Firmware Changed


Tony Johnson

New Around Here
I woke yesterday morning to find out my security cameras were not working. I logged in to my RT-AC66U to see that my firmware had been changed to Merlin; I did not do that. Would someone remotely update my firmware? I took the router offline, installed the latest ASUS firmware and disabled remote access. Was I hacked? And if so, what do I have to do to stop that from happening again?
 
When was the last time you updated the firmware? If you hadn't done that for a very long time then it's possible someone hacked into your router using one of the previously known vulnerabilities. Seems rather strange that they would then install a different version of the firmware, but I suppose anything is possible.
 
It had been a long time since I updated, at least a year. I tried a few times and it would fail. However, this time I hooked directly to the router and was able to update. I was wondering if the Merlin firmware gave someone the ability to capture traffic.
 
It makes no sense for someone to gain access to your network, update the firmware (an obvious change to anyone) and then not change any of the access passwords?

I think your past attempts just took a little time to brew and a possible reboot of the network (power surge/brownout, or instant loss) brought up the firmware you were trying to install so long ago.

What version of RMerlin was installed?

RMerlin, at defaults, is more secure than stock Asus firmware is ever delivered.

Make sure to do a full reset to factory defaults, including checking the 'Initialize all settings...' box, before doing a minimal and manual configuration to secure the router and connect to your ISP.

Look in my signature below for further details in the M&M Config to get your router to a good/known state once again. :)
 
It had been a long time since I updated, at least a year. I tried a few times and it would fail. However, this time I hooked directly to the router and was able to update. I was wondering if the Merlin firmware gave someone the ability to capture traffic.
Merlin's firmware adds the ability to create user scripts that persist after the router is rebooted. Such scripts would otherwise be lost if using the stock Asus firmware. So I suppose if a hacker really wanted to "own" your router he would need to install a firmware like Merlin's or DD-WRT.

You said that you have disabled remote access. Does that mean that you had remote access to the router's GUI enabled? :eek: That was a known vulnerability in the older Asus firmware versions that was being actively exploited by hackers.
 
I'd like to add: how can you tell genuine Merlin WRT was installed?
If the story is really true, which it seems to be, there is a good chance a manipulated version or fork of Merlin WRT was installed with additional "features" to help the hacker.
What is nicer than simply leaving the login credentials the same? Not many average users would even notice the difference between the Merlin WRT GUI and the stock version.
 
To answer a few questions here. Yes, I had remote web access enabled, and when you log in to the RT-AC66U, at the top of the screen it shows the firmware version. I noticed right away that the graphic had changed and did not have the normal ASUS firmware numbering system like 3.0.0.4.
 
The moral of the story is to never enable remote web access to a router. If you need remote access use a VPN.

As for what was happening exactly, it's impossible to know as you have reset the router.

Just to reiterate @L&LD's point, after you reinstalled the stock Asus firmware make sure that you did a Factory default restore with the Initialise box checked. That will ensure that anything that was installed as part of the hack is wiped out.
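As an added example (not code from this thread, from Asus or from RMerlin), here is a POSIX shell script a defender could run against a saved `nvram show` dump to flag the setting blamed above (web GUI reachable from the WAN) and, since persistent user scripts were raised earlier in the thread, to count files in a /jffs/scripts-style directory. The nvram key names are assumptions based on Asuswrt's naming, and the sample dumps and demo directory are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an Asuswrt "nvram show" dump for
# WAN-facing management settings and count persistent user scripts.
# Assumed nvram key names (Asuswrt convention): misc_http_x = "Enable Web Access
# from WAN", misc_httpport_x = its port, telnetd_enable = Telnet daemon.

# Constructed sample dumps: one mirroring the exposed router, one clean.
EXPOSED_NVRAM='misc_http_x=1
misc_httpport_x=8443
telnetd_enable=0
lan_ipaddr=192.168.1.1'

CLEAN_NVRAM='misc_http_x=0
telnetd_enable=0
lan_ipaddr=192.168.1.1'

# nvram_get DUMP KEY: print KEY's value from DUMP (empty if absent)
nvram_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_nvram DUMP: print one finding per line; return 1 if anything is exposed
audit_nvram() {
    dump=$1
    rc=0
    if [ "$(nvram_get "$dump" misc_http_x)" = "1" ]; then
        echo "RISK: web GUI reachable from WAN on port $(nvram_get "$dump" misc_httpport_x)"
        rc=1
    fi
    if [ "$(nvram_get "$dump" telnetd_enable)" = "1" ]; then
        echo "RISK: telnet daemon enabled"
        rc=1
    fi
    return $rc
}

# count_persistent_scripts DIR: number of files under a /jffs/scripts-style
# directory; these survive reboot and do not exist on stock firmware
count_persistent_scripts() {
    if [ -d "$1" ]; then find "$1" -type f | wc -l | tr -d ' '; else echo 0; fi
}

# Demo on a constructed directory standing in for /jffs/scripts on the router
DEMO_DIR=$(mktemp -d)
printf '#!/bin/sh\n' > "$DEMO_DIR/services-start"
audit_nvram "$EXPOSED_NVRAM" || echo "-> factory reset with 'Initialize all settings' checked"
echo "persistent scripts found: $(count_persistent_scripts "$DEMO_DIR")"
rm -rf "$DEMO_DIR"
```

On a live router the dump would come from `nvram show` and the directory would be /jffs/scripts; a non-zero exit from audit_nvram means the management plane is reachable from the Internet.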
 
I was wondering if the Merlin firmware gave someone the ability to capture traffic.

No one is interested in capturing traffic. What most attackers do after getting access to the router is quickly set up a VPN tunnel in order to get access to devices attached to the router. PCs with shared resources and attached storage devices are the most interesting. Then they don't just capture your traffic, they download your files.
 