From: Dave Taht
To: William Katsak
Cc: "cerowrt-devel@lists.bufferbloat.net"
Date: Sat, 3 Jan 2015 16:39:21 -0800
Subject: Re: [Cerowrt-devel] Possibly Serious Compromise
In-Reply-To: <54A88765.5040809@gmail.com>

Hmm.
Port 81 is generally blocked from the outside world, which is where lua runs. Port 80 is open, but serves up nearly no files by default, and shouldn't be able to get to lua.

Please install tcpdump-mini. Put in a USB stick and mount it. Do a tcpdump -i ge00 -w /whereverthestickis. Put the capture file up somewhere I can get at it. Or just capture for 60 seconds to /tmp (assuming little other traffic). You can also cut the size of the capture down with -s 128, but that wouldn't reveal what was going on as well.

I was, incidentally, under the impression we'd left reverse dns lookups off in lighttpd.

On Sat, Jan 3, 2015 at 4:20 PM, William Katsak wrote:
> I'm having a possibly very serious issue with Cero. I started noticing slow internet access today and checked the router. I noticed a boatload of dns resolutions. These push the router load over 1, and eventually dnsmasq crashes and has to be restarted.
>
> After tracing it for an hour or so and ruling out misbehaving software on the local net, I enabled logging in dnsmasq and saw that the resolutions were coming from 127.0.0.1. I kept running netstat -up until I saw some of the connections, and saw that they were coming from lua. All of the requests seem to be reverse DNS lookups of all kinds of crazy IPs.
>
> These requests look like part of some attack/compromise. If I kill lighttpd, everything settles down and runs fine. If I turn it back on, the traffic starts again. I am thinking some kind of vulnerability in the http server allowing malformed requests from outside? I can't for the life of me figure out how they are getting in though. I have very few changes to the firewall config, and only a few port forwards.
>
> I'll send more info as I get it.
>
> Anyone else see anything like this?
>
> -Bill
>
> --
> ****************************************
> William Katsak
> ****************************************

-- 
Dave Täht
http://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks
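The dnsmasq logging step in Bill's report (lookups arriving from 127.0.0.1, reverse resolutions of unrelated public IPs), as an added example that is not from this thread or from CeroWrt: a Python script that parses dnsmasq log-queries lines and flags any source issuing a burst of PTR lookups for public addresses. The log lines are constructed and the threshold is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of dnsmasq "log-queries" output (not taken from the thread);
# on the router the real lines would come from logread.
SAMPLE_LOG = """\
Jan  3 16:20:01 dnsmasq[1234]: query[A] lists.bufferbloat.net from 172.30.42.15
Jan  3 16:20:01 dnsmasq[1234]: query[PTR] 12.213.88.203.in-addr.arpa from 127.0.0.1
Jan  3 16:20:01 dnsmasq[1234]: query[PTR] 200.3.19.91.in-addr.arpa from 127.0.0.1
Jan  3 16:20:02 dnsmasq[1234]: query[PTR] 77.140.0.5.in-addr.arpa from 127.0.0.1
Jan  3 16:20:02 dnsmasq[1234]: query[PTR] 9.77.251.31.in-addr.arpa from 127.0.0.1
Jan  3 16:20:02 dnsmasq[1234]: query[PTR] 1.42.30.172.in-addr.arpa from 172.30.42.15
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")

def ptr_to_ip(name):
    """'12.213.88.203.in-addr.arpa' -> '203.88.213.12'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ip_address(".".join(reversed(octets))))
    except ValueError:
        return None

def ptr_targets_by_source(log_text):
    """Map each querying source to the list of addresses it asked to reverse-resolve."""
    targets = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "PTR":
            ip = ptr_to_ip(m.group("name"))
            if ip is not None:
                targets[m.group("src")].append(ip)
    return targets

def suspicious_sources(log_text, threshold=3):
    """Flag sources with >= threshold PTR lookups (threshold is an assumed tuning knob)
    and report how many distinct public addresses each one tried to resolve."""
    flagged = {}
    for src, ips in ptr_targets_by_source(log_text).items():
        if len(ips) >= threshold:
            public = {ip for ip in ips if ip_address(ip).is_global}
            flagged[src] = {"ptr_queries": len(ips), "distinct_public_targets": len(public)}
    return flagged
```

A loopback source resolving many distinct public addresses, as here, is the signature worth alerting on; ordinary LAN clients mostly reverse-resolve private ranges.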