francisport
Occasional Visitor
Hi guys,
I have an ASUS ROG GT AX-6000 running the latest official firmware. No access is granted from outside the internal LAN, DDNS is enabled, and OpenVPN + WireGuard VPN were active.
Two weeks ago I noticed that my WebUI access didn't work, but luckily I had SSH keys still operational. I did some research here on how I could reset my HTTP access, and I found that nvram set http_password=admin might help, but I also noticed that the nvram save/commit commands didn't work either... Something was really strange. No logs since the day before.
I rebooted the router and this time the nvram command worked, so I thought I was a lucky clever guy restoring WebUI access... However, the day after, the WebUI was locked again! But this time nvram set http_password=admin didn't work at all: the variable was there and save/commit also worked, but without any effect. I started a long journey to recover it, but with a lot of problems; I never had such an amount of "misfortune".
A factory restore didn't work --> the WebUI was still locked, and now without my SSH keys, but finally, after a long journey, I could restore it.
But there is something I want to share in case someone could validate or help; below is a bunch of nvram variables I've never seen, and I think they should not be there:
1:dot11agofdmhrbw202gpo=0x1000
2:pa5g160a0=0x27c7,0xb2c3,0x0000,0x168b,0x27c7,0xb2c3,0x0000,0x168b,0x26e5,0xb2f1,0xffff,0x1066,0x2671,0xb805,0xff2b,0x1d62
2:pa5g160a1=0x2cef,0xa9bc,0xffff,0x183d,0x2cef,0xa9bc,0xffff,0x183d,0x2ccd,0xa85b,0x0000,0x0f91,0x2b14,0xb03b,0xfcf8,0x091
2:pa5g160a2=0x28b6,0xb1ff,0x0000,0x13f0,0x28b6,0xb1ff,0x0000,0x13f0,0x27ca,0xb287,0x0000,0x10e5,0x2646,0xb872,0xfe5d,0x1be8
2:pa5g160a3=0x2734,0xb4cc,0x0000,0x1b83,0x2734,0xb4cc,0x0000,0x1b83,0x264d,0xb431,0x0000,0x112b,0x261e,0xb756,0xff85,0x17aa
2:pa5g40a0=0x2730,0xb372,0xff0e,0x0000,0x276d,0xb131,0x0000,0x0000,0x266a,0xb261,0x0000,0x0000,0x25e7,0xb2f2,0x0000,0x02a3,0x2590,0xb436,0x0000,0x003d
2:pa5g40a1=0x2c7d,0xa949,0x0000,0x0dc3,0x2c74,0xa8fb,0x0000,0x0d28,0x2c01,0xa906,0x0000,0x07cc,0x2b81,0xa994,0xff9c,0x0000,0x2b56,0xa881,0x0000,0x0000
2:pa5g40a2=0x27bb,0xb2b6,0x0000,0x0ba0,0x279d,0xb2c5,0x0000,0x0934,0x26ad,0xb443,0x0000,0x0c10,0x2640,0xb3f8,0x0000,0x067b,0x2608,0xb367,0x0000,0x0025
2:pa5g40a3=0x2652,0xb591,0x0000,0x1238,0x26a5,0xb46a,0x0000,0x0ce4,0x2586,0xb4aa,0x0000,0x0658,0x24f0,0xb5b8,0x0000,0x09df,0x2447,0xb86c,0xffff,0x1157
2:maxp5gb0a0=0x6E
2:maxp5gb0a1=0x6E
2:maxp5gb0a2=0x6E
2:maxp5gb0a3=0x6E
...
2:maxp5gb4a1=0x6E
2:mcsbw205ghpo=0xBA976420
2:mcsbw205glpo=0xBA976420
2:mcsbw205gmpo=0xBA976420
2:mcsbw205gx1po=0xBA976420
2:mcsbw205gx2po=0xBA976420
.....
chilli_authport=http
chilli_protocol=http
chilli_url=https://192.168.1.1/Uam
It's quite sure that someone has hacked it, and now I have doubts about whether those nvram variables should be there. Any idea how to compare or validate whether those nvram variables are really needed?
FrancisP
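One way to do the comparison asked about above, as an added example that is not part of the original post: save the output of `nvram show` from the suspect router and from a known-good unit of the same model and firmware after a clean reset (assumed to be available), then diff the variable names and values offline. The function names, the `WATCH` prefixes (taken from the names in the post) and the sample dumps are constructed for illustration.

```python
import re

# name=value, with an optional per-interface prefix such as "1:" or "2:"
ENTRY = re.compile(r"^((?:\d+:)?[A-Za-z0-9_.\-]+)=(.*)$")
# Name prefixes to review first; taken from the post, extend as needed (assumption)
WATCH = ("http_", "chilli_")

def parse_nvram(text):
    """Turn saved `nvram show` output into {name: value}."""
    entries, last = {}, None
    for line in text.splitlines():
        if line.startswith("size:"):         # usage summary line, not a variable
            continue
        m = ENTRY.match(line)
        if m:
            last = m.group(1)
            entries[last] = m.group(2)
        elif last is not None and line:      # wrapped or multi-line value
            entries[last] += "\n" + line
    return entries

def compare(baseline_text, suspect_text):
    """Report variables added, removed or changed relative to the baseline."""
    base, sus = parse_nvram(baseline_text), parse_nvram(suspect_text)
    added = sorted(set(sus) - set(base))
    removed = sorted(set(base) - set(sus))
    changed = sorted(k for k in set(base) & set(sus) if base[k] != sus[k])
    review = [k for k in added + changed if k.startswith(WATCH)]
    return {"added": added, "removed": removed,
            "changed": changed, "review_first": review}

# Constructed sample dumps (values are placeholders, not real router data)
BASELINE = """\
2:maxp5gb0a0=0x6E
2:mcsbw205ghpo=0xBA976420
http_password=value-a
size: 100 bytes (900 left)
"""
SUSPECT = """\
2:maxp5gb0a0=0x6E
2:mcsbw205ghpo=0xBA976420
http_password=value-b
chilli_protocol=http
chilli_url=https://192.168.1.1/Uam
"""

if __name__ == "__main__":
    for kind, names in compare(BASELINE, SUSPECT).items():
        print(f"{kind}: {names}")
```

Variables that appear in both dumps with identical values drop out of the report, which leaves only the names that need an explanation.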
