Extreme Hack That Got Much Worse After Reflashing

[CornfieldWin]

Frankly, I never seen anything like this, but the vulnerability was my fault.

My router now runs a corrupted version of Merlin 3006.102.5 on AX88U Pro connected via Spectrum provided copper cable modem symmetric at 600Mb.

My Guest Portal SSID was left open unprotected after initial experimentation for at least 3 months (personal negligence, plead guilty). Upon discovery yesterday that the router had been exposing a neighborhood WIFI candy store, an access code was created whereupon the system immediately crashed. Internet connection (via unbound) was permanently lost. Two flash and restore with SHA256 verified Asuswrt-Merlin downloads brought up a deeply corrupted version that appears could almost be a prior version due to missing features but was restored with the original Asuswrt-Merlin download and a second fresh one. Most critically, Backmon which had worked previously now fails by reporting tar file corruption. Oddly, there was no Internet connection until unbound was (re) installed.

The UI appears to be a throwback: Guest Pro in particular is different than before initial restoration. Entire Guest Pro options like vlan bridging is gone. Entware email fails to test, although working perfectly before. Internal dnsmasq.conf and dnsmas1-[n].conf files are incomplete and 2 missing vlan config files, and YazDHCP failed to update dnsmasq.conf.add or dnsmasq.conf. Most importantly, dv-vnstat installed a week ago shows unexpected outbound traffic dropped dramatically overnight, which was a prior clue to be investigated (dv-nstat was not yet a trusted tool) and Skynet or Diversion reported unusual traffic from Bulgaria also tbi. I have idea yet what other damage may have been done to my extensive IOT devices, streaming media devices, etc. The level of sophistication to pull this off is staggering and reveals deep knowledge of ASUS boot firmware and Asuswert-Merlin system software (aka as router firmware), this is not an everyday hack. It is doubtful that the immediate neighbors have the sophistication, semi-rural WNY is no tech haven, but compromise on any nearby WIFI enabled system might have also found my vulnerability very quickly.


I post this as a warning there may be a sophisticated bot net and persistent malware threat out there targeting ASUS-Merlinwrt (or I may have piled bonehead mistake upon bonehead mistake but I don't see where past the glaringly open access). I seek input before taking further action to report such a serious incident.

 

[ColinTaylor]

There is not enough information in your post to identify a specific problem or vulnerability. There are indeed numerous malware/bots that target Asus routers (not specifically asuswrt-merlin), as there are for other manufacturers. Given the extensive customisations you've described in other threads it's not clear whether the core problem is with the firmware itself or the addon scripts and customisations your setup relies upon. Your issues could easily be caused by corruption of the contents of the attached USB drive.

I would start by removing any USB drives and performing a hard factory reset. Then proceed to configure a basic setup (without JFFS scripts and configs enabled) and see if that looks normal.

[Wireless Router] ASUS router Hard Factory Reset - Method 2 | Official Support | ASUS Global

N.B. If you really think this is a vulnerability in the firmware (beyond your own exposure of the router to the public) then you'd need to take a backup of the entire router (not just its config) before doing the factory reset. Otherwise any potential evidence of a hack will be lost.

 

[Ripshod]

I would immediately try flashing fresh firmware using the recovery method with latest asus firmware. I believe that would remove anything malignant.

RT-AX88U Pro - Support

www.asus.com

Strictly my own opinion

 

[OzarkEdge]

I post this as a warning there may be a sophisticated bot net and persistent malware threat out there targeting ASUS-Merlinwrt (or I may have piled bonehead mistake upon bonehead mistake but I don't see where past the glaringly open access). I seek input before taking further action to report such a serious incident.

When and how did you detect this hack issue? Maybe it is unrelated to your open WiFi that may not extend far enough to reach any threat at your location. Maybe it is instead related to your post here that sounds like you may have been fooled by malvertising. But given open WiFi, it is hard to know now where the threat originated from unless you can correlate time and events.

If you can install healthy firmware, be sure to Hard Reset it first before configuring from scratch.

FW Reset FAQ

Reset button/webUI Restore/node removal clears settings in NVRAM; reboot restores fw defaults from CFE

Hard Reset via WPS button/webUI Restore+Initialize also clears data logged in /jffs partition

OE

 

[CornfieldWin]

There is not enough information in your post to identify a specific problem or vulnerability. There are indeed numerous malware/bots that target Asus routers (not specifically asuswrt-merlin), as there are for other manufacturers. Given the extensive customisations you've described in other threads it's not clear whether the core problem is with the firmware itself or the addon scripts and customisations your setup relies upon. Your issues could easily be caused by corruption of the contents of the attached USB drive.

