

Source code for backdoor found in Tenda router - jenandre
https://github.com/socoola/yhrouter/blob/master/user/goahead/src/goahead.c 

======
paraxisi
[http://www.devttys0.com/2013/10/from-china-with-love/](http://www.devttys0.com/2013/10/from-china-with-love/)

------
audidude
[https://github.com/socoola/yhrouter/blob/master/user/goahead...](https://github.com/socoola/yhrouter/blob/master/user/goahead/src/goahead.c#L939)

I'm no security expert, but what this is doing is creating a UDP socket
(SOCK_DGRAM) that expects commands to be executed (using call_shell()). It
then replies with the output back to the sender of the UDP packet.

------
beltsonata
Er... where, exactly?

~~~
GrinningFool
Looks like here is where it gets interesting:
[https://github.com/socoola/yhrouter/blob/master/user/goahead...](https://github.com/socoola/yhrouter/blob/master/user/goahead/src/goahead.c#L957)

An example of the inbound command structure, then code further below to
execute it and respond.

It listens on the LAN interface (assuming the value shown is what it says it
is) for datagram requests. Unless I'm missing something, that seems to
indicate an attacker must already be on the same network.

It does shell out the commands it receives - so perhaps more interesting would
be to look and see what kinds of accessible binaries and scripts ship on the
device.

