"The people's bank of China" entry in Deco logs - Mirai botnet infects Deco?

2023-12-16 23:31:58 - last edited 2023-12-17 02:28:07
Tags: #logs
Model: Deco PX50  
Hardware Version: V1
Firmware Version: 1.2.1 Build 20230920 Rel. 62115

What on earth is going on here? The People's Bank of China line is very concerning along with the Deco connecting to an external IP address.

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: Connecting to 45.95.146.126 (45.95.146.126:80)

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: vh 100% |*******************************| 50576 0:00:00 ETA

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: Connecting to 45.95.146.126 (45.95.146.126:80)

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: vh 87% |*************************** | 42795 0:00:00 ETA vh 100% |*******************************| 48884 0:00:00 ETA

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: sh: can't create The People's Bank of China.: Read-only file system

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ls: /tmp/merge/UN: No such file or directory

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("

Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: Connecting to 45.95.146.126 (45.95.146.126:80)

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: vh 87% |*************************** | 42795 0:00:00 ETA vh 100% |*******************************| 48884 0:00:00 ETA

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: sh: can't create The People's Bank of China.: Read-only file system

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ls: /tmp/merge/UN: No such file or directory

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: Failed to execute call dispatcher target for entry '/locale'.

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: The called action terminated with an exception:

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ?:0: attempt to index a nil value

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: stack traceback:

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: [C]: in function 'assert'

Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ?: in function 'dispatch'

#1
Re:"The people's bank of China" entry in Deco logs
2023-12-17 01:09:51

  @Alexmesh 

Suggest you check for malware on all your attached systems.

---------------------------------------------------------------------------------------------------- XE75 V1.0 2-pack / 6 GHz backhaul / Router mode / 300 down 25 up / USA
#2
Re:"The people's bank of China" entry in Deco logs
2023-12-17 01:33:09 - last edited 2023-12-17 02:27:21

  @Alexmesh The house was empty at the time this happened; according to what I've found online, it targets Linux-based network devices and is a worm called Mirai. How do I know if my Deco devices are now infected?

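For the question of how to tell whether a unit was affected, here is an added triage script (not from the thread, TP-Link or the Deco firmware) that reads syslog lines of the shape posted above and flags a process that fetched a file from a public IP address and then tried to execute it, which is the chain visible in the original log. The regexes assume the BusyBox wget and sh message formats exactly as they appear in that log; the sample input quotes those lines plus one constructed benign line.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines quoted from the posted Deco log, plus one constructed benign line.
SAMPLE_LOG = """\
Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: Connecting to 45.95.146.126 (45.95.146.126:80)
Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: vh 100% |*******************************| 50576 0:00:00 ETA
Sat Dec 16 18:03:09 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("
Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: ./vh: line 1: syntax error: unexpected "("
Sat Dec 16 18:03:10 2023 daemon.err uhttpd[6052]: sh: can't create The People's Bank of China.: Read-only file system
Sat Dec 16 18:05:00 2023 daemon.info dnsmasq[1234]: reading /etc/resolv.conf
"""

# OpenWrt syslog shape: "<date> <facility.level> <proc>[<pid>]: <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ "
                     r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Connecting to \S+ \((?P<ip>[\d.]+):(?P<port>\d+)\)")  # busybox wget
PROGRESS_RE = re.compile(r"^(?P<file>\S+) +\d+% \|")                             # wget progress bar
EXEC_RE = re.compile(r"^\./(?P<file>\S+): line \d+: syntax error")               # sh fed a non-script
WRITE_RE = re.compile(r"can't create (?P<path>.+): Read-only file system")      # shell redirect target

def is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast)

def find_chains(log_text: str) -> list:
    """One finding per (process, file) where the process fetched the file from a public
    IP and then tried to run it; later failed writes by that process are attached."""
    state = defaultdict(lambda: {"ips": [], "files": set(), "findings": {}})
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        proc, pid, msg = m["proc"], int(m["pid"]), m["msg"]
        st = state[(proc, pid)]
        if (c := CONNECT_RE.search(msg)) and is_public(c["ip"]):
            st["ips"].append((c["ip"], int(c["port"])))
        elif (p := PROGRESS_RE.match(msg)) and st["ips"]:
            st["files"].add(p["file"])
        elif (e := EXEC_RE.match(msg)) and e["file"] in st["files"]:
            if e["file"] not in st["findings"]:        # repeated attempts count once
                ip, port = st["ips"][-1]
                st["findings"][e["file"]] = {"proc": proc, "pid": pid, "ip": ip, "port": port,
                                             "file": e["file"], "first_seen": m["ts"], "writes": []}
        elif (w := WRITE_RE.search(msg)) and st["findings"]:
            # the "bank" text is a filename a redirect tried to create, not a network destination
            for f in st["findings"].values():
                f["writes"].append(w["path"])
    return [f for st in state.values() for f in st["findings"].values()]
```

That the messages are attributed to uhttpd, the router's own web server, is what makes the chain worth escalating: a web server has no business running wget and sh. Run it over the saved log of each unit; an empty list for a unit means this particular chain was not seen there, not that the unit is clean.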
#3
Re:"The people's bank of China" entry in Deco logs
2023-12-18 01:39:55

  @Alexmesh 

Hi, nice to see you again, and thank you very much for the feedback.

Could you please help us send a copy of the system log file to security@tp-link.com?

TP-Link Product Security Advisory

Waiting for your reply, and best regards.

#4
Re:"The people's bank of China" entry in Deco logs
2023-12-18 13:03:55

  @David-TP Hi David, I'll do that now, as I've had an email from them. I'm wondering if this could be why I was having Ethernet backhaul failures. I've since taken that Deco offline (I saved the log files first), and I can't see anything related in the other Deco units. I was getting network slowdowns on the night this happened when I returned home, like a DDoS attack, until I removed that Deco unit. Is it safe to use at this point, or is the firmware infected?

#5
Re:"The people's bank of China" entry in Deco logs - Mirai botnet infects Deco?
2023-12-21 16:00:32

For those wondering about updates, I'm in contact with TP-Link support and they are taking this issue very seriously.

#6
Re:"The people's bank of China" entry in Deco logs - Mirai botnet infects Deco?
2023-12-21 21:21:54

  @Alexmesh Please keep us updated.

#7
Re:"The people's bank of China" entry in Deco logs - Mirai botnet infects Deco?
2024-02-14 14:58:13

  @potatoes They appear to have released a new firmware update, which I assume addresses this. I've been on a debug firmware due to other backhaul problems, but I haven't seen anything in the logs since updating to it.
