arent valid anymore. it seems that chris implemented this for a customer. i removed it now


Thank you, sir!

redhawk

_________________
The only stupid question....is the unasked one.
nemesisdb
DD-WRT User


Joined: 10 Oct 2006
Posts: 197

PostPosted: Fri Aug 01, 2008 0:09    Post subject: Reply with quote
Just wanted to clarify to others that despite the thread title, these entries are not confined to the mega build. They're in my SP1 VPN build as well (10011).

Even if they are harmless, is there a way I can remove them short of flashing new firmware?
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Fri Aug 01, 2008 0:20    Post subject: Reply with quote
nemesisdb wrote:
Just wanted to clarify to others that despite the thread title, these entries are not confined to the mega build. They're in my SP1 VPN build as well (10011).

Even if they are harmless, is there a way I can remove them short of flashing new firmware?


I checked my 10061 mini_generic build earlier...they are NOT in this build.

I don't know if this is stored in a variable someplace...without it installed on mine...I can't find it...try a telnet session and grep the nvram for those addresses....it might be possible to do an "nvram unset" from there.

[EDIT] - I just did a remote login and checked my home router...it is not in the 10011 - std build either.

redhawk

_________________
The only stupid question....is the unasked one.
JudeGlass
DD-WRT Novice


Joined: 01 Aug 2008
Posts: 2

PostPosted: Fri Aug 01, 2008 11:39    Post subject: Temporary Solution Reply with quote
I confirmed this on the latest VPN build so, to take care of it for myself I built this as a temporary fix until the corrections make their way into the current builds:

1) Goto the "Administration" tab and in the Cron section make sure Cron is enabled and paste the following into the Additional cron jobs:

Code:
30,59 * * * * root /tmp/custom.sh


2) Find the "Commands" sub-tab up top and paste the following script into the Command Shell box:
Code:

#!/bin/sh
#
# DD-WRT v2.4 errant firewall rules temporary fix.

echo Testing for errant firewall rules...
LINE1=`iptables -L INPUT -n --line-numbers | grep 194\.231\.229\.20 | awk '{print $1}'`

if [ -z "$LINE1" ]
then
echo Errant 194.231.229.20 rule not found.
else
iptables -D INPUT $LINE1
echo Errant 194.231.229.20 rule removed.
fi

LINE2=`iptables -L INPUT -n --line-numbers | grep 212\.65\.2\.116 | awk '{print $1}'`

if [ -z "$LINE2" ]
then
echo Errant 212.65.2.116 rule not found.
else
iptables -D INPUT $LINE2
echo Errant 212.65.2.116 rule removed.
fi

Now just hit the "Save Custom Script" button.

Every 30 minutes your router will check to see if the bad rules are there and remove them.
You may wonder why use a cron job instead of the startup or, more appropriately, the firewall script option.
Well it seems that the startup script runs before the firewall is initiated. And the firewall script will run before the system adds these bad rules in.
Every time the firewall restarts or, of course, whenever the router reboots, the rules will pop back up, though neither should happen very often.
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

PostPosted: Fri Aug 01, 2008 12:49    Post subject: Reply with quote
its easier.
do the following
nvram unset ral
nvram commit

on next reboot these values are gone (until you reset the config)

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
JudeGlass
DD-WRT Novice


Joined: 01 Aug 2008
Posts: 2

PostPosted: Fri Aug 01, 2008 12:55    Post subject: Reply with quote
i knew that would happen Smile
nemesisdb
DD-WRT User


Joined: 10 Oct 2006
Posts: 197

PostPosted: Fri Aug 01, 2008 21:18    Post subject: Reply with quote
BrainSlayer wrote:
its easier.
do the following
nvram unset ral
nvram commit

on next reboot these values are gone (until you reset the config)


appparently I messed that up. do I enter those commands through an ssh terminal or how? cause that didn't remove them following a reboot.
marvin
DD-WRT Novice


Joined: 02 Aug 2008
Posts: 2

PostPosted: Sat Aug 02, 2008 23:07    Post subject: Reply with quote
Just gave DD-WRT a try and wondered about this two allow rules in the INPUT chain ... Shocked

Please release a new image ASAP, otherwise this release is not trustworthy. It renders the iptables filters NULL.

BrainSlayer wrote:
its easier.
nvram unset ral
nvram commit

on next reboot these values are gone (until you reset the config)


Didn't work for me either. It survives a "firewall" reload, but not a reboot. Probably missed something?

Thanks.
marvin
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Sat Aug 02, 2008 23:15    Post subject: Reply with quote
seems rather harmless..

packets would have to get past NAT before they are accepted to internal sockets.

anyways.. another way to stop it (if you're worried) is to create some iptables DROP rules.

iptables -I INPUT 1 -s 194.231.229.20 -d 0.0.0.0/0 -j DROP
iptables -I INPUT 2 -s 212.65.2.116 -d 0.0.0.0/0 -j DROP

But I am not seeing this problem either, using TNG build 10061 nokaid_nohotspot.
Goto page 1, 2, 3, 4  Next Display posts from previous:    Page 1 of 4
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum