[Chilli] Apparent intrusion attempt on AP running

Claus Stjernø claus at stjerno.dk
Mon Feb 16 09:13:58 UTC 2015


Hi Ben,

My guess is that you have a virus-infected client.

The client is trying to reach a site and is requesting a tasklist from a
predefined server. Your Chilli daemon is redirecting his HTTP calls, but the
user's request for the particular PHP code throws an error in the redir.c
code.

See the request for that particular PHP code here:
http://lists.clean-mx.com/pipermail/viruswatch/20120206/031018.html

The other PHP calls could also be part of the virus, but like others
have said, Google did not help here :)

Kind regards,

Claus

A Nanostation M2 running OpenWrt AA with coova-chilli v1.2.9 stopped its
periodic heartbeat, and I had a chance to SSH in locally w/in 1 hour of the
last heartbeat.

I didn't get a chance to inspect the AP's local state very well before having
to issue a "reboot -f" after the initial SSH session appeared to freeze.

Besides the device only having 1 Mbyte of remaining free memory, I did notice
these log messages from coova-chilli (trimmed and anonymized):

Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
...
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: associated (aid 3)
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX RADIUS: starting accounting session 0000002F-000001AD
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
...
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
...

The "invalid file extension" instances, of which there are a couple dozen,
are only a few seconds apart.  The URL parts like "getTasklist.php" and
"getAccountNum.php" seem to suggest whatever the client is doing (i.e.
hammering the chilli agent with lots of bogus port 80 requests) is abusive.
These log messages did coincide with this particular Nanostation verging on
unresponsive, although I didn't get a chance to run "top" or "uptime" before
needing to force a reboot.

Besides simply blocking this particular MAC from associating, are there other
measures to ward off intrusions like this?

--

Ben West

http://gowasabi.net

ben at gowasabi.net <mailto:ben at gowasabi.net>

314-246-9434
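A small detector for the pattern Ben describes, written as an added example for this thread (it is not code from the thread or from the CoovaChilli project). It assumes the syslog line layout visible in the quoted messages, and the sample lines inside it are constructed copies of those messages with the same anonymized MAC and IP. The burst threshold and window size are arbitrary tuning knobs, not values from the post:

```python
"""Flag bursts of coova-chilli "invalid file extension!" errors and tie them
to the client most recently assigned an IP.

Added example; not part of the mailing-list thread or of CoovaChilli.
Assumed log layout: "Mon DD HH:MM:SS host facility.sev prog[pid]: msg".
"""
import re
from collections import deque
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
"""

# Generic syslog prefix: timestamp, host, facility.severity, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<fac>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ASSIGN_RE = re.compile(r"Client MAC=(?P<mac>[0-9A-Fa-fXx-]+) assigned IP (?P<ip>\S+)")
INVALID_RE = re.compile(r"invalid file extension! \[(?P<path>[^\]]+)\]")


def parse_line(line):
    """Split one syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed year is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "prog": m.group("prog"), "pid": m.group("pid"), "msg": m.group("msg")}


def find_bursts(log_text, threshold=3, window_seconds=60):
    """Return one alert per burst of >= threshold redir.c invalid-extension
    errors that fall within window_seconds of each other (sliding window).
    Each alert carries the burst span, count, the requested paths, and the
    MAC/IP from the last "assigned IP" line seen before the burst."""
    alerts = []
    recent = deque()      # (timestamp, path) of errors inside the window
    last_assign = {}      # most recent client-to-IP assignment
    in_burst = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["prog"].startswith("coova-chilli"):
            continue
        a = ASSIGN_RE.search(rec["msg"])
        if a:
            last_assign = {"mac": a.group("mac"), "ip": a.group("ip")}
            continue
        inv = INVALID_RE.search(rec["msg"])
        if not inv:
            continue
        recent.append((rec["ts"], inv.group("path")))
        # Drop errors that have aged out of the window.
        while (rec["ts"] - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) < threshold:
            in_burst = False
            continue
        if not in_burst:
            in_burst = True
            alerts.append({
                "start": recent[0][0], "end": rec["ts"], "count": len(recent),
                "paths": sorted({p for _, p in recent}),
                "suspect": dict(last_assign),
            })
        else:
            cur = alerts[-1]
            cur["end"] = rec["ts"]
            cur["count"] += 1
            cur["paths"] = sorted(set(cur["paths"]) | {inv.group("path")})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(f"{alert['count']} redir errors {alert['start']:%H:%M:%S}-"
              f"{alert['end']:%H:%M:%S} from {alert['suspect']} paths={alert['paths']}")
```

Fed the live syslog instead of the constructed sample, the alert gives the MAC to act on without guessing; note also that every redir.c line in the quoted log carries a different pid, which is consistent with a fresh handler per request and explains why a steady stream of bogus port 80 requests shows up as memory pressure on a device with this little RAM.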
