Possibly been hacked. Need assistance from senior users.

RMerlin

Asuswrt-Merlin dev
Asus recently fixed a number of issues in AiCloud.
 

Samosa

Regular Contributor
I recently switched WAN access on, as I thought it was safe when 384.4 was released. I've now switched the setting off; I will update to 384.4_2 and do a wipe.
 

Colin1313

New Around Here
Happened to me too. Like a dope I had been using the Asus app for iPhone to manage my router remotely. Only discovered problem when app would no longer connect. I logged into router and saw all in Korean. So far I have updated the firmware but haven't factory reset.
 

Rubenel

Occasional Visitor
Happened to me too. Like a dope I had been using the Asus app for iPhone to manage my router remotely. Only discovered problem when app would no longer connect. I logged into router and saw all in Korean. So far I have updated the firmware but haven't factory reset.
Thanks Collin for the post.

Sent from my SM-G950U using Tapatalk
 

Daspied

New Around Here
I believe I was recently compromised as well.
My settings were as follows:
Firmware version: 384.3_0
Web UI Disabled
Remote web services Disabled
SSH Disabled
DDNS: Active
100-bit strength password with alphabetic, numeric and symbol characters, with the default login changed.
DMZ Disabled
UPnP Disabled

No active VPN (PPTP or L2TP) clients were observed.

I've attached a picture of the Firewall Notifications; the newest notifications were from the 28th, but they are just repeats of previous attacks.

I combed through my log file and wasn't able to find anything of value. The only thing I could find was information related to the initial setup of the new 384 version type in early Feb. I'll attach the code for good measure.
https://pastebin.com/57p5LKYX

I'm honestly pretty baffled. Is the most likely attack vector an infected computer at this point, or has a vulnerability been established for the 384 firmware?

I may migrate my firewall setup onto a dedicated Ubiquiti or Cisco unit.
 

Attachment: 2018-03-28.png (378.2 KB)
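As an added example (not from this thread, and not Asuswrt-Merlin's own code), the script below audits a router settings dump against the locked-down baseline listed in the post above and flags the changes the other reports in this thread describe: PPTP server switched on, a VPN account nobody created, and the UI language changed. The key names (misc_http_x, sshd_enable, dmz_ip, upnp_enable, pptpd_enable, pptpd_clientlist, preferred_lang) are assumed to follow the `nvram show` output of Asuswrt firmware, and the dump itself is constructed; compare the names against your own router before relying on them.

```python
"""Audit an Asuswrt-style settings dump against a locked-down baseline.

Added example, not from the thread. Key names are assumed to match the
`nvram show` output of Asuswrt; the sample dump is constructed.
"""
import re

# Constructed `nvram show`-style dump: partly matches the post's baseline
# (SSH, DMZ and UPnP off), partly shows what a hijacked router might look like
# (WAN web access on, PPTP server on, an unknown VPN account, language changed).
SAMPLE_NVRAM = """\
misc_http_x=1
sshd_enable=0
dmz_ip=
upnp_enable=0
pptpd_enable=1
pptpd_clientlist=<vpnuser>Secret123
preferred_lang=KR
ddns_enable_x=1
wan0_ipaddr=203.0.113.20
"""

# (key, acceptable values, what a deviation means); assumed key names.
BASELINE = [
    ("misc_http_x", {"0"}, "web UI reachable from the WAN"),
    ("sshd_enable", {"0"}, "SSH server enabled"),
    ("dmz_ip", {""}, "a LAN host is exposed via DMZ"),
    ("upnp_enable", {"0"}, "UPnP enabled"),
    ("pptpd_enable", {"0"}, "PPTP VPN server enabled"),
    ("preferred_lang", {"EN"}, "UI language changed"),
]


def parse_nvram(dump: str) -> dict:
    """Split 'key=value' lines; values may themselves contain '=', so split once."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value
    return settings


def vpn_accounts(settings: dict) -> list:
    """Usernames from pptpd_clientlist; assumed '<user>pass<user2>pass2' layout."""
    raw = settings.get("pptpd_clientlist", "")
    return re.findall(r"<([^>]*)>", raw)


def audit(settings: dict) -> list:
    """Return (key, actual_value, meaning) for every deviation from BASELINE,
    plus one entry per PPTP account so the owner can confirm they created it."""
    findings = []
    for key, acceptable, meaning in BASELINE:
        actual = settings.get(key)
        if actual is None:
            findings.append((key, None, "setting missing from dump"))
        elif actual not in acceptable:
            findings.append((key, actual, meaning))
    for user in vpn_accounts(settings):
        findings.append(("pptpd_clientlist", user,
                         "VPN account present; verify you created it"))
    return findings


if __name__ == "__main__":
    for key, value, meaning in audit(parse_nvram(SAMPLE_NVRAM)):
        print(f"{key}={value!r}: {meaning}")
```

On a real unit you would feed it the output of `nvram show` captured over SSH or the Tools page instead of the constructed dump; a clean result on all six baseline keys and an empty VPN account list is what the settings in the post above should produce.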

sfx2000

Part of the Furniture
100-bit strength password with alphabetic, numeric and symbol characters, with the default login changed.

How do you know that PW is strong? You'd be surprised there...

Here are a few samples of strong passwords... they're broken since I'm publishing them now, but they were robust until now...

What I worry about is that some think that a non-A-thru-Z, 0-9 password is not strong enough, and this forces folks into a habit, because we run out of space to remember things.

Code:
Hoo6Faixoo7ein3c saaj4eiYi9Ezoolo eethaemae3OZ1ome ieGeeh7eeca2aaru
PePh2way2shoNgeb ooceisheuthuDah9 ach7ji5eP3eisohf Chei2chohreehur9
osaegaiX6Raipooh nui7fiik6etaChei Dai5dae4aephahgh engoob5ashop4Ouf
ATaeth6ohlaeKieg Aquuvaiya3xooD5l oobas8soo3Si3mei zooh5ChaeSi0Phoh
oemieGae2Fohsiqu thoh9naTimei3aep foo9eeMae0quie8l NaePh7eiluaz0haf
loosoo2doo4ien9C nai6Einoweelae9b ohkohgieNgae0lee muo8Tahx9iesePh7
ahlaeD5lohchaiBe cei6ChohGhoox9oz EeQuai3Bie9phae9 Ieher8fee9ho8epe
ieBeigaing8kiur2 aeweekae2maiF5Po ich0ahwuiN4Xepah iud1eiphe0Cooche
beefoh7ich7uQua1 AhmeiS0IdoosaeYu eiyaiT3uSayeig9n TuiSh4Ooro7gie6s
veiPeebouqu6oul1 jailohng6taBo4zo ebeivoCh1waiT9ki oereipheiV5aif2g
uGeuCo9eiw3Ieph3 ooShoipeeZaex1ei yu7shahh6pohShei aiph2Fohvee9chi7
bohZae1Aagoo3ahd fiuH4Chue3phicee ooNohw8fi6eugh3J gi1maedaXoiz6iuz
jieth6aePie3vah9 auw6tohsee9teeCh AiMaeg4Xoofoon1w aeshoh2iBah9Shoh
Ohc7pahsh3doPeeT ahrook3Niak2theu Ha6eeyoomurahs2d ieloh1iopieyeeQu
TheiZei1ziukebeo oz4niemo7haiLeek Ja7Eish8aiquoZ6e Eow0Chaecae2ohgi
Uo5aida6eengiuth oGhua7paeNao3wei eenaeChah5ohghei oteoXa6yu0xeipai
Ait7cheibo4AeNg2 ojaikaequosei8uH ohmieJi1emium5oo Eehauz1joogheiwi
ahze9eeD2ohngoo4 Hoax3roosh2Ahz0I Ne9vuquuvai6aeTh iochoo8Quoo0Poh5
Sae0reevo2yo3xel Xudae1gu1yaeNgul eethi4aiKi1aFevu eat7ieWohhughoht
bee9ietheeTaepai phomaLeirohf0ohc EB2yohetoiGhaega eicah1Ohthahx3iu
 

Wutikorn

Senior Member
@Daspied Factory reset, flash to 384.4_2 (possibly another factory reset), restart, and then manually configure everything again. 384.4_2 contains some security fixes over 384.3.
 

OOo

Regular Contributor
I got hacked; the language changed. WAN access was off, although I think it was ON prior to the hack.
I am on the 380.69 Merlin version.
Does anyone know if 380.69_2 is good to flash to?
Also, it would be great if there were an email list to get a heads-up on something like this. I was hacked last night, but it seems it started Saturday. With some warning I could have stopped my hack.
Also, I have a thumb drive attached to my router running AB Solution and a Western Digital drive with personal stuff. How do I know if they got my stuff?
Do I need to do anything to my drives in case they put a back door on them?
Thanks
 

rtn66uftw

Senior Member
I got hacked; the language changed. WAN access was off, although I think it was ON prior to the hack.
I am on the 380.69 Merlin version.
Does anyone know if 380.69_2 is good to flash to?
Also, it would be great if there were an email list to get a heads-up on something like this. I was hacked last night, but it seems it started Saturday. With some warning I could have stopped my hack.
Also, I have a thumb drive attached to my router running AB Solution and a Western Digital drive with personal stuff. How do I know if they got my stuff?
Do I need to do anything to my drives in case they put a back door on them?
Thanks
Update to the latest firmware. There are tons of security fixes after 380.69_2.
 

ColinTaylor

Part of the Furniture
Also, I have a thumb drive attached to my router running AB Solution and a Western Digital Drive with personal stuff. How do I know if they got my stuff?
My guess, and it's just a guess, is that the perpetrator is using a vulnerability to "force" configuration changes onto the router without actually logging in. The main purpose appears to be setting up the VPN and associated login details. This would allow them to return at a later date and log in through the VPN, giving them full access to the router and LAN.

If this is the case then I would expect to see the normal PPTP VPN login entries in the syslog (not the failed ones from port scanners).
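The syslog check suggested above, as an added example that is not part of the post: the script separates PPTP sessions that actually completed (pppd handed the peer a tunnel address) from control connections that opened and closed without a login, which is what port-scanner noise looks like. The message wording is modelled on what pptpd and pppd write to syslog but is an assumption here, and the log excerpt is constructed; adjust the regular expressions to the lines your own router produces.

```python
"""Scan router syslog lines for PPTP VPN sessions and separate completed
logins from connection attempts that never got past the control channel.

Added example, not from the thread. Message formats are assumed to resemble
pptpd/pppd syslog output; the sample excerpt below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog excerpt (assumed pptpd/pppd message wording).
# Session 1: a real login from 203.0.113.5 that receives a tunnel address.
# Session 2: a scanner at 198.51.100.7 that opens and drops the control channel.
# Last line: ordinary firewall noise on the PPTP port, unrelated to either.
SAMPLE_SYSLOG = """\
Mar 28 02:14:07 pptpd[1234]: CTRL: Client 203.0.113.5 control connection started
Mar 28 02:14:07 pptpd[1234]: CTRL: Starting call (launching pppd, opening GRE)
Mar 28 02:14:09 pppd[1235]: MPPE 128-bit stateless compression enabled
Mar 28 02:14:09 pppd[1235]: local  IP address 10.0.0.1
Mar 28 02:14:09 pppd[1235]: remote IP address 10.0.0.2
Mar 28 02:31:44 pptpd[1234]: CTRL: Client 203.0.113.5 control connection finished
Mar 28 03:02:11 pptpd[1240]: CTRL: Client 198.51.100.7 control connection started
Mar 28 03:02:11 pptpd[1240]: CTRL: EOF or bad error reading ctrl packet length.
Mar 28 03:02:11 pptpd[1240]: CTRL: Client 198.51.100.7 control connection finished
Mar 28 03:05:20 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.20 PROTO=TCP DPT=1723
"""

TIMESTAMP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
START_RE = re.compile(r"pptpd\[(\d+)\]: CTRL: Client (\S+) control connection started")
FINISH_RE = re.compile(r"pptpd\[(\d+)\]: CTRL: Client (\S+) control connection finished")
REMOTE_IP_RE = re.compile(r"pppd\[\d+\]: remote IP address (\S+)")


@dataclass
class Session:
    client: str                     # WAN address of the PPTP peer
    started: str                    # syslog timestamp of the control connection
    remote_ip: Optional[str] = None  # tunnel address pppd assigned; set only after a successful login
    finished: Optional[str] = None

    @property
    def completed(self) -> bool:
        return self.remote_ip is not None


def parse_sessions(lines) -> List[Session]:
    """Correlate pptpd control-channel events with the pppd address assignment.

    pppd runs under its own pid, so its lines are attributed to the most
    recently opened control connection that has not yet finished.
    """
    sessions: List[Session] = []
    open_by_pid = {}      # pptpd pid -> Session still on the control channel
    last_open = None
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        stamp = ts.group(1) if ts else "?"
        m = START_RE.search(line)
        if m:
            session = Session(client=m.group(2), started=stamp)
            sessions.append(session)
            open_by_pid[m.group(1)] = session
            last_open = session
            continue
        m = REMOTE_IP_RE.search(line)
        if m and last_open is not None and last_open.finished is None:
            last_open.remote_ip = m.group(1)
            continue
        m = FINISH_RE.search(line)
        if m:
            session = open_by_pid.pop(m.group(1), None)
            if session is not None:
                session.finished = stamp
    return sessions


def completed_logins(lines) -> List[Session]:
    return [s for s in parse_sessions(lines) if s.completed]


def failed_attempts(lines) -> List[Session]:
    return [s for s in parse_sessions(lines) if not s.completed]


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for s in completed_logins(lines):
        print(f"LOGIN  {s.client} at {s.started}, tunnel {s.remote_ip}, ended {s.finished}")
    for s in failed_attempts(lines):
        print(f"noise  {s.client} at {s.started}")
```

Any entry in the LOGIN list from an address you do not recognise is the evidence the post is asking about; the noise list is what the failed scanner attempts look like and can be ignored for this purpose. On a router, `cat /tmp/syslog.log | python3 thisfile.py` style use is not available without Python, so copy the log off the unit first.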
 

OzarkEdge

Part of the Furniture
Noob question... please enlighten me...

If the router is fully locked down on a trusted LAN... all known attack vectors disabled... how is retaining the default admin name and a simple password (for convenience) a security risk?

Perhaps the keyword is 'known'.

OE
 

DonnyJohnny

Very Senior Member
Noob question... please enlighten me...

If the router is fully locked down on a trusted LAN... all known attack vectors disabled... how is retaining the default admin name and a simple password (for convenience) a security risk?

Perhaps the keyword is 'known'.

OE
How would you know it is fully locked down? There are such things as vulnerabilities, and you never know when one will happen..

The question is security risk vs convenience. I would have chosen security. Even most applications/services have 2FA. The more layers of security the better?

To those who have been compromised: please ensure you flushed out the jffs and do a factory reset. Imagine they may have some auto start-up script somewhere that runs during reboot. Back to square one.

Those who have yet to be compromised but have had WAN GUI access enabled: I recommend doing the above step and turning off WAN GUI access. Better to be safe than sorry.

I really hope more people are aware of how crazy the internet world is and don't become part of the botnet used to hack/attack others. Please spread the awareness....
 

gpz1100

Regular Contributor
Been running various versions of this firmware for a long time. Had issues about 8 months ago with trying to do too many things on the router, ultimately slowing everything down.

Figured it was time for something with more horsepower. Picked up a laptop in a box (Qotom Q355G4), which is an i5-5250U based box with 4 Intel NICs and 8 GB RAM. The goal was to install pfSense, but in the course of reading about it, I came across Sophos UTM. The latter's UI made more sense to this novice. Been running it since the end of last summer.

The firewall logs are insane. Between 3000-5000 entries a day of inbound attempts. Upgrading the firewall to this came to fruition when I got gigabit installed. L2TP/IPsec VPN is good for about 250 Mbps, more than most cable connections I use to connect to it. No way would the RT-AC68U be able to handle that. The RT-AC68Us and R7000 have been relegated to AP duty.

I'm not saying everyone should replace their routers with a firewall appliance, but incidents like this make me question just how secure they are. Wonder if there are similar instances with Tomato/DD-WRT....?
 

det721

Part of the Furniture
I don't understand. 384.4_2 is also a stable release, from your screenshot.

They're both stable releases. The 380 code has been replaced with the 384 code. The 380 code is being phased out by Merlin, and 380.70 will be the last release. I recommend going to the 384 branch of code; you're going to have to sooner or later anyway.
 
