0 votes
705 views 3 comments

We have some RUT9230 installed as 4G modem (firmware version: RUT2XX_R_00.00.89).
For some needs their SIM card has a public IP.

And I want to know if the two lines below in User Scripts are normal or not:

"exit 0"



2 Answers

0 votes


If the goal is to run /sbin/keepaliver on router start up, then yes, looks normal. Just lose the quotation marks ("").

Also, judging from the name /sbin/keepaliver looks like a custom file. So you might need to give it executable rights for this to work:

chmod +x /sbin/keepaliver

Best answer


The quotation marks are not in User Scripts. It was a way for me to distinguish it from the rest of the text. And I now see it is a WYSIWYG editor!!!

In fact, I don't know what this file is. And I suspect malware. Your answer shows me that it is not "normal".



So, you didn't add the /sbin/keepaliver part yourself? I'm asking because it's definitely not the default value, as /sbin/keepaliver does not exist. If you didn't add it yourself, then yes, it's possibly malware. The default, untouched User Scripts file should look like this.

I recommend resetting the router and setting up a strong password (especially if you're using remote access). Also, the firmware is 2.5 years old; I recommend upgrading it as well. Firmware downloads for RUT2xx routers are stored here.

I removed the script (via SSH) and reset User Scripts to the default value.
The suspicious connections did not reappear. Great.

But you are right: we have to upgrade our router and reinforce the security. We are gathering recommendations.

Thank you for everything.
0 votes
Update your firmware version ASAP. It looks like your router was owned due to a bug in firmware <= 00.03.265.

Search for "CVE-2017-8116: Teltonika router unauthenticated remote code execution", update the firmware ASAP, and check if WAN HTTP(S) access is activated in the Administration --> Access Control menu.

BR, Ronald
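
The check discussed in this thread, as an added example that is not part of any participant's post: it lists every line of a startup-script file that is not a comment, a blank line or `exit 0`, and reports whether each absolute path on such a line exists. The function name, the file location (commonly /etc/rc.local on OpenWrt-based firmware) and the sample input are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Flags every line of a startup script
# that is not a comment, blank, or the closing "exit 0".
# Assumption: User Scripts is stored as a plain shell file (on OpenWrt-based
# firmware commonly /etc/rc.local); pass the real path as the first argument.

# audit_user_script FILE [ROOT]
#   stdout: "UNEXPECTED: <line>" per flagged line, then "PATH: <path> <state>"
#           for each absolute path on it (ROOT is prefixed when checking).
#   return: 0 clean, 1 something flagged, 2 file unreadable.
audit_user_script() {
    file=$1 root=${2:-} flagged=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    set -f                                  # no globbing while splitting words
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|'exit 0') continue ;;   # comment, blank, default ending
        esac
        flagged=1
        printf 'UNEXPECTED: %s\n' "$line"
        for word in $line; do
            case $word in /*) ;; *) continue ;; esac
            if   [ -x "$root$word" ]; then state=executable
            elif [ -e "$root$word" ]; then state=present-not-executable
            else                           state=missing
            fi
            printf 'PATH: %s %s\n' "$word" "$state"
        done
    done < "$file"
    set +f
    return "$flagged"
}

# With a readable file as argument, audit it; otherwise use a constructed sample.
if [ -r "${1:-}" ]; then
    audit_user_script "$1" || echo "review the flagged lines above"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' '/sbin/keepaliver' 'exit 0' > "$sample"
    audit_user_script "$sample" || echo "review the flagged lines above"
    rm -f "$sample"
fi
```

A flagged path reported as `executable` is the case to investigate first, since that file will run at every boot; copy it off the device for analysis before resetting.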