I think my RT-AC86U has a backdoor virus, how do i get rid of it? Please help


Smakced

New Around Here
I posted on reddit about this issue, I was told to post here for further assistance. Here's my post:

I'm having a security issue with my Asus RT-AC86U. The issue is that the names of some devices on my network keep getting changed to mostly Asian and sometimes English names. I am the only one that has the user and pass to my router and I have never given this info to anyone. Sometimes there are up to 20 unidentified devices connected that have mostly Asian names. The Asian names are usually called Hui Zhou Gaoshengda Technology, Hon Hai or something in Asian characters; the English names are always called Netcore Technology. I think my router has a backdoor virus on it.

I have factory reset and changed the user and pass on the router about 10 times and it keeps coming back. I called my ISP about this and they have no idea how to fix it, neither did Asus when I contacted them. I have the latest version of the merlin firmware on it as well.
 

JSinFCVA

Regular Contributor
These "20 unidentified devices connected" are WiFi devices? Just curious. A quick Google search of the Asian company you mentioned suggests it is a producer of WiFi and Bluetooth chips. Netcore Technology is likewise a producer of WiFi modules. I assume your WiFi SSIDs on the router have passwords (WPA keys) set.
 

Smakced

New Around Here
It says they're connected via Ethernet. The strange part is that they're not always there. Sometimes it'll just show my devices, then for a few seconds it'll show 20 random devices all with foreign names connected via Ethernet, then they'll go away for a couple of seconds and reappear again. And yes, my router is set to WPA2-Personal.

When I change the devices' names back to normal they just get changed again. This has been happening for about a month. Before that I never noticed this strange activity, and I've had this router for about 2 years.

For example my iPhone will get changed to Hui Zhou Gaoshengda Technology, then I'll change it back to iPhone, then I'll log in a couple of hours later and see it has been changed again along with other devices like my PC.
 

Tech9

Part of the Furniture
All default network names of different devices. Hon Hai is the name of my Brother printer before I change it, for example. Your problem is the router doesn’t retain custom names. You’re not hacked. Don’t trust network map, it’s not accurate. Sometimes wireless devices are shown as wired.
 

Smakced

New Around Here
I've had this router for a few years and had never noticed this before until about a month ago. How does that explain the many unidentified devices that are there sometimes? It'll go from about 8 devices connected to 18 or 23. I don't even have that many devices, and I have no neighbors, so it can't be their devices.
 

JSinFCVA

Regular Contributor
Appearing/disappearing seems a bit odd. I do occasionally see some of my wireless devices (valid authenticated connections) listed as hardwired (Ethernet), so I don't assume all client device types are reported accurately in the GUI. You might need to log in to the router and look closely at the system logs to see if these are real devices trying to connect to the WiFi bands. Definitely sounds strange though.

I would probably reset the router to factory defaults... then re-download and re-flash the latest firmware (To be absolutely sure the firmware is pristine), then do a bare-bones config and see if the oddball connections return.
 

Sanna1967

Senior Member
Simple question,
did you play with this?

[screenshot of the router setting, not reproduced]
 

Smakced

New Around Here
I tried resetting the router about 10 times and this is still happening. I even flashed to the original firmware, then when I tried to change back to Merlin it said upgrade failed. A few weeks later I called my ISP and they reset my modem; only then was I finally able to go back to Merlin, but these issues are still happening.
 

kernol

Very Senior Member
The RT-AC86U had issues upgrading from earlier versions to Merlinware 384.19 or any later versions including the latest 386 code.
This was because Asus changed the size of the JFFS partition at that time [August 2020] - and as per Changelog it was necessary to backup JFFS before upgrades - then format the JFFS partition on next boot - before restoring the JFFS backup.
Failure to do so most often led to corrupt data with strange consequences - some not unlike what you are experiencing.

Please advise what firmware you currently have installed? Did you backup and format the JFFS partition as described above?
 

Smakced

New Around Here
I currently have 386.2 installed. I did not mess with the JFFS partition. I switched to the original firmware when these issues started happening because I thought it was an issue with Merlin; then when I tried to switch back to Merlin it said upgrade failed. Then when I called my ISP about this they reset the modem, and after that I tried to switch back to Merlin again and it finally worked, but I'm still having this issue. I've had this router with Merlin firmware for about 2 years and have never noticed this weird activity before.
 

kernol

Very Senior Member
Since you don't have a lot of devices - I suggest you have a look at this post and follow the advice given by @L&LD.
Make sure you NEVER open access to your Router to the Internet [WAN].

http://www.snbforums.com/threads/major-issues-w-rt-ac86u.56342/post-495710

In the end result I would install 386.2.2 after following the above guides - it is incredibly stable!

EDIT: It's very easy to format the JFFS partition on reboot - just go to the Administration tab and in the Persistent JFFS2 partition section select Yes to format on next boot. NB - you will lose whatever settings etc. are in the JFFS partition - so best to rebuild all settings from scratch.

[screenshot: Administration tab, Persistent JFFS2 partition section, "Format JFFS partition at next boot" set to Yes]
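The backup, format-on-next-boot, rebuild sequence from the post above as a script, added here as an example; it is not from the thread and not part of Asuswrt-Merlin. Assumptions, also marked in the comments: the partition is mounted at /jffs, the "Format JFFS partition at next boot" checkbox corresponds to the nvram variable jffs2_format, and a USB drive is mounted under /tmp/mnt. It restores only the entries you name, because if the partition really is corrupt a blind full restore puts the corruption straight back.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: back up JFFS,
# schedule the same format the web UI checkbox performs, and restore only
# what you choose afterwards.
# Assumptions: JFFS is mounted at /jffs; the "Format JFFS partition at next
# boot" checkbox sets the nvram variable jffs2_format; a USB drive is mounted
# under /tmp/mnt. Copy to the router and run over SSH, e.g.:
#   sh jffs-maint.sh backup /tmp/mnt/usb
#   sh jffs-maint.sh list /tmp/mnt/usb/jffs-backup-<stamp>.tar.gz
#   sh jffs-maint.sh format && reboot
#   sh jffs-maint.sh restore /tmp/mnt/usb/jffs-backup-<stamp>.tar.gz ./scripts/services-start

JFFS_DIR=${JFFS_DIR:-/jffs}

# Archive the whole JFFS tree into DEST_DIR (somewhere off the partition,
# since it is about to be wiped); prints the archive path on success.
backup_jffs() {
    src=$1
    dest_dir=$2
    archive="$dest_dir/jffs-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    printf '%s\n' "$archive"
}

# Entries in the backup, so you can decide what is worth bringing back.
list_backup() {
    tar -tzf "$1" | sort
}

# Same effect as ticking the checkbox under Administration > System.
# Refuses to run anywhere without the nvram tool, i.e. off the router.
format_jffs_on_next_boot() {
    if ! command -v nvram >/dev/null 2>&1; then
        echo "nvram not found: not on the router, nothing scheduled" >&2
        return 2
    fi
    nvram set jffs2_format=1 && nvram commit
}

# Restore only the named entries (exactly as printed by list_backup) into
# DEST. Restoring everything would also bring back whatever was corrupt.
restore_selected() {
    archive=$1
    dest=$2
    shift 2
    [ $# -gt 0 ] || { echo "name at least one entry to restore" >&2; return 1; }
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest" "$@"
}

case ${1:-} in
    backup)  backup_jffs "$JFFS_DIR" "${2:-/tmp/mnt/usb}" ;;
    list)    list_backup "$2" ;;
    format)  format_jffs_on_next_boot ;;
    restore) archive=$2; shift 2; restore_selected "$archive" "$JFFS_DIR" "$@" ;;
    "")      ;;   # no arguments: only define the functions
    *)       echo "usage: $0 backup [dest_dir] | list archive | format | restore archive entry..." >&2 ;;
esac
```

After the reboot, check `df /jffs` shows a freshly formatted partition before restoring anything, and bring back only the scripts you recognise; Entware and amtm are quicker to reinstall cleanly than to debug after a partial restore.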
 

Smakced

New Around Here
Thank you very much for this info! I am going to follow the guide then upgrade to the newest version tomorrow morning. I will post back here with the results and see if this weird activity stops.
 

kernol

Very Senior Member
Thank you for that info as well! I will also follow those instructions and post back here in the morning.
You are welcome ... I used an RT-AC86U for several years - awesome router ... here's hoping you get it back on track :).
 

dosborne

Very Senior Member
*some* of the extra devices *could* be caused if random MAC addresses are enabled. You could disable WiFi to verify whether the devices still connect, then enable one band at a time to help determine what is connecting. Do the system logs provide more insight as to what may be happening?
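The cross-check suggested above (JSinFCVA's "look at what the router actually sees" and dosborne's random-MAC question), as an added example that is not part of the thread: instead of trusting the Network Map, read the router's own ARP table and DHCP lease file over SSH and flag which clients carry a locally administered (randomized) MAC address. The paths /proc/net/arp and /var/lib/misc/dnsmasq.leases are standard on Asuswrt-Merlin; the wireless interface name for `wl ... assoclist` varies by model and is an assumption. The two tables embedded in the script are constructed stand-ins with made-up addresses and hostnames so it runs off the router.

```shell
#!/bin/sh
# Added example, not from the thread: check what the router itself sees
# instead of the Network Map. On Asuswrt-Merlin the ARP table is /proc/net/arp
# and the DHCP leases are in /var/lib/misc/dnsmasq.leases; wireless clients
# can be listed with `wl -i "$(nvram get wl0_ifname)" assoclist` (assumption:
# the interface name differs per model). The two tables below are CONSTRUCTED
# stand-ins with made-up addresses so the script runs off the router.

ARP_SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         a4:83:e7:12:34:56     *        br0
192.168.1.37     0x1         0x2         02:1f:3a:9c:0e:77     *        br0
192.168.1.55     0x1         0x0         00:00:00:00:00:00     *        br0
192.168.1.80     0x1         0x2         d6:a1:42:08:19:2b     *        br0'

# dnsmasq lease format: expiry mac ip hostname client-id ("*" = none)
LEASES_SAMPLE='1619700000 a4:83:e7:12:34:56 192.168.1.10 iPhone 01:a4:83:e7:12:34:56
1619700100 02:1f:3a:9c:0e:77 192.168.1.37 * 01:02:1f:3a:9c:0e:77
1619700200 d6:a1:42:08:19:2b 192.168.1.80 android-7c3e *'

# A randomized ("private") MAC has the locally administered bit set: bit 0x02
# of the first octet. Burned-in vendor addresses, the ones the Network Map
# resolves to manufacturer names, have it clear.
mac_is_random() {
    first=${1%%:*}
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Complete ARP entries only (flags 0x2); incomplete or stale rows are dropped.
arp_clients() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "0x2" && $4 != "00:00:00:00:00:00" { print $1, $4 }'
}

# Hostname the client supplied in its DHCP request, if any.
lease_name() {
    printf '%s\n' "$1" | awk -v mac="$2" '
        tolower($2) == tolower(mac) { name = ($4 == "*") ? "(no hostname)" : $4; print name; found = 1 }
        END { if (!found) print "(no lease)" }'
}

# One line per live client: ip, mac, random|global, DHCP hostname.
report() {
    arp_clients "$1" | while read -r ip mac; do
        if mac_is_random "$mac"; then kind=random; else kind=global; fi
        printf '%-16s %s  %-7s %s\n' "$ip" "$mac" "$kind" "$(lease_name "$2" "$mac")"
    done
}

# How many live clients are using a randomized address.
count_random() {
    arp_clients "$1" | while read -r _ mac; do
        mac_is_random "$mac" && echo "$mac"
    done | awk 'END { print NR }'
}

# On the router use the real files; elsewhere fall back to the constructed sample.
if [ -r /var/lib/misc/dnsmasq.leases ]; then
    report "$(cat /proc/net/arp)" "$(cat /var/lib/misc/dnsmasq.leases)"
else
    report "$ARP_SAMPLE" "$LEASES_SAMPLE"
fi
```

Run it a few times while the phantom entries are showing in the GUI: if they never appear in the ARP table or the lease file, the Network Map is displaying stale or garbled client records rather than real hosts; if they do appear with a global address and no lease, you have something to look for in the system log.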
 

XIII

Very Senior Member
*some* of the extra devices *could* be caused if random MAC addresses are enabled
But not if they are running iOS and don’t get reset:

 

Centrifuge

Senior Member
Hmm, hope it didn't brick on him.
 

kernol

Very Senior Member
I like to think the OP is fully sorted and busy unleashing all those goodies available under amtm [which it seems he had not exploited before :cool:].
 
