UPDATE: FBI recommends you reboot your router now to stop VPNFilter malware - more devices affected

I’ll ssh into my ddwrt Netgear after I get off work.

But I’ll end up just backing up the config and reflashing the FW on it.

It would be good if we could confirm this though, so people who are comfortable ssh’ing in to their router can confirm for themselves whether they’re infected or not. I checked, and this folder is nonexistent on mine.

I’d do a find on the whole fs for that string to be sure. But if I were to make some malware, I’d make it name things with random strings so it’s different for every install.

Was kind of worried about this when I saw the news, but I’m not on the list

and anyway, my power has gone out so many times recently I’ve had plenty of resets.

They still don’t know how infections actually occur, other than default username/password attempts. It shouldn’t be assumed this is the final form of the malware (especially when a state actor is suspected as the origin).

I found a report from Sophos:


I found none of the files mentioned. Probably the best way to see if you’re infected is to use a sniffer. Neither of these methods is user friendly to the average person.