Virus in linux dreambox

There is 1 reply in this Thread which was already clicked 2,689 times. The last Post () by master G.

  • This is a small reminder to those, especially new users of linuxboxes.
    Although this was publicly posted all over the net some years ago (2007), it has come to light that it is occurring again....
    This is what was originally posted back then:
    SPYWARE ONBOARD? VIRUS IN LINUX DREAMBOX ?? CHECK YOUR BOX


    something is hacking the dreambox when you have port 21 open
    maybe because of 1 cw that leads to 100 others and that leads to 100.000 others and so on (it is autoexecutable + self propagating)


    when they have hacked you then they upload a tarfile 4347_tool2.tar in /var and unpack it in /var/tool2 and then run a script start.sh in /var/tool2 which uses a binary called tvconnector.
    But it isn't always called 4347_tool2.tar. Another was named 5059_tool2.tar.


    Check Your processes under system info, and You'll find several instances of "TVconnector". Kill'em.

    it should not be in your dreambox
    my advice to you all is: check your dreambox, and if you see one of these files/directories in your box


    FLASH IT
    don't take any risk; maybe your box is sending data about your peers, maybe your box is sending data to collect as evidence against you???


    This is not to alarm you, simply to make you aware!!!


    As I mentioned at the start, this has come to light again, as it was recently used to "hide" a server within another server and sent the box crazy, even passing on old + fake cards from other servers, but the line wasn't visible in DCC, only through CCcam info on the TV screen!!!
    So how do you check if your box has this "migrant"? Go to /var/tool2 and system info and check for "TVCONNECTOR", then eliminate it, then reflash the box.

    • Official Post

    Here is another one; I came across this post by gorski at satforum.me.
    Please make sure your receivers are secure.



    Dreambox virus / bot discovered!


    Experienced something crass today ... did not know that something like this exists


    My buddy had problems with his dreambox for days. It crashed every day,
    and then some files in the /lib/ folder had been replaced and enigma no
    longer started. He always had to re-flash, and the next day nothing worked again.


    I helped him today and found out that his box was permanently
    accessible from the internet because he had set up port forwarding for
    telnet and ftp, so that he can get onto the box from work and so on.
    Unfortunately, with the standard username / password root / dreambox.


    Set his box up again. I could then enable FTP and Telnet logging on his box
    and see that someone had logged in to the box from Poland, copied some
    files to the box and made some kind of mischief.


    Funnily enough, I could reach that IP itself in the browser and via ftp with the standard root / dreambox login; it was an ENIGMA1 box ...


    On this strange box there was a process named "m5" which probably
    permanently scanned internet IP ranges and tried to log in there with
    root / dreambox; when the login was successful, the bot was installed
    there and exchanged a few libs that offered the start. This box then
    probably tried every day to infect my buddy's box and install itself.


    But since those are LIBS for enigma1, my buddy's box always crashed, because they are compiled for PowerPC and not MIPSEL ...


    I can not see much in the compiled "m5" binary, but it's a BOT that scans IPs and then tries to spread itself.


    But there are a couple of text strings to be recognized which clearly
    indicate that it is a bot: commands such as DDOS, IP scans etc etc.



    The process ran dozens of times on the box from Poland and had dozens of
    active internet connections .... so this strange box was busy on the
    internet looking for where it could log in as root / dreambox. And if that
    succeeded, a few files were replaced ... bad for enigma2 boxes, as
    these are PowerPC libs and then nothing works any more.


    I downloaded the bot binaries and zipped them; maybe someone can do something with them, but beware!


    I find it crass ... did not even know that there are dreambox viruses. Also,
    having a box on the internet with no password or with the standard root /
    dreambox login is not exactly smart, but that bots look for such
    dreamboxes and infect them I find pretty wicked!
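
Added example, not part of either post: a POSIX shell check for the indicators the two posts name (the *_tool2.tar upload and /var/tool2 directory, processes called tvconnector or m5, and FTP/telnet listening on the box). The function name scan_box and its optional ROOT prefix argument are hypothetical; the sketch assumes a Linux /proc layout and standard sed, awk, tr and sort.

```shell
#!/bin/sh
# Added example: checks a box for the indicators named in the two posts.
# Usage: scan_box [ROOT]  (ROOT is a hypothetical prefix so an unpacked
# image or a test tree can be checked; empty means the running box).
scan_box() {
    root="${1:-}"
    found=0

    # Post 1: NNNN_tool2.tar uploaded to /var and unpacked to /var/tool2.
    for f in "$root"/var/*_tool2.tar "$root/var/tool2" "$root/var/tool2/start.sh"; do
        if [ -e "$f" ]; then
            echo "FILE $f"
            found=$((found + 1))
        fi
    done

    # Processes named tvconnector (post 1) or m5 (post 2).
    # The name is the text between parentheses in /proc/PID/stat.
    for s in "$root"/proc/[0-9]*/stat; do
        [ -r "$s" ] || continue
        name=$(sed 's/^[0-9]* (\(.*\)) .*/\1/' "$s" 2>/dev/null | tr 'A-Z' 'a-z')
        case "$name" in
            tvconnector|m5)
                echo "PROC $name ($s)"
                found=$((found + 1)) ;;
        esac
    done

    # FTP (21 = hex 0015) or telnet (23 = hex 0017) in LISTEN state (0A).
    # Listening alone is not an infection; it is the exposure both posts
    # describe once the port is forwarded and root still has the default password.
    for t in "$root/proc/net/tcp" "$root/proc/net/tcp6"; do
        [ -r "$t" ] || continue
        ports=$(awk '$4 == "0A" { n = split($2, a, ":"); print a[n] }' "$t" | sort -u)
        for p in $ports; do
            case "$p" in
                0015) echo "LISTEN ftp/21";    found=$((found + 1)) ;;
                0017) echo "LISTEN telnet/23"; found=$((found + 1)) ;;
            esac
        done
    done

    # Exit status 0 means nothing was found, 1 means at least one finding.
    [ "$found" -eq 0 ]
}
```

A clean result only means these specific names are absent; the first post notes the tar file name varies, so the glob matches any prefix before _tool2.tar.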
