Hello,
This morning I noticed some very strange logs on my router. I have seen the similar threads, but I don't have remote config enabled. SSH is not enabled. However, this morning I noticed this in my logs.
Feb 14 00:00:21 syslogd started: BusyBox v1.17.4
Feb 14 00:00:21 kernel: klogd started: BusyBox v1.17.4 (2018-01-31 17:28:03 CST)
Feb 14 00:00:21 kernel: Linux version 2.6.36.4brcmarm (root@asus) (gcc version 4.5.3 (Buildroot 2012.02) ) #1 SMP PREEMPT Wed Jan 31 17:32:52 CST 2018
...
Feb 14 00:00:22 kernel: Creating 2 MTD partitions on "brcmnand":
Feb 14 00:00:22 kernel: 0x000004000000-0x000007ec0000 : "brcmnand"
Feb 14 00:00:22 kernel: 0x000007ec0000-0x000008000000 : "asus"
Feb 14 00:00:22 kernel: VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Feb 14 00:00:22 kernel: ctf: module license 'Proprietary' taints kernel.
Feb 14 00:00:22 kernel: Disabling lock debugging due to kernel taint
Feb 14 00:00:22 kernel: et_module_init: passivemode set to 0x0
Feb 14 00:00:22 kernel: et_module_init: txworkq set to 0x0
Feb 14 00:00:22 kernel: et_module_init: et_txq_thresh set to 0xce4
Feb 14 00:00:22 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.126 (r561982)
Feb 14 00:00:22 kernel: et_probe: mvlan vid[0]: 0
Feb 14 00:00:22 kernel: et_probe: mvlan vid[1]: 0
Feb 14 00:00:22 kernel: et_probe: mvlan en 0
Feb 14 00:00:22 kernel: dpsta_init: msglevel set to 0x1
Feb 14 00:00:22 kernel: wl_module_init: passivemode set to 0x0
Feb 14 00:00:22 kernel: wl_module_init: igs set to 0x0
Feb 14 00:00:22 kernel: wl_module_init: txworkq set to 0x0
Feb 14 00:00:22 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 14 00:00:22 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 14 00:00:23 nat: apply redirect rules
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 16 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 5 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 16 for vlan2 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 5 for vlan2 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 13 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 1 for vlan1 mvlan_en 0
Feb 14 00:00:28 WAN Connection: ISP's DHCP did not function properly.
Feb 14 00:00:32 dnsmasq[265]: warning: no upstream servers configured
Feb 14 00:00:32 RT-AC68U: start httpd
Feb 14 00:00:33 syslog: Generating SSL certificate...
Feb 14 00:00:33 lldpd[293]: cannot get ethtool link information with GLINKSETTINGS (requires 4.9+): Operation not permitted
Feb 14 00:00:33 lldpd[293]: cannot get ethtool link information with GSET (requires 2.6.19+): Operation not permitted
Feb 14 00:00:35 NAT Tunnel: AAE Service is stopped
Feb 14 00:00:35 AAE: AAE Service is started
Feb 14 00:00:35 disk monitor: be idle
Feb 14 00:00:35 jffs2: valid logs(1)
Feb 14 00:00:35 hour monitor: daemon is starting
Feb 14 00:00:36 wan: [deconfig] udhcpc done[286]
Feb 14 00:00:36 rc_service: udhcpc 341:notify_rc start_firewall
Feb 14 00:00:36 miniupnpd[344]: version 1.9 started
Feb 14 00:00:36 miniupnpd[344]: HTTP listening on port 55913
Feb 14 00:00:36 miniupnpd[344]: Listening for NAT-PMP/PCP traffic on port 5351
Feb 14 00:00:36 wan: finish adding multi routes
Feb 14 00:00:36 Mastiff: init
Feb 14 00:00:36 miniupnpd[344]: add_filter_rule() : chain FUPNP not found
Feb 14 00:00:36 rc_service: udhcpc 341:notify_rc stop_upnp
Feb 14 00:00:36 rc_service: waitting "start_firewall" via udhcpc ...
Feb 14 00:00:36 miniupnpd[344]: add_filter_rule() : chain FUPNP not found
No idea why it's Feb 14... then the NTP resets it soon after.
Sorry for the length of it. I now seem to have a "new" network 10.8.0.1 which has ports 53, 443, 7788 open, internally. Is this a backdoor of some kind?
Help!! Basically I need help cleaning this up please?