Possibly been hacked. Need assistant from senior users.

[SMS786]

Fail2ban - and UFW is running (UFW is a front-end to iptables)

I don't run an outward facing sshd on my gateway, I have a jumpbox that is port forwarded to the outside world...

Thanks

 

[DonnyJohnny]

Yeah router didn't have that stuff on & was running OpenVPN. Would you have a link for Skynet? Google only spitting out terminator movie links & other software that doesn't seem right like what you're describing.

lol.. skynet is in this forum... see the first page and find out yourself.. u will need a 1gb above flash drive for it.

 

[Jack Yaz]

Yeah router didn't have that stuff on & was running OpenVPN. Would you have a link for Skynet? Google only spitting out terminator movie links & other software that doesn't seem right like what you're describing.

lol.. skynet is in this forum... see the first page and find out yourself.. u will need a 1gb above flash drive for it.

https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

 

[dlandiss]

there is only one person here who can truly be running the "latest"

Would you please not say such things when I have a mouth full of coffee? I nearly snorted it all over!

 

[OOo]

Looking hard at my security since being hacked...
Should my Amazon Alexa device be attached to a Guest Network with no intranet access? Maybe I answered my own question, if I did that then I couldn't tell Alexa to turn on the lights, etc. unless those other devices were also on the guest network, right? but then I can't see what is connected, right?
How about my SmartThings hub? (connected by wire)
How about my cameras?
What is the proper way to setup IoT (internet of things)?

 

[OOo]

Administration-System-Persistent JFFS2 partition-Format JFFS partition at next boot. Reboot of coz. Then u can check the /jffs directory after the reboot.

Just imagine this is a pc and the OS is windows. Everytime boot up or some scheduled task auto start up. When u cleared your OS and using default setting, the “scheduled” task or auto start up app will be removed. But the malicious files loaded by the hacker may still present in some part of your external storage like your USB drives, waiting for you to accidentally click or execute them. So if u know what is in your drives . Then good for you. See before u open the files...


Good to see the thread is active... awareness is important... better to be safe than sorry. Especially randomware these days.

Today the internet world seems happening with lots of probing and ddos going on...
http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=2&time=17619&view=map
Maybe it is Good Friday... well.. enjoy your holiday and stay safe... [/QUOTE

You wrote "Then u can check the /jffs directory after the reboot"
Searched around....how can I check the jffs and what is it I am looking for? thx

 

[AndreiV]

Ok so I've updated, rebooted & factory defaulted the crap outta my router.

Now have the following showing up as External Attacks;
EXPLOIT Netcore Router back door Access
EXPLOIT Remote Command Execution via Shell Script-2

Those "attacks" are items blocked by AiProtection , in other words nothing to worry about.
They are the result of bots looking for unpatched systems , most people running AiProtection will be seeing them every day. Previously stuff like that was blocked but there was no GUI entry to scare you.

 

[JaimeZX]

Looking hard at my security since being hacked...
Should my Amazon Alexa device be attached to a Guest Network with no intranet access? Maybe I answered my own question, if I did that then I couldn't tell Alexa to turn on the lights, etc. unless those other devices were also on the guest network, right? but then I can't see what is connected, right?
How about my SmartThings hub? (connected by wire)
How about my cameras?
What is the proper way to setup IoT (internet of things)?

Annoyingly, my smartplugs need access to the internet for the scheduling to work. If I turn off their internet access in the GUI then I can still use Alexa and the phone app to control them... most of the time. Sometimes they don't work, but usually they do. I'd like to be able to set them up to operate per-MAC-address whitelist-only, but there doesn't seem to be a good solution for that yet. If Alexa doesn't have internet access, she won't work at all since your voice and everything gets processed on Amazon servers.

 

[JaimeZX]

Attacks have really dropped off today. (Just 1!) Will be interesting to watch next week and see if it has a similar "busy during the work-week" pattern. That would imply that it's somebody's M-F job to get in other peoples' business.

 

[xtropodx]

It's safe to say that passwords have probably been comprised & now changed. But what about;
-inbuilt VPNServer certificates?
-DDNS address?
-IP address/es?
Should I change these now too?

Thanks for Skynet link, will have read of that. Didn't realise it was right here in this forum haha .

 

[58chev]

How about my cameras?

@OOo ,
If you are worried about your cameras, there is a lot of good info here = https://ipcamtalk.com/

The one thing with your cameras is to make sure you are NOT using uPNP

 

[JaimeZX]

It's safe to say that passwords have probably been comprised & now changed. But what about;
-inbuilt VPNServer certificates?
-DDNS address?
-IP address/es?
Should I change these now too?

Thanks for Skynet link, will have read of that. Didn't realise it was right here in this forum haha .

I would change your subnet. (If you had 192.168.1.x, change to 192.168.130.x or something...)
Couldn't hurt to generate new VPN certs as well.
Not sure what you mean about generating new DDNS addresses... I guess it wouldn't hurt, but Skynet should help keep the BGs out.

 

[JemTheWire]

Attacks have really dropped off today. (Just 1!) Will be interesting to watch next week and see if it has a similar "busy during the work-week" pattern. That would imply that it's somebody's M-F job to get in other peoples' business.

If the attacks are showing as red in the AIProtection graph, doesn’t that mean the attacks have been blocked from getting through?

 

[OOo]

how do you generate new vpn certificates?

 

[M@rco]

@RMerlin, does this effectively mean that sticking with the 380 branch is no longer a safe option? That would mean that I have to, regardless of not getting QoS ever back up again on anything higher than the 380 branch, update to the 384.x branch anyway.

 

[JaimeZX]

If the attacks are showing as red in the AIProtection graph, doesn’t that mean the attacks have been blocked from getting through?

Yes, that's my interpretation. Anything 'getting through' wouldn't show up at all since there wouldn't be a signature to register.

What I was suggesting is my AIProtection graph showed no "hits" last Sunday, or Saturday. All during the work week. Suspicious, no? I will watch it again this week.

 

[penguin22]

I just read through this thread after finding that Web access from WAN had become enabled on my AC86U running 384.4.2 after knowing it was disabled previously. I posted about this in the PixelServ thread here.

After testing, it is indeed the ASUS mobile app that is enabling WAN access and DDNS. Considering the security implications and several reports of compromised routers, perhaps it's worth having a sticky post warning that the mobile app enabled these services without user consent?

 

[RMerlin]

@RMerlin, does this effectively mean that sticking with the 380 branch is no longer a safe option? That would mean that I have to, regardless of not getting QoS ever back up again on anything higher than the 380 branch, update to the 384.x branch anyway.

Or switch to John's fork, which remains actively maintained.

 

[AndreiV]

What I was suggesting is my AIProtection graph showed no "hits" last Sunday, or Saturday. All during the work week. Suspicious, no? I will watch it again this week.

Watch what? The "attacks" are not aimed at you in person, it is bots searching the net , these things bounce off systems that are properly secured.

Everyone on the net gets these "attacks" , just keep your router firmware up to date.

Before Trend Micro added the hit list to the GUI were you being hacked/compromised every day?

If you are genuinely attacked you'll know about it.

 

[xtropodx]

Can someone please help with following;
Under the AiProtection->Security Event section it lists a MAC address. This same address is listed under Tools->Sysinfo on the WAN port (it says there's 2 there on VLAN). But I can't determine what device this is as it doesn't show under NetworkMap->ClientList or anywhere else in the router. I've checked all other devices too & it's nowhere else, so I'm at a loss .