
AX58U | Flashed to Merlin | Logs are Scary


jz87

New Around Here
Hi,

Very green when it comes to networking so I apologize if this has been answered... I've been looking online extensively and so far, all I've been able to internalize is that the DROP warnings are good/expected/the result of my firewall.

I noticed a few issues with performance after changing to public DNS etc. (post Merlin flash) so I took a look at the system logs thinking I'd know what to do and.... I didn't. I've copied portions out below.

So like I noted, the DROPS are - it seems - good.

But it's this stuff that's giving me the heebie-jeebies (extracted from the below small portion of the log):

May 18 20:38:31 custom_script: Running /jffs/scripts/service-event-end (args: restart logger)
May 18 20:38:47 rc_service: httpd 4189:notify_rc restart_logger
May 18 20:38:47 syslogd exiting
May 18 20:38:47 syslogd started: BusyBox v1.25.1

Similar entries also said something about starting my VPN on its own... which wasn't cool:

May 18 17:40:18 rc_service: httpd 4189:notify_rc start_wgc 1
May 18 17:40:18 kernel: wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
May 18 17:40:18 kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
May 18 17:40:19 WireGuard: Starting client 1.
May 18 17:40:19 custom_script: Running /jffs/scripts/service-event-end (args: start wgc)
May 18 17:40:19 dnsmasq[4489]: read /etc/hosts - 24 names
May 18 17:40:19 dnsmasq[4489]: using nameserver 127.0.1.1#53
May 18 17:40:19 dnsmasq[4489]: using only locally-known addresses for _dns.resolver.arpa
May 18 17:40:19 dnsmasq[4489]: using only locally-known addresses for use-application-dns.net
May 18 17:40:19 dnsmasq[4489]: using nameserver 127.0.1.1#53
May 18 17:40:19 dnsmasq[4489]: using only locally-known addresses for _dns.resolver.arpa
May 18 17:40:19 dnsmasq[4489]: using only locally-known addresses for use-application-dns.net
May 18 17:40:22 rc_service: httpd 4189:notify_rc restart_vpnrouting0
May 18 17:40:22 vpndirector: Routing MTL from 10.0.0.2 to any through wgc1


Oh, and dumb thing I did in case it could cause any issues: tried installing some addons without having installed entware so they all failed... and the AMTM screen says skynet is still there, even after I used the uninstall commands/scripts like I've seen posted.

amtm 3.7 FW by thelonelycoder
RT-AX58U (armv7l) FW-388.2 @ 10.0.0.1
Operation Mode: Wireless router
The Asuswrt-Merlin Terminal Menu
2 open Skynet v7.4.1
vp open VPNMON-R2 v
rt open RTRMON v1.55
i show all available scripts or tools
u check for script updates
amtm options
e exit t theme r reset a about
_____________________________________________
Enter option


Anyways... any insight/help/advice would be appreciated.... legit at the point where I can't even understand the answer if I already stumbled upon it so gonna beg for some grace here.

THANK YOU.



Small portion of log/info below;



UTC 2023 merlin@f4e3563
Bootloader (CFE): 0.1.0.7
Wireless Driver Version: wl0: Feb 16 2023 03:02:51 version 17.10.157.2809 (r801046) f085068
wl1: Feb 16 2023 03:04:25 version 17.10.157.2809 (r801046) f085068 FWID 01-191b00
Features: 11AX 2.4G 5G HTTPS PARENTAL2 WIFI_LOGO account_binding acl96 alexa am_addons amas app appnet bcmhnd bcmwifi betaupg bwdpi cake cfg_sync cfg_wps_btn cloudsync conndiag dhdlog dis11b diskutility dnsfilter dnspriv dnssec dualwan email eula ftp_ssl hdspindown hnd_ax_675x ifttt iperf3 ipsec_srv ipv6 ipv6pt letsencrypt manual_stb mbo media modem movistarTriple mssid mumimo nandflash netool nfsd no_finiwl ntpd ofdma ookla openvpnd pptpd printer proxysta psta pwrctrl realip reboot_schedule repeater rrsut s46 smart_connect ssh stainfo switchctrl tcode timemachine tor update usbX1 usb_bk user_low_rssi usericon utf8_ssid vpnc webdav wifi2017 wifiradar wireguard wl6 wpa3 wrs_wbl
Uptime: 0 days 4 hour(s) 34 minute(s) 24 seconds
Temperatures: 2.4 GHz: 43°C - 5 GHz: 45°C - CPU: 56°C

CPU
CPU Model: BCM675x - Cortex A7 ARMv7 revision 5 (Cores: 3)
CPU Frequency: 1500 MHz
CPU Load Average (1, 5, 15 mins): 0.40, 0.48, 0.51

Memory
Total: 500.18 MB
Free: 152.17 MB
Buffers: 11.77 MB
Cache: 40.04 MB
Swap: No swap configured

Internal Storage
NVRAM usage: 71121 / 131072 bytes
JFFS: 2.65 / 47.00 MB
 
If you don't understand what you're seeing I suggest you do a hard factory reset and configure your router again, this time without installing any addon scripts or changing options you don't understand. Once you're sure everything is working correctly then think about what it is you want to change or add. Don't just change or add things "just because you can". Just my 2 cents.
 
Certainly hard reset to give yourself peace of mind. Until then, it sounds like the partial uninstall of Skynet left firewall logging enabled (it’s usually off). Go to the Firewall page and set “Logged packets type” to None and apply.
 
If you don't understand what you're seeing I suggest you do a hard factory reset and configure your router again, this time without installing any addon scripts or changing options you don't understand. Once you're sure everything is working correctly then think about what it is you want to change or add. Don't just change or add things "just because you can". Just my 2 cents.

Thanks for the reply but it seems I may have overplayed my lack of understanding and that you might have focused on that a bit too much. I was employing a touch of hyperbole there. I more meant to say that this is my first real brush with modded firmware in the networking/security space... so jargon is mainly a bit lost on me.
 
Certainly hard reset to give yourself peace of mind. Until then, it sounds like the partial uninstall of Skynet left firewall logging enabled (it’s usually off). Go to the Firewall page and set “Logged packets type” to None and apply.

Thank you! Gonna try to do that now... but first, if you have time:

Honestly, I'd get the same peace of mind from a hard reset that I'd get if someone with more experience than me here tells me that they don't think it's necessary...

Originally, my plan was to hit the "reformat jffs on next reboot" button and reflash the router with merlin (idea being to get rid of any addons before I really knew what I was doing, and then start again, slower).

But I started seeing a lot of ppl warning against 'formatting' the jffs partition, and I saw in the change log that the "service-event-end" was a feature not a problem.

Anyways, all that to say: what would you do with this same info - cuz generally, it's working pretty well.
 
Thank you! Gonna try to do that now... but first, if you have time:

Honestly, I'd get the same peace of mind from a hard reset that I'd get if someone with more experience than me here tells me that they don't think it's necessary...

Originally, my plan was to hit the "reformat jffs on next reboot" button and reflash the router with merlin (idea being to get rid of any addons before I really knew what I was doing, and then start again, slower).

But I started seeing a lot of ppl warning against 'formatting' the jffs partition, and I saw in the change log that the "service-event-end" was a feature not a problem.

Anyways, all that to say: what would you do with this same info - cuz generally, it's working pretty well.

I think up until a couple days ago many would say don't worry about it. But there have been some issues recently with malware and/or a buggy release from Asus causing issues.

Even if not malware or anything else buggy, just uninstalling 3rd party addons leaves crap behind, and to be honest, when you flash 3rd party firmware, you should WPS factory reset (preferably before and after, but since the install went fine, after is enough obviously) and reconfigure by hand regardless.
 
Certainly hard reset to give yourself peace of mind. Until then, it sounds like the partial uninstall of Skynet left firewall logging enabled (it’s usually off). Go to the Firewall page and set “Logged packets type” to None and apply.

Ummm, so ok, you nailed it in two seconds. Logs are quiet and clear now.... wow. Thank you.
 
I think up until a couple days ago many would say don't worry about it. But there have been some issues recently with malware and/or a buggy release from Asus causing issues.

Even if not malware or anything else buggy, just uninstalling 3rd party addons leaves crap behind, and to be honest, when you flash 3rd party firmware, you should WPS factory reset (preferably before and after, but since the install went fine, after is enough obviously) and reconfigure by hand regardless.

Ouf... Ok, so I guess I may as well..but I think I might ride this wave for a few more days while I read up on best practices...kinda just want to find someone who specializes in this and pay them to go through it and set it up with (for? ...no no with, definitely with) me.
 
A lot of the logs you’ve highlighted are a result of pushing a button in the GUI.

If you want to disable addons you can disable “JFFS scripts and custom configs” on the System page.

If you’ve configured Wireguard and DNS Privacy, I wouldn’t worry too much. See which script is using service-event-end.
Code:
cat /jffs/scripts/service-event-end
ls -l /jffs/scripts
cat /jffs/scripts/firewall-start
You can clean up remnants of Skynet in firewall-start if present.
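
The `rc_service` lines quoted in this thread name the process that asked for each service event, which is how the reply above attributes them to GUI actions. The following is an added example, not part of any post here, that splits those lines into caller, PID and event; it assumes `httpd` is the router's web interface process, and the `watchdog 999` line is constructed for contrast.

```shell
#!/bin/sh
# Added example: show which process requested each rc_service event.
# Assumed line layout (as in the excerpts quoted in this thread):
#   <Mon> <day> <time> rc_service: <caller> <pid>:notify_rc <event...>

# Constructed sample: lines copied from the thread plus one made-up
# non-GUI caller ("watchdog 999") to show the contrast.
sample_log() {
cat <<'EOF'
May 18 17:40:18 rc_service: httpd 4189:notify_rc start_wgc 1
May 18 17:40:19 WireGuard: Starting client 1.
May 18 17:40:22 rc_service: httpd 4189:notify_rc restart_vpnrouting0
May 18 20:38:47 rc_service: httpd 4189:notify_rc restart_logger
May 18 20:39:02 rc_service: watchdog 999:notify_rc restart_dnsmasq
EOF
}

# Print "time caller pid event" for every rc_service line on stdin.
rc_events() {
    awk '$4 == "rc_service:" {
        split($6, a, ":")              # "4189:notify_rc" -> pid, verb
        if (a[2] != "notify_rc") next  # ignore lines in any other layout
        ev = $7
        for (i = 8; i <= NF; i++) ev = ev " " $i
        print $3, $5, a[1], ev
    }'
}

# Events requested by the web interface process (assumed to be httpd).
gui_events() { rc_events | awk '$2 == "httpd"'; }

# Events requested by any other caller, i.e. not started from the web UI.
other_events() { rc_events | awk '$2 != "httpd"'; }

echo "Requested from the web UI:"
sample_log | gui_events
echo "Requested by other callers:"
sample_log | other_events
```

On the router the same functions can read the live log, for example `gui_events < /tmp/syslog.log`, where the log path is an assumption about the firmware.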
 
Ouf... Ok, so I guess I may as well..but I think I might ride this wave for a few more days while I read up on best practices...kinda just want to find someone who specializes in this and pay them to go through it and set it up with (for? ...no no with, definitely with) me.

If you don't need 3rd party addons, scripts, etc, setting it up from a full reset is pretty simple. Let's hope you're not riding the wave of an infected router (with a lot of logging now disabled and possibly masking it).
 
If you’ve configured Wireguard and DNS Privacy, I wouldn’t worry too much. See which script is using service-event-end.
Code:
cat /jffs/scripts/service-event-end
ls -l /jffs/scripts
cat /jffs/scripts/firewall-start
You can clean up remnants of Skynet in firewall-start if present.

Update:

cat /jffs/scripts/service-event-end
Result:

#!/bin/sh

ls -l /jffs/scripts
Result:

-rwxrwxrwx 1 Username root 224167 May 18 05:53 firewall
-rwxr-xr-x 1 Username root 158906 May 18 06:10 rtrmon.sh
-rwxr-xr-x 1 Username root 10 May 17 15:31 service-event-end
-rwxr-xr-x 1 Username root 14 May 18 06:14 vpnmon-r2.sh

cat /jffs/scripts/firewall-start
Result:

cat: can't open '/jffs/scripts/firewall-start': No such file or directory



Then I got cocky and went rogue, and typed in: cat /jffs/scripts/firewall

Result: (code was loooong, is this the whole installer or something?... after this copy paste dump, I added a bit more about what happened next)

#!/bin/sh

# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS #
# 14/05/2023 - v7.4.1 #
#############################################################################################################


export PATH="/sbin:/bin:/usr/sbin:/usr/bin:$PATH"
printf '\033[?7l'
clear
sed -n '2,14p' "$0"
export LC_ALL=C
mkdir -p /tmp/skynet/lists
mkdir -p /jffs/addons/shared-whitelists

ntptimer="0"
while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ] && ! echo "$1" | grep -qE "(uninstall|disable)"; do
    ntptimer="$((ntptimer + 1))"
    if [ "$ntptimer" = "60" ]; then echo; logger -st Skynet "[*] Waiting For NTP To Sync"; fi
    sleep 1
done
if [ "$ntptimer" -ge "300" ]; then logger -st Skynet "[*] NTP Failed To Start After 5 Minutes - Please Fix Immediately!"; echo; exit 1; fi

skynetloc="$(grep -ow "skynetloc=.* # Skynet" /jffs/scripts/firewall-start 2>/dev/null | grep -vE "^#" | awk '{print $1}' | cut -c 11-)"
skynetcfg="${skynetloc}/skynet.cfg"
skynetlog="${skynetloc}/skynet.log"
skynetevents="${skynetloc}/events.log"
skynetipset="${skynetloc}/skynet.ipset"
stime="$(date +%s)"

if [ -z "${skynetloc}" ] && tty >/dev/null 2>&1; then
    set "install"
fi

###############
#- Functions -#
###############

Kill_Lock() {
    if [ -f "/tmp/skynet.lock" ] && [ -d "/proc/$(sed -n '2p' /tmp/skynet.lock)" ]; then
        logger -st Skynet "[*] Killing Locked Processes ($(sed -n '1p' /tmp/skynet.lock)) (pid=$(sed -n '2p' /tmp/skynet.lock))"
        logger -st Skynet "[*] $(ps | awk -v pid="$(sed -n '2p' /tmp/skynet.lock)" '$1 == pid')"
        kill "$(sed -n '2p' /tmp/skynet.lock)"
        rm -rf /tmp/skynet.lock
        echo
    fi
}

Check_Lock() {
    if [ -f "/tmp/skynet.lock" ] && [ -d "/proc/$(sed -n '2p' /tmp/skynet.lock)" ] && [ "$(sed -n '2p' /tmp/skynet.lock)" != "$$" ]; then
        if [ "$(($(date +%s) - $(sed -n '3p' /tmp/skynet.lock)))" -gt "1800" ]; then
            Kill_Lock
        else
            logger -st Skynet "[*] Lock File Detected ($(sed -n '1p' /tmp/skynet.lock)) (pid=$(sed -n '2p' /tmp/skynet.lock)) - Exiting (cpid=$$)"
            echo; exit 1
        fi
    fi
    echo "$@" > /tmp/skynet.lock
    echo "$$" >> /tmp/skynet.lock
    date +%s >> /tmp/skynet.lock
    lockskynet="true"
}

if [ ! -d "${skynetloc}" ] && ! echo "$@" | grep -wqE "(install|uninstall|disable|update|restart|info)"; then
    Check_Lock "$@"
    usbtest="0"
    if [ -z "${skynetloc}" ]; then usbtest="10"; fi
    while [ ! -d "${skynetloc}" ] && [ "$usbtest" -le "10" ]; do
        usbtest="$((usbtest + 1))"
        logger -st Skynet "[*] USB Not Found - Sleeping For 10 Seconds ( Attempt $usbtest Of 10 )"
        sleep 10
    done
    if [ ! -d "${skynetloc}" ] || [ ! -w "${skynetloc}" ]; then
        logger -st Skynet "[*] Problem

.......

That whole thing finally ended in this:


Installing Skynet v7.4.1

Looking For Available Partitions
[*] No Compatible ext* USB Partitions Found - Exiting!




This portion of the above massive code thing looked potentially instructive?

uninstall)
    echo "If You Were Experiencing Issues, Try Update Or Visit SNBForums/Github For Support"
    echo
    while true; do
        echo "[!] Warning - This Will Delete All Files In The Skynet Directory"
        echo "Are You Sure You Want To Uninstall?"
        echo
        echo "[1] --> Yes"
        echo "[2] --> No"
        echo
        echo "Please Select Option"
        printf "[1-2]: "
        read -r "continue"
        echo
        case "$continue" in
            1)
                if grep -qE "^swapon .* # Skynet" /jffs/scripts/post-mount; then
                    while true; do
                        echo "Would You Like To Remove Skynet Generated Swap File?"
                        echo "[1] --> Yes"
                        echo "[2] --> No"
                        echo
                        echo "Please Select Option"
                        printf "[1-2]: "
                        read -r "removeswap"
                        echo
                        case "$removeswap" in
                            1)
                                echo " Removing Skynet Generated SWAP File"
                                sed -i '\~ Skynet ~d' /jffs/scripts/post-mount /jffs/scripts/unmount
                                sync; echo 3 > /proc/sys/vm/drop_caches
                                swapoff -a
                                rm -rf "$swaplocation"
                                break
                            ;;
                            2)
                                break
                            ;;
                            e|exit)
                                echo "[*] Exiting!"
                                echo; exit 0
                            ;;
                            *)
                                echo "[*] $removeswap Isn't An Option!"
                                echo
                            ;;
                        esac
                    done
                fi
                echo " Unloading Skynet Components"
                Purge_Logs "all"
                Unload_Cron "all"
                Kill_Lock
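
The `ls -l` listing in the post above shows a world-writable `firewall` script and a `service-event-end` that holds only a shebang, and the Skynet code marks the lines it adds to hook scripts with a trailing `# Skynet`. The following is an added example, not from the thread or the Skynet project, that reports those three conditions for a scripts directory; the sample directory, the `firewall-start` line and its `skynetloc` path are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Skynet): report leftovers in a
# router scripts directory. Usage: audit_scripts DIR [TAG]; TAG defaults to
# "Skynet", the trailing comment marker the script above greps for.
audit_scripts() {
    dir="$1"; tag="${2:-Skynet}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        # The others-write bit is the 9th character of the ls -l mode string.
        if [ "$(ls -ld "$f" | cut -c9)" = "w" ]; then
            echo "WORLD-WRITABLE $name"
        fi
        # No line other than blanks, comments or the shebang: hook does nothing.
        if ! grep -qvE '^[[:space:]]*(#|$)' "$f"; then
            echo "EMPTY-HOOK $name"
        fi
        # Lines an addon appended to a hook, marked with a trailing "# TAG".
        grep -nE "#[[:space:]]*${tag}([[:space:]]|\$)" "$f" |
            while IFS= read -r hit; do echo "TAGGED $name:$hit"; done
    done
}

# Constructed sample directory mirroring the listing above; the firewall-start
# line and its skynetloc path are made up to fit the pattern the script greps.
make_sample_dir() {
    d="$(mktemp -d)"
    printf '#!/bin/sh\n' > "$d/service-event-end"
    printf '#!/bin/sh\necho placeholder\n' > "$d/firewall"
    printf '#!/bin/sh\nsh /jffs/scripts/firewall start skynetloc=/tmp/mnt/usb/skynet # Skynet\n' \
        > "$d/firewall-start"
    chmod 755 "$d/service-event-end" "$d/firewall-start"
    chmod 777 "$d/firewall"
    echo "$d"
}

sample="$(make_sample_dir)"
audit_scripts "$sample"
rm -rf "$sample"
```

On the router this would be run as `audit_scripts /jffs/scripts`; a `TAGGED` line is a candidate for manual removal from that hook, and a `WORLD-WRITABLE` script can be tightened with `chmod 755`.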
 
If you don't need 3rd party addons, scripts, etc, setting it up from a full reset is pretty simple. Let's hope you're not riding the wave of an infected router (with a lot of logging now disabled and possibly masking it).

Well thank you for that anxiety inducing note lol. Ok... picking up what you're putting down... gonna move on the reset sooner rather than later... Is there anything in particular I should know? Any special order/procedure I should follow? Any reason I need to think about the jffs or it just gets wiped?

Thanks again!
 
If you don't need 3rd party addons, scripts, etc, setting it up from a full reset is pretty simple. Let's hope you're not riding the wave of an infected router (with a lot of logging now disabled and possibly masking it).

Re third party apps, the whole reason I even started down this road was to beef up on DNS security etc, mainly with this:


I got an error message at the end of the install, but then before I could copy and paste it, it disappeared and things seemed to be working...
 
Re third party apps, the whole reason I even started down this road was to beef up on DNS security etc, mainly with this:


I got an error message at the end of the install, but then before I could copy and paste it, it disappeared and things seemed to be working...

DNS encryption is somewhat useless to be honest. If you're afraid your ISP is collecting data on you, they can just look at what IP you go to after you do your DNS lookup. If you want it, configuring DoT via the GUI is easy to do and doesn't rely on some random person's script.

As far as the reset, if you're sticking with the same firmware you just hold down the WPS button and that also formats JFFS.

The paranoid version would be:
WPS factory reset
Configure just enough to get in
Load the firmware you want (even if the same one) from a fresh download from official site. Don't use android app or anything, just a trusted PC
Reboot, let the CPUs settle down to around 0
WPS factory reset again
Configure enough to get in
Let CPUs settle (should be quick this time)
If using merlin, go in and check off "format jffs at next boot", hit apply, reboot
Configure all your settings by hand

Either way, be picky with what addons/scripts you install. If you don't have a real need for it, or it is something that can be done via the GUI, don't use it.
 
