
ASUS-AC68U Strange Logs - Please Help

mattgrav

Hello,
This morning I noticed some very strange logs on my router. I have seen the similar threads but I don't have remote config enabled. SSH is not enabled. However this morning I noticed this in my logs.

Feb 14 00:00:21 syslogd started: BusyBox v1.17.4
Feb 14 00:00:21 kernel: klogd started: BusyBox v1.17.4 (2018-01-31 17:28:03 CST)
Feb 14 00:00:21 kernel: Linux version 2.6.36.4brcmarm (root@asus) (gcc version 4.5.3 (Buildroot 2012.02) ) #1 SMP PREEMPT Wed Jan 31 17:32:52 CST 2018
...
Feb 14 00:00:22 kernel: Creating 2 MTD partitions on "brcmnand":
Feb 14 00:00:22 kernel: 0x000004000000-0x000007ec0000 : "brcmnand"
Feb 14 00:00:22 kernel: 0x000007ec0000-0x000008000000 : "asus"
Feb 14 00:00:22 kernel: VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Feb 14 00:00:22 kernel: ctf: module license 'Proprietary' taints kernel.
Feb 14 00:00:22 kernel: Disabling lock debugging due to kernel taint
Feb 14 00:00:22 kernel: et_module_init: passivemode set to 0x0
Feb 14 00:00:22 kernel: et_module_init: txworkq set to 0x0
Feb 14 00:00:22 kernel: et_module_init: et_txq_thresh set to 0xce4
Feb 14 00:00:22 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.126 (r561982)
Feb 14 00:00:22 kernel: et_probe: mvlan vid[0]: 0
Feb 14 00:00:22 kernel: et_probe: mvlan vid[1]: 0
Feb 14 00:00:22 kernel: et_probe: mvlan en 0
Feb 14 00:00:22 kernel: dpsta_init: msglevel set to 0x1
Feb 14 00:00:22 kernel: wl_module_init: passivemode set to 0x0
Feb 14 00:00:22 kernel: wl_module_init: igs set to 0x0
Feb 14 00:00:22 kernel: wl_module_init: txworkq set to 0x0
Feb 14 00:00:22 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 14 00:00:22 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)
Feb 14 00:00:23 nat: apply redirect rules
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 16 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 5 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 16 for vlan2 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 5 for vlan2 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 13 for vlan1 mvlan_en 0
Feb 14 00:00:23 kernel: et0: et_mvlan_netdev_event: event 1 for vlan1 mvlan_en 0
Feb 14 00:00:28 WAN Connection: ISP's DHCP did not function properly.
Feb 14 00:00:32 dnsmasq[265]: warning: no upstream servers configured
Feb 14 00:00:32 RT-AC68U: start httpd
Feb 14 00:00:33 syslog: Generating SSL certificate...
Feb 14 00:00:33 lldpd[293]: cannot get ethtool link information with GLINKSETTINGS (requires 4.9+): Operation not permitted
Feb 14 00:00:33 lldpd[293]: cannot get ethtool link information with GSET (requires 2.6.19+): Operation not permitted
Feb 14 00:00:35 NAT Tunnel: AAE Service is stopped
Feb 14 00:00:35 AAE: AAE Service is started
Feb 14 00:00:35 disk monitor: be idle
Feb 14 00:00:35 jffs2: valid logs(1)
Feb 14 00:00:35 hour monitor: daemon is starting
Feb 14 00:00:36 wan: [deconfig] udhcpc done[286]
Feb 14 00:00:36 rc_service: udhcpc 341:notify_rc start_firewall
Feb 14 00:00:36 miniupnpd[344]: version 1.9 started
Feb 14 00:00:36 miniupnpd[344]: HTTP listening on port 55913
Feb 14 00:00:36 miniupnpd[344]: Listening for NAT-PMP/PCP traffic on port 5351
Feb 14 00:00:36 wan: finish adding multi routes
Feb 14 00:00:36 Mastiff: init
Feb 14 00:00:36 miniupnpd[344]: add_filter_rule() : chain FUPNP not found
Feb 14 00:00:36 rc_service: udhcpc 341:notify_rc stop_upnp
Feb 14 00:00:36 rc_service: waitting "start_firewall" via udhcpc ...
Feb 14 00:00:36 miniupnpd[344]: add_filter_rule() : chain FUPNP not found

No idea why it's Feb 14... then the NTP resets it soon after.

Sorry for the length of it. I now seem to have a "new" network 10.8.0.1 which has ports 53, 443, 7788 open, internally. Is this a backdoor of some kind?

Help!! Basically I need help cleaning this up please?
 
Okay, I think I am being paranoid! There is no auth succeeded anywhere in the logs, so I am guessing this is normal.

Still not sure why it jumped 3 days ahead and I have now locked it down further and changed passwords.

Apologies for wasting your time if you read all this!
Thanks
 
The Feb 14 date is the default date that was set in the firmware when it was compiled, probably Feb 14 2017. It's just coincidence that it's close to today's date.

The 10.8.0.1 network is your OpenVPN server.
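
One way to check a router log for the pattern described in this reply, as an added example that is not part of the original thread: it splits a BusyBox syslog at the `syslogd started` boot marker and separates the expected clock correction after a boot from backward time jumps with no boot before them. The function names, the assumed year, the one-hour threshold and the constructed sample lines are assumptions.

```python
import re
from datetime import datetime

# BusyBox syslogd timestamps carry no year: "Feb 14 00:00:21 tag: message".
LINE_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
BOOT_MARKER = "syslogd started"  # first line of the boot sequence in the log above

# Lines 2-3 are taken from the log above; the others are constructed.
SAMPLE = """\
Feb 11 07:58:40 kernel: constructed line written before the reboot
Feb 14 00:00:21 syslogd started: BusyBox v1.17.4
Feb 14 00:00:36 miniupnpd[344]: version 1.9 started
Feb 11 08:01:12 ntp: constructed line written after the clock was set
Feb 11 08:05:00 kernel: constructed line, normal operation
Feb 10 23:00:00 kernel: constructed line that goes back in time
""".splitlines()

def parse(line, year=2018):
    """Return (timestamp, rest) or None. The year is assumed, not logged."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)

def triage(lines, max_gap_s=3600):
    """Return (boots, events); events are (label, before, after) clock jumps."""
    boots, events = [], []
    prev, awaiting_sync = None, False
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, rest = parsed
        delta = (ts - prev).total_seconds() if prev is not None else 0
        if BOOT_MARKER in rest:
            boots.append(ts)       # clock restarts at the firmware default
            awaiting_sync = True
        elif awaiting_sync and abs(delta) > max_gap_s:
            events.append(("clock-set-after-boot", prev, ts))
            awaiting_sync = False  # first large jump after a boot is expected
        elif delta < 0:
            events.append(("unexplained-backward", prev, ts))
        prev = ts
    return boots, events

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `clock-set-after-boot` event matches the harmless case explained in the reply; an `unexplained-backward` event is the one worth a closer look, since no reboot accounts for it.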