Hi all,

Got a new Asus GT-AXE16000 and installed the current asuswrt-merlin version (386.8).
Last Friday I installed Diversion via amtm. Since then (I don't know if it really corresponds in time) I get daily (~20 per day) alarms from AIProtection - Two Way IPS:

EXPLOIT Remote Command execution via Shell Script -2

always from the same IP.

First I restarted my router to get a new IP: no change.
Then I tried to disable Diversion. No change.
Lastly I reset my router via Administration -> Restore ... no change.

I am a bit worried even if all these attacks are labeled as blocked.

Does anybody know what this kind of attack means?
Can I block that IP somewhere?

Thanks in advance



It's just a normal bot scanner, ignore it.

To be safe make sure you have disabled SSH WAN access and Web Access from WAN (Administration - System).

Hi Colin,

Thanks for your reply. Yes, I disabled both options.
What makes me wonder is that the same IP (bot) "attacks" me even after resetting the router and/or getting a new IP. Is this normal, or is the MAC address used to "find me"? Sorry if this is a stupid question ... I don't know much about internet security and possible attacks.
Was the close time connection between Diversion installation and the attack just a coincidence?

Again thanks!


This is normal - welcome to the internet.

The problem with AiProtection is that it reports lots of scary sounding things that would otherwise just be dropped silently. This makes people think that this is something new or something that is specifically aimed at them. It isn't, it's just that any other router (or your router if you turn off AiProtection) wouldn't report it.

Was the close time connection between Diversion installation and the attack just a coincidence?
Yes, just coincidence.

