Mirai - my RT-AC66U?

Mpuk7

Regular Contributor
Hi all,

My ISP alerted me to an instance of Mirai on at least one device on my network on Saturday. I'm now acting to secure things more and also with a number of Linux devices including Raspberry Pis, thermostat and IP cameras I'm trying to figure out what is infected.
I do fear my RT-AC66U as I have a Virginmedia Hub in router mode and my router is no longer supported and on the last version of the firmware.
A port scan shows 22 and 23 open but filtered. I have 21 forwarded to a Pi but restricted to one external IP. My router now has external management disabled so I have to use OpenVPN to connect in and access it on the LAN. Any help much appreciated.

Many thanks
 

ColinTaylor

Part of the Furniture
If your Virginmedia Hub is in router mode how have you configured your AC66U? As a router or an access point?

I note that your AC66U was previously hacked back in 2018.
 

Mpuk7

Regular Contributor
If your Virginmedia Hub is in router mode how have you configured your AC66U? As a router or an access point?

I note that your AC66U was previously hacked back in 2018.
Hi Colin,
Sorry for the delay, I didn't get a notification of your reply for some reason.
I have the Virgin hub in modem only mode and ac66u as the router. I was thinking as there aren't any updates for that model now I'll have to try and block the ports used by Mirai as they seem quite specific to it and it's quite an old threat I think?
 

ColinTaylor

Part of the Furniture
If Virgin said that one or more of your devices are infected it would have been helpful if they had specified exactly what ports they were talking about. While the original Mirai used telnet on ports 23 and 2323 other Mirai variants used different ports. For example, Wicked uses ports 8080, 8443, 80, and 81 and targets routers as well as IoT devices. So it's possible Virgin were seeing a router infection via port 80/8443 (as appears to have happened to you in 2018).

Check that your router doesn't have any unexpected ports being forwarded by looking at System Log - Port Forwarding.

In any case it's a bit late trying to lock down external ports now if one of your devices is already infected. Presumably Virgin noticed the outgoing traffic from your IP address.

We have already seen new malware attempting to infect Asus routers, mostly targeting older MIPS models (like your RT-AC66U). The method of the infection is unknown but it seems likely it was from inside the local network rather than a direct connection from outside.

At the end of the day you're likely going to be playing whack-a-mole with such an old model of router with so many known security issues. I suggest it's time to replace it with something more recent that receives security updates. Any current model would be an improvement. Something like the RT-AC66U B1 (same as the RT-AC68U) or RT-AX68U. Those models also come with AiProtection, so that's an additional layer of security if you choose to use it.
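A small audit of the kind Colin suggests, as an added example that is not part of the thread: it parses a router port-forwarding rule string, compares every rule against an allow-list the owner maintains, and flags rules that are unexpected or that expose one of the ports the thread associates with Mirai and the Wicked variant. The rule format is an assumption modelled on the `<name>ext_port>int_ip>int_port>proto>` style used by Asuswrt's `vts_rulelist` nvram variable; the sample rules and addresses are constructed.

```python
"""Audit router port-forwarding rules against an expected allow-list.

Added example (not from the thread). The rule-string layout below is an
assumption modelled on Asuswrt's 'vts_rulelist' format; verify it against
your own router's output before relying on the parser.
"""
import re

# Ports the thread names: original Mirai (23, 2323) and Wicked (8080, 8443, 80, 81).
MIRAI_PORTS = {23, 2323, 8080, 8443, 80, 81}

# Constructed sample: the FTP forward to a Pi that the poster mentions, a camera
# forward, and an unnamed rule pointing at the router itself that nobody created.
SAMPLE_RULES = (
    "<FTP-Pi>21>192.168.1.10>21>TCP>"
    "<cam1>8081>192.168.1.21>80>TCP>"
    "<>2323>192.168.1.1>23>TCP>"
)

# Allow-list kept by the owner: (external port, internal IP, internal port, proto).
EXPECTED = {
    (21, "192.168.1.10", 21, "TCP"),
    (8081, "192.168.1.21", 80, "TCP"),
}

RULE_RE = re.compile(r"<([^>]*)>(\d+)>([^>]*)>(\d+)>([^>]*)>")


def parse_rules(raw):
    """Split the rule string into dicts, one per forwarding entry."""
    rules = []
    for name, ext, ip, intp, proto in RULE_RE.findall(raw):
        rules.append({
            "name": name,
            "ext_port": int(ext),
            "int_ip": ip,
            "int_port": int(intp),
            "proto": proto.upper(),
        })
    return rules


def audit(rules, expected):
    """Return [(rule, [reasons])] for every rule that deserves a look."""
    findings = []
    for r in rules:
        key = (r["ext_port"], r["int_ip"], r["int_port"], r["proto"])
        reasons = []
        if key not in expected:
            reasons.append("not in allow-list")
        if r["ext_port"] in MIRAI_PORTS:
            reasons.append("external port associated with Mirai variants")
        if not r["name"]:
            reasons.append("unnamed rule")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in audit(parse_rules(SAMPLE_RULES), EXPECTED):
        print(f"{rule['proto']}/{rule['ext_port']} -> {rule['int_ip']}:{rule['int_port']}"
              f" ({rule['name'] or 'no name'}): {', '.join(reasons)}")
```

Only the external port is checked against the Mirai list, because that is the side exposed to the internet; an internal camera listening on 80 behind an unusual external port is the owner's choice, whereas an unexpected external 2323 forwarded to the router itself is exactly the kind of entry the System Log check is meant to surface.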
 

Mpuk7

Regular Contributor
Thanks very much for the advice, much appreciated. I did worry it might be time for an upgrade. A shame as my rt-ac66u has been very reliable over the years.
It is a bit annoying that Virgin don't indicate the port they're seeing the traffic coming from. I checked the ports used by the original Mirai and checked netstat on the router etc.
In response to previous issues I closed remote management of the router and all my port forwarding is to older webcams and devices with non default passwords etc.
I use OpenVPN if I want to access my router remotely but am concerned by the OpenVPN entries in the log, which show what appear to be attempts at access that fail:
openvpn[4338]: 66.81.184.221 TLS Error: TLS handshake failed
Oct 15 21:35:52 openvpn[4338]: 66.81.184.221 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 15 21:35:53 openvpn[4338]: 66.81.184.221 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 15 21:35:53 openvpn[4338]: 66.81.184.221 TLS Error: TLS handshake failed
Oct 15 21:35:53 openvpn[4338]: 66.

I may go for the B1 as the AX68U looks a bit pricey but will see.
 

ColinTaylor

Part of the Furniture
I use OpenVPN if I want to access my router remotely but am concerned by the OpenVPN entries in the log, which show what appear to be attempts at access that fail:
openvpn[4338]: 66.81.184.221 TLS Error: TLS handshake failed
Oct 15 21:35:52 openvpn[4338]: 66.81.184.221 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 15 21:35:53 openvpn[4338]: 66.81.184.221 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 15 21:35:53 openvpn[4338]: 66.81.184.221 TLS Error: TLS handshake failed
Oct 15 21:35:53 openvpn[4338]: 66.
That's to be expected if you're running your VPN server on the standard port (UDP 1194), or any of the "common" ports. It's normal port scanning/hacking attempts. You should use a non-standard port in the range 5001 to 32767.
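To tell routine scanner noise from a connection that actually completed, it helps to summarise the log per source address rather than reading it line by line. The script below is an added example, not from the thread or from the router vendor; it parses lines in the same shape as the ones posted above (optional syslog timestamp, `openvpn[pid]:`, source IP, message), counts failed TLS handshakes and completed sessions per source, and lists sources that only ever failed. The sample lines and IP addresses are constructed, and the "Peer Connection Initiated" success message is assumed to appear in the same prefix format as the errors.

```python
"""Summarise failed OpenVPN TLS handshakes per source address.

Added example (not from the thread). Input lines follow the shape of the
poster's log; the sample below is constructed with documentation-range IPs.
"""
import re

LOG_RE = re.compile(
    r"^(?:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) )?"   # optional syslog timestamp
    r"openvpn\[\d+\]: "                            # process tag
    r"(?P<src>\d+\.\d+\.\d+\.\d+) "                # remote address
    r"(?P<msg>.*)$"
)

# Constructed sample: one noisy source, one single-shot probe, one real client.
SAMPLE_LOG = """\
openvpn[4338]: 198.51.100.7 TLS Error: TLS handshake failed
Oct 15 21:35:52 openvpn[4338]: 198.51.100.7 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 15 21:35:53 openvpn[4338]: 198.51.100.7 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 15 21:35:53 openvpn[4338]: 198.51.100.7 TLS Error: TLS handshake failed
Oct 15 21:40:10 openvpn[4338]: 203.0.113.9 TLS Error: TLS handshake failed
Oct 15 22:01:44 openvpn[4338]: 192.0.2.55 TLS: Initial packet from [AF_INET]192.0.2.55:51034
Oct 15 22:01:45 openvpn[4338]: 192.0.2.55 Peer Connection Initiated with [AF_INET]192.0.2.55:51034
"""

FAILURE_MARKERS = ("TLS handshake failed", "TLS key negotiation failed")
SUCCESS_MARKER = "Peer Connection Initiated"


def summarize(log_text):
    """Return {src_ip: {"failed": n, "completed": n}} over the given log text."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines without a remote address (server start-up etc.) are ignored
        entry = summary.setdefault(m["src"], {"failed": 0, "completed": 0})
        msg = m["msg"]
        if any(marker in msg for marker in FAILURE_MARKERS):
            entry["failed"] += 1
        elif SUCCESS_MARKER in msg:
            entry["completed"] += 1
    return summary


def flag_scanners(summary, threshold=2):
    """Sources with at least `threshold` failed handshakes and no completed session."""
    return sorted(
        ip for ip, counts in summary.items()
        if counts["failed"] >= threshold and counts["completed"] == 0
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, counts in sorted(stats.items()):
        print(f"{ip:16} failed={counts['failed']} completed={counts['completed']}")
    print("failed-only sources:", flag_scanners(stats))
```

A source that never gets past the TLS handshake never reached the point where keys or credentials are checked, which is why these entries are noise rather than a breach; what the summary does not tell you is what the remote end was sending, so the "completed" column is the one to watch for addresses you do not recognise.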

 

Mpuk7

Regular Contributor
Great, thanks. I've disabled it for now but will change the port asap. Useful to have the reporting link as have seen a couple of other IPs on there as well this evening and was alarmed when I checked and it looked like connections had been made although no data transferred as attached.
 

Attachments

  • Screenshot_20221015-230721_Samsung Internet.jpg

Mpuk7

Regular Contributor
Hi Colin,

Sorry, just considering upgrade options after you mentioned a couple of alternatives with AiProtection. This might be going off track a bit and more for another thread, but with the AC66U B1 being the same as the AC68U I was considering also the actual AC68U but also the AC86U, as I think second hand at least the prices have dropped a fair bit now as they're older and the AX models are preferred more. I don't know if I'd have any true benefit from AX as many of my devices are older. Below is my device list:
2 small managed hubs
7 IP cameras (sometimes 9)
3 raspberry Pis
3 laptops
1 PC
2 mobile phones
NAS
Switch
TiVo
VOIP phone
Work phone (PoE) with powerline adapters
Smart TV
Blu ray player
Chromecast
Roku
Approx 5 smart plugs
Thermostat
Google hub & display
Wifi repeater
On occasion another NAS, 3 other game consoles, other tablets and phones e.g. old ones or visitors.

Only a handful use 5Ghz:
Mobile phones
Laptop
Google devices
 

Tech9

Part of the Furniture
but also the AC86U as I think 2nd hand

Don't buy this router second hand. If you want a new one - get the longest warranty possible.


Hunt for good deals on RT-AX86S around holidays instead. This model is equivalent to RT-AC86U, but with AX radio and better support. No AX86 series hardware failures reported so far, so perhaps better reliability too. It's safer to get it second hand too, if you find one.
 

Mpuk7

Regular Contributor
Don't buy this router second hand. If you want a new one - get the longest warranty possible.


Hunt for good deals on RT-AX86S around holidays instead. This model is equivalent to RT-AC86U, but with AX radio and better support. No AX86 series hardware failures reported so far, so perhaps better reliability too. It's safer to get it second hand too, if you find one.
Thanks Tech9, that might explain the number on eBay sold as "parts only".
I'll have a look at new deals. I take it the AC68U has proven a safe bet along with the AC66U B1?
 

Tech9

Part of the Furniture
RT-AC68U and variants (like your AC66U B1) are very reliable routers, but showing their age. The technology used is from around 2012 - 10 years old already. There is not much of a choice in Asus AC-class routers. Avoid RT-AX68U as well - cheap, but with reported connectivity issues. RT-AX58U is an entry-level model, but usually overpriced for what it is. I've seen RT-AX86S for $140 on sale around, new. It's good up to a Gigabit ISP line.

What's your ISP line speed and do you have channels 149-161 available in your country?
 

Tech9

Part of the Furniture
The reason I asked this question is because I found AX86 series routers have differently tuned radios and work better on higher channels, but it also depends on region power regulations. It won't be worse than AC66U B1 though. You have both AC68U and AX86U to compare in UK region. I'm careful recommending models for range and performance because I know there are differences. I own places in North America and Europe and know from experience. Different building materials as well. What works in North America for entire home may be just enough for 2 rooms in Europe.

What good price/performance model would you recommend in the UK?
 

Mpuk7

Regular Contributor
RT-AC68U and variants (like your AC66U B1) are very reliable routers, but showing their age. The technology used is from around 2012 - 10 years old already. There is not much of a choice in Asus AC-class routers. Avoid RT-AX68U as well - cheap, but with reported connectivity issues. RT-AX58U is an entry-level model, but usually overpriced for what it is. I've seen RT-AX86S for $140 on sale around, new. It's good up to a Gigabit ISP line.

What's your ISP line speed and do you have channels 149-161 available in your country?

Thanks, my line speed is 200 Mbps; I tend to get around 215 on speed tests consistently.
 

ColinTaylor

Part of the Furniture
@Tech9 The UK models are still using the EU WiFi region settings. So channels 100 to 140 are preferred as they operate at significantly more power than the lower channels. My RT-AC68U didn't offer channels 120 to 128 (that may have changed in later firmware versions) but my RT-AX86U does.
 

Mpuk7

Regular Contributor
I think I'll keep an eye out for a good bargain AX model and in the interim change the port on my OpenVPN as Colin suggested. I've seen the AC86U and AC66U available cheap, so I did consider one to at least tinker with the AiProtection features and later Merlin firmware, to feel like I have more control over what traffic and activity there is, as I'm getting increasingly worried about the vulnerabilities with the AC66U, where I'm fighting a losing battle I fear.
 

Tech9

Part of the Furniture
Thanks, my line speed is 200 Mbps; I tend to get around 215 on speed tests consistently.

Let @ColinTaylor recommend you a good upgrade router. Honestly, if you have no issues with your router in terms of speed, stability and coverage - continue using it. You have most of your devices on 2.4GHz and newer routers will improve very little.

at least tinker with the AiProtection features

You have AiProtection available on your RT-AC66U B1, no? Or yours is the original MIPS RT-AC66U?

The UK models are still using the EU WiFi region settings.

Yes, I have the same in Spain. Using 36-48 there with access points.
 

Tech9

Part of the Furniture
You have AiProtection available on your RT-AC66U B1, no? Or yours is the original MIPS RT-AC66U?

Found the answer - upgrade. :)

But keep in mind RT-AC68U variants slow down a lot with TrendMicro components enabled. The exception is RT-AC68U V4 with ARMv8 CPU.
 

Mpuk7

Regular Contributor
Thanks :) sorry, yes, mine is an old RT-AC66U:
Broadcom BCM5300 chip rev 1
CPU Frequency: 600 MHz
I've had it a good few years now. It's been very reliable and has worked great, just the concerns over security and vulnerabilities as it's no longer supported by Merlin, although I did notice mention of a fork supporting that model still?
Good to know about the V4 AC68U. Does the AC66U B1 have any performance issues with TrendMicro?
 

Tech9

Part of the Furniture
did notice mention of a fork supporting that model still?

Yes, John's Fork based on 374 code base. The issue with AC66U is weak hardware - single core 600MHz MIPS CPU. The moment you activate something NAT acceleration incompatible on it WAN-LAN performance drops to about 150Mbps.

does the AC66U B1 have any performance issues with TrendMicro?

It does work with TrendMicro components (AiProtection, AdaptiveQoS, Web History, Traffic Analyzer, Parental Controls), but becomes less responsive. The reason is BCM4360 radios don't have their own processing units and rely on the main CPU. Increased CPU load has a negative impact on overall performance. RT-AC68U V4 is the latest AC68U variant based on the newer HND platform with a dual-core ARMv8 1.8GHz CPU and 512MB RAM. It also uses the same radios, but the CPU can handle much more load. I would say upgrade to AX86S, if the budget allows. It will have longer firmware support for sure. Along with its older brother AX86U, it's one of the first routers to get 388 code base firmware with VPN Fusion (simple selective routing) and WireGuard support. You may not need 3rd party firmware on it. Many Asuswrt-Merlin features are included in stock 388 code firmware now.
 
