GS1900-10HP hacked :\

GabrieleMax Posts: 1  Freshman Member
edited April 2021 in Switch
When I try to connect to my GS1900-10HP it sends me a file named

Yq2b40+w, when I open it I have:

Index of /mnt/web/


The first file is a compressed file and inside of it I have a lot of files with *.ko extension something like codec.ko and decoder.ko, really strange :\

In the second file I have:

if [ -f /mnt/web/modules.tar.lzma ];then
    rm -rf /lib/modules/*
    umount /lib/modules/

In the third file I have:

if [ -f /mnt/web/modules.tar.lzma ];then
    mount -t ramfs /dev/mem3 /lib/modules/
    cp /mnt/web/modules.tar.lzma /lib/modules/
    cd  /lib/modules/
    unlzma modules.tar.lzma
    tar -xvf modules.tar
    rm modules.tar
    cd -

After a port scan I have:

[email protected]:/home/gabriele# nmap -sS -P0 -sV -O
Starting Nmap 7.70 ( ) at 2018-08-04 16:12 CEST
Nmap scan report for
Host is up (0.020s latency).
Not shown: 998 closed ports
80/tcp  open  http    uc-httpd 1.0.0
554/tcp open  rtsp    H264DVR rtspd 1.0
MAC Address: XX:XX:XX:XX:XX:XX (ICP Internet Communication Payment AG)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Device: storage-misc

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 35.79 seconds

Now how can I fix it?| :\




  • Zyxel_Ryan
    Zyxel_Ryan Posts: 66  Zyxel Employee
    Hello @GabrieleMax

    I'm curious how you found the problem.
    Did you try to remove all other devices connected firstly and then connected PC with GS1900? 
    I suspect if it is possible that the files were actually coming from other devices, for example, one of other servers, instead of GS1900. 
    Could you have a try to remove all other devices connected with GS1900 and then connect PC again (only one PC) to see if there is still the same problem?