
Thread: possible compromised VIX on zgemma h7

  1. #1

    Title
    Forum Supporter
    Donated Member
    Join Date
    Mar 2014
    Location
    UK
    Posts
    163
    Thanks
    36
    Thanked 6 Times in 6 Posts

    possible compromised VIX on zgemma h7

    Interested in thoughts on this, especially from anyone in the ViX team. If it is confirmed this is unusual I will set up the box again from scratch.

    So I have noticed 3 things lately on the box.

    1 - After the box has been up for a while e.g. 1-2 weeks, which isn't that long for a TV STB, the box won't respond to the remote control and outputs no service to the TV, and I am required to power cycle it. SSH is still responsive. The last time this occurred, I was looking at the back of the box as I did the power cycle, and noticed constant network activity as well as one of the USB drives being busy. This was obviously unusual, especially as the USB drives are only holding archived shows, and are not used for recordings, EPG etc. So they should be idle when the box is idle.
    2 - Memory usage is really high, so bear in mind many boxes still have half gig of ram or less, this box right now even right after a reboot is using 759meg of ram, and if I look in 'top' the biggest process listed is enigma2 at around 80meg of ram. Nothing else comes close, so the fact I have memory usage that is unaccounted for is a bit of a warning sign, note this does not include cache usage which has its own counter. This 759meg is userland usage.
    3 - There is an unkillable root process called '999999999999999' running, top reports very low ram usage but it is using a moderate amount of cpu, it's the sort of filename rogue software has, I tried to search for a binary with this name but it doesn't exist on the system. If devs confirm this process should not be running on a clean vix box I am resetting the configuration.

    Info below

    Box
    Brand & Model: Zgemma H7
    Chipset: Broadcom 7251s
    Main Memory: 236708 kB free / 1028048 kB total
    Box Uptime: 0:09
    Software
    System OE: OE-Alliance 4.3
    Firmware version: OpenViX 5.3.013 (2019-12-13)
    Kernel / Drivers: 4.10.12 / 20191123
    Zgemma H7S, internal 2tb WDC WD20NPVZ-00W HDD, ViX as below
    System OE: OE-Alliance 4.4
    Firmware version: OpenViX 5.4.013 (2021-06-24)
    Kernel / Drivers: 4.10.12 / 20191123

  2. #2
    ccs's Avatar
    Title
    ViX Beta Tester
    Join Date
    Sep 2014
    Posts
    5,836
    Thanks
    554
    Thanked 1,276 Times in 1,089 Posts
    Have you opened ports on your router to allow access to the box from the internet?

  3. #3

    Title
    Forum Supporter
    Donated Member
    Join Date
    Mar 2014
    Location
    UK
    Posts
    163
    Thanks
    36
    Thanked 6 Times in 6 Posts
    No, there is no routing to the box from the internet, but the box can of course make connections out to the internet.

    I know how it possibly got compromised, if it is compromised.

    I installed a package from an unverified source, so that would be the overwhelming likelihood of the source.
    Zgemma H7S, internal 2tb WDC WD20NPVZ-00W HDD, ViX as below
    System OE: OE-Alliance 4.4
    Firmware version: OpenViX 5.4.013 (2021-06-24)
    Kernel / Drivers: 4.10.12 / 20191123

  4. #4
    ccs's Avatar
    Title
    ViX Beta Tester
    Join Date
    Sep 2014
    Posts
    5,836
    Thanks
    554
    Thanked 1,276 Times in 1,089 Posts
    ….. and don't forget that anything on your local network could also be compromised.

  5. #5
    abu baniaz's Avatar
    Title
    Moderator
    Join Date
    Sep 2010
    Location
    East London
    Posts
    23,335
    Thanks
    6,421
    Thanked 9,146 Times in 6,224 Posts
    Are you using mgcamd?

  6. #6

    Title
    Forum Supporter
    Donated Member
    Join Date
    Mar 2014
    Location
    UK
    Posts
    163
    Thanks
    36
    Thanked 6 Times in 6 Posts
    not using mgcamd no.
    Zgemma H7S, internal 2tb WDC WD20NPVZ-00W HDD, ViX as below
    System OE: OE-Alliance 4.4
    Firmware version: OpenViX 5.4.013 (2021-06-24)
    Kernel / Drivers: 4.10.12 / 20191123

  7. The Following User Says Thank You to chrcoluk For This Useful Post:

    abu baniaz (24-02-20)

  8. #7
    birdman's Avatar
    Title
    Moderator
    Join Date
    Sep 2014
    Location
    Hitchin, UK
    Posts
    7,769
    Thanks
    235
    Thanked 1,656 Times in 1,305 Posts
    Quote Originally Posted by chrcoluk View Post
    2 - Memory usage is really high, so bear in mind many boxes still have half gig of ram or less, this box right now even right after a reboot is using 759meg of ram, and if I look in 'top' the biggest process listed is enigma2 at around 80meg of ram. Nothing else comes close, so the fact I have memory usage that is unaccounted for is a bit of a warning sign, note this does not include cache usage which has its own counter. This 759meg is userland usage.
    Linux uses all (well, almost all) free memory to cache file-system activity. For any system that has active file-systems it's quite normal for most of memory to be "in-use" (unless you have many GBs of memory). But it isn't.
    EDIT: But you seem to reckon it isn't that anyway...

    3 - There is an unkillable root process called '999999999999999' running, top reports very low ram usage but it is using a moderate amount of cpu, it's the sort of filename rogue software has, I tried to search for a binary with this name but it doesn't exist on the system. If devs confirm this process should not be running on a clean vix box I am resetting the configuration.
    My et8000 has these:

    Code:
    root       249     2  0 02:37 ?        00:00:00 [nnnnnnnn]
    root       250     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnnnnn]
    root       251     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnnnnn]
    root       252     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnnnnn]
    root       253     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnn]
    root       254     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnnn]
    root       255     2  0 02:37 ?        00:00:00 [nnnnnnnnnnnnnnn]
    They've always been there. They are kernel threads. According to /proc/<pid>/wchan they are all waiting on BKNI_WaitForGroup.

    EDIT: BKNI appears to be something to do with the "Broadcom 'proprietary' graphic acceleration instruction pipeline".
    Last edited by birdman; 25-02-20 at 03:51.
    MiracleBox Prem Twin HD - 2@DVB-T2 + Xtrend et8000 - 5(incl. 2 different USBs)@DVB-T2[terrestrial - UK Freeview HD, Sandy Heath] - LAN/USB-stick/HDD

  9. #8

    Title
    Forum Supporter
    Donated Member
    Join Date
    Mar 2014
    Location
    UK
    Posts
    163
    Thanks
    36
    Thanked 6 Times in 6 Posts
    Thanks birdman, it isn't cache usage unless somehow the resource counters have gone fubar, also it is really high right after a reboot and it takes time for caches to populate.

    I will check the kernel thread stuff.

    Currently the box is quite bad. I have already set up a cron to auto restart enigma nightly because of disk swapping causing channels to stutter, and I may even have to make that twice daily, and possibly even an automatic reboot. The setting up from scratch is going to happen, it's just when I got time to do it.

    --edit--

    Thanks to birdman's info I have a bit more information now.

    This is the output for wchan

    Code:
    BKNI_WaitForEvent_tagged
    But interestingly when I did ls /proc/1649 (1640 is the PID), the exe is missing, there isn't one. If I run that command on any other process on the system, the exe variable is populated properly.

    see the error in this paste

    Code:
    root@vusolo2:~# ls /proc/1649
    -r--------    1 root     root             0 Feb 29 19:50 auxv
    -r--r--r--    1 root     root             0 Feb 29 19:50 cgroup
    --w-------    1 root     root             0 Feb 29 19:50 clear_refs
    -r--r--r--    1 root     root             0 Feb 24 14:53 cmdline
    -rw-r--r--    1 root     root             0 Feb 29 19:50 comm
    -rw-r--r--    1 root     root             0 Feb 29 19:50 coredump_filter
    -r--r--r--    1 root     root             0 Feb 29 19:50 cpuset
    lrwxrwxrwx    1 root     root             0 Feb 29 19:50 cwd -> /
    -r--------    1 root     root             0 Feb 29 19:50 environ
    ls: /proc/1649/exe: cannot read link: No such file or directory
    lrwxrwxrwx    1 root     root             0 Feb 24 14:53 exe
    dr-x------    2 root     root             0 Feb 29 19:50 fd
    dr-x------    2 root     root             0 Feb 29 19:50 fdinfo
    -r--r--r--    1 root     root             0 Feb 29 19:50 limits
    dr-x------    2 root     root             0 Feb 29 19:50 map_files
    -r--r--r--    1 root     root             0 Feb 29 19:50 maps
    -rw-------    1 root     root             0 Feb 29 19:50 mem
    -r--r--r--    1 root     root             0 Feb 29 19:50 mountinfo
    -r--r--r--    1 root     root             0 Feb 29 19:50 mounts
    -r--------    1 root     root             0 Feb 29 19:50 mountstats
    dr-xr-xr-x    7 root     root             0 Feb 29 19:50 net
    dr-x--x--x    2 root     root             0 Feb 29 19:50 ns
    -rw-r--r--    1 root     root             0 Feb 29 19:50 oom_adj
    -r--r--r--    1 root     root             0 Feb 29 19:50 oom_score
    -rw-r--r--    1 root     root             0 Feb 29 19:50 oom_score_adj
    -r--------    1 root     root             0 Feb 29 19:50 pagemap
    -r--------    1 root     root             0 Feb 29 19:50 personality
    lrwxrwxrwx    1 root     root             0 Feb 29 19:50 root -> /
    -r--r--r--    1 root     root             0 Feb 29 19:50 smaps
    -r--r--r--    1 root     root             0 Feb 24 14:53 stat
    -r--r--r--    1 root     root             0 Feb 24 14:55 statm
    -r--r--r--    1 root     root             0 Feb 29 19:50 status
    -r--------    1 root     root             0 Feb 29 19:50 syscall
    dr-xr-xr-x    3 root     root             0 Feb 29 19:50 task
    -rw-rw-rw-    1 root     root             0 Feb 29 19:50 timerslack_ns
    -r--r--r--    1 root     root             0 Feb 29 19:50 wchan
    snippet of ram

    Code:
    root@vusolo2:~# free -m
                  total        used        free      shared  buff/cache   available
    Mem:           1003         771         138           0          93         214
    Swap:           255           0         255
    Note how 93meg is used by the cache, it is added to free for available ram, 771 meg is used not including cache, but the only process using any measurable amount of ram is enigma at 11.5% of ram which is about 118 meg on this system. If it was cache usage I wouldn't be concerned.
    Last edited by chrcoluk; 29-02-20 at 21:01.
    Zgemma H7S, internal 2tb WDC WD20NPVZ-00W HDD, ViX as below
    System OE: OE-Alliance 4.4
    Firmware version: OpenViX 5.4.013 (2021-06-24)
    Kernel / Drivers: 4.10.12 / 20191123

  10. #9
    twol's Avatar
    Title
    Moderator
    Join Date
    Apr 2012
    Posts
    8,382
    Thanks
    987
    Thanked 2,888 Times in 2,243 Posts
    Quote Originally Posted by chrcoluk View Post
    The setting up from scratch is going to happen, it's just when I got time to do it.
    This is not a big deal, you have a multiboot box.
    So when you have time, flash an image (with ImageManager) to a free slot (I am assuming that you have never done this, so your current image is in the 1st slot). Set up as much as you can from new (don’t use restore backup) and then reboot (power long press - multiboot restart or on latest image multiboot image selector) to slot 1 (your current live image).
    So flip between the images until you are comfortable with the new image and you have time - and then you are OK.
    Gigablue Quad 4K & UE 4K
    .........FBC Tuners:
    ------------------> DUR-Line DCR 5-1-8-L4 Multiswitch to 1.5M dish(28.2E)
    ------------------> Spaun SUS 5581/33 NFA Multiswitch to 80 cm dish(19.2E)
    .......................> FBC & DVB-S2X into 90cm dish (27.5W) Opticum robust Unicable LNB
    AX HD61, Edision Osmio 4K+, Zgemma H9Combo, Octagon SF8008 , gbtrio4k, h9se using Legacy ports on multiswitches
    Zgemma H9 C/S into Giga4K

  11. The Following User Says Thank You to twol For This Useful Post:

    Sicilian (01-03-20)

  12. #10
    birdman's Avatar
    Title
    Moderator
    Join Date
    Sep 2014
    Location
    Hitchin, UK
    Posts
    7,769
    Thanks
    235
    Thanked 1,656 Times in 1,305 Posts
    Quote Originally Posted by chrcoluk View Post
    But interestingly when I did ls /proc/1649 (1640 is the PID), the exe is missing, there isn't one.
    This is true for kernel processes (things that show up within []). They run as a separate process, but don't have any executable to run.
    MiracleBox Prem Twin HD - 2@DVB-T2 + Xtrend et8000 - 5(incl. 2 different USBs)@DVB-T2[terrestrial - UK Freeview HD, Sandy Heath] - LAN/USB-stick/HDD

  13. The Following User Says Thank You to birdman For This Useful Post:

    Sicilian (01-03-20)
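
Added example, not part of any post in this thread: birdman's point in #10 (kernel threads have no `exe` link) turned into a triage check. A name in brackets in ps/top output only means `cmdline` is empty, so the script relies on the kernel-set `PF_KTHREAD` bit in field 9 of `/proc/<pid>/stat` instead. `classify_pid`, its `PROC_ROOT` argument and the verdict strings are made up for this illustration, and it assumes it is run as root so that `exe` links of other processes are readable.

```shell
#!/bin/sh
# PF_KTHREAD (0x00200000 in include/linux/sched.h) is set by the kernel in
# field 9 of /proc/<pid>/stat; unlike the name ps/top display, a userland
# process cannot set it on itself.
PF_KTHREAD=2097152

# classify_pid PROC_ROOT PID -> prints one verdict line (hypothetical helper)
classify_pid() {
    root=$1; pid=$2
    [ -r "$root/$pid/stat" ] || { echo "no-such-process"; return 0; }
    stat=$(cat "$root/$pid/stat")
    # comm (field 2) may contain spaces or ')', so cut after the LAST ') '.
    rest=${stat##*) }
    set -- $rest                      # $1=state $2=ppid ... $7=flags
    state=$1; ppid=$2; flags=${7:-0}
    cmd=$(cat "$root/$pid/cmdline" 2>/dev/null | tr '\0' ' ') || cmd=""
    exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exe=""

    if [ $(( flags & PF_KTHREAD )) -ne 0 ]; then
        echo "kernel-thread (ppid $ppid)"   # no exe link is expected here
    elif [ "$state" = "Z" ]; then
        echo "zombie"                       # exited, so no exe or cmdline
    elif [ -z "$exe" ]; then
        echo "suspicious: userland process with no exe link"
    else
        case $exe in
            *" (deleted)") echo "suspicious: binary deleted from disk: $exe" ;;
            *) [ -n "$cmd" ] && echo "userland: $exe" \
                   || echo "suspicious: userland process with empty cmdline" ;;
        esac
    fi
    return 0
}

# Usage: ./kthread_check.sh PID...   (defaults to kthreadd and this shell)
for p in ${*:-2 $$}; do
    printf '%s: ' "$p"; classify_pid /proc "$p"
done
```

A "kernel-thread" verdict for the PID in question matches what birdman describes; any of the "suspicious" verdicts is the case worth reflashing over.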

  14. #11

    Title
    Forum Supporter
    Donated Member
    Join Date
    Mar 2014
    Location
    UK
    Posts
    163
    Thanks
    36
    Thanked 6 Times in 6 Posts
    I will be doing the multiboot thing this weekend I think, thanks.

    Today I noticed the box OSD was stuck showing 7pm as the time. Turned on the tv, there is a frozen picture with audio still playing for the channel.

    I cannot login to ssh.

    The network led light is constantly flashing, I checked my firewall (pfsense), it shows absolutely no traffic at all on the vix ip, and the dhcp status is even offline, which indicates although there is a busy network led, there is actually no traffic as if the box is in some kind of fit or something.
    Zgemma H7S, internal 2tb WDC WD20NPVZ-00W HDD, ViX as below
    System OE: OE-Alliance 4.4
    Firmware version: OpenViX 5.4.013 (2021-06-24)
    Kernel / Drivers: 4.10.12 / 20191123

  15. #12
    ^^COMPASS^^'s Avatar
    Title
    Forum Supporter
    Donated Member
    Join Date
    Dec 2011
    Posts
    268
    Thanks
    281
    Thanked 307 Times in 125 Posts
    Quote Originally Posted by chrcoluk View Post
    I will be doing the multiboot thing this weekend I think, thanks.

    Today I noticed the box OSD was stuck showing 7pm as the time. Turned on the tv, there is a frozen picture with audio still playing for the channel.
    Sounds to me like the same hardware fault that saw my good friend return two Zgemma H7s 4K boxes!

    The first was returned in December & when the replacement failed within a few weeks to the same fault the second box was returned in January to the forum sponsor.

    During the above time he contacted the Sponsor & was advised to open a support ticket on the shop's website & I must say the support received from the sponsor was first class.

    In this instance both were returned free of charge and each returned box was reflashed and put on test by our Sponsor, who updated the opened ticket regularly confirming a hardware fault both times & replacement boxes were dispatched, so yes he's on his 3rd Zgemma which is fine but what's most important is the first class support he received during this time.

    Vu+UNO 4K SE [OE-Alliance-4.4 Firmware 5.4-010-Build Oscam-r11693-798][with keys]
    Vu+DUO 2 [OE-Alliance-4.4 Firmware 5.4-003-Build Oscam-r11572-798][with keys]
    Vu+SOLO 2 [OE-Alliance-4.3 Firmware 5.3-039-Build MGcamd]
    Vu+SOLO SE [OE-Alliance-4.4 Firmware 5.4-003-Build MGcamd]
