
A WARNING: virus in DMM boxes...

gorski
25-01-2007, 02:32 PM
SPYWARE ONBOARD? VIRUS IN LINUX DREAMBOX?? CHECK YOUR BOX

Something is hacking the Dreambox when you have port 21 open.
How they find you I don't know, maybe because of 1 cw that leads to 100 others

and that leads to 100.000 others and so on.

When they have hacked you, they upload a tarfile 4347_tool2.tar in /var and unpack it in /var/tool2 and then run a script start.sh in /var/tool2 which uses a binary called tvconnector.

Who these people are I don't know, what this does I don't know.
I do know that it should not be in your Dreambox.
This could easily be spyware from who knows.
My advice to you all: check your Dreambox, and if you see one of these files/dirs in your box

FLASH IT

Don't take any risk, maybe your box is sending data about your peers,
maybe your box is sending data to collect as evidence against you.

Thanx to the GBox/CCcam forum!!

Cheers! ;) 8)

HaCKaMaC
25-01-2007, 10:16 PM
Confirmed!

Found it a couple of days ago on my box. But it isn't always called 4347_tool2.tar. Mine was named 5059_tool2.tar.

Check your processes under system info, and you'll find several instances of "TVconnector". Kill'em.

My router log showed data was transmitted to blog.balderberg.org and faderhuset.org (check the URLs in the file).
danskfront.dk is also mentioned in the URLs, but I didn't see any data transmissions to that.
faderhuset is a religious sect.
danskfront is an extreme organisation (nazi tendencies) with relations to "Blood and Honour" and "Combat 18".

I'm sorry I didn't warn you 'bout it, but going through the files indicated it was targeting ordinary Linux servers, and since it connected to Danish URLs, I believed it just accidentally hit my Dreambox.
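As an added check (not code from the thread or from any project it mentions), the POSIX sh function below looks for the three indicators the posts describe: the numbered _tool2.tar archive in /var, the /var/tool2 directory with its start.sh, and running tvconnector processes. The fixture directories and the ps listing at the bottom are constructed so the check can be exercised off the box; on a Dreambox you would run `dreambox_ioc_check / "$(ps)"`.

```shell
# Added example, not code from the thread. Exit status 0 = nothing found,
# 1 = at least one indicator found (details are printed as they are hit).

dreambox_ioc_check() {
    root="${1:-/}"   # filesystem root to inspect
    pslist="$2"      # text of a process listing, e.g. the output of ps
    found=0

    # 1. the dropped archive <number>_tool2.tar in /var (4347, 5059, ...)
    for f in "$root"/var/*_tool2.tar; do
        [ -e "$f" ] || continue
        echo "dropped archive: $f"
        found=1
    done

    # 2. the unpack directory with its launcher script and binary
    if [ -d "$root/var/tool2" ]; then
        echo "unpack directory: $root/var/tool2"
        [ -f "$root/var/tool2/start.sh" ] && echo "  launcher: start.sh"
        [ -f "$root/var/tool2/tvconnector" ] && echo "  binary: tvconnector"
        found=1
    fi

    # 3. running instances (case-insensitive: the post writes "TVconnector");
    #    "|| true" keeps a zero count from aborting the script under set -e
    n=$(printf '%s\n' "$pslist" | grep -ic 'tvconnector' || true)
    if [ "$n" -gt 0 ]; then
        echo "running tvconnector processes: $n"
        found=1
    fi
    return $found
}

# Constructed fixtures so the check can be exercised without an infected box.
make_fixture() {   # $1 = directory, $2 = "infected" or "clean"
    mkdir -p "$1/var"
    if [ "$2" = infected ]; then
        mkdir -p "$1/var/tool2"
        : > "$1/var/5059_tool2.tar"
        printf '#!/bin/sh\n./tvconnector\n' > "$1/var/tool2/start.sh"
    fi
}
PS_CLEAN='  PID USER  COMMAND
  101 root  /sbin/init'
PS_INFECTED="$PS_CLEAN
  742 root  /var/tool2/tvconnector
  743 root  /var/tool2/tvconnector"
```

A non-zero exit is the condition under which the first post recommends reflashing the box.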

HaCKaMaC
24-02-2007, 11:59 PM
This evening I finally got the time to check out this "virus".

It turns out the "tvconnector" uses your Dreambox to overload the servers in question. Your box is the tool, not the target.
So, no critical data sniffed by "ugly people".

gorski
25-02-2007, 02:54 AM
Explain, please...

HaCKaMaC
25-02-2007, 09:25 PM
TVconnector is a program originally used to put severe load on servers to test the server's ability to serve a large number of clients (put the server under siege), and the program is misused to attack and shut down web sites.
So it seems like someone wanted to shut down the sites in the URL list, easy to understand knowing who's behind those sites.

gorski
25-02-2007, 10:26 PM
Thanx, m8!

HaCKaMaC
25-02-2007, 11:21 PM
Just found this 'bout the original code on a website.

ABOUT SIEGE
Siege is an http regression testing and benchmarking utility. It was designed to let web developers measure the performance of their code under duress, to see how it will stand up to load on the internet. Siege supports basic authentication, cookies, HTTP and HTTPS protocols. It allows the user to hit a web server with a configurable number of concurrent simulated users. Those users place the webserver "under siege."

PLATFORM SUPPORT
Siege was written on GNU/Linux and has been successfully ported to AIX, BSD, HP-UX and Solaris. It should compile on most System V UNIX variants and on most newer BSD systems. Because Siege relies on POSIX.1b features not supported by Microsoft, it will not run on Windows. Of course you can use Siege to test a Windows HTTP server.
