Virus on device bought from Amazon

As far as I remember… ClamAV, ad blocker, docker, fail2ban, nano hhmmmmm and I don’t remember if there was any other more…

Tbh, it does not make sense to install ClamAV without having any proxy running which will intercept TLS.

I checked but can’t find anything about IP connection info, are you looking through the default browser interface or via luci? I did however find a load of warnings which is kind of concerning (@admon any ideas?)

these errors are fine :+1:

these are from gl internal scripts the wireguard part of it, probably there's still a lot of regressions :wink:


Glad to hear so :relieved: Many thanks!


Is it just me or is this post not a major cause for concern? Is there an easy way to check that our devices are clean of any malware? Also is GL.iNET or Amazon selling used devices as new? I recall when I challenged GL.iNET years ago when buying one of their devices that looked new but had a username and password already set on it. I was told at the time that they did this on occasions to test the devices before selling them but this could have obviously just been a way to fob people off.

Nope, because it’s an open operating system.
There are plenty of ways to hide malware and malicious code inside it.

It would be the same as asking: “Can I be sure that the PC I bought is free of malware”?
You can’t.

But in this thread it’s a bit different: The questioner has been actively doing things with the device for several months - including installing 3rd party plugins. Therefore, I would completely rule out an infection of the brand new device.

Best way of being sure that there is no malware is to flash the device using Uboot. Only Uboot will erase the OS completely.


I wonder if we could crowd fund and audit :thinking:

This does indeed feel like a big cause for concern as I doubt OP was the one and only customer to have the same issue if it turns out not to be plugin related.

I’m going to try looking through the log in luci and try searching for the IP in OP’s post.


I think I’m okay as startup local data is blank, this is the path you need to view if you want to check yours

If I am being honest, I think it would be great if Gl-inet would send OP a replacement device and provide a shipping label for OP to return it to them prepaid. This would be better before things are done that would taint the system further (any clean up efforts made) but there still may be forensic value to them. @alzhao


Let me park right here :thinking:

This is definitely no problem because that is our standard RMA process.

But from the discussion it seems a problem that happened during use. RMA will just cover the problems.

This is the only case that we met for the router compromised so a way to enhance security is more valuable than RMA.


Exactly why I pinged you on this one. I thought it might be interesting to you to examine the device to try to figure out what happened in case it was more than a bad plugin. Thank you for responding.