Asus RT-AC66U DNS hacking

Mpuk7

Occasional Visitor
Hi all,
I'm hoping I might be able to get advice on this please.
I have an Asus RT-AC66U I bought second-hand in January, and twice now I have discovered the DNS has been manually added after I set it as automatic.
The router logs indicate something happening at around 5am when I would have been fast asleep.
I've looked into various DNS changer type hacks and run scans for malware etc. No PCs would be on at that time, possibly mobile phones if anything.
I have the latest stock Asus firmware installed, a long complex password on the router as well as default user id changed. Web access is allowed and I use the Asus android app. I can't figure out where this is happening or if this is a new security exploit even?
The new fake dns is different both times but still same provider in the Netherlands.
I can supply router logs or the IP if interested.
I tried Asus support but they were immensely useless and sent a standard unhelpful reply. I'm thinking about going to Merlin instead now; does that work with the Android app at all, or is there an alternative?
 

ColinTaylor

Part of the Furniture
If you post a link to the complete syslog we can have a look.
 

Mpuk7

Occasional Visitor
Hi ColinTaylor,
No worries, have attached the file to this post.
I edited out IP addresses for my own connection but to confirm the two changes seemed to have been on:
Feb 24th @ 0524hrs
March 11th @ 0458hrs
Please also ignore the failed logins showing for around 9am today (11th) as that was me using the incorrect case for the username in a panic to restore it to automatic DNS before any damage occurred.
 


ColinTaylor

Part of the Furniture
Unfortunately there aren't any messages regarding DNS in the log :(. Looks like they're being suppressed. Are there any options on the router to increase the logging level?

Regarding the events on the 24th and 11th; it looks like they were caused by your WAN connection going down. My guess is that your ISP did some maintenance at that time. That shouldn't change your router's DNS settings though.

To clarify; you're saying that "WAN - Internet Connection" > "Connect to DNS Server automatically" was previously set to "Yes" but was changed to "No"? What were the new DNS IP addresses?
 

john9527

Part of the Furniture
It looks like you were actually hacked on Feb 15 and Mar 7, and they came back later to cause trouble.
My best assessment is that this may be an exploit of CVE-2018-5721, but I can't find an official ASUS OEM release for the AC66 that contains the fix. Merlin release 380.69 does pick up the fix, and I'd recommend you update to that release to rule things out. I would do a factory reset and reconfigure manually, make sure you do not have WAN access enabled, and change your router password.
 

Mpuk7

Occasional Visitor
Many thanks both. The last time it was set to 185.117.75.242 and 8.8.8.8 in the DNS; this time it was a different IP. I did report that initial IP to the abuse e-mail and Action Fraud in the UK. When I tested making that my primary DNS and tried pinging www.ebay.co.uk, for example, it came back with IPs in the same range, so I dread to think what sites were being redirected by it.
I have attached a screenshot of the DNS settings as shown this morning. The new primary DNS was set to 185.183.96.174, with 8.8.8.8 again as secondary, as I think is normal for DNS hacks?
That would make sense about the connection going down due to maintenance by the ISP.
Thanks for the info on CVE-2018-5721 john9527 and the hack dates, I'll transition over to Merlin asap.
 


ColinTaylor

Part of the Furniture
Same thing reported here and here (unless that's you as well).

I take it you are in the UK. Who is your ISP?
 

RMerlin

Asuswrt-Merlin dev
Web access is allowed
Disable that. Every few months Asus fixes newly discovered security exploits related to the built-in web server. That code is simply not reliable enough to be exposed to the Internet.
 

coxhaus

Part of the Furniture
I don't know how you guys do ACL access lists, but you need to block all DNS access except the ones you want. That way, if you are hacked, their DNS will fail immediately because it is blocked by the firewall and none of your machines will be compromised. The only cure for a bad DNS is to reinstall all devices.
 

Mpuk7

Occasional Visitor
Disable that. Every few months Asus fixes newly discovered security exploits related to the built-in web server. That code is simply not reliable enough to be exposed to the Internet.
Many thanks RMerlin, am I safe to enable web access with your firmware as it looks like a much better option than the Asus stock one or is web access too risky generally?
 

Mpuk7

Occasional Visitor
I don't know how you guys do ACL access lists, but you need to block all DNS access except the ones you want. That way, if you are hacked, their DNS will fail immediately because it is blocked by the firewall and none of your machines will be compromised. The only cure for a bad DNS is to reinstall all devices.
Good point, I did consider means of blocking any IPs owned by that one company or something as it seems to direct websites to IPs owned by Host Sailor Ltd
 

RMerlin

Asuswrt-Merlin dev
Many thanks RMerlin, am I safe to enable web access with your firmware as it looks like a much better option than the Asus stock one or is web access too risky generally?
No, it's the same httpd code as Asus. While I might have fixed a few extra buffer overrun issues, the whole code is still not something I would trust in the open. I recommend using a VPN tunnel for remote management.
 

RMerlin

Asuswrt-Merlin dev
Asuswrt doesn't have ACLs, it's a consumer device.
It could most likely be done manually through iptables, a bit similar to how DNSFilter works, except that instead of rerouting you'd just be allowing outbound connections to port 53 of your desired DNS, followed by a rule dropping all other outbound port 53 access.
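The egress lock-down that coxhaus and RMerlin describe above, written out as an added example; this is not code from the thread or from Asuswrt-Merlin. It assumes the router runs Asuswrt-Merlin with the LAN bridge named br0 and that the script is invoked from the firewall-start user script; the allow-listed resolvers (1.1.1.1 and 9.9.9.9), the chain name DNSGUARD and the file name dnsguard.sh are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: restrict
# port 53 egress to an allow-list of resolvers, then drop everything else.
# Assumptions (not from the original posts): Asuswrt-Merlin, LAN bridge
# "br0", and this file being called as "dnsguard.sh apply" from the
# firewall-start user script so the rules survive a firewall restart.

ALLOWED_DNS="${ALLOWED_DNS:-1.1.1.1 9.9.9.9}"   # resolvers you actually chose
IPT="${IPT:-iptables}"                         # set IPT=echo for a dry run
LAN_IF="${LAN_IF:-br0}"
CHAIN="DNSGUARD"

# Emit the rule set one rule per line so it can be reviewed before use:
# accept udp/tcp 53 to each allowed resolver, drop every other port 53 flow,
# then hook the chain into FORWARD (LAN clients that talk to a resolver
# directly) and OUTPUT (dnsmasq on the router talking to its upstream, which
# is where a hijacked "DNS Server" setting would otherwise take effect).
dns_guard_rules() {
    printf '%s\n' "-N $CHAIN"
    printf '%s\n' "-A $CHAIN -o lo -j ACCEPT"
    for srv in $ALLOWED_DNS; do
        for proto in udp tcp; do
            printf '%s\n' "-A $CHAIN -p $proto -d $srv --dport 53 -j ACCEPT"
        done
    done
    printf '%s\n' "-A $CHAIN -p udp --dport 53 -j DROP"
    printf '%s\n' "-A $CHAIN -p tcp --dport 53 -j DROP"
    printf '%s\n' "-I FORWARD -i $LAN_IF -j $CHAIN"
    printf '%s\n' "-I OUTPUT -j $CHAIN"
}

# Apply the rules. Any earlier copy of the chain is unhooked and deleted
# first, so re-running on every firewall restart does not stack duplicates.
dns_guard_apply() {
    $IPT -D FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null
    $IPT -D OUTPUT -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" 2>/dev/null
    $IPT -X "$CHAIN" 2>/dev/null
    dns_guard_rules | while read -r rule; do
        # word splitting of $rule is intended: each line is one argument list
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Sanity check for an address shown in the WAN page's DNS fields:
# returns 0 if it is on the allow-list, 1 if the firewall will now drop it.
dns_guard_is_allowed() {
    for srv in $ALLOWED_DNS; do
        [ "$1" = "$srv" ] && return 0
    done
    return 1
}

# Only apply when invoked as "dnsguard.sh apply"; sourcing the file merely
# defines the functions so they can be tested or inspected.
if [ "${1:-}" = "apply" ]; then
    dns_guard_apply
fi
```

Two caveats a practitioner should keep in mind. First, with "Connect to DNS Server automatically" set to Yes the upstream is whatever the ISP hands out, so either add those addresses to ALLOWED_DNS or set the resolvers manually to the ones on the list; otherwise the router's own lookups are dropped and the LAN loses name resolution (which is exactly the loud failure coxhaus wants when a hijacked upstream appears, but not what you want on a healthy link). Second, this only covers classic port 53; clients using DNS over HTTPS or TLS (443/853) are not affected by it, and a LAN device that serves DNS itself must be on the allow-list because the OUTPUT hook also governs the router's traffic toward the LAN.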
 

Mpuk7

Occasional Visitor
No, it's the same httpd code as Asus. While I might have fixed a few extra buffer overrun issues, the whole code is still not something I would trust in the open. I recommend using a VPN tunnel for remote management.
That's great, thanks. I'll get the VPN option set up.
 

Mpuk7

Occasional Visitor
Sorry, can I just ask about the best VPN to use? I can see PPTP and OpenVPN and would like to set it up with the built-in VPN on my Android phone. Is there a guide for the best and most secure setup that anyone can suggest at all please?
 

Mpuk7

Occasional Visitor
Merlin release 380.69 does pick up the fix, and I'd recommend you update to that release to rule things out. I would do a factory reset and reconfigure manually, make sure you do not have WAN access enabled, and change your router password.
Sorry just before I transition over to Merlin, am I ok to do the factory reset via the router web interface or does it need to be the reset button?
 

john9527

Part of the Furniture
Sorry just before I transition over to Merlin, am I ok to do the factory reset via the router web interface or does it need to be the reset button?
The factory reset is done after the new firmware is loaded. My favorite reset method is via the WPS button.
Hold in the WPS button while powering on the router. After about 10 secs the power led will start a 'fast' blink. Release the WPS button and the router will reboot having been reset.
 
