Asus RT-AC66U DNS hacking

Mpuk7

Regular Contributor
Hi all,
I'm hoping I might be able to get advice on this please.
I have an Asus RT-AC66U I bought 2nd hand in January, and twice now I have discovered the DNS has been manually added after I set it as automatic.
The router logs indicate something happening at around 5am when I would have been fast asleep.
I've looked into various DNS changer type hacks and run scans for malware etc. No PCs would be on at that time, possibly mobile phones if anything.
I have the latest stock Asus firmware installed, a long complex password on the router as well as default user id changed. Web access is allowed and I use the Asus android app. I can't figure out where this is happening or if this is a new security exploit even?
The new fake dns is different both times but still same provider in the Netherlands.
I can supply router logs or the IP if interested.
I tried Asus support but they were immensely useless and sent a standard unhelpful reply. I'm thinking about going to Merlin instead now; does that work with the android app at all, or is there an alternative?
 
Hi ColinTaylor,
No worries, have attached the file to this post.
I edited out IP addresses for my own connection but to confirm the two changes seemed to have been on:
Feb 24th @ 0524hrs
March 11th @ 0458hrs
Please also ignore the failed logins showing for around 9am today (11th) as that was me using the incorrect case for the username in a panic to restore it to automatic DNS before any damage occurred.
 

Attachment: syslog 110318.txt (117.9 KB)
Unfortunately there aren't any messages regarding DNS in the log :(. Looks like they're being suppressed. Are there any options on the router to increase the logging level?

Regarding the events on the 24th and 11th; it looks like they were caused by your WAN connection going down. My guess is that your ISP did some maintenance at that time. That shouldn't change your router's DNS settings though.

To clarify; you're saying that "WAN - Internet Connection" > "Connect to DNS Server automatically" was previously set to "Yes" but was changed to "No"? What were the new DNS IP addresses?
 
It looks like you were actually hacked on Feb 15 and Mar 7, and they came back later to cause trouble.
My best assessment is that this may be an exploit of CVE-2018-5721, but I can't find an official ASUS OEM release for the AC66 that contains the fix. Merlin release 380.69 does pick up the fix, and I'd recommend you update to that release to rule things out. I would do a factory reset and reconfigure manually, make sure you do not have WAN access enabled, and change your router password.
 
Many thanks both, the last time it was set to 185.117.75.242 and 8.8.8.8 in the DNS; this time it was a different IP. I did report that initial IP to the abuse e-mail and actionfraud in the UK. When I tested making that my primary DNS and tried pinging www.ebay.co.uk for example, it came back with IPs in the same range, so I dread to think what sites were being redirected by it.
I have attached a screenshot of the DNS settings as shown this morning. The new primary DNS was set to 185.183.96.174 with 8.8.8.8 again for secondary, as I think is normal for DNS hacks?
That would make sense about the connection going down to maintenance by the ISP.
Thanks for the info on CVE-2018-5721 john9527 and the hack dates, I'll transition over to Merlin asap.
 

Attachment: Screenshot_20180311-102909.png (178.3 KB)
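The check the poster did by hand above (resolve www.ebay.co.uk through the suspect resolver and see whether the answer lands in the same small range as everything else) can be done systematically. The following script is an added example and is not code from the thread or from anyone in it. It assumes dig(1) from bind-utils is installed; the domain list is constructed for illustration. shared_prefixes works on plain "domain ip" lines, so it can be run offline on captured output; resolve_all is the only part that needs the network.

```shell
#!/bin/sh
# Added example (not from the original thread): flag a resolver that
# answers unrelated domains from one /24, the pattern the poster saw
# when 185.117.75.242 resolved www.ebay.co.uk into its own range.
# Assumptions: dig(1) is installed; DOMAINS below is a constructed list.

DOMAINS="www.ebay.co.uk www.paypal.com www.amazon.co.uk www.bbc.co.uk www.google.com"

# resolve_all RESOLVER: print "domain ip" lines, one per A record, using
# only the given resolver (short timeout so a dead resolver fails fast).
resolve_all() {
    resolver="$1"
    for d in $DOMAINS; do
        for ip in $(dig +short +time=2 +tries=1 "@$resolver" "$d" A |
                    grep -E '^[0-9]+(\.[0-9]+){3}$'); do
            printf '%s %s\n' "$d" "$ip"
        done
    done
}

# shared_prefixes: read "domain ip" lines on stdin; print each /24 that
# serves two or more distinct domains, followed by the domain count.
shared_prefixes() {
    awk '{
        split($2, o, ".");
        p = o[1] "." o[2] "." o[3] ".0/24";
        if (!((p, $1) in seen)) { seen[p, $1] = 1; n[p]++ }
    }
    END { for (p in n) if (n[p] > 1) print p, n[p] }' | sort
}

# is_suspicious: succeed (exit 0) if any /24 is shared across domains.
is_suspicious() {
    [ -n "$(shared_prefixes)" ]
}

# Usage: sh check-resolver.sh 185.117.75.242
if [ -n "${1:-}" ]; then
    resolve_all "$1" | shared_prefixes
fi
```

A shared /24 is a signal, not proof: a CDN can legitimately put unrelated customers in one range, so run the same list through a resolver you trust and compare; a rogue resolver is the one where banking, shopping and mail domains all collapse into the same hoster's block while the trusted resolver spreads them out.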
Web access is allowed

Disable that. Every few months Asus fixes newly discovered security exploits related to the built-in web server. That code is simply not reliable enough to be exposed to the Internet.
 
I don't know how you guys do ACL access lists, but you need to block all DNS access except to the ones you want; that way, if you are hacked, their DNS will fail immediately because it is blocked by the firewall, and none of your machines will be compromised. The only cure for a bad DNS is to reinstall all devices.
 
Disable that. Every few months Asus fixes newly discovered security exploits related to the built-in web server. That code is simply not reliable enough to be exposed to the Internet.
Many thanks RMerlin, am I safe to enable web access with your firmware, as it looks like a much better option than the Asus stock one, or is web access too risky generally?
 
I don't know how you guys do ACL access lists, but you need to block all DNS access except to the ones you want; that way, if you are hacked, their DNS will fail immediately because it is blocked by the firewall, and none of your machines will be compromised. The only cure for a bad DNS is to reinstall all devices.
Good point, I did consider means of blocking any IPs owned by that one company or something, as it seems to direct websites to IPs owned by Host Sailor Ltd.
 
Many thanks RMerlin, am I safe to enable web access with your firmware, as it looks like a much better option than the Asus stock one, or is web access too risky generally?

No, it's the same httpd code as Asus. While I might have fixed a few extra buffer overrun issues, the whole code is still not something I would trust in the open. I recommend using a VPN tunnel for remote management.
 
Asuswrt doesn't have ACLs, it's a consumer device.

Could manually be done through iptables most likely, a bit similar to how DNSFilter works, except instead of rerouting, you'd just be allowing outbound connections to port 53 of your desired DNS, followed by a rule dropping all outbound port 53 access.
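The iptables approach sketched in the post above, written out as an added example; this is not code from the thread, from RMerlin or from Asuswrt. It is meant to live in /jffs/scripts/firewall-start on Asuswrt-Merlin (with custom scripts enabled under Administration > System), which passes the WAN interface name as $1. Everything else is an assumption: the two resolver addresses are placeholders for the ones you choose, br0 and eth0 are the usual LAN bridge and WAN interface on the RT-AC66U but should be checked on the router, and the DNSPIN chain name is invented here. One point the post leaves implicit: the change the poster suffered was to the router's own WAN DNS setting, so it is dnsmasq's upstream queries (the OUTPUT chain) that must be pinned, not only LAN clients that talk to an outside resolver directly (the FORWARD chain); the script covers both.

```shell
#!/bin/sh
# Added example; not code from the thread, from RMerlin or from Asuswrt.
# Pins outbound DNS (port 53, UDP and TCP) to a fixed set of resolvers
# with a dedicated chain, so re-running it on every firewall restart does
# not pile up duplicate rules. Assumptions: ALLOWED_DNS holds the
# resolvers you chose; br0 is the LAN bridge and eth0 the WAN interface
# (check with "ip link" on the router); DNSPIN is a made-up chain name.

ALLOWED_DNS="9.9.9.9 149.112.112.112"
LAN_IF="br0"
WAN_IF="${1:-eth0}"        # Asuswrt-Merlin's firewall-start passes WAN as $1
CHAIN="DNSPIN"
IPT="${IPT:-iptables}"

# dns_rules: print the rule set, one iptables argument list per line, for
# review before it is applied. Port-53 traffic from LAN clients (FORWARD)
# and from the router itself, i.e. dnsmasq's upstream queries (OUTPUT),
# is diverted into the chain, which accepts only the allowed resolvers and
# logs, then drops, everything else. The rogue resolver then fails loudly
# in the syslog instead of silently answering.
dns_rules() {
    for ip in $ALLOWED_DNS; do
        printf -- '-A %s -d %s -j ACCEPT\n' "$CHAIN" "$ip"
    done
    printf -- '-A %s -j LOG --log-prefix %s:\n' "$CHAIN" "$CHAIN"
    printf -- '-A %s -j DROP\n' "$CHAIN"
    for proto in udp tcp; do
        printf -- '-I FORWARD -i %s -o %s -p %s --dport 53 -j %s\n' \
            "$LAN_IF" "$WAN_IF" "$proto" "$CHAIN"
        printf -- '-I OUTPUT -o %s -p %s --dport 53 -j %s\n' \
            "$WAN_IF" "$proto" "$CHAIN"
    done
}

# apply_dns_rules: (re)create the chain, then add each jump only if that
# chain does not already have one for the protocol. Needs root and a real
# iptables, i.e. run it on the router, not on a workstation.
apply_dns_rules() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    dns_rules | while read -r rule; do
        case "$rule" in
            "-I "*)
                chain=${rule#-I }; chain=${chain%% *}
                proto=${rule#*-p }; proto=${proto%% *}
                $IPT -S "$chain" | grep -q -- "-p $proto .*-j $CHAIN" && continue
                ;;
        esac
        # word splitting of $rule into separate arguments is intended
        $IPT $rule
    done
}

# Default action is a dry run that prints the rules; set DNSPIN_APPLY=1
# (or call apply_dns_rules from firewall-start) to install them.
if [ "${DNSPIN_APPLY:-0}" = 1 ]; then apply_dns_rules; else dns_rules; fi
```

Two things to check before installing it: the router's own "WAN DNS Server" entries must be in ALLOWED_DNS, or set the router to those addresses and "Connect to DNS Server automatically" to No, otherwise dnsmasq's upstream queries are the first thing the chain drops; and after a firewall restart, `iptables -S DNSPIN` and the DNSPIN: lines in the syslog show whether anything on the LAN is still trying other resolvers.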
 
No, it's the same httpd code as Asus. While I might have fixed a few extra buffer overrun issues, the whole code is still not something I would trust in the open. I recommend using a VPN tunnel for remote management.
That's great, thanks. I'll get the VPN option set up.
 
Sorry, can I just ask on the best VPN to use as I can see PPTP and OpenVPN and would like to set up with the built in VPN on my Android phone. Is there a guide for the best and most secure setup that anyone can suggest at all please?
 
Merlin release 380.69 does pick up the fix, and I'd recommend you update to that release to rule things out. I would do a factory reset and reconfigure manually, make sure you do not have WAN access enabled, and change your router password.
Sorry just before I transition over to Merlin, am I ok to do the factory reset via the router web interface or does it need to be the reset button?
 
Sorry just before I transition over to Merlin, am I ok to do the factory reset via the router web interface or does it need to be the reset button?
The factory reset is done after the new firmware is loaded. My favorite reset method is via the WPS button.
Hold in the WPS button while powering on the router. After about 10 secs the power led will start a 'fast' blink. Release the WPS button and the router will reboot having been reset.
 