Possibly been hacked. Need assistant from senior users.

DonnyJohnny

Very Senior Member
I wonder why people would want to leave their router with a single layer of simple password as the line of defence from the internet. Be it GUI via WAN or AiCloud... at minimum you need an SSH key or SSL cert. The internet world is too scary.
Even cloud storage, internet email and other internet platforms have 2FA on top of the password.

Better safe than sorry, people..

For those who know they have already been compromised, please reflash and flush out everything to factory default, then set things back manually. Don’t be lazy. Lol..
 

KoloGit

New Around Here
The exact thing has happened to me. I discovered it this morning, when I tried to log in to my rt-ac66u and the login screen was in Korean. My OpenVPN server was shut down and PPTP was set up for a user "i1112670". I looked at the logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in Asus routers' security right now, as I see many similar entries on security forums across the Internet.
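Added example (not from the thread or from Asus): a small Python script that parses syslog lines like the ones posted above, counts the "login lock" events per source IP, and pairs each NAT-rule reapply with the lockout that preceded it. The pairing is a heuristic I am assuming here, based on the nat_rules being regenerated when the firewall configuration is reapplied; the sample log is constructed from the lines in the post plus one unrelated line.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines posted above, plus one unrelated line.
SAMPLE_LOG = """\
Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 16:00:00 kernel: eth0: link up
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LOCK_RE = re.compile(TS + r" httpd login lock: Detect abnormal logins at \d+ times\. "
                     r"The newest one was from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
NAT_RE = re.compile(TS + r" start_nat_rules: ")

def parse_events(log_text):
    """Return (timestamp, kind, ip) tuples in log order; ip is None for NAT events."""
    events = []
    for line in log_text.splitlines():
        if m := LOCK_RE.match(line):
            events.append((m["ts"], "login_lock", m["ip"]))
        elif m := NAT_RE.match(line):
            events.append((m["ts"], "nat_reapply", None))
    return events

def lock_sources(events):
    """Count login-lock events per source IP (the brute-force candidates)."""
    return Counter(ip for _, kind, ip in events if kind == "login_lock")

def reapply_after_lock(events):
    """Pair each NAT-rule reapply with the most recent lockout source before it.
    Heuristic (assumed): nat_rules are regenerated when the firewall config is
    reapplied, so a reapply right after repeated lockouts is a cue to audit the
    router's settings (VPN servers, users, remote access), not just block the IP."""
    pairs, last_ip = [], None
    for ts, kind, ip in events:
        if kind == "login_lock":
            last_ip = ip
        elif last_ip is not None:
            pairs.append((ts, last_ip))
    return pairs
```

Feed it the router's syslog (`/tmp/syslog.log` on Asuswrt, copied off the box) instead of the sample to summarise your own lockouts.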
 

Rubenel

Occasional Visitor
The exact thing has happened to me. I discovered it this morning, when I tried to log in to my rt-ac66u and the login screen was in Korean. My OpenVPN server was shut down and PPTP was set up for a user "i1112670". I looked at the logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in Asus routers' security right now, as I see many similar entries on security forums across the Internet.
Thanks for posting.

I had SSH and WAN access turned off.

This is an exploit in the firmware.

Sent from my SM-G950U using Tapatalk
 

Rubenel

Occasional Visitor
I think it is a very large security hole that the ASUS app opens up WAN Access automatically without people necessarily being aware of how insecure this is.
ASUS should address it!

StephenH
It may be, but I did turn off this feature once I deleted the app.

This is an exploit in the firmware.

Sent from my SM-G950U using Tapatalk
 

Jack Yaz

Part of the Furniture
I think it is a very large security hole that the ASUS app opens up WAN Access automatically without people necessarily being aware of how insecure this is.
ASUS should address it!

StephenH
@arthurlien comments from Asus on this? We've had lots of reports that the Asus app enables access from WAN with no notice to the user.
 

DonnyJohnny

Very Senior Member
The exact thing has happened to me. I discovered it this morning, when I tried to log in to my rt-ac66u and the login screen was in Korean. My OpenVPN server was shut down and PPTP was set up for a user "i1112670". I looked at the logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in Asus routers' security right now, as I see many similar entries on security forums across the Internet.

Since the router is already compromised, turning off the services is no longer effective!! You need to reflash and factory reset. The hacker could have installed some malicious script or program to allow backdoor access...
 

KoloGit

New Around Here
Since the router is already compromised, turning off the services is no longer effective!! You need to reflash and factory reset. The hacker could have installed some malicious script or program to allow backdoor access...
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
 

KoloGit

New Around Here
It seems I really need to reinitialize the router. Here is some suspicious activity to some servers in Kazakhstan, although currently all VPN services on my router appear to be disabled.

Mar 25 14:12:45 openvpn[678]: TCP connection established with [AF_INET]95.57.241.69:57068
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 Connection reset, restarting [0]
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 SIGUSR1[soft,connection-reset] received, client-instance restarting
 

Wutikorn

Senior Member
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
I was wondering the same, so what I did was reset, flash, reset. Not sure which way is optimal.
 

noworries

Occasional Visitor
Within the last day or so I've noticed a flood of inbound requests from "xxx.asuscloud.com" via an Android APP, apparently. The source IPs range from 210.65.113.167-170. (These IPs resolve back to asuscloud.com according to https://www.virustotal.com/en/ip-address/210.65.113.169/information/ )
The connections are attempting to hit a variety of ports in the mid-30K to mid-50K range.

I don't have any cloud services enabled in my 88U nor do I have the app on my devices. I do have an ASUS DDNS set up.

Fortunately, I have Taiwan, from which these probing IPs originate, in my extensive Skynet blocked-countries list.
 

Bass A

New Around Here
FYI : My AI IPS logged a known Exploit for ASUSWRT.
 

Attachment: Unbenannt.png (screenshot)

RMerlin

Asuswrt-Merlin dev
Yep, IPs from Korea.

One user mentioned that his GUI had been switched to Korean, so there's a good chance this is about a specific attacker doing this.

It seems I really need to reinitialize the router. Here is some suspicious activity to some servers in Kazakhstan, although currently all VPN services on my router appear to be disabled.

Mar 25 14:12:45 openvpn[678]: TCP connection established with [AF_INET]95.57.241.69:57068
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 Connection reset, restarting [0]
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 SIGUSR1[soft,connection-reset] received, client-instance restarting

Those could just be random port scanning on port 1194, they don't necessarily mean you are targeted by the same issue discussed here.
 

vango44

Occasional Visitor
I use the Asus App from the LAN side only, but I've seen the app automatically turn on remote connections several times now after app updates.
After reading this thread I also checked to make sure DDNS and AI-Cloud services were still disabled.
I also disabled the "asusnat tunnel" option for good measure.
I recently spent some time cleaning BTC-mining malware from my Qnap NAS so I take this more seriously now.
 

DonnyJohnny

Very Senior Member
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
If you have jffs enabled, ensure you format it, and if you have a thumb drive plugged in, better to format that too.. of course you can look through those files and selectively back them up.

For factory reset... just in case... I would shut down the router and unplug the power cable for 2 min, then hold the WPS button and power up to do a factory reset. Then I would do an extra step by a software reset to Factory Defaults via the Initialise button under Administration, Restore/Save/Upload Setting.
 

sfx2000

Part of the Furniture
One user mentioned that his GUI had been switched to Korean, so there's a good chance this is about a specific attacker doing this.

Yep ;)

The DPRK has gotten very smart these days - much of their haxxor traffic is reflected against CN and JP domains, but they are pretty adept across the world.
 

sfx2000

Part of the Furniture
I recently spent some time cleaning BTC-mining malware from my Qnap NAS so I take this more seriously now.

You should not have any BTC mining on your QNAP NAS unless it's facing the outside world - which is a really bad idea...
 

Treadler

Very Senior Member
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?

Yes. ‘Initialize’ if you have the option.
Otherwise, reset to factory defaults.

Don’t restore your configuration from a file, reconfigure manually.
 

Treadler

Very Senior Member
Please, I am no expert, but just quickly running the AiProtect scan in our devices is so simple.
Then taking a few seconds to fix any issues highlighted.

&

Keeping up to date with firmware. A firmware update isn’t rocket science.
Merlin is working away furiously in the background to give us great firmware, take advantage!

Seems to me, prevention is way more pleasant than cure.......
 

vango44

Occasional Visitor
You should not have any BTC mining on your QNAP NAS unless it's facing the outside world - which is a really bad idea...
I used to have all the "cool" Qnap cloud apps enabled to share photos etc... I thought non-windows boxes were relatively secure. Those days are over now unfortunately. Now I'm forced to use VPN if I temporarily need access. Not as convenient as it used to be but I now understand how easy it is to break in with all those services enabled.
btw, it was the q-photo service that was compromised but no reason to trust any of these other services are invulnerable.
 

Odkrys

Senior Member
Did you enable 'Enable Password Protection Feature' for Aicloud ?

If you didn't turn on this feature, anybody could try brute force without restriction
I don't know why this feature is not default.

WAN Access + AiCloud without Protection + your admin name is admin lol.
This means WELCOME.
 
