Old Miraheze Wiki Pages:KB848249
Introduction
Li Ao downloaded two OpenWrt software packages named "v2raya" and "luci-app-v2raya". While looking for information on how to use the software and trying to activate the Web management console, he noticed unsolicited behaviour that may indicate automated file downloading. He later confirmed, with information given by a YouTube video, that this package is able not only to trigger automated downloads from Internet locations but also to change the router configuration automatically.
He confirmed that this software package has rogue behaviours which may damage a proper configuration and may result in insult to users.
Symptoms
Li Ao downloaded the packages named "v2raya" and "luci-app-v2raya" from the OpenWrt software package repository. As he was going to look at the user interface to learn the design concepts and so understand its usage, he noticed that the Web interface displayed a message saying that some missing files were being downloaded. He later confirmed that his guess of rogue software was true, with a YouTube video showing the behaviour of the software.
As confirmed by information in the GitHub repository, the software will not only download missing components from GitHub but will also apply routing configurations without the user's consent. When it connects to the added v2Ray servers, it applies a fixed rule which will result in traffic leaking on routers without a default routing preference but with certain types of custom configurations.
He reviewed neither the complete source code nor the actual machine code execution before confirming that the software has rogue features.
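One way to observe the routing changes described above on a test router, as an added example that is not part of the original page or of either project: the shell functions below snapshot the routing rules, routing tables, firewall ruleset and UCI file hashes, then report what differs once the service has been started. The function names and snapshot directories are assumptions.

```shell
#!/bin/sh
# Added example: record routing and firewall state so that changes made by a
# newly started service become visible. All names here are hypothetical.

# snapshot_state DIR: write the current state into DIR, one file per item.
snapshot_state() {
    dir=$1
    mkdir -p "$dir" || return 1
    ip rule show > "$dir/ip-rule.txt" 2>/dev/null
    ip route show table all > "$dir/ip-route.txt" 2>/dev/null
    # Use nftables when the nft tool is present, otherwise fall back to iptables.
    if command -v nft >/dev/null 2>&1; then
        nft list ruleset > "$dir/firewall.txt" 2>/dev/null
    else
        iptables-save > "$dir/firewall.txt" 2>/dev/null
    fi
    # Hash the UCI configuration files so that any rewrite shows up.
    for f in /etc/config/*; do
        if [ -f "$f" ]; then sha256sum "$f"; fi
    done > "$dir/uci-sha256.txt"
}

# compare_state BEFORE AFTER: print the name of each item that differs.
# Returns 1 if anything changed, 0 if the snapshots are identical.
compare_state() {
    before=$1; after=$2; changed=0
    for f in "$after"/*; do
        name=${f##*/}
        if ! cmp -s "$before/$name" "$f" 2>/dev/null; then
            echo "$name"
            changed=1
        fi
    done
    return "$changed"
}

# added_lines BEFORE AFTER NAME: print lines of item NAME present only in AFTER.
added_lines() {
    grep -Fxv -f "$1/$3" "$2/$3" || true
}

# Usage on the router, as root:
#   snapshot_state /tmp/before
#   (start the service under test and add a server in its Web interface)
#   snapshot_state /tmp/after
#   compare_state /tmp/before /tmp/after
#   added_lines /tmp/before /tmp/after ip-rule.txt
```

Any policy rule or firewall entry listed by `added_lines` that the administrator did not create is a change to review against the router's own routing policy.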
Solution
Li Ao does not recommend modifying the source code of the packages to build custom packages for production use. Instead, he recommends using the packages from Project V, an open-source project producing network proxy tools with obfuscation functionality. The following packages are recommended:
- v2ray-core
- v2ray-example
- v2ray-extra