Virus inserted on Residential Gateway - how to get rid of it

Tutor

Virus inserted on Residential Gateway - how to get rid of it

I have a couple of applications on a server behind my residential gateway, one that uses protocol 443 (https).  At some point last year I found that upon invocation of my address, I was presented with a false and expired SSL certificate.  After some hunting around, I found that this certificate is associated with a small web server named "mini_httpd", and further I found that it is mounted on a number of other AT&T Residential Gateways.  I don't know what it is doing, I don't know how it gets installed, but I can tell you how to detect if you have it, and how to get rid of it.  

Here is a link that tipped me off that a number of people with UVerse RGs have the same problem I had:  http://dazzlepod.com/ip/108.194.57.63/.  If that's your IP address...  for that matter, if you're curious whether this is on your gateway, go to a computer that is outside your network (like at work) and try to link to your IP address on port 443, like so - 108.194.57.63:443.  You have to know your external IP address, but you can find it on the RG setup pages.

I believe that whoever puts this thing on the RGs is doing a brute force attack on the RG password, then doing whatever he does to install the web server.  The way to get rid of it is to do a reset of all settings, then a hard reboot.  But you have to change the password to something harder than the default - tip: use combinations of letters, numbers, and symbols, maybe 20+ characters long.  Also you need to enable an option on the firewall|advanced configuration screen that prevents excessive session attempts.  I believe this will prevent it from happening again, but I'm not exactly sure.  I never changed my default password, which is only 10 numeric characters, so I figure it was breached and the virus installed.  

AT&T should enable the excessive session option by default and should figure out how this thing was mounted in the first place.  I am assuming that there is a lot of traffic among these things between gateways but can't be sure.

Good luck.

Message 1 of 8 (2,327 Views)
Expert

Re: Virus inserted on Residential Gateway - how to get rid of it

Do you have wireless IPTV receivers in your setup?

If so, the special wireless access point that AT&T provides has a web server in it to allow AT&T to manage it. That web server runs on port 443, and the RG has a permanent firewall pinhole inserted in it to divert port 443 requests to the special access point.
Message 2 of 8 (2,298 Views)
Tutor

Re: Virus inserted on Residential Gateway - how to get rid of it

[ Edited ]

I do... that would be quite frustrating.  

But I can't believe they would use a personal, unverified SSL certificate that is posted on a hacker's web site, that expired in 2010, etc. etc. etc.  I didn't post it above, but I found that certificate in a code repository, and while I didn't look into what the code did, I'm not sure I want to know.  Here it is -

[removed third party link]

I can't believe that ATT would put that same certificate in the RG.  And now that I've reset/rebooted, I'm not getting the behavior anymore.  But I guess that anything is possible.

Message 3 of 8 (2,241 Views)
Expert
Solution
Accepted by topic author dthou
‎09-30-2015 1:39 AM

Re: Virus inserted on Residential Gateway - how to get rid of it

It's probably a self-signed certificate. Many self-signed certificates from certain operating systems will be the same since they use the same mechanisms to self-sign them. The embedded Linux variant used on the wireless access point is a common variant, so it's probably the same as several other self-signed certificates, including some hacker certificates.

Usually, self-signed certificates are used only to provide the encrypted channel, but not authentication. This is fine for AT&T's purpose since they don't need to authenticate the wireless access point, but instead just make sure that their protocol for controlling it is hidden.

Message 4 of 8 (2,221 Views)
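The check suggested in the first post (connect to your external address on port 443 from outside and see what answers) and the point made in this reply (a self-signed certificate only provides the encrypted channel, and many embedded devices present look-alike ones) can be done in one small tool. The following is an added example, not code from this thread or from AT&T: it completes a TLS handshake with a given host:port, skips verification on purpose so the certificate is visible even when it is self-signed or expired, and reports subject, issuer, validity window, whether the certificate signed itself, and whether it has lapsed. With no argument it runs the same checks against a constructed, deliberately expired self-signed certificate (the name "example-embedded-device" is a made-up sample, not the certificate the poster found), so it can be tried offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// Report captures what the thread argues about for whatever answers on the
// gateway's port 443: who the certificate claims to be, whether it signed
// itself, and whether it has already expired.
type Report struct {
	Subject    string
	Issuer     string
	NotBefore  time.Time
	NotAfter   time.Time
	SelfSigned bool
	Expired    bool
}

// Inspect evaluates a leaf certificate as of "now". Self-signed is decided
// cryptographically (the signature verifies under the certificate's own
// public key), not by merely comparing the subject and issuer strings.
func Inspect(cert *x509.Certificate, now time.Time) Report {
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return Report{
		Subject:    cert.Subject.String(),
		Issuer:     cert.Issuer.String(),
		NotBefore:  cert.NotBefore,
		NotAfter:   cert.NotAfter,
		SelfSigned: selfSigned,
		Expired:    now.After(cert.NotAfter),
	}
}

// Probe completes a TLS handshake with addr (host:port) and reports the leaf
// certificate presented. Verification is skipped on purpose: the goal is to
// see the certificate even when it would fail validation. Nothing is sent
// beyond the handshake itself.
func Probe(addr string, timeout time.Duration) (Report, error) {
	dialer := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return Report{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Report{}, fmt.Errorf("%s completed a handshake but sent no certificate", addr)
	}
	return Inspect(certs[0], time.Now()), nil
}

// ConstructedExpiredCert builds a throwaway self-signed certificate whose
// validity ended in 2010, a constructed stand-in for the one in the thread,
// so the checks can be exercised without touching the network.
func ConstructedExpiredCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-embedded-device"}, // constructed name
		NotBefore:    time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func (r Report) String() string {
	return fmt.Sprintf("subject=%q issuer=%q valid=%s..%s self-signed=%t expired=%t",
		r.Subject, r.Issuer, r.NotBefore.Format("2006-01-02"),
		r.NotAfter.Format("2006-01-02"), r.SelfSigned, r.Expired)
}

// With no argument the program inspects the constructed certificate; with a
// host:port argument it probes that address (from outside your own network,
// as the first post suggests).
func main() {
	if len(os.Args) > 1 {
		rep, err := Probe(os.Args[1], 5*time.Second)
		if err != nil {
			fmt.Fprintln(os.Stderr, "probe failed:", err)
			os.Exit(1)
		}
		fmt.Println(rep)
		return
	}
	cert, err := ConstructedExpiredCert()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(Inspect(cert, time.Now()))
}
```

A self-signed, expired result on its own does not distinguish a managed device such as the wireless access point from something unwanted; what it gives you is a record of exactly what is listening, which you can compare against what your provider says should be there, and re-run after a reset to see whether the listener comes back.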
Tutor

Re: Virus inserted on Residential Gateway - how to get rid of it

Now it is back again.  I cannot understand why they would put it on port 443.  Take a look at this certificate; AT&T isn't that bad, is it?  The specific Cisco application appears to have a special pinhole in the ~3300 port neighborhood, which would be more logical to me.  Attached below is a summary of the certificate (same stuff I sent earlier from that hacker web site). 

Message 5 of 8 (2,096 Views)
Expert

Re: Virus inserted on Residential Gateway - how to get rid of it

OK, the AT&T system maintains port 443 open to the wireless access point. Their system keeps that configured on the RG.

If you're running a web server behind the RG that uses https (port 443), you will not be able to do it with just a firewall rule. If you delete the AT&T-created rule for the wireless access point and put your own rule for your web server in for port 443, your rule will eventually get deleted and the 443 rule for the WAP will get put back in.

If you want to keep wireless STBs and run a web server behind the RG on 443, then you will have to get static IPs and run the web server on one of them.
Message 6 of 8 (2,081 Views)
Tutor

Re: Virus inserted on Residential Gateway - how to get rid of it

I would assume that if I got rid of the wireless STB and had that TV hardwired, this would go away, no?  Further, since my earlier posts, I've found that the wireless transmitter that connects to the STB is the one that maintains that port, so sorry for the questions earlier!

Message 7 of 8 (2,039 Views)
Expert

Re: Virus inserted on Residential Gateway - how to get rid of it

Yes, if you get rid of the wireless STBs, they should remove the port 443 rule, leaving that port available for your web server.
Message 8 of 8 (2,025 Views)