I would start by removing any USB drives and performing a hard factory reset. Then proceed to configure a basic setup (without JFFS scripts and configs enabled) and see if that looks normal.

[Wireless Router] ASUS router Hard Factory Reset - Method 2 | Official Support | ASUS Global

N.B. If you really think this is a vulnerability in the firmware (beyond your own exposure of the router to the public) then you'd need to take a backup of the entire router (not just its config) before doing the factory reset. Otherwise any potential evidence of a hack will be lost.

Fair enough, TP-link almost got itself banned. Went to asuswrt-Merlin because of a more aggressive update cycle than from ASUS. No claim of definitive causes. The problems including no Internet access appear immediately after a clean refresh with no entware and persist after USB removal, reformat and swap file recreation. Obviously this is a persistent rootkit, good enough to evade factory reset. Likely, the initial root kit did not destabilize Merlin by much, but the persistent part does, possibly designed for an earlier version. The incomplete Guest Pro options is a possible clue. BackMon supposedly does preserve whole images (if the rootkit allows it) and hopefully the files are intact with the tar error being a rootkit ruse. A really clever rootkit would keep itself out of restore files as unnecessary. If you want them, you can have them. Backmon restore did work three days ago but not now. Last step, will reflash back to Asuswrt and look around. For now, is there a way to do a clean sweep of NAND/NOR memory removing all rootkit hooks to do a total restore that does not rely on what is already there like an independent USB or serial boot loader?

 

[ColinTaylor]

It is unclear whether you followed the recommendations above to perform a hard factory reset and running your router without a USB drive plugged in.

If you did then to flash a completely fresh image of the firmware to the NAND you would use the "Rescue Mode" alluded to in post #3.

[Wireless Router] How to use Rescue Mode (Firmware Restoration)? | Official Support | ASUS Global

 

[bennor]

... an access code was created whereupon the system immediately crashed.

Access code to what? The router? The Guest Network Pro profile Guest Portal? Or something else? How exactly did you create the "access code" on the GUI or via SSH?

I post this as a warning there may be a sophisticated bot net and persistent malware threat out there targeting ASUS-Merlinwrt (or I may have piled bonehead mistake upon bonehead mistake but I don't see where past the glaringly open access).

Based on your many recent posts, including the various scripts you have indicated you were running (including Unbound) in other posts, it is more likely you introduced a script or modified a setting or left the WiFi unsecured, and which lead to either being hacked or more likely a corrupted firmware. There is a specific malware attack recently (see this link) but the latest Asus and Asus-Merlin firmware address the vulnerabilities that were discovered from that attack. There are unsupported addon scripts that won't operate properly on Asus-Merlin 3006.102.x firmware. Installing one or more of those unsupported scripts may introduce issues. At least one addon script (scMerlin if I remember right) will modify the router GUI layout. It is possible an incomplete removal of scMerlin is interfering with the router GUI.

Do what others have suggested:
Disconnect the USB hard drive.
Disconnect all other network clients but one single wired computer connected direct to the router (don't use an extender or the like).
Download the very latest Asus firmware to the computer.
Perform a hard factory reset on the router.
Perform the router Quick Internet Setup (QiS) just enough to gain access to the GUI. DO NOT flash/import a previously saved router.cfg file.
Flash the very latest Asus firmware to the router and then reboot the router.
Perform another hard factory reset on the router.
Once again perform a basic QiS setup just enough to gain access to the GUI. DO NOT connect the USB drive to the router. If you choose to flash Asus-Merlin firmware DO NOT install any addon scripts. DO NOT flash/import a previously saved router.cfg file.
Verify the router is working properly at its most basic reset configuration without any user modifications and without attaching a USB drive to the router.
Only then, after verifying its working properly, should you proceed to modifying the router manually to suit your use case by connecting a USB drive, or installing Addon scripts in Asus-Merlin firmware. Checking along the way to ensure those changes are not causing problems. DO NOT flash/import a previously saved router.cfg file.

If you choose to use the Asus firmware recovery tool, make sure to follow it's steps exactly using the latest stock Asus firmware.

