I think my RT-AC86U has a backdoor virus, how do I get rid of it? Please help

Smakced
I posted on reddit about this issue, I was told to post here for further assistance. Here's my post:

I'm having a security issue with my Asus RT-AC86U. The issue is that the names of some devices on my network keep getting changed to mostly Asian and sometimes English names. I am the only one that has the user and pass to my router and I have never given this info to anyone. Sometimes there are up to 20 unidentified devices connected that have mostly Asian names. The Asian names are usually called Hui Zhou Gaoshengda Technology, Hon Hai or something in Asian characters; the English names are always called Netcore Technology. I think my router has a backdoor virus on it.

I have factory reset and changed the user and pass on the router about 10 times and it keeps coming back. I called my ISP about this and they have no idea how to fix it, neither did Asus when I contacted them. I have the latest version of the Merlin firmware on it as well.
 
These "20 unidentified devices connected" are wifi devices ??? Just curious. Quick google search of the asian company you mentioned seems to be a producer of Wifi and bluetooth chips. Netcore Technology likewise is a producer of WiFi modules. I assume your WiFi SSID's on the router have passwords (WPA Keys) set.
 
It says they're connected via Ethernet. The strange part is that they're not always there. Sometimes it'll just show my devices, then for a few seconds it'll show 20 random devices all with foreign names connected via Ethernet, then it'll go away for a couple of seconds and then reappear again. And yes, my router is set to WPA2-Personal.

When I change the device names back to normal they just get changed again. This has been happening for about a month. Before that I never noticed this strange activity, and I've had this router for about 2 years.

For example, my iPhone will get changed to Hui Zhou Gaoshengda Technology, then I'll change it back to iPhone, then I'll log in a couple of hours later and see it has been changed again, along with other devices like my PC.
 
All default network names of different devices. Hon Hai is the name of my Brother printer before I change it, for example. Your problem is the router doesn’t retain custom names. You’re not hacked. Don’t trust network map, it’s not accurate. Sometimes wireless devices are shown as wired.
 
I've had this router for a few years and had never noticed this before until about a month ago. How does that explain the many unidentified devices that are there sometimes? It'll go from about 8 devices connected to 18 or 23. I don't even have that many devices, and I have no neighbors, so it can't be their devices.
 
Appearing/Disappearing seems a bit odd. I do occasionally see some of my wireless devices (valid authenticated connections) listed as hardwired (ethernet), so I don't assume all client device types are reported accurately in the GUI. You might need to login to the router and look closely at the system logs to see if these are real devices trying to connect to the WiFi bands. Definitely sounds strange though.

I would probably reset the router to factory defaults... then re-download and re-flash the latest firmware (To be absolutely sure the firmware is pristine), then do a bare-bones config and see if the oddball connections return.
 
Simple question: did you play with this? (screenshot of a router setting, not reproduced)
 
I tried resetting the router about 10 times and this is still happening. I even flashed to the original firmware, then when I tried to change back to Merlin it said upgrade failed. A few weeks later I called my ISP and they reset my modem; only then was I finally able to go back to Merlin, but these issues are still happening.
 
The RT-AC86U had issues upgrading from earlier versions to Merlinware 384.19 or any later versions, including the latest 386 code.
This was because Asus changed the size of the JFFS partition at that time [August 2020] - and as per the changelog it was necessary to back up JFFS before upgrading, then format the JFFS partition on the next boot, before restoring the JFFS backup.
Failure to do so most often led to corrupt data with strange consequences - some not unlike what you are experiencing.

Please advise what firmware you currently have installed? Did you backup and format the JFFS partition as described above?
 
I currently have 386.2 installed. I did not mess with the JFFS partition. I switched to the original firmware when these issues started happening because I thought it was an issue with Merlin; then when I tried to switch back to Merlin it said upgrade failed. Then when I called my ISP about this they reset the modem; after that I tried to switch back to Merlin again and it finally worked, but I'm still having this issue. I've had this router with Merlin firmware for about 2 years and have never noticed this weird activity before.
 
Since you don't have a lot of devices - I suggest you have a look at this post and follow the advice given by @L&LD.
Make sure you NEVER open access to your Router to the Internet [WAN].

http://www.snbforums.com/threads/major-issues-w-rt-ac86u.56342/post-495710

In the end result I would install 386.2.2 after following the above guides - it is incredibly stable!

EDIT: It's very easy to format the JFFS partition on reboot - just go to the Administration tab and in the Persistent JFFS2 partition section select Yes to format on next boot. NB - you will lose whatever settings etc. are in the JFFS partition, so it's best to rebuild all settings from scratch.
 
Thank you very much for this info! I am going to follow the guide and then upgrade to the newest version tomorrow morning. I will post back here with the results and see if this weird activity stops.
 
Thank you for that info as well! I will also follow those instructions and post back here in the morning.
You are welcome ... I used an RT-AC86U for several years - awesome router ... here's hoping you get it back on track :).
 
*Some* of the extra devices *could* be caused if random MAC addresses are enabled. You could disable WiFi to verify whether the devices still connect, then enable one band at a time to help determine what is connecting. Do the system logs provide more insight as to what may be happening?
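One way to test the randomized-MAC theory before blaming a backdoor, as an added example that is not from any poster in this thread: the "private address" feature on iOS and Android sets the locally-administered bit of the MAC, so the second hex digit of the first octet is always 2, 6, a or e. The script below scans a DHCP lease list in dnsmasq format for that pattern. The lease lines here are constructed for the example (the MACs are made up), and the path /var/lib/misc/dnsmasq.leases is an assumption about where Asuswrt-Merlin keeps the live file; check your own build before pointing the script at it.

```shell
#!/bin/sh
# Added example: flag randomized (locally-administered) MAC addresses in a
# dnsmasq lease list. Not part of the thread or of Asuswrt-Merlin itself.
#
# dnsmasq lease format: <expiry> <mac> <ip> <hostname or *> <client-id or *>
# These five leases are constructed sample data; the MACs are fictitious.
SAMPLE_LEASES='1619660000 a8:5b:78:11:22:33 192.168.1.10 iPhone 01:a8:5b:78:11:22:33
1619660100 d2:4f:7e:01:02:03 192.168.1.11 * 01:d2:4f:7e:01:02:03
1619660200 00:1e:c2:44:55:66 192.168.1.12 Brother-Printer *
1619660300 9e:10:aa:bb:cc:dd 192.168.1.13 * *
1619660400 46:aa:bb:cc:dd:ee 192.168.1.14 android-abc *'

# Assumed location of the live lease file on the router (verify on your build).
LEASE_FILE=/var/lib/misc/dnsmasq.leases

# is_random_mac MAC -> exit 0 when the locally-administered bit (0x02 of the
# first octet) is set, i.e. the second hex digit is 2, 6, a or e. Vendor-
# assigned (globally unique) addresses never have this bit set.
is_random_mac() {
    case "$(printf '%s' "$1" | cut -c2 | tr 'A-F' 'a-f')" in
        2|6|a|e) return 0 ;;
        *)       return 1 ;;
    esac
}

# count_random_macs LEASES -> number of leases whose MAC is randomized.
count_random_macs() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && substr($2, 2, 1) ~ /^[26aeAE]$/ { n++ }
        END { print n + 0 }'
}

# count_distinct_macs LEASES -> number of distinct MACs in the list.
count_distinct_macs() {
    printf '%s\n' "$1" | awk 'NF >= 3 && !seen[$2]++ { n++ } END { print n + 0 }'
}

# list_random_macs LEASES -> "MAC IP hostname" for each randomized lease, so
# the entries can be matched against phones/laptops with "private address" on.
list_random_macs() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && substr($2, 2, 1) ~ /^[26aeAE]$/ { print $2, $3, $4 }'
}

# report LEASES -> human-readable summary; the counts come from the helpers.
report() {
    echo "distinct clients: $(count_distinct_macs "$1")"
    echo "randomized MACs:  $(count_random_macs "$1")"
    list_random_macs "$1" | while read -r mac ip name; do
        echo "  $mac $ip ($name)  <- locally administered, likely a phone/laptop"
    done
}

# Run against the constructed sample; on the router you would instead do:
#   report "$(cat "$LEASE_FILE")"
report "$SAMPLE_LEASES"
```

Run this on the router over SSH against the live lease file and you get the number of distinct clients dnsmasq has actually handed addresses to, which is a far more reliable count than the network map. If the "extra" entries carry randomized MACs and appear while a phone is on the WiFi, they are that phone's rotating addresses; the 2/6/a/e check only identifies randomization, so anything with a vendor-assigned MAC you do not recognise still needs to be looked up and tracked down.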
 
"*Some* of the extra devices *could* be caused if random MAC addresses are enabled."
But not if they are running iOS and don't get reset. (screenshot not reproduced)

 
Hmm, hope it didn't brick on him.
 
I like to think the OP is fully sorted and busy unleashing all those goodies available under amtm (which it seems he had not exploited before :cool:).
 