What's new

Possibly been hacked. Need assistant from senior users.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The only confirmed reports I remember seeing so far are from people using 380.69 or earlier, although it's quite possible I missed some. Of course that doesn't mean that a different vulnerability will be discovered in the current firmware. It's a constant battle, but turning off all access from WAN will stop these sorts of attack.

It was Daspied's post with the newer firmware, but now that I look at the image included in the post, I don't see any indication of a successful attack. Hopefully, it was something in the older firmware that has been fixed, possibly in AiCloud.
 
Can't fully confirm, but with the latest firmware 384,4_2 i found 45 trials of accesing to my router from China and simultanously somehow Accet to webGUI from WAN has been enabled..weird as hell
from the other hand VPN was not fixed, GUI language also... somebody suggested to do Factory reset twice and is is already done.

Are you by chance a victim of the webUI being automatically enabled when using the ASUS router app?
 
Can't fully confirm, but with the latest firmware 384,4_2 i found 45 trials of accesing to my router from China and simultanously somehow Accet to webGUI from WAN has been enabled..weird as hell
from the other hand VPN was not fixed, GUI language also... somebody suggested to do Factory reset twice and is is already done.
OK. The "45 trials of accesing to my router" doesn't not mean you've been hacked, in fact it means the opposite. As for the WAN access being enabled, that might have been connected with the "issues" you were having with the Beta firmware. I see that 384.4_2 also has a security fix.
 
OK. The "45 trials of accesing to my router" doesn't not mean you've been hacked, in fact it means the opposite. As for the WAN access being enabled, that might have been connected with the "issues" you were having with the Beta firmware. I see that 384.4_2 also has a security fix.
Your answer makes me relaxed. Thanks! I should be more patient[emoji23]

Wysłane z mojego LG-H870 przy użyciu Tapatalka
 
Are you saying you got hacked on the latest firmware? I can't see anything you've posted that says that.:confused:

"Latest" is such a vague word... I can tell you that there is only one person here who can truly be running the "latest" :)

The most likely targeted exploit was only fixed in 384.4_2. People on 380.69_2 or 384.4 (some models only) were still vulnerable.
 
How do you flush out the jffs?
I have a USB drive running A-B Solution (or at least was running)
Also, I have a USB Western Digital Drive.
Anything I need to do to these drives?
Was looking for recovery instructions, prefer not to extrapolate and piecemeal from posts.

BTW, my two routers in the USA were hit but my one in Mexico was not.
Thanks
 
How do you flush out the jffs?
I have a USB drive running A-B Solution (or at least was running)
Also, I have a USB Western Digital Drive.
Anything I need to do to these drives?
Was looking for recovery instructions, prefer not to extrapolate and piecemeal from posts.

BTW, my two routers in the USA were hit but my one in Mexico was not.
Thanks
Administration-System-Persistent JFFS2 partition-Format JFFS partition at next boot. Reboot of coz. Then u can check the /jffs directory after the reboot.

Just imagine this is a pc and the OS is windows. Everytime boot up or some scheduled task auto start up. When u cleared your OS and using default setting, the “scheduled” task or auto start up app will be removed. But the malicious files loaded by the hacker may still present in some part of your external storage like your USB drives, waiting for you to accidentally click or execute them. So if u know what is in your drives . Then good for you. See before u open the files...


Good to see the thread is active... awareness is important... better to be safe than sorry. Especially randomware these days.

Today the internet world seems happening with lots of probing and ddos going on...
http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=2&time=17619&view=map
Maybe it is Good Friday... well.. enjoy your holiday and stay safe... :p
 
Last edited:
Administration-System-Persistent JFFS2 partition-Format JFFS partition at next boot. Reboot of coz. Then u can check the /jffs directory after the reboot.

Just imagine this is a pc and the OS is windows. Everytime boot up or some scheduled task auto start up. When u cleared your OS and using default setting, the “scheduled” task or auto start up app will be removed. But the malicious files loaded by the hacker may still present in some part of your external storage like your USB drives, waiting for you to accidentally click or execute them. So if u know what is in your drives . Then good for you. See before u open the files...


