I'm about ready to turn in for tonight. I've been planning on making my next blog post a shining review of the newly released decentralization appliance, the Freedombox. However, right now my freedombox is sitting off on my desk with its brain preparing for a forensic analysis in Kali. How did we get here?
It started while I was sitting on my computer. I was actually about to run a virus scan for what I thought was a false positive on my laptop, so I rebooted to safemode with networking, but I was unable to join the network. My wife complained about the network being unusable, so I looked at the status of my router on my phone. Nearly 100% CPU usage. Resetting the router did nothing. I managed to get onto the web UI, and immediately went to check connections. The connections showed a ton of connections going to my freedombox. My first guess was that the tor node running on the freedombox had suddenly gotten too many inbound connections, so I disabled tor on the freedombox, but the problem only started getting worse. I was unable to do anything on the router at all. At this point I pulled the LAN cable out of the freedombox and suddenly the CPU usage on the router nosedived and it was accessible again. Next, I pulled the WAN cable out of the router, and plugged the freedombox back in. Now, I checked the web access history on the router for the freedombox and it was full of sketchy Chinese websites such as 388wj.com. If my freedombox was being attacked from the outside, I wouldn't be seeing weird URLs in the traffic. This means we may have been compromised.
I sshed into the box and realized I didn't have any security tools on the box, such as chkrootkit or lynis. The problem is the instant I create a direct route from the freedombox to the WAN, my router melts and I can't connect to the freedombox. So I shut it down and pulled out the SD card the system is running on.
Tomorrow, I will run chkrootkit on the box, and potentially try to do some real forensics on it. If I can't solve anything, then I'll have to just reimage the box and install lynis and get backups ready first thing. This is going to suck. I have my calendar saved on the freedombox, but it had been misbehaving already, so it was already scheduled for a wipe. Hopefully I am able to identify something from the SD card and learn something from all of this.
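Added example, not from the original post: a read-only first pass over the SD card's root filesystem once it is mounted in Kali, before chkrootkit is run. It assumes the card's root partition has been mounted read-only at a path passed as the first argument (the device name and mount point are placeholders) and only lists recently changed system files, setuid binaries and common persistence spots, so nothing on the card is executed or modified.

```shell
#!/bin/sh
# Offline triage of a Freedombox SD card mounted read-only, e.g. (placeholder device):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX2 /mnt/fbx
# Each function takes the mount point and prints paths; nothing on the card is run.

# Files under key system paths whose content changed within the last DAYS days (default 7).
# On a box that has not been updated recently, anything listed here needs an explanation.
recent_changes() {
  root="$1"; days="${2:-7}"
  for d in etc usr/bin usr/sbin usr/local lib/systemd/system var/spool/cron; do
    [ -d "$root/$d" ] && find "$root/$d" -type f -mtime "-$days" 2>/dev/null
  done | sort
}

# Setuid/setgid files on the card; compare against what the Debian packages ship.
setuid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Common persistence points: cron entries, rc.local and SSH authorized_keys files.
persistence_files() {
  root="$1"
  {
    find "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/rc.local" \
         "$root/var/spool/cron" -type f 2>/dev/null
    find "$root/root" "$root/home" -type f -name authorized_keys 2>/dev/null
  } | sort -u
}

# Run all three checks against the mount point given on the command line.
triage_root() {
  root="$1"
  echo "== files changed in the last ${2:-7} days =="; recent_changes "$root" "${2:-7}"
  echo "== setuid/setgid files =="; setuid_files "$root"
  echo "== persistence points =="; persistence_files "$root"
}

[ -n "$1" ] && triage_root "$1" "$2"
```

Save the listing to a file on the analysis machine, not the card, so it can be compared against a clean Freedombox image later.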