Malicious access, only 1 attempt


matthew_eli

Senior Member
Hi guys, I don't know if this is the right place to post this experience, but I'm running the latest stable Merlin firmware (380.64) and yesterday, on New Year's Eve, I discovered someone managed to access my router, both via SSH and the webUI. Here are the relevant lines from syslog:

http://pastebin.com/4HiewCTT

...

http://pastebin.com/736znapW

(I can't even post the log code here...)


Both addresses are from Palestinian territory; I'm from Italy. The strangest thing is that they had no trouble finding this password: they got it on their first attempt! This was my password strength:

Code:
Length: 13
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 58.5 bits
Charset Size: 68 characters

Now I have changed it and forbidden access from WAN for both SSH and the webUI. My main concern now is whether these guys used an exploit to gain access to my router; what can I do to secure the router further? I already use an IPSET protection based on firewall scripts.

From what I checked, in the webUI they only changed a minor setting on the SSH administration page, by disabling it and changing the port. Is there any possibility to trace what they did? I also checked my jffs partition, but I haven't found anything in there.

Please, help me!
 
Looks automated... is this a known exploit?
 
Check your LAN clients for malware. If they got your router password on the first attempt that might indicate that they got it by infecting your PC.

EDIT: If you had previously been accessing your router from an external location (i.e. friends house, cyber café) perhaps they had been infected with malware or had a key logger installed.
 
To be safe, I would reflash the firmware, do a factory default reset, wipe the JFFS2 partition content, and restore a config backup if you have one.

The fact that it took a look at python makes me believe this might not be targeting routers specifically (which almost never have Python installed) but Linux servers in general, but just to be safe I'd still wipe that firmware & nvram.
 
These are exactly the same as the logs that I saw last week on my router, only the IP address is different. This is becoming weird. Maybe we need to call Sherlock Holmes :)
 
To be safe, I would reflash the firmware, do a factory default reset, wipe the JFFS2 partition content, and restore a config backup if you have one.

The fact that it took a look at python makes me believe this might not be targeting routers specifically (which almost never have Python installed) but Linux servers in general, but just to be safe I'd still wipe that firmware & nvram.

If one looks at the libs and paths - it does seem to be targeted towards embedded devices...

Probably should look at accounts and also at dropbear specifically... I'm not thinking this is a dropbear issue, but it does need to be looked at.

I've seen a big uptick in SSH hits in the past week or so on my firewall..
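The two indicators raised in this thread, a WAN-side login that succeeds with no failed attempt before it (the "first attempt" point above) and a general rise in SSH hits, can both be pulled out of a router's syslog mechanically. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it assumes the dropbear message formats "Password auth succeeded for 'user' from ip:port" and "Bad password attempt for 'user' from ip:port", and the syslog lines it runs over are constructed samples, not the poster's pastebin content. It reports failure counts per source and flags sources outside RFC 1918 space that logged in without a single failure first, which is the pattern a stolen credential (keylogger, infected LAN client) produces and brute force does not.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog excerpt in dropbear's message format (assumption about
# the exact wording; documentation-range IPs stand in for real WAN sources).
SAMPLE_SYSLOG = """\
Dec 31 23:41:02 dropbear[2201]: Child connection from 203.0.113.7:51324
Dec 31 23:41:03 dropbear[2201]: Password auth succeeded for 'admin' from 203.0.113.7:51324
Dec 31 23:42:10 dropbear[2201]: Exit (admin): Disconnect received
Dec 31 23:50:15 dropbear[2230]: Child connection from 198.51.100.9:40100
Dec 31 23:50:16 dropbear[2230]: Bad password attempt for 'admin' from 198.51.100.9:40100
Dec 31 23:50:18 dropbear[2230]: Bad password attempt for 'admin' from 198.51.100.9:40100
Dec 31 23:55:01 dropbear[2250]: Child connection from 192.168.1.20:55210
Dec 31 23:55:02 dropbear[2250]: Password auth succeeded for 'admin' from 192.168.1.20:55210
"""

AUTH_RE = re.compile(
    r"dropbear\[\d+\]: (?P<result>Password auth succeeded|Bad password attempt) "
    r"for '(?P<user>[^']+)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# RFC 1918 ranges treated as "LAN"; anything else is a WAN-side source.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_auth_events(syslog_text):
    """Return (ip, user, succeeded) tuples in log order; non-auth lines are ignored."""
    events = []
    for line in syslog_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Password auth succeeded"))
    return events


def summarize(events):
    """Per-source counters plus the 'succeeded before any failure' flag."""
    stats = defaultdict(lambda: {"fails": 0, "successes": 0,
                                 "first_try_success": False, "wan": False})
    for ip, _user, ok in events:
        s = stats[ip]
        s["wan"] = not is_lan(ip)
        if ok:
            # A success with no prior failure or success from this source.
            if s["fails"] == 0 and s["successes"] == 0:
                s["first_try_success"] = True
            s["successes"] += 1
        else:
            s["fails"] += 1
    return dict(stats)


def suspicious_logins(syslog_text):
    """WAN sources that logged in without failing once: credential known, not guessed."""
    stats = summarize(parse_auth_events(syslog_text))
    return sorted(ip for ip, s in stats.items() if s["wan"] and s["first_try_success"])


if __name__ == "__main__":
    for ip, s in summarize(parse_auth_events(SAMPLE_SYSLOG)).items():
        print(ip, s)
    print("first-try WAN logins:", suspicious_logins(SAMPLE_SYSLOG))
```

On a real router the input would be the contents of /tmp/syslog.log (or wherever the firmware writes syslog); the regex only matches password authentication, so key-based logins and webUI (httpd) logins are not counted and would need their own patterns.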
 
do a factory default reset, wipe the JFFS2 partition content,
Doesn't a factory default reset wipe out the JFFS partition?
 