[Wireless Router] How to use Rescue Mode (Firmware Restoration)? | Official Support | ASUS Global

 

[CornfieldWin]

When and how did you detect this hack issue? Maybe it is unrelated to your open WiFi that may not extend far enough to reach any threat at your location. Maybe it is instead related to your post here that sounds like you may have been fooled by malvertising. But given open WiFi, it is hard to know now where the threat originated from unless you can correlate time and events.

If you can install healthy firmware, be sure to Hard Reset it first before configuring from scratch.

FW Reset FAQ

Reset button/webUI Restore/node removal clears settings in NVRAM; reboot restores fw defaults from CFE

Hard Reset via WPS button/webUI Restore+Initialize also clears data logged in /jffs partition

OE

As reported, yesterday night when I stumbled upon the open Guest Pro Portal configuration. I immediately established an access code. A blamo, down she goes. At first thought Merlin and addons blew up or maybe the USB swap file corrupted. When that was ruled out, I refreshed only to find a damaged and corrupted Merlin GUI plus bizzare entware behavior, at first blaming it until that no long made sense after repeated uninstalling, reinstalling, and configuring. This being classic and persistent rootkit behavior by definition occurred this morning. This kind of pervasive and persistent behavior at the base level does not likely come from a few odd configuration files being off in stable software of the quality of Asuswrt-merlin and entware. The system has been had, persistently at a very low level.

 

[OzarkEdge]

As reported, yesterday night when I stumbled upon the open Guest Pro Portal configuration. I immediately established an access code. A blamo, down she goes. At first thought Merlin and addons blew up or maybe the USB swap file corrupted. When that was ruled out, I refreshed only to find a damaged and corrupted Merlin GUI plus bizzare entware behavior, at first blaming it until that no long made sense after repeated uninstalling, reinstalling, and configuring. This being classic and persistent rootkit behavior by definition occurred this morning. This kind of pervasive and persistent behavior at the base level does not likely come from a few odd configuration files being off in stable software of the quality of Asuswrt-merlin and entware. The system has been had, persistently at a very low level.

So, you don't think your malvertising-sounding post has anything to do with this hack? Who did you pay $5 to for SNBForums tech consulting?

OE

 

[CornfieldWin]

As reported, yesterday night when I stumbled upon the open Guest Pro Portal configuration. I immediately established an access code. A blamo, down she goes. At first thought Merlin and addons blew up or maybe the USB swap file corrupted. When that was ruled out, I refreshed only to find a damaged and corrupted Merlin GUI plus bizzare entware behavior, at first blaming it until that no long made sense after repeated uninstalling, reinstalling, and configuring. This being classic and persistent rootkit behavior by definition occurred this morning. This kind of pervasive and persistent behavior at the base level does not likely come from a few odd configuration files being off in stable software of the quality of Asuswrt-merlin and entware. The system has been had, persistently at a very low level.

Access code to what? The router? The Guest Network Pro profile Guest Portal? Or something else? How exactly did you create the "access code" on the GUI or via SSH?

Based on your many recent posts, including the various scripts you have indicated you were running (including Unbound) in other posts, it is more likely you introduced a script or modified a setting or left the WiFi unsecured, and which lead to either being hacked or more likely a corrupted firmware. There is a specific malware attack recently (see this link) but the latest Asus and Asus-Merlin firmware address the vulnerabilities that were discovered from that attack. There are unsupported addon scripts that won't operate properly on Asus-Merlin 3006.102.x firmware. Installing one or more of those unsupported scripts may introduce issues. At least one addon script (scMerlin if I remember right) will modify the router GUI layout. It is possible an incomplete removal of scMerlin is interfering with the router GUI.

Do what others have suggested:
Disconnect the USB hard drive.
Disconnect all other network clients but one single wired computer connected direct to the router (don't use an extender or the like).
Download the very latest Asus firmware to the computer.
Perform a hard factory reset on the router.
Perform the router Quick Internet Setup (QiS) just enough to gain access to the GUI. DO NOT flash/import a previously saved router.cfg file.
Flash the very latest Asus firmware to the router and then reboot the router.
Perform another hard factory reset on the router.
Once again perform a basic QiS setup just enough to gain access to the GUI. DO NOT connect the USB drive to the router. If you choose to flash Asus-Merlin firmware DO NOT install any addon scripts. DO NOT flash/import a previously saved router.cfg file.
Verify the router is working properly at its most basic reset configuration without any user modifications and without attaching a USB drive to the router.
Only then, after verifying its working properly, should you proceed to modifying the router manually to suit your use case by connecting a USB drive, or installing Addon scripts in Asus-Merlin firmware. Checking along the way to ensure those changes are not causing problems. DO NOT flash/import a previously saved router.cfg file.

