I think my router was hacked....

Skeeter_Barnes

Occasional Visitor
I have an Asus ZenWIFI AX XT8. I'm not exactly an expert in networking and my router and/or connected HDD got hacked. I have an HDD connected to the router via USB. I use it for saving things like pics, music and videos. I don't access it daily and realized yesterday, when I was saving some pics, that all my pics were gone. There was a txt file in the folder. It was last modified March 3rd, so I'm guessing that is when this happened. I scanned it before opening. It was titled "I was here and you should read this." Of course with that title, I knew nothing good was going to come of it. This is what it said:

"
Learn to lock your external HD from the Internet.

You are lucky I am a semi-nice guy and not going to worse things.

Hugs and Kisses XOXO,

Your friendly neighborhood Grayhat"

I immediately disconnected the HDD. All my stuff is backed up on another physical drive so I didn't lose anything. I use Bitwarden as a password manager and created a WIFI password that is 20 characters long using letters, numbers and special characters. The router password is different and 16 characters long (max allowed) of letters, numbers and special characters. I did enable AI Cloud and had the AI Cloud app on my phone to access the router remotely. I'm assuming this is how the hacker got in. I did a factory reset on the router and changed the password. I did not activate any of the file sharing or remote access. I don't need to access it remotely. I'm wondering what I need to do to make sure it is secure and can only be accessed on my local network? How do you suspect they accessed my HDD? Here is the built-in security checkup I did on the router:


Also, I cannot access the HDD on my laptop unless I enable guest login. It asks for a password and then says I'm not authorized.
 

bbunge

Part of the Furniture
Did you use the Asus Android or iOS app and enable access from the internet? Or enable a VPN without a user/password on a default port? Or enable SSH LAN and WAN? Is the firmware up to date with version 9.0.0.4.386.41994? Or give someone your WIFI login info? Did you have a backup of the pictures?
 

Skeeter_Barnes

Occasional Visitor
I did use the Asus Android app and the AI Cloud app. I didn't enable AI Cloud when I factory reset the router and uninstalled the AI Cloud app. I never did touch LAN, WAN or SSH. Not sure if these are enabled by default? I did factory reset the router.

It said the firmware I had was up to date but it wasn't the one you listed. I went to the Asus website, found that firmware and just updated it manually.

I've only had this router about 3 weeks and no one other than myself has ever had the log in info.

I do have a backup on another physical drive as well as Google Photos.
 

ColinTaylor

Part of the Furniture
It sounds like you enabled AiDisk and then set ftp access to allow anonymous login. That would have given everyone on the internet read/write access to the USB drive.
 
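An added example for the exposure ColinTaylor describes (not part of this thread and not Asus code): a small Python probe that reports whether an FTP service accepts anonymous login and whether the anonymous user can write. Run it from outside your own network (a phone on mobile data, a VPS) against your WAN address. `probe_anonymous_ftp` takes a `connect` callable so the same logic can be exercised offline against the two fake servers at the bottom, which are constructed for the demo; the host addresses and the marker file name are assumptions.

```python
"""Check whether an FTP service accepts anonymous login and anonymous writes.

Added example for this thread, not Asus code. Only probe hosts you own:
the write test uploads and then deletes a small marker file.
"""
import ftplib
import io
from dataclasses import dataclass, field

MARKER = "__ftp_probe_marker.txt"  # assumed name; anything unlikely to collide works


@dataclass
class FtpExposure:
    host: str
    reachable: bool = False
    anonymous_login: bool = False
    writable: bool = False
    listing: list = field(default_factory=list)
    note: str = ""


def probe_anonymous_ftp(host, port=21, timeout=5.0, connect=None):
    """Return an FtpExposure for host.

    connect: zero-argument callable returning an object with the ftplib.FTP
    methods login/nlst/storbinary/delete/quit. Defaults to a real connection;
    the fakes below let the logic run without a network.
    """
    if connect is None:
        def connect():
            ftp = ftplib.FTP()
            ftp.connect(host, port, timeout=timeout)
            return ftp

    result = FtpExposure(host=host)
    try:
        ftp = connect()
    except (OSError, ftplib.Error) as exc:
        result.note = f"connect failed: {exc}"
        return result
    result.reachable = True

    try:
        # ftplib.FTP.login() with no arguments sends user 'anonymous' and
        # password 'anonymous@', i.e. a standard anonymous login attempt.
        ftp.login()
    except ftplib.error_perm as exc:
        result.note = f"anonymous login refused: {exc}"
        _quit_quietly(ftp)
        return result
    result.anonymous_login = True

    try:
        result.listing = list(ftp.nlst())
    except ftplib.error_perm:
        result.listing = []  # login worked but directory listing is denied

    # Write test: an anonymous STOR that succeeds means anyone on the internet
    # can add files to the share, and usually delete or overwrite them too.
    try:
        ftp.storbinary(f"STOR {MARKER}", io.BytesIO(b"probe\n"))
        result.writable = True
        try:
            ftp.delete(MARKER)
        except ftplib.error_perm:
            result.note = f"could not remove {MARKER}; delete it by hand"
    except (ftplib.Error, OSError):
        result.writable = False
    _quit_quietly(ftp)
    return result


def _quit_quietly(ftp):
    try:
        ftp.quit()
    except (ftplib.Error, OSError):
        pass


def classify(result):
    """Reduce a probe result to a one-line verdict."""
    if not result.reachable:
        return "ok: no FTP service reachable"
    if not result.anonymous_login:
        return "warn: FTP reachable, anonymous login refused"
    if result.writable:
        return "critical: anonymous read/write access"
    return "high: anonymous read access"


# --- constructed fakes for offline use; these are not real servers ----------
class FakeOpenFtp:
    """Mimics a USB share exposed with anonymous read/write allowed."""
    def __init__(self):
        self.files = ["Photos", "Music", "Videos"]

    def login(self, user="", passwd="", acct=""):
        return "230 Login successful."

    def nlst(self, *args):
        return list(self.files)

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        self.files.append(cmd.split(" ", 1)[1])
        return "226 Transfer complete."

    def delete(self, filename):
        self.files.remove(filename)
        return "250 Delete operation successful."

    def quit(self):
        return "221 Goodbye."


class FakeLockedFtp(FakeOpenFtp):
    """Same service with anonymous login disabled."""
    def login(self, user="", passwd="", acct=""):
        raise ftplib.error_perm("530 Login incorrect.")


if __name__ == "__main__":
    # Real use, from outside the LAN: probe_anonymous_ftp("203.0.113.10")  # your WAN IP (assumed)
    for fake in (FakeOpenFtp, FakeLockedFtp):
        r = probe_anonymous_ftp("192.0.2.1", connect=fake)
        print(fake.__name__, "->", classify(r), r.listing)
```

A "warn" result still means port 21 is open to the internet; an FTP service with password login is only one weak password away from the same outcome, so the fix is to not expose the share on the WAN at all rather than to rely on the login.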

Treadler

Very Senior Member
I have an Asus ZenWIFI AX XT8. I'm not exactly an expert in networking and my router and/or connected HDD got hacked. I have an HDD connected to the router via USB. I use it for saving things like pics, music and videos. I don't access it daily and realized yesterday, when I was saving some pics, that all my pics were gone. There was a txt file in the folder. It was last modified March 3rd, so I'm guessing that is when this happened. I scanned it before opening. It was titled "I was here and you should read this." Of course with that title, I knew nothing good was going to come of it. This is what it said:

"
Learn to lock your external HD from the Internet.

You are lucky I am a semi-nice guy and not going to worse things.

Hugs and Kisses XOXO,

Your friendly neighborhood Grayhat"

I immediately disconnected the HDD. All my stuff is backed up on another physical drive so I didn't lose anything. I use Bitwarden as a password manager and created a WIFI password that is 20 characters long using letters, numbers and special characters. The router password is different and 16 characters long (max allowed) of letters, numbers and special characters. I did enable AI Cloud and had the AI Cloud app on my phone to access the router remotely. I'm assuming this is how the hacker got in. I did a factory reset on the router and changed the password. I did not activate any of the file sharing or remote access. I don't need to access it remotely. I'm wondering what I need to do to make sure it is secure and can only be accessed on my local network? How do you suspect they accessed my HDD? Here is the built-in security checkup I did on the router:


Also, I cannot access the HDD on my laptop unless I enable guest login. It asks for a password and then says I'm not authorized.

Click on the one that says “No” & fix it. :p
 

Skeeter_Barnes

Occasional Visitor
It sounds like you enabled AiDisk and then set ftp access to allow anonymous login. That would have given everyone on the internet read/write access to the USB drive.
I do believe that is what happened. I did enable the AiDisk but not sure what I set the ftp to. In my haste I just reset the router to undo anything I enabled, so I didn't remember what all was enabled. Judging by the message they left, it sounds like they accessed the HDD and didn't actually access my network? I can confirm the ftp is not enabled now. I also saw that SSH and WAN are not enabled either.
 

Skeeter_Barnes

Occasional Visitor
Click on the one that says “No” & fix it. :p
I did, and when I go to access the HDD in windows explorer, it asks for a password and I enter it and it denies me. It only allows me to access the drive when I allow guest login under the Samba share option. I'm assuming that means anyone connected to my network can access it?
 

Skeeter_Barnes

Occasional Visitor
I seemed to have everything going good and now the router does not show under Network in Windows Explorer. I tried rebooting the router and the laptop and none of the settings changed. It also randomly disconnects and I have to reconnect and re-enter the WIFI password. The interesting part: under Quick Access, the folders on the HDD show up and I can click on them and access them, but the router and HDD are not showing under Network.

It only stays connected for like a minute. I had to reconnect twice just typing this. It doesn't seem to disconnect on other devices.
 

Skeeter_Barnes

Occasional Visitor
I seemed to have everything going good and now the router does not show under Network in Windows Explorer. I tried rebooting the router and the laptop and none of the settings changed. It also randomly disconnects and I have to reconnect and re-enter the WIFI password. The interesting part: under Quick Access, the folders on the HDD show up and I can click on them and access them, but the router and HDD are not showing under Network.

It only stays connected for like a minute. I had to reconnect twice just typing this. It doesn't seem to disconnect on other devices.
Well it just showed up for about 15 seconds and then the WIFI disconnected.
 

ColinTaylor

Part of the Furniture
The folders not showing up under Network is expected behaviour if you have not enabled SMBv1 on both the router and your Windows 10 PC (assuming you're using Windows 10). IIRC it explains this on the router's Samba page.
 

Skeeter_Barnes

Occasional Visitor
The folders not showing up under Network is expected behaviour if you have not enabled SMBv1 on both the router and your Windows 10 PC (assuming you're using Windows 10). IIRC it explains this on the router's Samba page.
SMBv1 is enabled on both. It was working fine for about 24 hours and for no reason it doesn't show up anymore and disconnects frequently. When I input the password to reconnect to WIFI, it says some information has changed. I don't even stay connected for 5 minutes now.
 

ColinTaylor

Part of the Furniture
SMBv1 is enabled on both. It was working fine for about 24 hours and for no reason it doesn't show up anymore and disconnects frequently. When I input the password to reconnect to WIFI, it says some information has changed. I don't even stay connected for 5 minutes now.
It sounds like the Samba issue is just a consequence of your disconnection problem. I can't really offer any suggestions for that other than looking for clues in the router's System Log.
 

Skeeter_Barnes

Occasional Visitor
I have no idea how to decipher a system log. This is the last entry before it disconnected:

Mar 10 20:41:03 kernel: not mesh client, can't update it's ip

That's shown up a couple times recently.
 

Skeeter_Barnes

Occasional Visitor
Factory reset and same issues. I had manually updated the firmware to the beta version so I went back to the previous version. The router shows up now in windows explorer but won't accept my password. The disconnections are still happening but not as frequently. I've only had this router three weeks. Just going to go back to my Google WIFI and find another solution for my HDD.
 

Skeeter_Barnes

Occasional Visitor
Looks like I got this error in the system log right before it disconnected:

Mar 10 22:10:52 wlceventd: wlceventd_proc_event(490): eth5: Deauth_ind B0:7D:64:AC:80:B9, status: 0, reason: Unspecified reason (1), rssi:0

No idea what this means.
 
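An added example for the log-reading step ColinTaylor suggests above, and for the `Deauth_ind` line quoted in this post (not part of the thread and not an Asus tool): a Python parser for the `wlceventd` deauthentication lines in the router's System Log that counts events per client MAC and interface and flags clients that are dropped repeatedly inside a short window. The sample log is constructed from the two lines quoted in this thread plus invented follow-ups; the second MAC, the window size, the threshold, and the assumption that `Disassoc_ind` lines share the same shape are all assumptions.

```python
"""Summarise wlceventd deauthentication events from an Asus router System Log.

Added example, not Asus code. Parses lines shaped like the one quoted in
this thread:
  Mar 10 22:10:52 wlceventd: wlceventd_proc_event(490): eth5: Deauth_ind
  B0:7D:64:AC:80:B9, status: 0, reason: Unspecified reason (1), rssi:0
"""
import re
from collections import defaultdict
from datetime import datetime

# Lines that do not match (e.g. the kernel 'not mesh client' message) are skipped.
# Disassoc_ind is assumed to use the same layout as Deauth_ind.
DEAUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"wlceventd:\s+wlceventd_proc_event\(\d+\):\s+"
    r"(?P<iface>\w+):\s+(?P<event>Deauth_ind|Disassoc_ind)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}),\s+"
    r"status:\s*(?P<status>\d+),\s+reason:\s*(?P<reason>.*?)\s*\((?P<code>\d+)\)"
)

# A few IEEE 802.11 reason codes, for reading the number in parentheses.
REASON_CODES = {
    1: "unspecified",
    2: "previous authentication no longer valid",
    3: "station is leaving (deauth on disconnect)",
    4: "disassociated due to inactivity",
    7: "class 3 frame from non-associated station",
    8: "station is leaving the BSS",
    15: "4-way handshake timeout",
}


def parse_events(lines, year=None):
    """Return one dict per matching line, in file order."""
    year = year or datetime.now().year  # syslog timestamps carry no year
    events = []
    for line in lines:
        m = DEAUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "iface": m["iface"],
            "event": m["event"],
            "mac": m["mac"].upper(),
            "status": int(m["status"]),
            "code": int(m["code"]),
            "reason": m["reason"],
        })
    return events


def find_repeated_deauths(events, window_seconds=600, threshold=3):
    """Flag (iface, mac) pairs with >= threshold deauths inside any window."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[(ev["iface"], ev["mac"])].append(ev["time"])

    findings = []
    for (iface, mac), times in by_client.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # count events in [start, start + window]
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            findings.append({"iface": iface, "mac": mac, "count": best,
                             "first": times[0], "last": times[-1]})
    findings.sort(key=lambda f: -f["count"])
    return findings


# Constructed sample: the first two lines are quoted from this thread, the rest
# are invented to show a repeat pattern. 00:11:22:33:44:55 is a made-up MAC.
SAMPLE_LOG = """\
Mar 10 20:41:03 kernel: not mesh client, can't update it's ip
Mar 10 22:10:52 wlceventd: wlceventd_proc_event(490): eth5: Deauth_ind B0:7D:64:AC:80:B9, status: 0, reason: Unspecified reason (1), rssi:0
Mar 10 22:12:07 wlceventd: wlceventd_proc_event(490): eth5: Deauth_ind B0:7D:64:AC:80:B9, status: 0, reason: Unspecified reason (1), rssi:0
Mar 10 22:14:30 wlceventd: wlceventd_proc_event(490): eth5: Deauth_ind B0:7D:64:AC:80:B9, status: 0, reason: Unspecified reason (1), rssi:0
Mar 10 22:15:01 wlceventd: wlceventd_proc_event(490): eth6: Deauth_ind 00:11:22:33:44:55, status: 0, reason: Unspecified reason (1), rssi:0
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines(), year=2021)
    for f in find_repeated_deauths(evs):
        print(f"{f['iface']} {f['mac']}: {f['count']} deauths between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Feed it the saved System Log (`parse_events(open("syslog.txt").readlines())`) and look at which interface and which MAC dominate. A burst of reason-1 deauths for one client on one radio is consistent with a driver, roaming or band-steering problem just as much as with someone sending deauth frames; the log alone does not distinguish the two, so compare the timestamps against what the affected device was doing at the time.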

Skeeter_Barnes

Occasional Visitor
Now it's staying connected. Still won't accept my password to access the HDD. I know I'm rambling at this point, but the router is frustrating me. I'm still within the return period so I'll probably just return it and get something else. I have a Google WIFI router in the meantime.
 
