
Thread: Possibly Hacked box, Some Security help needed

  1. #1

    Title
    Member
    Join Date
    Dec 2015
    Posts
    40
    Thanks
    1
    Thanked 2 Times in 2 Posts

    Possibly Hacked box, Some Security help needed

    My 1 year old Xtrend ET-10000 is occasionally misbehaving.

    When it misbehaves, it's sending a Flood of outgoing traffic to an as yet undetermined destination; it looks like it's participating in a DoS attack. Small packets, very very high Packets per second. Which cripples my internet connection and no doubt isn't helping someone else's either.

    The system does have a password for ssh/telnet but access via the web interface doesn't seem to require one, so if people are able to make an inbound connection to get at the box, it still seems feasible they've pwned it somehow.


    When the box is sending a flood of traffic, mgcamd is using 100%+ CPU even though the box shouldn't be running a cam at all. I can terminate mgcamd which seems to stop the traffic but it seems to restart itself later.


    The box has IPv6 Connectivity. I have tried to find out how to disable this, but so far have not. If someone's making an inbound connection, I've a feeling it must be IPv6, as it only has an RFC1918 v4 address, with no ports or anything mapped through the router. However, it's possible that the connection for the seeming remote control is now being initiated from the inside on a cron job or something to let a 3rd party in. I don't really know.



    Help Wanted:
    I would like to know, if people can tell me:

    1. How to permanently disable IPv6 on the system. It doesn't need to be enabled. It's just a gaping security hole at the moment.
    2. Are there any known exploits or particular known previous examples of this particular pattern of abuse that people are familiar with, and can direct me to a related discussion?
    3. I probably should be reflashing the box at this point but I have never done this and don't really know how. But I'm familiar with Linux generally, and have reflashed android devices before so it isn't toooo daunting, I just need to know where to start, and if there are any special considerations to take into account when trying to clean up a system which may have been compromised.

  2. #2
    ccs's Avatar
    Title
    ViX Beta Tester
    Join Date
    Sep 2014
    Posts
    5,836
    Thanks
    554
    Thanked 1,277 Times in 1,089 Posts
    If you have port forwarding to the box set on your router, that's all they need to get in. It needs to be disabled.

    Reflashing the box will clean it up.

    The telnet command netstat -t will show you what TCP streams are in use.
    Last edited by ccs; 18-01-17 at 23:07.

  3. #3
    abu baniaz's Avatar
    Title
    Moderator
    Join Date
    Sep 2010
    Location
    East London
    Posts
    23,360
    Thanks
    6,441
    Thanked 9,160 Times in 6,235 Posts
    If you are using mgcamd, I'm guessing your configs have the logging on and you are trying to connect to a non-existent IP address. This may be what is causing the Self DDOS attack. I may be wrong, so please check the L value in my_cfg.

    If you have exposed your box by opening ports to it, it may indeed be part of a botnet.

  4. #4

    Title
    Member
    Join Date
    Dec 2015
    Posts
    40
    Thanks
    1
    Thanked 2 Times in 2 Posts
    No "Open Ports" in the traditional sense (There's no way in via IPv4) - but the entire box is exposed via IPv6 so that needs to be shut down - I appreciate not many people are using IPv6 in the home so it's not something you come across often, but it's a problem, I need to be able to disable IPv6 completely.

  5. #5
    abu baniaz's Avatar
    Title
    Moderator
    Join Date
    Sep 2010
    Location
    East London
    Posts
    23,360
    Thanks
    6,441
    Thanked 9,160 Times in 6,235 Posts
    Can you upload your my_cfg please. Zip it before attaching to post.

  6. #6
    duoduo's Avatar
    Title
    Forum Supporter
    Donated Member
    Join Date
    Feb 2013
    Location
    North West Seaside
    Posts
    2,006
    Thanks
    645
    Thanked 389 Times in 309 Posts
    Where did you get your cam setup from buddy, I fear this is where your issue lies. Personally, I would definitely recommend a new flash, lots of tutorials on here to help you out.
    Vix image (usually latest) - VU Solo 4K- WD 1TB INTERNAL HDD - DVB-T Freeview, trialling IPTV options

    If my response has helped you, don't forget to hit the thanks button below. I appreciate you appreciate me

  7. #7

    Title
    Forum Supporter
    Donated Member
    Join Date
    Jan 2016
    Posts
    533
    Thanks
    2,093
    Thanked 113 Times in 103 Posts
    Can you not just uninstall mgcamd if you don't need it and see how it goes?

    Sent from my VF695 using Tapatalk

  8. #8

    Title
    Senior Member
    Join Date
    Aug 2015
    Posts
    234
    Thanks
    131
    Thanked 68 Times in 50 Posts
    It's your mg_cfg file causing the problem.

    open it, look for logging and change L:{03} to L:{00}

    Code:
    # Log option, summ of:
    # 00 off
    # 01 network udp log
    # 02 log to console
    # 04 file, appended ! delete it by yourself, before it eat all your hdd
    # + IP udp-port log-file-name
    L: { 00 }

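The decoding of that L value, as an added example (not mgcamd's code and not something posted in this thread): the bitmask quoted above is 01 udp network log + 02 console + 04 file, so L:{03} means mgcamd fires a UDP log packet at the address on that line for every event it logs, which is the flood the OP saw when the target is unreachable. The script below parses the L: line of an mg_cfg file, reports whether the UDP bit is set and where it is pointed, clears only that bit, and does the crude "is that address even on my LAN" check the OP did by hand. The sample config, the 192.168.x.x addresses, the port and the log path are constructed; the trailing fields follow the "+ IP udp-port log-file-name" comment in the quoted file, and the /24 assumption in same_slash24 is a guess at a typical home LAN.

```shell
#!/bin/sh
# Added example for this thread; not mgcamd's own code or the forum's.
# Decodes the "L:" log option of an mg_cfg file (01 udp network log,
# 02 console, 04 file, summed), reports whether the UDP network log is on
# and where it points, and can clear just the UDP bit while leaving the
# console/file bits as they were. POSIX sh + awk only, so it runs on a
# busybox-based receiver as well as on a desktop.

# Constructed sample config shaped like the one quoted in the thread
# (assumption: a box configured like the OP's, L:{03} with a UDP target).
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# Log option, summ of:
# 00 off
# 01 network udp log
# 02 log to console
# 04 file, appended ! delete it by yourself, before it eat all your hdd
# + IP udp-port log-file-name
L: { 03 } 192.168.2.20 28008 /tmp/mgcamd.log
EOF
BOX_IP="192.168.1.10"   # constructed: the receiver's own RFC1918 address

# Print the numeric value inside "L: { .. }" (nothing if there is no L: line).
mg_log_flags() {
    awk '/^[[:space:]]*L:[[:space:]]*[{]/ {
            sub(/.*[{][[:space:]]*/, "")     # drop everything up to the "{"
            sub(/[[:space:]]*[}].*/, "")     # drop "}" and the IP/port/file fields
            print $0 + 0                     # "03" -> 3
            exit
         }' "$1"
}

# Print the UDP log target IP that follows the closing brace (empty if none).
mg_log_target() {
    awk '/^[[:space:]]*L:[[:space:]]*[{]/ { sub(/.*[}][[:space:]]*/, ""); print $1; exit }' "$1"
}

# Exit 0 when the 01 "network udp log" bit is set.
mg_log_udp_enabled() {
    flags="$(mg_log_flags "$1")"
    [ -n "$flags" ] && [ $(( $flags & 1 )) -ne 0 ]
}

# Rewrite the L: line with the 01 bit cleared; other bits (02, 04) are kept.
mg_disable_udp_log() {
    flags="$(mg_log_flags "$1")"
    [ -n "$flags" ] || return 1
    new="$(printf '%02d' $(( $flags & ~1 )))"
    tmp="$(mktemp)"
    awk -v v="$new" '
        /^[[:space:]]*L:[[:space:]]*[{]/ { sub(/[{][^}]*[}]/, "{ " v " }") }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Crude on-link test (assumption: a /24 home LAN): same first three octets?
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Summary for the sample config.
echo "L value: $(mg_log_flags "$SAMPLE_CFG")"
if mg_log_udp_enabled "$SAMPLE_CFG"; then
    target="$(mg_log_target "$SAMPLE_CFG")"
    echo "UDP network log is ON, target $target"
    same_slash24 "$target" "$BOX_IP" || echo "target is not on the box's /24: every log line leaves via the default route"
fi
```

On a real box, point the functions at /etc/mgcamd/mg_cfg (or wherever the image keeps it), run mg_disable_udp_log, and restart mgcamd; mg_log_flags afterwards should print 0 or 2, never an odd number.
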
  9. #9

    Title
    Member
    Join Date
    Dec 2015
    Posts
    40
    Thanks
    1
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by kryton View Post
    It's your mg_cfg file causing the problem.

    open it, look for logging and change L:{03} to L:{00}

    Code:
    # Log option, summ of:
    # 00 off
    # 01 network udp log
    # 02 log to console
    # 04 file, appended ! delete it by yourself, before it eat all your hdd
    # + IP udp-port log-file-name
    L: { 00 }

    Aha, that makes a lot of sense. I've changed that now, damn thing was trying to log to an RFC1918 address not even on my network...although the router should have been smart enough not to try and actually route that out to the default route...or..hmm, probably not. Damn



    Well I'll see how it behaves after this and hopefully that will do the trick.





    I still want to know how to disable IPv6 on the box though, if anyone has any ideas.
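
Nobody in the thread answers the IPv6 question, so here is an added example (not from the forum, the OP or the OpenViX image). It assumes the receiver runs a Linux kernel with the standard /proc/sys/net/ipv6/conf/*/disable_ipv6 knobs and has a sysctl binary (busybox or procps); whether this image applies /etc/sysctl.conf at boot is not established anywhere on this page, so the check function reads the live kernel state instead of trusting the file, and the /etc/sysctl.conf path is an assumption you should confirm on the box. The root-directory argument to ipv6_is_disabled exists only so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example for the IPv6 question in this thread; not the forum's or the image's code.
# Assumptions: Linux kernel with net.ipv6.conf.*.disable_ipv6 (present since 2.6.29),
# a sysctl binary, and /etc/sysctl.conf as the persistence file. Check on the box
# whether that file is actually applied at boot before relying on ipv6_persist.

# The two settings that switch IPv6 off on every present and future interface.
ipv6_sysctl_lines() {
    printf '%s\n' \
        'net.ipv6.conf.all.disable_ipv6=1' \
        'net.ipv6.conf.default.disable_ipv6=1'
}

# Apply right now (needs root). Addresses vanish immediately; no reboot needed.
ipv6_disable_now() {
    ipv6_sysctl_lines | while IFS= read -r line; do
        sysctl -w "$line"
    done
}

# Append the settings to a sysctl.conf (default /etc/sysctl.conf) without duplicating them.
ipv6_persist() {
    f="${1:-/etc/sysctl.conf}"
    ipv6_sysctl_lines | while IFS= read -r line; do
        grep -qxF "$line" "$f" 2>/dev/null || printf '%s\n' "$line" >> "$f"
    done
}

# Exit 0 when the kernel reports IPv6 disabled for all interfaces.
# $1 optionally prefixes the /proc path (used only to test against a fake tree).
ipv6_is_disabled() {
    root="${1:-}"
    v="$(cat "$root/proc/sys/net/ipv6/conf/all/disable_ipv6" 2>/dev/null)"
    [ "$v" = "1" ]
}

# Report the live state of this machine.
if ipv6_is_disabled; then
    echo "IPv6 is disabled on all interfaces"
else
    echo "IPv6 is still enabled (or no IPv6 stack at all); to turn it off run:"
    ipv6_sysctl_lines | sed 's/^/  sysctl -w /'
fi
```

After ipv6_disable_now, `ip -6 addr` (or `ifconfig`) should show no global or link-local addresses, and a second run of ipv6_is_disabled confirms the kernel agrees; if the setting is gone after a reboot, the image is not reading sysctl.conf and the sysctl -w lines need to go into whatever startup hook it does run.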
