Photovoltaic
18-01-17, 22:57
My 1 year old Xtrend ET-10000 is occasionally misbehaving.
When it misbehaves, it's sending a Flood of outgoing traffic to an as yet undetermined destination; it looks like it's participating in a DoS attack. Small packets, very very high Packets per second. Which cripples my internet connection and no doubt isn't helping someone else's either.
The system does have a password for ssh/telnet but access via the web interface doesn't seem to require one, so if people are able to make an inbound connection to get at the box, it still seems feasible they've pwned it somehow.
When the box is sending a flood of traffic, mgcamd is using 100%+ CPU even though the box shouldn't be running a cam at all. I can terminate mgcamd which seems to stop the traffic but it seems to restart itself later.
The box has IPv6 Connectivity. I have tried to find out how to disable this, but so far have not. If someone's making an inbound connection, I've a feeling it must be IPv6, as it only has an RFC1918 v4 address, with no ports or anything mapped through the router. However, it's possibly that the connection for the seeming remote control is now being initiated from the inside on a cron job or something to let 3rd party in. I don't really know.
Help Wanted:
I would like to know, if people can tell me:
1. How to permanently disable IPv6 on the system. It doesn't need to be enabled. It's just a gaping security hole at the moment.
2. Are there any known exploits or particular known previous examples of this particular pattern of abuse that people are familiar with, and can direct me to a related discussion?
3. I probably should be reflashing the box at this point but I have never done this and don't really know how. But I'm familiar with Linux generally, and have reflashed android devices before so it isn't toooo daunting, I just need to know where to start, and if there are any special considerations to take into account when trying to clean up a system which may have been compromised.
When it misbehaves, it's sending a Flood of outgoing traffic to an as yet undetermined destination; it looks like it's participating in a DoS attack. Small packets, very very high Packets per second. Which cripples my internet connection and no doubt isn't helping someone else's either.
The system does have a password for ssh/telnet but access via the web interface doesn't seem to require one, so if people are able to make an inbound connection to get at the box, it still seems feasible they've pwned it somehow.
When the box is sending a flood of traffic, mgcamd is using 100%+ CPU even though the box shouldn't be running a cam at all. I can terminate mgcamd which seems to stop the traffic but it seems to restart itself later.
The box has IPv6 Connectivity. I have tried to find out how to disable this, but so far have not. If someone's making an inbound connection, I've a feeling it must be IPv6, as it only has an RFC1918 v4 address, with no ports or anything mapped through the router. However, it's possibly that the connection for the seeming remote control is now being initiated from the inside on a cron job or something to let 3rd party in. I don't really know.
Help Wanted:
I would like to know, if people can tell me:
1. How to permanently disable IPv6 on the system. It doesn't need to be enabled. It's just a gaping security hole at the moment.
2. Are there any known exploits or particular known previous examples of this particular pattern of abuse that people are familiar with, and can direct me to a related discussion?
3. I probably should be reflashing the box at this point but I have never done this and don't really know how. But I'm familiar with Linux generally, and have reflashed android devices before so it isn't toooo daunting, I just need to know where to start, and if there are any special considerations to take into account when trying to clean up a system which may have been compromised.