Manually DHCP List and Domain Name Showing Unremovable Items

kidd232

Occasional Visitor
I used WireGuard to connect two routers, an RT-AX86U and a GT-AX6600, both running the newest Merlin firmware, and everything was working fine. However, over the past few days I noticed something strange:

• In both routers, the manual DHCP list and the domain name field started showing unusual entries that I cannot remove.

• In the Domain Name setting, asus.com keeps appearing. Even if I change it to another word or clear it completely, after clicking Apply it always reverts back to asus.com.

• In the DHCP list, three strange entries related to ASUS keep showing up. Just like the domain name issue, if I edit or delete them, they reappear shortly after. What’s odd is that these entries are on a different subnet — I’m not using the 192.168.1.0 network at all.

Does anyone know why this is happening?

[Attachment: weird.jpg]
 
What is the exact firmware version? "newest" could mean the current release version or latest beta version.

What scripts are you running on these routers, if any?

If you have JFFS custom scripts and configs enabled (Administration - System) I would temporarily disable that, reboot the router and see if the entries disappear.

You say these two routers are connected using WireGuard. The GT-AX6000's subnet is 192.168.0.0/24. What is the subnet of the RT-AX86U? They should be different if this is a LAN to LAN setup.
 
To be cynical, I’d speculate some malware on the router wants to sinkhole any Asus update mechanism by redirecting the names to a local IP.
 
I was thinking along the same lines (although there would be less obvious ways of achieving the same thing). Especially as his previous posts indicate that he was using AiCloud.
 
GT-AX6600: 3006_102.5_0, subnet: 192.168.0.0/24
RT-AX86U: 3004_388.9_2, subnet: 192.168.2.0/24

These two routers only have Skynet and Scribe installed via amtm.
I tried disabling JFFS custom scripts and configs, but the issue remains.

It seems like this is abnormal behavior, so I’ll need to do a reset.
 
Do you use DDNS? That might explain the 'asus.com' thing.

Try checking the MAC addresses here: https://maclookup.app/

Anyway, I would definitely do a factory reset.
 
Today I'm having the same issue as well, after a router reboot.

Asus RT-AX86U, firmware 3004.388.9_2.

Nothing has been changed in the router settings, and the firmware was updated at the time of its official release here, quite some time ago.

All the while the router was OK, until today: after a manual reboot, the DHCP settings became like this. The router was rebooted last week too, and at that time everything was still OK. This happened today, and despite multiple reboots, it behaves the same.

The "RT-AX86U's Domain Name" becomes "asus.com". After changing it to something else and applying the setting, it reverts back to "asus.com". It has become unchangeable.

Also, all my static DHCP settings changed to only the 3 lines of settings, exactly the same as what kidd232 posted above. The MAC address, IP address and hostname of the 3 are exactly the same as his.

If I manually change the DHCP list and save it, it reverts back to the 3 by itself. The DHCP list has become unchangeable.

I SSHed into the router and issued the "nvram show" command. I can see my previous DHCP settings are still in "custom_clientlist", but "dhcp_staticlist" has changed to this:
Code:
dhcp_staticlist=<00:0C:29:B6:9E:71>192.168.1.112>>dlcdnets<00:E0:4C:36:04:11>192.168.1.133>>routerahs<00:E0:4C:36:01:11>192.168.1.123>>routerfeedback

Anyone else facing the same issue? Anyone know what has happened?
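A check for the nvram value in the post above, added here as an example (it is not code from the thread): it splits dhcp_staticlist into records, one per leading "<", with fields separated by ">", and prints every record whose address is not inside the router's own LAN subnet. The posted value shows MAC, IP, an empty field, hostname, so the script assumes the third field is an optional DNS server and the fourth the hostname. The injected records sit on 192.168.1.0/24 while both affected routers use other subnets, which is what made them stand out; the script generalises that to any netmask. The live_check function assumes the router's stock "nvram get" tool and its lan_ipaddr and lan_netmask variables; the sample value is constructed from the three records in the post plus one made-up legitimate entry.

```sh
#!/bin/sh
# Flag dhcp_staticlist records that are outside the router's LAN subnet.
# Added example; not from the forum thread. Assumes the record layout
# <MAC>IP>DNS>hostname (DNS may be empty, as in the posted value).

# Constructed sample: the three records from the post plus one made-up
# legitimate entry (AA:BB:CC:DD:EE:01 / nas) on the real LAN.
SAMPLE_STATICLIST='<00:0C:29:B6:9E:71>192.168.1.112>>dlcdnets<00:E0:4C:36:04:11>192.168.1.133>>routerahs<00:E0:4C:36:01:11>192.168.1.123>>routerfeedback<AA:BB:CC:DD:EE:01>192.168.2.50>>nas'

# foreign_static_entries RAW_VALUE LAN_IP LAN_NETMASK
# Prints "MAC IP hostname" for every record whose IP is not in LAN_IP/LAN_NETMASK.
foreign_static_entries() {
    printf '%s' "$1" | tr '<' '\n' | awk -F'>' -v lanip="$2" -v mask="$3" '
        # True when a and b fall in the same subnet under dotted mask m.
        # For a contiguous mask octet m the aligned block size is 256-m,
        # so x - x % (256-m) is x with its host bits cleared.
        function same_subnet(a, b, m,    pa, pb, pm, i, blk) {
            split(a, pa, "."); split(b, pb, "."); split(m, pm, ".")
            for (i = 1; i <= 4; i++) {
                blk = 256 - pm[i]
                if (pa[i] - pa[i] % blk != pb[i] - pb[i] % blk) return 0
            }
            return 1
        }
        # Field 1 MAC, 2 IP, 3 DNS (often empty), 4 hostname; the empty
        # leading record produced by the first "<" has NF < 4 and is skipped.
        NF >= 4 && !same_subnet($2, lanip, mask) { print $1, $2, $4 }'
}

# On the router itself: run the same comparison on the live configuration.
live_check() {
    foreign_static_entries "$(nvram get dhcp_staticlist)" \
                           "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
}

# Offline demonstration on the constructed sample (LAN 192.168.2.0/24):
foreign_static_entries "$SAMPLE_STATICLIST" 192.168.2.1 255.255.255.0
```

On the sample this prints the three records from the post and nothing else. A hostname in a static lease is also a name dnsmasq will answer for locally, so entries named after ASUS services, together with the domain being forced to asus.com, fit the sinkhole theory raised earlier in the thread; dump the raw value with "nvram get dhcp_staticlist" before changing anything, because the web UI only shows the parsed list.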
 
Thanks for the info @ppfoong. That effectively confirms that this is some kind of malware. Did/do you have any kind of remote access to the router enabled (AiCloud, HTTPS, SSH, etc)?

@kidd232 Can you confirm that factory resetting your router fixed this problem? Did you restore any of your router's information from backup or did you start afresh?

@ppfoong I suggest you do a factory reset and manual setup to try and get rid of this. Before you do that I'd ask you to collect some data that might help to identify the source of this problem.

Can you save your current settings and JFFS (Administration - Restore/Save/Upload Setting) and label them as potentially containing malware.

The output of these commands could prove useful:
Code:
ps T
netstat -nltp
find /jffs
ls -altr /tmp/
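The commands above, plus "df -a" and "nvram show" (both of which come up later in the thread) and /proc/mounts, wrapped into a collection script that writes everything to one directory with a hash manifest. This is an added example, not a script from the thread. It assumes a POSIX sh (BusyBox on the router), the Asuswrt nvram and cru tools, and that an external drive is mounted under /tmp/mnt/, which is where the output should go: /tmp itself is RAM, disappears on reboot, and is where the suspect files live.

```sh
#!/bin/sh
# Collect triage data from a suspected compromised Asuswrt-Merlin router into
# one directory with a hash manifest. Added example; not from the thread.
# Assumes BusyBox sh plus the Asuswrt "nvram" and "cru" tools on the router.

# run_capture OUTDIR NAME CMD [ARGS...]
# Runs CMD and stores stdout+stderr in OUTDIR/NAME.txt. A missing command or a
# non-zero exit is recorded inside the file instead of aborting the collection.
run_capture() {
    out=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out/$name.txt" 2>&1 || printf '[exit status %s]\n' "$?" >> "$out/$name.txt"
    else
        printf '[command not found: %s]\n' "$1" > "$out/$name.txt"
    fi
}

# collect_triage OUTDIR
# Gathers the process list, listening sockets, /jffs contents, /tmp listing,
# mount table, the full nvram dump and the cron table, then hashes the files.
collect_triage() {
    dir=$1
    mkdir -p "$dir" || return 1
    run_capture "$dir" ps       ps T
    run_capture "$dir" netstat  netstat -nltp
    run_capture "$dir" jffs     find /jffs
    run_capture "$dir" tmp      ls -altr /tmp/
    run_capture "$dir" df       df -a
    run_capture "$dir" mounts   cat /proc/mounts
    run_capture "$dir" nvram    nvram show
    run_capture "$dir" cron     cru l      # Asuswrt cron helper: lists scheduled jobs
    # Integrity manifest so the bundle can be verified after copying it off the router.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$dir" && sha256sum ./*.txt > SHA256SUMS)
    elif command -v md5sum >/dev/null 2>&1; then
        (cd "$dir" && md5sum ./*.txt > MD5SUMS)
    fi
    return 0
}

# Usage on the router:  sh triage.sh /tmp/mnt/sda1/triage-$(date +%Y%m%d-%H%M)
if [ -n "${1:-}" ]; then
    collect_triage "$1"
fi
```

Copy the directory off the router before the reset. The nvram dump contains the admin credential, Wi-Fi passphrases and VPN keys, so store the bundle as carefully as the saved settings and JFFS backup that the thread suggests labelling as potentially infected.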
 
I have re-flashed the firmware (same version) and done a factory reset.

Reapplied all the settings manually. It is working fine now.

I have AiCloud, Media Server and Samba on, sharing the content of an external SSD connected to the router's USB port. However, these accesses are restricted to LAN only. Smart Access and DDNS are disabled. SSH is LAN only. Web access from WAN is No. No UPnP function enabled.

I have 30+ devices in the DHCP manual assignment list. Could this issue somehow be triggered when the DHCP manual assignment list is long?

Or could this be caused by the Asus Router Android app on my phone? I noticed recently there was a new update of the Asus Router app pushed from the Play Store.
 
What AiCloud services do you have enabled? Cloud Disk, by definition, allows remote access.
 

Yes, it was Cloud Disk.

It needs to be on in order for the AiCloud mobile app to work. But I seldom use AiCloud in phone as well, so I have turned it off.

Thanks.
 
@ColinTaylor could be correct in his thought about possible malware.

I just checked that the following CVEs are related to AiCloud:
Source: https://www.asus.com/security-advisory

CVE-2025-2492, CVE-2024-12912, CVE-2024-13062

Although I always update my firmware to the latest stable version, I had done dirty updates for the past few versions of firmware, so if malware was injected before an update, a new firmware update via dirty update might not have been able to clean up the injected code.
 
There is a big discussion on the malware that possibly used AiCloud as its entry point in the following topic:
 
I reflashed my RT-AX86U and enabled Smart Access, but I did not set up a WG VPN connection again. Everything is working fine now.

Here’s the output from my GT-AX6600 (still not reflashed and still having issues) using ColinTaylor’s command. Hopefully this helps.

Code:
drwxr-xr-x    3 kidd     root            60 Jan  1  1970 confmtd
drwxr-xr-x    4 kidd     root            80 Jan  1  1970 var
drwxr-xr-x    2 kidd     root            40 Jan  1  1970 share
-rw-r--r--    1 kidd     root             0 Jan  1  1970 settings
drwxr-xr-x    3 kidd     root            60 Jan  1  1970 notify
drwxr-xr-x    2 kidd     root            40 Jan  1  1970 inadyn.cache
drwxr-xr-x    3 kidd     root            60 Jan  1  1970 home
-rw-rw-rw-    1 kidd     root         53027 Jan  1  1970 boot_dmesg.log
-rw-r--r--    1 kidd     root             9 Jan  1  1970 misc.json
lrwxrwxrwx    1 kidd     root            18 Jan  1  2024 syslog.log-1 -> /jffs/syslog.log-1
lrwxrwxrwx    1 kidd     root            16 Jan  1  2024 syslog.log -> /jffs/syslog.log
drwxrwxrwx    2 kidd     root            40 Jan  1  2024 netool
drwxrwxrwx    2 kidd     root           140 Jan  1  2024 nc
-rw-rw-rw-    1 kidd     root             0 Jan  1  2024 .web_aus
lrwxrwxrwx    1 kidd     root             8 Jan  1  2024 ipsec_updown -> /sbin/rc
drwxrwxrwx    3 kidd     root            80 Jan  1  2024 avahi
drwxrwxrwx    2 kidd     root            40 Jan  1  2024 asusfbsvcs
-rw-rw-rw-    1 kidd     root          4291 Jan  1  2024 lighttpd.conf
-rw-rw-rw-    1 kidd     root          1071 Jan  1  2024 nat_rules__eth0
-rw-rw-rw-    1 kidd     root           384 Jan  1  2024 run_lldpd.sh
-rw-rw-rw-    1 kidd     root            52 Jan  1  2024 lldpd_bind_ifnames
drwxr-xr-x    2 kidd     root            40 Jan  1  2024 cfg_mnt
-rw-rw-rw-    1 kidd     root           202 Jan  1  2024 chanspec_avbl.txt
-rw-r--r--    1 kidd     root            31 Jan  1  2024 04:42:1A:5F:0B:F0.bi
drwxrwxrwx    2 kidd     root           100 Jan  1  2024 asusdebuglog
drwxrwxrwx   21 kidd     root           394 Aug  4 00:57 ..
drwxrwxrwx    4 kidd     root           100 Sep 22 10:28 mnt
-rwxrwxrwx    1 kidd     root             0 Sep 22 10:28 webs_upgrade.sh
lrwxrwxrwx    1 kidd     root            21 Sep 22 10:28 opt -> /tmp/mnt/sda1/entware
-rwxrwxrwx    1 kidd     root       2430916 Sep 22 10:28 rc
-rw-rw-rw-    1 kidd     root            34 Sep 22 10:28 usb_err
-rw-rw-rw-    1 kidd     root        761903 Sep 22 10:28 httpd.json
drw-------    2 kidd     root            60 Sep 22 10:28 bwdpi
drwxrwxrwx    5 kidd     root           240 Sep 22 10:28 lighttpd
-rwS-w---T    1 kidd     root             0 Sep 22 11:46 ebtables.lock
lrwxrwxrwx    1 kidd     root             8 Sep 22 11:46 zcip -> /sbin/rc
lrwxrwxrwx    1 kidd     root             8 Sep 22 11:46 wpa_cli -> /sbin/rc
-rw-------    1 kidd     root           232 Sep 22 11:46 wan0_ppp.env
lrwxrwxrwx    1 kidd     root             8 Sep 22 11:46 udhcpc_wan -> /sbin/rc
drwxrwxrwx    3 kidd     root           300 Sep 22 11:46 ppp
lrwxrwxrwx    1 kidd     root             8 Sep 22 11:46 dhcp6c -> /sbin/rc
-rwxrwxrwx    1 kidd     root          1204 Sep 22 11:46 ipsec_iptables_rules
-rw-rw-rw-    1 kidd     root           684 Sep 22 11:46 wl0_hapd.conf
-rw-rw-rw-    1 kidd     root           684 Sep 22 11:46 wl1_hapd.conf
drwxrwxrwx    2 kidd     root            80 Sep 22 11:46 dm
srwxrwxrwx    1 kidd     root             0 Sep 22 11:46 wpa_ctrl_29869-2
srwxrwxrwx    1 kidd     root             0 Sep 22 11:46 wpa_ctrl_29869-1
-rw-rw-rw-    1 kidd     root            30 Sep 22 11:46 resolv.dnsmasq.sdn0
srwxrwxrwx    1 kidd     root             0 Sep 22 11:46 mcpd_mcpctl_addr
-rw-rw-rw-    1 kidd     root             0 Sep 22 11:46 lld2d.conf
-rw-rw-rw-    1 kidd     root            17 Sep 22 11:46 resolv.dnsmasq
-rw-rw-rw-    1 kidd     root            38 Sep 22 11:46 resolv.conf
drwxrwxrwx    2 kidd     root           200 Sep 22 11:46 .sdn
-rw-rw-rw-    1 kidd     root            16 Sep 22 11:46 hw_auth_clm
-rw-r--r--    1 kidd     root           263 Sep 22 11:46 wchannel.json
-rw-r--r--    1 kidd     root           143 Sep 22 11:46 nbr_list.json
-rw-r--r--    1 kidd     root           397 Sep 22 11:46 chanspec_private.json
-rw-r--r--    1 kidd     root           262 Sep 22 11:46 chanspec_avbl.json
-rw-r--r--    1 kidd     root           445 Sep 22 11:46 chanspec_all.json
-rw-r--r--    1 kidd     root          1420 Sep 22 11:46 04:42:1A:5F:0B:F0.cap
-rw-r--r--    1 kidd     root             2 Sep 22 11:46 relist.json
-rw-r--r--    1 kidd     root            12 Sep 22 11:46 private.ft
-rw-rw-rw-    1 kidd     root           144 Sep 22 11:46 obvsie
-rw-rw-rw-    1 kidd     root             1 Sep 22 11:46 obstatus
-rw-rw-rw-    1 kidd     root           144 Sep 22 11:46 guest_vsie
-rw-r--r--    1 kidd     root         31724 Sep 22 11:46 common.json
-rw-r--r--    1 kidd     root            12 Sep 22 11:46 common.ft
-rw-r--r--    1 kidd     root            28 Sep 22 11:46 cap.json
-rw-r--r--    1 kidd     root            93 Sep 22 11:46 aplist.json
-rw-rw-rw-    1 kidd     root         65730 Sep 25 15:46 ce0.log.bak
-rw-r--r--    1 kidd     root            61 Sep 25 16:09 wiredclientlist.json
-rw-r--r--    1 kidd     root            21 Sep 25 16:09 current_wired_client_list.json
-rw-r--r--    1 kidd     root             2 Sep 25 16:09 current_wired_client_info.json
-rw-rw-rw-    1 kidd     root         48929 Sep 25 20:16 ce0.log
-rw-rw-rw-    1 kidd     root           996 Sep 25 20:43 filter.default
-rw-rw-rw-    1 kidd     root          1297 Sep 25 20:43 redirect_rules
-rw-------    1 kidd     root          1127 Sep 25 20:43 nat_rules_ppp0_eth0
lrwxrwxrwx    1 kidd     root            24 Sep 25 20:43 nat_rules -> /tmp/nat_rules_ppp0_eth0
-rw-rw-rw-    1 kidd     root          5601 Sep 25 20:43 filter_rules
-rw-rw-rw-    1 kidd     root           411 Sep 25 20:43 filter_ipv6.default
-rw-r--r--    1 kidd     root          8795 Sep 25 20:43 nmp_cache.js
-rw-rw-rw-    1 kidd     root          1170 Sep 25 20:43 usb.log
drwxrwxrwx    3 kidd     root            60 Sep 25 20:43 skynet
drwxr-xr-x   12 kidd     root          1820 Sep 25 20:43 etc
-rw-rw-rw-    1 kidd     root          2696 Sep 25 20:43 diag_port_status.json
-rw-r--r--    1 kidd     root           422 Sep 25 20:43 allwclientlist.json
-rwxr-xr-x    1 kidd     root       3363632 Sep 25 20:44 wred
drw-rw-rw-    2 kidd     root           280 Sep 25 20:44 .diag
-rw-r--r--    1 kidd     root           368 Sep 25 20:44 clientlist.json
-rw-rw-rw-    1 kidd     root          3633 Sep 25 20:45 dev
drwxrwxrwx   23 kidd     root          1820 Sep 25 20:45 .
 


I reflashed my RT-AX86U and enabled Smart Access, but I did not set up a WG VPN connection again. Everything is working fine now.
I strongly suggest you don't enable Smart Access or any other AiCloud services.

Here’s the output from my GT-AX6600 (still not reflashed and still having issues) using ColinTaylor’s command. Hopefully this helps.
Thanks for the info. There are some things that I'm not familiar with, probably because they're new to the 3006.102 branch. Maybe someone like @dave14305 can give the output a quick check.

Can you confirm that you have intentionally installed vlmcsd and xray on this router?

My main concern is the presence of the rc executable in /tmp. This is a red flag to me.
-rwxrwxrwx 1 kidd root 2430916 Sep 22 10:28 rc
Can you provide the output of this command:
Code:
df -a

I suggest that you disable AiCloud on this router also.
 
Yes, I installed vlmcsd and xray myself. Here’s the output of the df command:
Code:
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                57088     57088         0 100% /
devtmpfs                418916         4    418912   0% /dev
tmpfs                   509252       440    508812   0% /var
tmpfs                   509252     12616    496636   2% /tmp/mnt
ubi:data                 17200       124     16164   1% /data
ubi:defaults              5848       384      5132   7% /tmp/mnt/defaults
ubi:jffs2                45528      2376     40792   6% /jffs
tmpfs                   509252     12616    496636   2% /tmp/mnt
ubi:defaults              5848       384      5132   7% /tmp/mnt/defaults
tmpfs                   509252     12616    496636   2% /tmp
ubi:defaults              5848       384      5132   7% /tmp/mnt/defaults
/dev/sda1              7621860   2216648   4998324  31% /tmp/mnt/sda1
tmpfs                   509252     12616    496636   2% /usr/sbin/webs_update.sh
tmpfs                   509252     12616    496636   2% /sbin/rc
ubi:jffs2                45528      2376     40792   6% /www/Main_LogStatus_Content.asp
tmpfs                   509252     12616    496636   2% /jffs/usericon/asd_kkoS
tmpfs                   509252     12616    496636   2% /usr/sbin/wred

I’ve already disabled AiCloud now, thanks for pointing it out.
 
This thing is hacked to hell with the bind mounts of rc and wred and the update script.
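The mounts in the df -a output are what dave14305 means: the firmware root is a read-only squashfs (the /dev/root line at 100% use), so a replacement rc cannot be written in place, but a file from tmpfs can be bind-mounted on top of /sbin/rc and every process that executes that path, including the service symlinks to /sbin/rc in the /tmp listing earlier (zcip, wpa_cli, udhcpc_wan, dhcp6c), gets the replacement. The following check is an added example, not code from the thread: it reads a mount table in /proc/mounts format and prints any mount whose target lies inside the firmware tree or inside /jffs. The sample table is constructed from the mount points in the posted df output; live_check assumes /proc/mounts is readable on the router.

```sh
#!/bin/sh
# List mounts that land on top of firmware paths, which is how a read-only
# squashfs root gets "patched" at runtime. Added example; not from the thread.

# Constructed /proc/mounts-style sample with the mount points from the df -a
# output posted above (device, mount point, fs type, options, dump, pass).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw 0 0
ubi:jffs2 /jffs ubifs rw 0 0
/dev/sda1 /tmp/mnt/sda1 ext4 rw 0 0
tmpfs /usr/sbin/webs_update.sh tmpfs rw 0 0
tmpfs /sbin/rc tmpfs rw 0 0
ubi:jffs2 /www/Main_LogStatus_Content.asp ubifs rw 0 0
tmpfs /jffs/usericon/asd_kkoS tmpfs rw 0 0
tmpfs /usr/sbin/wred tmpfs rw 0 0'

# suspicious_mounts MOUNT_TABLE
# Prints "mountpoint fstype verdict" for mounts whose target is inside the
# firmware tree or inside /jffs. The firmware image itself never mounts
# anything there, so every hit needs an explanation.
suspicious_mounts() {
    printf '%s\n' "$1" | awk '
        # Executables and libraries: nothing legitimate overlays these.
        $2 ~ "^/(sbin|bin|lib|usr)(/|$)" { print $2, $3, "firmware-path"; next }
        # Web UI pages: UI add-ons can bind-mount their own page over a stock
        # one, so match each hit against what was installed.
        $2 ~ "^/www(/|$)"                { print $2, $3, "review"; next }
        # A mount *over* a path inside /jffs (the persistent partition),
        # as opposed to /jffs itself, is not something the firmware does.
        $2 ~ "^/jffs/"                   { print $2, $3, "review" }'
}

# On the router: read the live mount table instead of the sample.
live_check() {
    suspicious_mounts "$(cat /proc/mounts)"
}

# Offline demonstration on the constructed sample:
suspicious_mounts "$SAMPLE_MOUNTS"
```

On the sample this flags the three tmpfs mounts over /sbin/rc, /usr/sbin/wred and /usr/sbin/webs_update.sh as firmware-path hits and the /www page and /jffs/usericon/asd_kkoS mounts for review. Mounts over /www pages need judgement, since UI add-ons are known to replace stock pages this way, so check each one against what is installed before calling it malicious; a tmpfs mount over a firmware binary or the update-check script has no legitimate explanation. Because the replacements live in RAM (the rc and wred files in the /tmp listing above are very likely their backing copies), something outside the read-only image has to re-create them on every boot; copy those files off the router with their hashes before the factory reset if you want them analysed, and note that "umount /sbin/rc" exposes the original binary underneath for comparison.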
 
Thanks for that. This shows that the router has been severely compromised.

There's no obvious indication as to how it was compromised. Although I'm always suspicious of AiCloud given its history. That said, it's always possible it was hacked from the LAN side.

I think all you can do now is a hard factory reset and manual setup like you did on your other router.
 
I’m suspicious of the /jffs/usericon/asd_kkoS file and its bind mount.
 