If you choose to use the Asus firmware recovery tool, make sure to follow it's steps exactly using the latest stock Asus firmware.

[Wireless Router] How to use Rescue Mode (Firmware Restoration)? | Official Support | ASUS Global

Thank you, will follow the exact instructions. The majority of addons modify the Merlin Gui or add a whole new .asp page. I have done everything except the ASUS update with a new asuswrt download and will now do that. I never use any quick set up, I did everything with minimal manual setup because I dislike opaque wizards as much as hallucinating AI. On reflash I did not use any form of config or backup file before trying Backmon under Merlin which I actually loaded initially by itself. I will try the asuswrt refresh but strongly suspect that the rootkit lives far below it somewhere in nvram which means below the Linux kernel. We'll see. P.S. At the time of the initial crash I was tracing config files solely with more or less (used interchangeable) with zero modifications to any of them.

 

[dave14305]

I don’t think this guy can be helped. He’s already got it all figured out before he even asks for help.

 

[CornfieldWin]

Thank for your perspective. Perhaps your can point to the configuration error to resolve the entire issue or share why the kernel could not be involved with such certainty. Constructive contribution always appreciated to converge on answers to difficult questions that may not be complete at the start.

 

[dave14305]

Thank for your perspective. Perhaps your can point to the configuration error to resolve the entire issue or share why the kernel could not be involved with such certainty. Constructive contribution always appreciated to converge on answers to difficult questions that may not be complete at the start.

In the absence of any evidence from the router (system logs, mount output, ps output), the most likely explanation is that the PC you are working from is infected from your $5 ad-click and interfering with the GUI page loading. Anything is possible however.

Factory restore the firmware while disconnected from the internet, setup from scratch, avoid any of your prior backups and see if the device behaves. Post screenshots to accompany your reports. Pictures are worth a lot more to understand what you are trying to say.

 

[CornfieldWin]

Thank for your perspective. Perhaps your can point to the configuration error to resolve the entire issue or share why the kernel could not be involved with such certainty. Constructive contribution always appreciated.

I would immediately try flashing fresh firmware using the recovery method with latest asus firmware. I believe that would remove anything malignant.

https://www.asus.com/supportonly/rt-ax88u pro/helpdesk_dow

http://

In the absence of any evidence from the router (system logs, mount output, ps output), the most likely explanation is that the PC you are working from is infected from your $5 ad-click and interfering with the GUI page loading. Anything is possible however.

Factory restore the firmware while disconnected from the internet, setup from scratch, avoid any of your prior backups and see if the device behaves. Post screenshots to accompany your reports. Pictures are worth a lot more to understand what you are trying to say.

How's that? Bare metal, no usb. No third party asuswrt-Merlin, no entware, just the latest verified asuswrt March release.

--------

History:
ASUS RT-AX88U Pro Firmware version 3.0.0.6.102_33352
Version 3.0.0.6.102_33352
67.93 MB
2025/03/19
SHA-256 ：12073EB924C6034843ADB05BBABF9F20D78A66955CBF62750AD68A8E7536D648
1. Fixed the UI issue in Chrome.
2. Fixed client binding issues in Mesh scenarios.
3. Enhanced input parameter handling techniques to improve data processing stability and system security.
4. Enhance system access control mechanisms.
From <https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax88u-pro/helpdesk_bios/?model2Name=RT-AX88U-Pr