Good to see the thread is active... awareness is important... better to be safe than sorry. Especially randomware these days.

Today the internet world seems happening with lots of probing and ddos going on...
http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=2&time=17619&view=map
Maybe it is Good Friday... well.. enjoy your holiday and stay safe... :p

Thanks for response. So I guess this means I have to reinstall AB-Solution?
 
Thanks for response. So I guess this means I have to reinstall AB-Solution?
If you have a lot of whitelist or blacklist stuff, u can backup and restore with ab-solution. And yes, by formatting jffs, all stuff like entware, ab-solution, Skynet, etc will be removed.

My advise is do it once and do it right... maybe within 1hr with all those manual setting?
 
My router was hacked as well 3.80 like every one elses. rouge vpn and Korean language. What is interesting is that it would not let me reset my password. I have upgraded the firmware to 3.84 and will factory reset, clearout jfs and start from scratch. I just want to say thanks to everyone here for discussing the issue. Lots of good info and best practices.
 
Posting as I have/had same issue.

Rubenel,

my router language page didn't change to chinese until relatively recently (last week or so).

I concur. I've been mucking around with my router for the last month on & off, & it's only just happened recently. I've recently setup & connected some IP cameras to my network, via VPN server, so my concern is around whether they're the cause. I've also downloaded some stuff recently that Norton has also flagged & removed so that could be another factor & I've been using the ASUS Router app on my smartphone too. :eek:

RT-AC3200 currently on FW: 380.69.
My observations after checking all my settings etc, some of which I don't remember what they were;
AiCloud 2.0 -> Cloud Disk & Smart Access were on. Pretty sure they weren't on previously.
PING from WAN disabled: No.
Malicious website blocking enabled: No.
Vulnerability Protection enabled: No.
Infected Device Prevention & Blocking: No.
HTTP/S: both - could have sworn I had this setup for HTTPS only.
Enable SSH: no.
Enable Telnet: no.
Enable web access from WAN: No.
VPN Server PPTP: thought I had this disabled but it was enabled.


About a week (maybe 2) ago my outbound connection stopped working. This despite everything showing 'ok' ie modem & router. I was able to connect to my home network cameras & the router itself via my smartphone via the net, so I temporarily disabled the firewall & re-enabled it, & my outbound internet worked fine. My internet connection has done this before & usually I reboot modem & router, but this was the first time I've tested incoming connection & seen a problem like this, thus temporarily disabling firewall.
 
Just a thought, the RT-AC3200 now has merlin 384.4_2 FW available.
 
Ok so I've updated, rebooted & factory defaulted the crap outta my router.

Now have the following showing up as External Attacks;
EXPLOIT Netcore Router back door Access
EXPLOIT Remote Command Execution via Shell Script-2


Pretty sure I've gone through all settings etc made sure everything is proper.
 
AFAIK that's stuff bouncing off the firewall. If you see it on the list, that means it should be stopped there. It's what you DON'T see that could be getting through.

Go to routersecurity.org to review security settings.
 
Is there any website that tests your network ie like ShieldsUp but more comprehensive?
just ensure you don't open unnecessary services facing WAN like WAN GUI access, AiCloud, ftp, etc. Basic password used in Aicloud is may be crackable via vulnerability or brute-force so not recommended. If really need to open them, ensure to access via SSH or OpenVPN (recommended).

Basic built in firewall would have drop probe when meet with closed port or port guarded by SSH/SSL authentication.

Skynet is recommended if you want to block off common IPs used by hackers before they reach your door. They will be blocked the moment they enter the router wan port.
 
j

Skynet is recommended if you want to block off common IPs used by hackers before they reach your door. They will be blocked the moment they enter the router wan port.

Yeah router didn't have that stuff on & was running OpenVPN. Would you have a link for Skynet? Google only spitting out terminator movie links & other software that doesn't seem right like what you're describing.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top