
Firmware Changed

Discussion in 'ASUS AC Routers & Adapters' started by Tony Johnson, Feb 24, 2020.

  1. Tony Johnson

    Tony Johnson New Around Here

    Joined:
    Feb 24, 2020
    Messages:
    3
    I woke yesterday morning to find out my security cameras were not working. I logged in to my RT-AC66U to see that my firmware had been changed to Merlin; I did not do that. Would someone remotely update my firmware? I took the router offline and installed the latest ASUS firmware and disabled remote access. Was I hacked? And if so, what do I have to do to stop that from happening again?
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,994
    Location:
    UK
    When was the last time you updated the firmware? If you hadn't done that for a very long time then it's possible someone hacked into your router using one of the previously known vulnerabilities. Seems rather strange that they would then install a different version of the firmware, but I suppose anything is possible.
     
  3. Tony Johnson

    Tony Johnson New Around Here

    Joined:
    Feb 24, 2020
    Messages:
    3
    It had been a long time since I updated, at least a year. I tried a few times and it would fail. However, this time I hooked directly to the router and was able to update. I was wondering if the Merlin firmware gave someone the ability to capture traffic.
     
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    11,495
    It makes no sense for someone to gain access to your network, update the firmware (an obvious change to anyone) and then not change any of the access passwords?

    I think your past attempts just took a little time to brew and a possible reboot of the network (power surge/brownout, or instant loss) brought up the firmware you were trying to install so long ago.

    What version of RMerlin was installed?

    RMerlin, at defaults, is more secure than stock Asus firmware is ever delivered.

    Make sure to do a full reset to factory defaults including checking the 'Initialize all settings...' box before doing a minimal and manual configuration to secure the router and connect to your ISP.

    Look in my signature below for further details in the M&M Config to get your router to a good/known state once again. :)
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,994
    Location:
    UK
    Merlin's firmware adds the ability to create user scripts that persist after the router is rebooted. Such scripts would otherwise be lost if using the stock Asus firmware. So I suppose if a hacker really wanted to "own" your router he would need to install a firmware like Merlin's or DD-WRT.

    You said that you have disabled remote access. Does that mean that you had remote access to the router's GUI enabled? :eek: That was a known vulnerability in the older Asus firmware versions that was being actively exploited by hackers.
     
  6. wouterv

    wouterv Very Senior Member

    Joined:
    Aug 4, 2013
    Messages:
    1,057
    I'd like to add: how can you tell genuine Merlin WRT was installed?
    If the story is really true, which it seems to be, there is a good chance a manipulated version or fork of Merlin WRT was installed with additional "features" to help the hacker.
    What is nicer than simply leaving the login credentials the same? Not many average users would even notice the difference between the Merlin WRT GUI and the stock version.
     
  7. Tony Johnson

    Tony Johnson New Around Here

    Joined:
    Feb 24, 2020
    Messages:
    3
    To answer a few questions here. Yes, I had the remote web access enabled, and when you log in to the RT-AC66U, at the top of the screen it shows the firmware version. I noticed right away that the graphic had changed and did not have the normal ASUS firmware numbering system like 3.0.0.4.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,994
    Location:
    UK
    The moral of the story is to never enable remote web access to a router. If you need remote access use a VPN.

    As for what was happening exactly, it's impossible to know as you have reset the router.

    Just to reiterate @L&LD's point, after you reinstalled the stock Asus firmware make sure that you did a Factory default restore with the Initialise box checked. That will ensure that anything that was installed as part of the hack is wiped out.
     
  9. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    1,391
    No one is interested in capturing traffic. What most attackers do after getting access to the router is quickly setting up a VPN tunnel in order to get access to devices attached to the router. PCs with shared resources and attached storage devices are the most interesting. Then they don't just capture your traffic, they download your files.