JAC4 compromised image (hacked malware)

Discussion in 'Cisco/Linksys Network Storage Devices' started by donaldisquackers, May 29, 2018.

  1. donaldisquackers

    I may be one of a few people still running a NAS200, recently I noticed it was running very slow. A little digging revealed it was proxying hundreds of connections per hour, if not more. Upon booting, the device would connect to ya.ru and hostby.channelnet.ie. The included toolset on busybox wasn't enough for me to find the actual executable running this stuff. I was unable to see the PIDs of the open ports and all processes seemed "normal."

    Some packet sniffing showed even more nefarious activity. This device has been behind a firewall all of its life. Figuring somehow it got exploited, I decided to re-flash the last firmware image onto it. Again, it does the exact same thing, starts making connections to the above hosts.

    I obtained the original Cisco/Linksys firmware, all clear, no nefarious connection. For giggles, I re-flashed the Jac4 firmware I had, it started making those connections again. If you are still running JAC4, check to see if your version is the same and exhibiting the same behavior. I originally downloaded this in 2011.


    NAS200_V34R79jac4.bin md5:f448ae48c3e84aba0cfe89167c44f78a
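
The post could not tie the open ports to a PID with the busybox toolset. As an added example (not part of the original post), this script maps ESTABLISHED IPv4 TCP sockets to their owning PIDs using only /proc. It assumes a little-endian host and a busybox build that provides `readlink` and `cut`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: map ESTABLISHED TCP sockets to PIDs using only /proc.
# Assumptions: little-endian host, IPv4 only, readlink and cut available.

# decode_addr HEXIP:HEXPORT -> dotted.quad:port
# /proc/net/tcp stores the IPv4 address in host byte order, so on a
# little-endian machine the hex bytes are read right to left.
decode_addr() {
    ip=${1%%:*}; port=${1##*:}
    a=$(printf '%s' "$ip" | cut -c7-8); b=$(printf '%s' "$ip" | cut -c5-6)
    c=$(printf '%s' "$ip" | cut -c3-4); d=$(printf '%s' "$ip" | cut -c1-2)
    echo "$((0x$a)).$((0x$b)).$((0x$c)).$((0x$d)):$((0x$port))"
}

# list_established [FILE] -> "remote_ip:port inode" per ESTABLISHED socket.
# FILE defaults to /proc/net/tcp; state 01 is ESTABLISHED. The header line
# is skipped because its state column is the literal text "st".
list_established() {
    while read -r sl loc rem st txrx tr retr uid tmo inode rest; do
        [ "$st" = "01" ] || continue
        echo "$(decode_addr "$rem") $inode"
    done < "${1:-/proc/net/tcp}"
}

# pid_for_inode INODE [PROCROOT] -> PID holding an fd on socket:[INODE].
# Returns 1 when no process visible under PROCROOT owns the socket.
pid_for_inode() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
        return 0
    done
    return 1
}

# report [TCPFILE] [PROCROOT] -> "remote_ip:port pid=N", or pid=? if unowned.
report() {
    list_established "$1" | while read -r remote inode; do
        echo "$remote pid=$(pid_for_inode "$inode" "$2" || echo '?')"
    done
}

# On the device, run as root:  report
```

A `pid=?` line means no process visible under /proc holds that socket. For any PID that is reported, `readlink /proc/PID/exe` gives the path of the executable behind it.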
     