Asus RT-AX86U How to stop hackers...Nothing works

[Rick Dean]

I've tried everything but still my 86U is taken over within hours of a hard reset. Appears to me the certificate is being replaced. My passwords are 32 characters generated. It's like an evil spirit has taken over the router. Been thru all the settings and have contacted Asus with little luck. Would Merlin firmware do better? For complete logs check out my Drive link. Your thoughts are much appreciated. Rick from Kansas

Asus AX-86U Logs - Google Drive

drive.google.com

May 5 00:05:07 kernel: klogd started: BusyBox v1.24.1 (2022-12-13 05:13:08 CST)
May 5 00:05:07 kernel: Linux version 4.1.52 (gitserv_asus@bpza001bud) (gcc version 5.5.0 (Buildroot 2017.11.1) ) #2 SMP PREEMPT Tue Dec 13 06:54:38 CST 2022
May 5 00:05:07 kernel: CPU: AArch64 Processor [420f1000] revision 0
May 5 00:05:07 kernel: Kernel command line: root=ubi:rootfs_ubifs ubi.mtd=0 rootfstype=ubifs coherent_pool=4M cpuidle_sysfs_switch pci=pcie_bus_safe rootwait
May 5 00:05:07 kernel: Virtual kernel memory layout:
May 5 00:05:07 kernel: vmalloc : 0xffffff8000000000 - 0xffffffbdffff0000 ( 247 GB)
May 5 00:05:07 kernel: vmemmap : 0xffffffbe00000000 - 0xffffffbfc0000000 ( 7 GB maximum)
May 5 00:05:07 kernel: 0xffffffbe00000000 - 0xffffffbe00e00000 ( 14 MB actual)
May 5 00:05:07 kernel: fixed : 0xffffffbffabfd000 - 0xffffffbffac00000 ( 12 KB)
May 5 00:05:07 kernel: PCI I/O : 0xffffffbffae00000 - 0xffffffbffbe00000 ( 16 MB)
May 5 00:05:07 kernel: modules : 0xffffffbffc000000 - 0xffffffc000000000 ( 64 MB)
May 5 00:05:07 kernel: memory : 0xffffffc000000000 - 0xffffffc040000000 ( 1024 MB)
May 5 00:05:07 kernel: .init : 0xffffffc000736000 - 0xffffffc000770000 ( 232 KB)
May 5 00:05:07 kernel: .text : 0xffffffc000080000 - 0xffffffc0007352b4 ( 6869 KB)
May 5 00:05:07 kernel: .data : 0xffffffc000771000 - 0xffffffc000945540 ( 1874 KB)
)

 

[Tech9]

May 5 is the date before the router gets the time from NTP servers - during the boot process. Nothing is hacked there, but you better remove your shared link with tons of other information facilitating eventual real hacking. There are things there you don't have to or want to share on Internet.

 

[Rick Dean]

May 5 is the date before the router gets the time from NTP servers - during the boot process. Nothing is hacked there, but you better remove your shared link with tons of other information facilitating eventual real hacking. There are things there you don't have to or want to share on Internet.

Thanks. Just removed the link. But I have to ask. Why is Busybox being used that appears for uploading a new certificate? If you'd like I could pm you a private link of my drive link for a better look. Thanks, Rick

 

[ColinTaylor]

What are you experiencing that makes you think you've been hacked? I looked at your latest log file (before you deleted it) and there was nothing unusual there.

The router's operating system is built around busybox.

 

[Rick Dean]

Local network fellow says all our computers and phones are being used as a repository for malicious purposes. Clean the phones and it repopulates via the desktops. The Mspy crap cannot be removed from our S10 phones even after a factory reset. I've tried many times. Rick

 

[Rick Dean]

Phones get hot, obvious clicking when talking on phones and over 60k photos uploaded from my computer. All backed up though. Seems whomever was using my wife's phone to initiate the uploads. I'll send you a link to that log.... Rick

 

[Tech9]

Local network fellow

Ask your local network fellow for help. I see nothing wrong with your router. What's happening to your clients - I don't know. Just minutes ago you have posted online your entire router configuration with files and GUI screenshots. Perhaps you need some safer Internet use advice first. Not trying to offend you, but the best protection is safe practices. No hardware or software can protect you when you don't know well what are you doing online.

 

[Rick Dean]

I've got over a years worth of Google Takeout data. Thanks for looking, Rick

Activities - A list of Google services accessed by.csv

drive.google.com

 

[Rick Dean]

Thanks. Local guy is the Radio Shack manager. Rick

 

[OakleyFreak]

Have you run a capture with Wireshark ?

On the desktop that you suspect malicious activity

 

[Rick Dean]

Not familiar with Wireshark. Is it a software download?

 

[OakleyFreak]

Not familiar with Wireshark. Is it a software download?

Yes.
But it may be to overwhelming at first for you.
No offense intended.
Try downloading it and running it.
It will capture your traffic.
You might be able to pinpoint a source ip of the offending traffic.
Are you running other counter measures ?
Spybot search and Destroy comes to mind.
I would also try running a stand alone Trojan horse detector. Your issue may not be the router ..
Hitman Pro comes to mind for the Trojan horse check.

 

[Tech9]

Local guy is the Radio Shack manager.

If this local guy thinks something is wrong he probably has better ideas what to help you with. I believe he wants you to help him with your Credit Card. Scare tactics are good sign. The file with Google services accessed means nothing. Phones and tablets may automatically upload pictures and videos to corresponding cloud storage and depending on user settings. The same devices may contact preset servers multiple times a day and this is how they work normally. The scare tactics work well and you're saving mostly unrelated to any hacking information. Seems like the Radio Shack manager is winning.

 

[AndreiV]

Overwhelming sense of Déjà vu .......................

 

[Smokey613]

I had no idea Radio Shack was still in business. I used to spend a lot of time in one back in the 70s and 80s.

 

[HWDan]

 

[AndreiV]

The Mspy crap cannot be removed from our S10 phones even after a factory reset. I've tried many times

Mspy is parental control and phone tracking software that you have to install yourself. It isn't malware and can't be on your router.

 

[Rick Dean]

I had no idea Radio Shack was still in business. I used to spend a lot of time in one back in the 70s and 80s.

Back again....hacking still happening.

I had no idea Radio Shack was still in business. I used to spend a lot of time in one back in the 70s and 80s.

Back agin....Hacking still going on. This time with Linux. Any help would be appreciated. Why us this hacker so determined? Photos of yesterday's action. (Files may not be in order)

 

[ColinTaylor]

Back again....hacking still happening.

Back agin....Hacking still going on. This time with Linux. Any help would be appreciated. Why us this hacker so determined? Photos of yesterday's action. (Files may not be in order)

Sorry, but your pictures are very difficult to read. Can you explain what part of that you think is a problem?

I can see that there are some connection attempts from 167.248.133.51. This is from the Censys port scanner. This is perfectly normal because your exposing your router's VPN server to the internet.

 

[Ripshod]

I don't see anything there that could be interpreted as hacking.Standard random internet probes.

Typo corrected******