Recently the Xiaomi router has been in the news again for bad behaviour: a while ago it hijacked 403/404 pages, and now even ordinary pages are being hijacked to insert Xiaomi ads. This is simply intolerable! Drawing on experts online and on his own investigation, the editor has put together a temporary fix for the Xiaomi router's 403/404 hijacking and ad insertion. What Xiaomi does with the router next remains to be seen.
Report from the forum
Suspicious startup items and process profiling
Over the past few days I did some analysis of the startup items and processes on the Xiaomi router (R1D), and arrived at a first pass at a somewhat cleaner Xiaomi router:
1.1 /etc/init.d/http_client_detect
This startup item mainly loads two kernel modules with insmod, nf_conn_ext_http and nf_tcp_proxy, and also starts /usr/sbin/http_dpi.
I haven't studied it in depth yet, but my preliminary judgment is that the Xiaomi router monitors the user's HTTP traffic in order to hijack 404 pages and insert advertisements.
So this startup item must be removed. Discarded.
1.2 /etc/init.d/rule_mgr
This startup item loads the http_match, nf_conn_ext_http and nf_tcp_proxy kernel modules.
It is also used to assist the hijacking. Discarded.
1.3 /etc/init.d/http_status_stat
Judging from the name alone, this should be used to hijack 404 pages. Discarded.
1.4 /etc/init.d/statisticsservice
The configuration file used by this startup item contains the setting: ad_filter_stat_url = "http://127.0.0.1:8195/"
This feels like an advertising proxy: why else would it need to access port 8195? And the "ad" in the name is surely short for advertisement. Discarded.
1.5 /etc/init.d/sysapihttpd
This starts the HTTP server. Starting only port 80 would be fine, but it starts N services and ports; I won't rant about it here.
In short, it works together with the 404 hijacking and the advertising, so it needs to be discarded.
If this startup item is disabled, you may not be able to access the Xiaomi router's web configuration page. Don't worry: you can start uhttpd to serve it instead.
1.6 /etc/init.d/mihttpd
This also starts the Xiaomi router's configuration page, but not on port 80. Discarded.
1.7 /etc/init.d/xunlei
Downloads on the Xiaomi router go through Xunlei. If you need the download feature you can leave it running, but I have no such need and don't like looking at it, so it is discarded.
1.8 /etc/init.d/messagingagent.sh
This startup item reports some of the router's data to Xiaomi's servers; remote access from the mobile app works by contacting Xiaomi's servers to get information about the router.
I won't describe the details. My personal feeling is that sending this information to Xiaomi is not trustworthy.
Although it is done under the banner of "remote management", who knows whether private personal information is being uploaded.
If you still need to configure the router remotely with the mobile app, you can keep it.
Operation Steps:
Of course there are other suspicious processes on the Xiaomi router, but their purpose or relevance has not yet been worked out.
This is mainly a preliminary solution to problems such as 404 hijacking and ad insertion:
The system version on the Xiaomi router I have on hand is development version 2.3.10; other versions have not been tried.
2.1 First enable SSH access. This needs little explanation: there are many tutorials online, and it can also be enabled through the official Xiaomi website. Enabling it voids the warranty, so weigh that for yourself.
2.2 Stop the suspicious processes:
/etc/init.d/rule_mgr stop
/etc/init.d/http_client_detect stop
/etc/init.d/http_status_stat stop
/etc/init.d/statisticsservice stop
/etc/init.d/sysapihttpd stop
/etc/init.d/mihttpd stop
If you do not need remote access and Xunlei downloads, you can continue with:
/etc/init.d/messagingagent.sh stop
/etc/init.d/xunlei stop
The processes above are now stopped.
2.3 Disable automatic startup of the suspicious processes:
/etc/init.d/rule_mgr disable
/etc/init.d/http_client_detect disable
/etc/init.d/http_status_stat disable
/etc/init.d/statisticsservice disable
/etc/init.d/sysapihttpd disable
/etc/init.d/mihttpd disable
If you do not need remote access and Xunlei downloads, you can continue with:
/etc/init.d/messagingagent.sh disable
/etc/init.d/xunlei disable
This way, the processes above will no longer run at boot after a reboot.
2.4 Start uhttpd:
Because sysapihttpd has been stopped, the Xiaomi router's web configuration page will no longer be accessible.
Luckily, uhttpd is present on the Xiaomi router.
First, edit /etc/init.d/uhttpd.
Find the line [ $use_uhttpd -eq 0 ] && return 0, roughly the eighth line from the end, and comment it out.
Then start uhttpd:
/etc/init.d/uhttpd start
and set it to run automatically at boot:
/etc/init.d/uhttpd enable
2.5 Some of the entries in the scheduled tasks also leave me in doubt.
Run crontab -e to comment them out. I currently plan to keep only NTP in the scheduled tasks, and I have commented out the other entries.
At this point, I personally think this solves the Xiaomi router's 404 hijacking, ad insertion and data reporting. My Xiaomi router has been running this way for 3 days and is currently working normally. There may be suspicious processes that have not been found yet; I will keep watching. The Xiaomi router purification plan: continue analysing suspicious processes and lock them away; another approach is to replace Xiaomi's customised LuCI with the original LuCI, since having to install a plugin through the mobile app is a real pain.
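To check the result of steps 2.2 to 2.4 after a reboot, the following added example (not from the original article) audits a root filesystem for the startup items and kernel modules listed above. It assumes the firmware uses the stock OpenWrt /etc/rc.d/S<NN><name> symlink layout for enabled services; the function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Service and module names are the ones
# the article lists; the /etc/rc.d/S<NN><name> layout is assumed (OpenWrt).
SERVICES="rule_mgr http_client_detect http_status_stat statisticsservice sysapihttpd mihttpd messagingagent.sh xunlei"
MODULES="nf_conn_ext_http nf_tcp_proxy http_match"

# Print listed services that still have a start symlink under ROOT/etc/rc.d.
enabled_services() {
    for link in "$1"/etc/rc.d/S*; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        name=$(basename "$link" | sed 's/^S[0-9]*//')
        case " $SERVICES " in *" $name "*) echo "$name" ;; esac
    done
}

# Print listed kernel modules found in a /proc/modules-format file.
loaded_modules() {
    while read -r mod _rest; do
        case " $MODULES " in *" $mod "*) echo "$mod" ;; esac
    done < "$1"
}

# True if the use_uhttpd guard in ROOT/etc/init.d/uhttpd is not commented out.
uhttpd_guard_active() {
    grep -Eq '^[^#]*use_uhttpd[[:space:]]*-eq[[:space:]]*0' "$1/etc/init.d/uhttpd" 2>/dev/null
}

# Report leftovers; returns 0 only when nothing from the article's list remains.
audit() {
    rc=0
    for s in $(enabled_services "$1"); do echo "still enabled: $s"; rc=1; done
    for m in $(loaded_modules "$1/proc/modules"); do echo "module loaded: $m"; rc=1; done
    if uhttpd_guard_active "$1"; then echo "uhttpd guard still active"; rc=1; fi
    return $rc
}

# Constructed sample tree: two services left enabled, one module still loaded.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/rc.d" "$d/etc/init.d" "$d/proc"
    ln -s ../init.d/rule_mgr "$d/etc/rc.d/S60rule_mgr"
    ln -s ../init.d/xunlei "$d/etc/rc.d/S99xunlei"
    ln -s ../init.d/uhttpd "$d/etc/rc.d/S50uhttpd"
    printf '%s\n' 'nf_tcp_proxy 12345 0 - Live 0x0' 'ip_tables 999 1 - Live 0x0' > "$d/proc/modules"
    printf '%s\n' 'start() {' '    #[ $use_uhttpd -eq 0 ] && return 0' '}' > "$d/etc/init.d/uhttpd"
    echo "$d"
}

demo=$(make_fixture); audit "$demo" || true; rm -rf "$demo"   # on the router: audit /
```

A module that still shows up after the startup items are disabled usually means another script loads it, which is worth tracing before trusting the cleanup.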