WIFIHELL - 科技改变生活

 找回密码
 注册WIFIHELL

QQ登录

只需一步,快速开始

开启左侧

[ASUS通用] 华硕梅林固件确定被入侵 建议立即修改路由器密码

[复制链接]
222ba 发表于 2018-4-9 13:36:13 | 显示全部楼层 |阅读模式

注册WIFIHELL,浏览更多技术贴!

您需要 登录 才可以下载或查看,没有账号?注册WIFIHELL

x
2018年4月
梅林固件确定有漏洞被入侵,症状如下:

1、被开启华硕DDNS
2、被开启PPTP服务器,V票N菜单下,并且新建了用户
3、配置页面变成韩文
4、部分用户日志内有列出如下情况


  1. Mar 24 04:20:03 dropbear[23427]: Password auth succeeded for 'admin' from 105.109.29.184:49505
  2. Mar 24 04:20:35 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;cat /proc/version'
  3. Mar 24 04:20:37 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbinATH=$PATH:/usr/sbin iptables -L -n'
  4. Mar 24 04:20:41 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;ps'
  5. Mar 24 04:20:45 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;cat /bin/cat 2>/dev/null'
  6. Mar 24 04:21:17 ddns: Completed custom ddns update
  7. Mar 24 04:22:10 dropbear[23427]: User admin executing 'cat > /tmp/bungee'
  8. Mar 24 04:22:33 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbinATH=$PATH:/usr/sbin iptables -D INPUT -p tcp --dport 8853 -j ACCEPT; PATH=$PATH:/usr/sbin iptables -I INPUT -p tcp --dport 8853 -j ACCEPT'
  9. Mar 24 04:22:38 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbinATH=$PATH:/usr/sbin iptables -t nat -D PREROUTING -p tcp --dport 8853 -j ACCEPT; PATH=$PATH:/usr/sbin iptables -t nat -I PREROUTING -p tcp --dport 8853 -j ACCEPT'
  10. Mar 24 04:22:42 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbinATH=$PATH:/usr/sbin iptables -D DMZ -t nat -p tcp --dport 8853 -j RETURN; PATH=$PATH:/usr/sbin iptables -I DMZ -t nat -p tcp --dport 8853 -j RETURN'
  11. Mar 24 04:22:48 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;chmod +x /tmp/bungee'
  12. Mar 24 04:22:54 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;( /tmp/bungee 8853 30 360 14400 0 10000 > /dev/null 2>&1 )&'
  13. Mar 24 04:23:00 dropbear[23427]: User admin executing 'export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin;rm -f /tmp/bungee'
  14. Mar 24 04:23:04 dropbear[23427]: Exit (admin): Exited normally
复制代码



此事件估计和华硕这个更新记录有关联。

  1. Version 3.0.0.4.384.20624
  2. 2018/03/2742.7 MBytes
  3. ASUS RT-AC68U Firmware version 3.0.0.4.384.20624
  4. Suport multi-langue(UTF-8) network name*
  5. Supported Let's encrypt to help get free Certificate Authority (CA). To enable this feature, the router needs to obtain public IP from ISP.

  6. Security fixed

  7. -Fixed information disclosure vulnerability. Thanks to Haitan Xiang and Fand Wang.
  8. -Fixed CVE-2018-8826 remote code execution vulnerability. Thanks to Chris Wood.----------------------------------THIS
  9. -Fixed AiCloud 2.0 Reflected XSS Vulnerability. Thanks to Guy Arazi and Niv Levi contribution.
复制代码



处理办法:
建议复位路由器,并且更新到比较新版本的国内改版梅林。

1、手动关闭DDNS
2、关闭VPN服务器
3、经常检查路由器内参数
4、修改现有用户名和密码6、防火墙内关闭响应PING请求



WIFIHELL | 万丰乐活 2020开启新的征程,好货不断!
关闭

站点推荐上一条 /1 下一条

万丰乐活

GMT+8, 2024-12-21 19:55

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表