
View Full Version : [TM-TWIN-OE] wget still gets renamed



robti
18-10-13, 11:07
Hi, in the last few weeks I kept getting "feeds down for maintenance", so I posted my problem and was told about the Aidra virus. After a read (not too clued up on Linux) I did the following.

So I have reflashed my router with clean firmware, renamed my default password on it, and did the same to my Twin running build 753, with no restore and a clean USB stick (so all that was left were my recordings on my hard drive); everything else (picons, logs, EPG) gets stored on the USB.

Last night I discovered it's back and I now have ~wget.

I have OnDemand installed and OpenWebif with 2 custom ports set up; is there anything else I could try?

Thanks

Robert

judge
18-10-13, 11:34
Anything else on your network that could contain the virus?

Burnham
18-10-13, 23:10
I had this problem before on a VU+Duo, and did the same as you - router reboot and clean install of ViX. So far I have not been hit again, but it's only a week or so since I updated.

With this problem you should keep a regular check on your logs to check for any unauthorised login attempts. In the VU+ there is a file called messages in the /var/log folder that has this information.

robti
19-10-13, 13:27
Thanks for the replies.

Judge, the only other devices on my network are a Windows Home Server and a Yamaha receiver.

Burnham, I will take a look at that file.

Time for another clean install.

robti
19-10-13, 13:36
Been through the logs and get a couple of entries like this; does this mean anything to anyone?

Oct 19 10:13:13 tmtwin authpriv.notice login[29757]: ROOT LOGIN on '/dev/pts/1' from '84.46.243.138:57414'

address goes here: Lithuania, Dainava (Kaunas), SC Lithuanian Radio And TV Center

Oct 19 09:55:45 tmtwin authpriv.notice login[11640]: ROOT LOGIN on '/dev/pts/1' from '84.240.239.234:58039'

this one goes here: Kazakhstan, Almaty, Digital TV LLP

Larry-G
19-10-13, 13:54
It's an IP address, and it's saying that someone from that address has accessed your system, i.e. it has likely been hacked.

Larry-G
19-10-13, 14:04
I see you have added in the IP addresses since my reply. Do you subscribe to any of these services, or have you noticed anything strange with your own card etc.?

robti
19-10-13, 16:25
Hi pheonix, thanks for the reply. I have an unsubbed white card that is only used for 5HD; I installed OnDemand but didn't use it, and I use the latest vhannibals but edited for my channels, and I only watch Freesat, MBC on 26E and F1 on 19E.

So when you say hacked, are we talking about the Twin or my router? And any ideas on how to prevent it, as I changed my passwords on both machines?

Robert

Burnham
19-10-13, 19:54
If you have the line ROOT LOGIN in your messages file that means someone has discovered the password of your TM-TWIN receiver.

I suggest you change the password again, and keep checking the messages log file. With luck you should only get a log line that says INVALID LOGIN. That means people are continuing to attempt to access your receiver, but failing as they do not have your new password.

robti
20-10-13, 10:41
Thanks for the helpful replies. I have now changed my box password again. Can I just ask, before I put this to bed, how would they have found the box, i.e. through a plugin or something else like an open port on the router (although only 2 are open for the webif and they are not default ones)? Just wondered if it was something I could uninstall and live without.

Thanks

Robert

Update: just found these after changing the password last night

Oct 20 08:57:55 tmtwin authpriv.warn login[17965]: invalid password for 'root' on '/dev/pts/0' from '178.248.38.132:57926'
Oct 20 08:58:02 tmtwin authpriv.warn login[18479]: invalid password for 'root' on '/dev/pts/0' from '178.248.38.132:57927'
Oct 20 08:58:09 tmtwin authpriv.warn login[19121]: invalid password for 'UNKNOWN' on '/dev/pts/0' from '178.248.38.132:57928'
Oct 20 08:58:16 tmtwin authpriv.warn login[19635]: invalid password for 'root' on '/dev/pts/0' from '178.248.38.132:57929'
Oct 20 08:58:19 tmtwin authpriv.warn login[19635]: invalid password for 'UNKNOWN' on '/dev/pts/0' from '178.248.38.132:57929'
Oct 20 08:58:23 tmtwin authpriv.warn login[20277]: invalid password for 'UNKNOWN' on '/dev/pts/0' from '178.248.38.132:57930'

Burnham
20-10-13, 20:00
They must be scanning your open ports, and finding the open port. As long as you see the invalid password message you know you are still secure.

I suggest you change the webif port again. And check if you really need it to be open in your router. Not sure what you mean when you say you have opened 2 ports for the webif - I think you only need one open.

Also you must check immediately that your webif is password protected - go to your webif setup screen and make sure "enable http authentication" is set to yes. If you have left this at the default of no, then anyone can access your webif.
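As an added example (not code from this thread or from the receiver's firmware), the POSIX shell script below applies the check Burnham describes to the receiver's /var/log/messages: it counts successful "ROOT LOGIN" lines and "invalid password" lines per source address, so that a recorded root login stands out from the scanning noise. The script name login_audit.sh is assumed, and the built-in sample is constructed from the log lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the receiver's firmware.
# Summarises the two login line shapes quoted in this thread:
#   login[PID]: ROOT LOGIN on '/dev/pts/1' from 'A.B.C.D:PORT'
#   login[PID]: invalid password for 'root' on '/dev/pts/0' from 'A.B.C.D:PORT'

# Extract the source address from a "from 'A.B.C.D:PORT'" field on stdin.
source_addr() {
    sed -n "s/.*from '\([0-9.]*\):[0-9]*'.*/\1/p"
}

# Print "<count> <address>" for every source that logged in as root.
root_logins() {
    grep 'ROOT LOGIN on' "$1" | source_addr | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print "<count> <address>" for every source that failed a password.
failed_logins() {
    grep 'invalid password for' "$1" | source_addr | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Exit 0 only if a successful root login is recorded, i.e. the password
# is known to someone else and must be changed again.
has_root_login() {
    grep -q 'ROOT LOGIN on' "$1"
}

audit_log() {
    echo "Successful root logins by source:"; root_logins "$1"
    echo "Failed password attempts by source:"; failed_logins "$1"
    if has_root_login "$1"; then
        echo "WARNING: root login recorded, password is compromised"; return 1
    fi
    echo "Only failed attempts: password still holding"
}

# On the receiver: sh login_audit.sh /var/log/messages
# Without an argument a constructed sample built from the thread's lines is used.
LOG="${1:-}"
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    cat > "$LOG" <<'EOF'
Oct 19 10:13:13 tmtwin authpriv.notice login[29757]: ROOT LOGIN on '/dev/pts/1' from '84.46.243.138:57414'
Oct 20 08:57:55 tmtwin authpriv.warn login[17965]: invalid password for 'root' on '/dev/pts/0' from '178.248.38.132:57926'
Oct 20 08:58:09 tmtwin authpriv.warn login[19121]: invalid password for 'UNKNOWN' on '/dev/pts/0' from '178.248.38.132:57928'
EOF
fi
audit_log "$LOG" || echo "Action needed: change the root password and review the open webif port"
```

A log that contains only "invalid password" lines is the healthy state Burnham describes; any "ROOT LOGIN" from an address you do not recognise means the password has to be changed again.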