C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt>certutil -hashfile "C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt\FW_RT_AX88U_PRO_300610233352 (1).zip" sha256
SHA256 hash of C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt\FW_RT_AX88U_PRO_300610233352 (1).zip:
12073eb924c6034843adb05bbabf9f20d78a66955cbf62750ad68a8e7536d648
CertUtil: -hashfile command completed successfully.
--------
Let's take another look to troubleshoot. Note that previously configured two SSIDs are still current. What does that tell us? We now know at least and no more that the nrvam (NAND/NOR) rewritable physical memory on the SOS chip has not cleared out properly. We also know that modern routers don't use PROMs and that all "factory resets" are just reboots of what last loaded into the nvram with the latest file or OTA upgrade. All the "hard reset" does is clear out configuration parameters (they are not hard resets at all in the traditional sense) as clearly seen here to be in error. What COULD CREDIBLY explain this: tampering with the nvram interrupt loop, tampering with however that interacts with the kernels innermost scheduler loop, tampering with machine instructions that remap memory and/or modify permission effecting kernel and or userland behavior. Configuration file, syslogs, and like are a thousand miles after that. I ask again if there is a known way to clear the nram completely and reload as "system reset" is just a suggestion to the already massively loaded and possibly tampered machine code. We need to get the boot loader, whatever the equivalent, to step in or just consider the rooter to be bricked.

 

[bennor]

I will try the asuswrt refresh but strongly suspect that the rootkit lives far below it somewhere in nvram which means below the Linux kernel.

So far you have posted zero evidence of a router based root kit. No system logs, no screen capture, no router based information dump of any kind that would indicate the router being compromised or infected.

Perform the hard reset steps indicated above after flashing the latest Asus firmware.

On a side note, I assume you have scanned all your other router connected computers and devices for malware/root kits if you feel your router was infected somehow. If not, you should scan the PC first for any malware or rootkits.

PS: And make sure to temporarily disable any web browser addons, security software browser addins, and try different web browsers if the router GUI isn't being displayed properly.

 

[dave14305]

How's that? Bare metal, no usb. No third party asuswrt-Merlin, no entware, just the latest verified asuswrt March release.

In the browser, open the F12 developer tools and monitor the console tab while refreshing the page. There’s a lot of potential problems with Chrome and the router’s httpd daemon when using https. Try http for comparison.

 

[CornfieldWin]

http://

How's that? Bare metal, no usb. No third party asuswrt-Merlin, no entware, just the latest verified asuswrt March release.

--------

History:
ASUS RT-AX88U Pro Firmware version 3.0.0.6.102_33352
Version 3.0.0.6.102_33352
67.93 MB
2025/03/19
SHA-256 ：12073EB924C6034843ADB05BBABF9F20D78A66955CBF62750AD68A8E7536D648
1. Fixed the UI issue in Chrome.
2. Fixed client binding issues in Mesh scenarios.
3. Enhanced input parameter handling techniques to improve data processing stability and system security.
4. Enhance system access control mechanisms.
From <https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax88u-pro/helpdesk_bios/?model2Name=RT-AX88U-Pr

C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt>certutil -hashfile "C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt\FW_RT_AX88U_PRO_300610233352 (1).zip" sha256
SHA256 hash of C:\Users\rjduw\Downloads\ASUS\AX88U PRO\Asuswrt\FW_RT_AX88U_PRO_300610233352 (1).zip:
12073eb924c6034843adb05bbabf9f20d78a66955cbf62750ad68a8e7536d648
CertUtil: -hashfile command completed successfully.
--------
Let's take another look to troubleshoot. Note that previously configured two SSIDs are still current. What does that tell us? We now know at least and no more that the nrvam (NAND/NOR) rewritable physical memory on the SOS chip has not cleared out properly. We also know that modern routers don't use PROMs and that all "factory resets" are just reboots of what last loaded into the nvram with the latest file or OTA upgrade. All the "hard reset" does is clear out configuration parameters (they are not hard resets at all in the traditional sense) as clearly seen here to be in error. What could does explain this: tampering with the nvram interrupt loop, tampering with however that interacts with the kernels innermost scheduler loop, tampering with machine instructions that remap memory and/or modify permission effecting kernel and or userland behavior. Configuration file, syslogs, and like are a thousand miles after that. I ask again if there is a known way to clear the nram completely and reload as "system reset" is just a suggestion to the already massively loaded and possibly tampered machine code. We need to get the boot loader, whatever the equivalent, to step in or just consider the rooter to be bricked.

Possibly that $5 advice site did pollute my PC (but I didn't pay). Shame on you if you fool me once, shame on me if twice.

 

[ColinTaylor]

Can you state clearly whether or not you have done a hard factory reset of the router (using the WPS button)?

[Wireless Router] ASUS router Hard Factory Reset - Method 2 | Official Support | ASUS Global