
Possibly been hacked. Need assistance from senior users.


Can someone please help with the following:
Under the AiProtection->Security Event section it lists a MAC address. This same address is listed under Tools->Sysinfo on the WAN port (it says there's 2 there on VLAN). But I can't determine what device this is, as it doesn't show under NetworkMap->ClientList or anywhere else in the router. I've checked all other devices too and it's nowhere else, so I'm at a loss.
The "2" refers to VLAN number 2, not 2 different things. The LAN ports are part of VLAN number 1. The MAC address is that of your WAN port, meaning the "event" came through the WAN port (duh!). In other words, knowing the MAC address tells us absolutely nothing useful.
 
Greetings,

Today, while trying to change some router settings on my RT-N66U, I noticed I've been hacked as well (Korean language, VPN, abnormal logins in the log, etc.). I was using an older "vanilla" ASUS firmware (the newest firmware was only released a few days ago), so I reset my router and updated to the latest firmware.

I'm considering flashing merlin to gain access to some features as well as additional protection (skynet). ASUS released a new firmware a few days ago fixing some exploits:

[Screenshot of the ASUS firmware release notes listing the fixed issues]


So my question is: does the latest Merlin firmware include these fixes? Or is it safer to stay on ASUS firmware for now?
 
Watch what? The "attacks" are not aimed at you in person; it is bots searching the net, and these things bounce off systems that are properly secured. Everyone on the net gets these "attacks", just keep your router firmware up to date.
Yep. Totally tracking that.

Before Trend Micro added the hit list to the GUI were you being hacked/compromised every day?
Not as far as I know! But I knew the activity was taking place.

If you are genuinely attacked you'll know about it.
What you mean is "if the attack is successful." I disagree. If an attack succeeded in breaking security, I might know it. Depends on what the attacker wants to accomplish.

What I am suggesting (with one and only one week's worth of data) is that the attacks all took place during the work week. Furthermore, since according to this thread this appears to be a new activity (Koreans coming in through WAN opened by the mobile app) - I am suggesting that the attackers may be actively managing the botnet as part of their M-F job. But again - that's a hypothesis based on a week of data.

I'll keep an eye on that pattern to see if it remains a M-F kind of thing. ;)
 
So my question is: does the latest Merlin firmware include these fixes? Or is it safer to stay on ASUS firmware for now?

All the DNS/DHCP issues were already fixed in 380.69_2. Of the other issues listed above, some were fixed in 380.69_2, a few weren't and are fixed for 380.70. The AiCloud issues aren't fixed yet, and won't be in 380.70 either.
 
You can add me to the list. Same as the OP. Was on legacy firmware, updated to the latest Merlin.

Sent from my LG-H815 using Tapatalk
 
So my "weekday" pattern doesn't seem to fit. I'm seeing zero attempts since Saturday. So that's good... just didn't fit my hypothesis. lol
 
Today I had a phone call with a potential buyer of my router. He currently has an RT66U. As I figured out, he has also been hacked. Chinese language, WAN access enabled...

Sent from my LG-H870 using Tapatalk
 
The only way you guys should be accessing your router remotely, or anything on your network for that matter, is by setting up a VPN server on the router or on the device directly. These web UIs are not meant for prolonged exposure to the Internet; they simply are not secure enough.
 
Would someone please advise if I need to be concerned about the following from my log and, if so, how do I stop it? The source IP is one of my cameras, and it seems they're connecting to a DST IP which I don't believe should be happening, i.e. 129.250.35.251. I don't recognise it. This is on the latest Merlin FW running VPN server and client.

Code:
Apr 11 03:54:24 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1848 DF PROTO=UDP SPT=39366 DPT=53 LEN=41
Apr 11 03:54:24 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1849 DF PROTO=UDP SPT=39366 DPT=53 LEN=41
Apr 11 03:54:24 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=129.250.35.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=53065 DF PROTO=UDP SPT=42921 DPT=123 LEN=56

Apr 11 05:04:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=19225 DF PROTO=UDP SPT=44069 DPT=53 LEN=41
Apr 11 05:04:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=19226 DF PROTO=UDP SPT=44069 DPT=53 LEN=41
Apr 11 05:04:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=103.38.120.36 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=48113 DF PROTO=UDP SPT=47550 DPT=123 LEN=56

Apr 11 06:09:26 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=9057 DF PROTO=UDP SPT=42556 DPT=53 LEN=41
Apr 11 06:09:26 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=9058 DF PROTO=UDP SPT=42556 DPT=53 LEN=41
Apr 11 06:09:26 kernel: ACCEPT IN=br0 OUT=eth0 SRC=<sourceIP> DST=203.23.237.200 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=59082 DF PROTO=UDP SPT=39722 DPT=123 LEN=56
 
PROTO=UDP DPT=123

This is an NTP query to various servers - normally not a concern...

As long as you don't see a lot of incoming NTP traffic from the internet, not too much to worry about - that being said, there is a well documented NTP DDoS...

https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/

So look at your rule sets - any incoming NTP queries should probably be dropped (or just don't expose that port)
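As an added illustration of the triage described above (example code written for this edit, not from the forum post or from the Merlin firmware): it parses the router's kernel ACCEPT log lines into their KEY=VALUE fields, treats outbound UDP/53 to a known resolver and outbound UDP/123 as expected client traffic, flags anything arriving on the WAN interface for UDP/123 as inbound NTP that should be dropped, and leaves any other outbound flow for manual review. The interface names br0/eth0, the resolver 8.8.8.8 and the three NTP destinations are taken from the log in the thread; the camera address, the inbound NTP line and the TCP/23 line are constructed samples.

```python
import re
from collections import Counter

# Assumptions (from the thread's log lines): br0 is the LAN bridge, eth0 the
# WAN interface, and 8.8.8.8 is the resolver the cameras were configured with.
LAN_IF = "br0"
WAN_IF = "eth0"
KNOWN_RESOLVERS = {"8.8.8.8"}

# Constructed sample log. Lines 1-3 mirror the thread's entries with a made-up
# camera address; line 4 (inbound UDP/123 on the WAN side) and line 5
# (outbound telnet) are constructed to exercise the alert/review paths.
SAMPLE_LOG = """\
Apr 11 03:54:24 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1848 DF PROTO=UDP SPT=39366 DPT=53 LEN=41
Apr 11 03:54:24 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=129.250.35.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=53065 DF PROTO=UDP SPT=42921 DPT=123 LEN=56
Apr 11 05:04:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=103.38.120.36 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=48113 DF PROTO=UDP SPT=47550 DPT=123 LEN=56
Apr 11 07:12:01 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=UDP SPT=50000 DPT=123 LEN=56
Apr 11 07:15:40 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51234 DPT=23 LEN=40
"""

# Netfilter log fields are KEY=VALUE tokens; IN= / OUT= may be empty.
_KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one kernel log line as a dict.

    LEN= appears twice (IP total length, then UDP/TCP length); the dict keeps
    the second one, which is not needed for the classification below.
    """
    return dict(_KV.findall(line))


def classify(f):
    """Map one parsed line to a triage code."""
    outbound = f.get("IN") == LAN_IF and f.get("OUT") == WAN_IF
    inbound = f.get("IN") == WAN_IF
    udp = f.get("PROTO") == "UDP"
    dpt = f.get("DPT")
    if outbound and udp and dpt == "53" and f.get("DST") in KNOWN_RESOLVERS:
        return "ok-dns"            # DNS lookup to the configured resolver
    if outbound and udp and dpt == "123":
        return "ok-ntp-client"     # client time sync, as the reply above explains
    if inbound and udp and dpt == "123":
        return "alert-inbound-ntp" # exposed NTP: drop it (amplification risk)
    if outbound:
        return "review-outbound"   # anything else leaving the LAN gets a look
    return "review-other"


def triage(log_text):
    """Parse every netfilter line and return (src, dst, proto, dpt, code) tuples."""
    results = []
    for line in log_text.splitlines():
        if "kernel:" not in line or "PROTO=" not in line:
            continue
        f = parse_line(line)
        results.append((f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"), classify(f)))
    return results


def summarize(results):
    """Count how many lines fell into each triage code."""
    return Counter(r[-1] for r in results)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for src, dst, proto, dpt, code in rows:
        print(f"{code:18} {src} -> {dst} {proto}/{dpt}")
    print(dict(summarize(rows)))
```

Run it against the router's syslog export instead of SAMPLE_LOG to get the same three buckets; the camera traffic in the thread lands entirely in ok-dns and ok-ntp-client, and only lines carrying IN=eth0 with DPT=123 would raise the inbound NTP alert.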
 
Hi Guys

Logged on to my ASUS to find that it was probably hacked as well.
It's an RT-AC68U running Merlin 380.

The UI was changed to Korean.

VPN Server was ON and a VPN user added.
Remote Access from WAN was enabled.
DDNS enabled.

I am pretty sure all these settings were changed, and not by me.

The reason I noticed it was that when I started my ASUS Router app for iOS, it asked if I wanted to enable remote access from WAN and turn on DDNS.
I haven't seen that before. When I refused I couldn't connect, even if I was on my LAN?

I have flashed the firmware to 384 and reinitialized the router settings.

Does anyone know if this unwanted access was a known exploit in 380 and if I am now protected against that by running 384?

I am of course worried if my router could have been hacked from within my LAN because then I am still at risk.

Any help will be appreciated.
Thanks.
 
The reason I noticed it was that when I started my ASUS Router app for iOS, it asked if I wanted to enable remote access from WAN and turn on DDNS.
I haven't seen that before.
From what I've read in this forum, the app was changed recently so that it now asks for permission, whereas previously it didn't.

Does anyone know if this unwanted access was a known exploit in 380 and if I am now protected against that by running 384?
Merlin previously stated that there are some known exploits that can't or won't be fixed in 380. So the best you can do is keep up to date with 384, but that doesn't mean that there won't be new exploits found.
 
My advice would be to not allow web access from WAN for any reason. Use a VPN instead.
 
My advice would be to not allow web access from WAN for any reason. Use a VPN instead.
Hi Skeal and ColinTaylor,
Thanks for your posts.
I would never allow web access from WAN.
I am just trying to find out if my ASUS router could be hacked from outside without WAN access allowed, or if it has been hacked from inside my LAN.
If it was from inside my LAN, then I am not sure I am protected even after upgrading to 384.
 
I am just trying to find out if my ASUS router could be hacked from outside without WAN access allowed, or if it has been hacked from inside my LAN.
If it was from inside my LAN, then I am not sure I am protected even after upgrading to 384.
Everything you described is consistent with the other reports of people being hacked from the WAN, even when WAN access wasn't enabled. I don't think your problem is on the LAN.
 
Using Asus's mobile app will enable WAN access without telling you.
 
That sounds like really risky behavior. Do you know if that's by choice or a bug?

No idea, I don't use their mobile app, and haven't been following up on it either. I think it was enabled by default to allow remote access by the mobile application. No idea if they eventually made it user-configurable or not.
 