From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 4B46F21F25E for ; Sat, 3 Jan 2015 16:20:56 -0800 (PST)
Received: by mail-qg0-f43.google.com with SMTP id z107so14094202qgd.16 for ; Sat, 03 Jan 2015 16:20:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding;
        bh=4c6TzAkwl0eshVdKOGtkTOJviQJmVUpt+ITjdtt2YXc=;
        b=nPkO5UaAJurvN0htZg4+qm9keKpdb//wqnGE+FCza686G6kG78RnI4a8nB+2dSV2MS
         VfXiLMjMuGKpJs9UNSYh8fTXj6OiyTT27MSYv8qNTKIocqRPSp90bxoBKHy6Ksvf6EDu
         +EzDavlEuPJU2qgTC+z+17hRg4EeH95jMG/0LQN49RWURfpHWKXIpTHXCVHtvm/ntcdF
         oTUiQckh5gExMULPbECd119XKhPAASLlYQYvqc6VPsJkNBNXs/eWL8pgg0lWxgL4eitT
         SsUFcPMFzJeb6Y+91WZLDtAL6VLM0UWJ/8Djf5/v1OlCx/NfEXMxSEFakIPA2akCowHX
         SmDw==
X-Received: by 10.224.111.194 with SMTP id t2mr129878052qap.86.1420330855656; Sat, 03 Jan 2015 16:20:55 -0800 (PST)
Received: from [172.30.55.5] (ool-2f10b31b.dyn.optonline.net. [47.16.179.27]) by mx.google.com with ESMTPSA id g103sm26019893qgd.41.2015.01.03.16.20.54 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 03 Jan 2015 16:20:54 -0800 (PST)
Message-ID: <54A88765.5040809@gmail.com>
Date: Sat, 03 Jan 2015 19:20:53 -0500
From: William Katsak
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: cerowrt-devel@lists.bufferbloat.net
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Cerowrt-devel] Possibly Serious Compromise
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 04 Jan 2015 00:21:25 -0000

I'm having a possible very serious issue with Cero. I started noticing slow internet access today and checked the router. I noticed a boatload of dns resolutions. These push the router load over 1, and eventually dnsmasq crashes and has to be restarted.

After tracing it for an hour or so and ruling out misbehaving software on the local net, I enabled logging in dnsmasq and saw that the resolutions were coming from 127.0.0.1. I kept running netstat -up until I saw some of the connections, and saw that they were coming from lua. All of the requests seem to be reverse DNS lookups of all kinds of crazy IPs.

These requests look like part of some attack/compromise. If I kill lighttpd, everything settles down and runs fine. If I turn it back on, the traffic starts again. I am thinking some kind of vulnerability in the http server allowing malformed requests from outside? I can't for the life of me figure out how they are getting in though. I have very few changes to the firewall config, and only a few port forwards.

I'll send more info as I get it. Anyone else see anything like this?

-Bill

-- 
****************************************
William Katsak
****************************************
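As an added illustration of the triage Bill describes above (turning on dnsmasq query logging and finding that the reverse lookups originate from 127.0.0.1 rather than from a LAN host), here is a small Python script. It is not code from the original post or from the CeroWrt project. It parses dnsmasq `log-queries` lines, attributes each PTR query to the address that asked for it, separates lookups of LAN-range targets from lookups of addresses outside the LAN, and reports sources whose external reverse lookups exceed a threshold. The hostname, PID, timestamps and addresses in the sample log are constructed (the TEST-NET documentation ranges stand in for arbitrary external addresses), and the function names are my own.

```python
"""Attribute dnsmasq reverse (PTR) lookups to their source and flag floods.

Sample log lines below are constructed, not captured from a real router;
helper names are hypothetical. Run stand-alone to print the per-source report.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One dnsmasq "log-queries" line as syslog writes it, e.g.
#   Jan  3 18:20:53 cerowrt dnsmasq[1234]: query[PTR] 10.113.0.203.in-addr.arpa from 127.0.0.1
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)$"
)

# Address space a home router should be asked about by its own LAN hosts:
# RFC 1918, loopback and link-local. Anything else is treated as external.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def reverse_name_to_ip(name):
    """Turn '10.113.0.203.in-addr.arpa' back into '203.0.113.10'.
    Returns None for ip6.arpa names or malformed input."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def parse_query(line):
    """Return a dict for a query line, or None for forwarded/reply/other lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["target_ip"] = reverse_name_to_ip(rec["name"]) if rec["qtype"] == "PTR" else None
    return rec


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def ptr_report(lines):
    """Per-source Counter of PTR queries, bucketed as 'local', 'external' or 'other'."""
    report = defaultdict(Counter)
    for line in lines:
        rec = parse_query(line)
        if rec is None or rec["qtype"] != "PTR":
            continue
        ip = rec["target_ip"]
        bucket = "other" if ip is None else ("local" if is_local(ip) else "external")
        report[rec["src"]][bucket] += 1
    return report


def suspicious_sources(lines, threshold):
    """Sources that issued more than `threshold` PTR lookups for external addresses.
    A source of 127.0.0.1 points at a process on the router itself, which is
    the signal that separates a local runaway from a noisy LAN client."""
    return sorted(src for src, c in ptr_report(lines).items() if c["external"] > threshold)


# Constructed sample: eight router-local PTR lookups of external addresses,
# one LAN host resolving its own private address, two forward queries and
# one non-query line that the parser must ignore.
SAMPLE_LOG = """\
Jan  3 18:20:53 cerowrt dnsmasq[1234]: query[A] www.example.com from 172.30.55.5
Jan  3 18:20:53 cerowrt dnsmasq[1234]: forwarded www.example.com to 192.0.2.1
Jan  3 18:20:53 cerowrt dnsmasq[1234]: query[PTR] 10.113.0.203.in-addr.arpa from 127.0.0.1
Jan  3 18:20:53 cerowrt dnsmasq[1234]: query[PTR] 11.113.0.203.in-addr.arpa from 127.0.0.1
Jan  3 18:20:54 cerowrt dnsmasq[1234]: query[PTR] 12.113.0.203.in-addr.arpa from 127.0.0.1
Jan  3 18:20:54 cerowrt dnsmasq[1234]: query[PTR] 13.113.0.203.in-addr.arpa from 127.0.0.1
Jan  3 18:20:54 cerowrt dnsmasq[1234]: query[PTR] 5.55.30.172.in-addr.arpa from 172.30.55.5
Jan  3 18:20:55 cerowrt dnsmasq[1234]: query[PTR] 7.100.51.198.in-addr.arpa from 127.0.0.1
Jan  3 18:20:55 cerowrt dnsmasq[1234]: query[PTR] 8.100.51.198.in-addr.arpa from 127.0.0.1
Jan  3 18:20:55 cerowrt dnsmasq[1234]: query[AAAA] www.example.com from 172.30.55.5
Jan  3 18:20:56 cerowrt dnsmasq[1234]: query[PTR] 9.100.51.198.in-addr.arpa from 127.0.0.1
Jan  3 18:20:56 cerowrt dnsmasq[1234]: query[PTR] 10.100.51.198.in-addr.arpa from 127.0.0.1
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, counts in sorted(ptr_report(lines).items()):
        print(f"{src:15} {dict(counts)}")
    print("over threshold (5):", suspicious_sources(lines, 5))
```

Feeding `logread` output (or `/var/log/messages`) through `ptr_report` does the same attribution on a live router; the threshold is a judgement call, but on a home network a single source issuing dozens of reverse lookups per minute for addresses outside the LAN is worth a look, and when that source is 127.0.0.1 the next step is `netstat -up` (as in the post) to map the socket to a process.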