What's new

Possibly been hacked. Need assistant from senior users.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I wonder why would people want to leave your router with a single layer of simple password as line of defence from the internet. Be it GUI via WAN or Aicloud... minimum u need SSH key or ssl cert. the internet world is too scary.
Even those cloud storage, internet email or other internet plaform have 2fa other than password.

Be safe than sorry people..

For those who know they have already been compromised, please reflash and flush out everything to factory default then set thing back manually. Don’t be lazy. Lol..
 
The exact thing has happened to me. I discovered it this morning, when I tried to login to my rt-ac66u and the login screen was in korean. My OpenVPN server was shut down and PPTP were set up for an user "i1112670". I looked up at logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in asus routers security right now, as I see many similar entries on security forums across the Internet.
 
The exact thing has happened to me. I discovered it this morning, when I tried to login to my rt-ac66u and the login screen was in korean. My OpenVPN server was shut down and PPTP were set up for an user "i1112670". I looked up at logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in asus routers security right now, as I see many similar entries on security forums across the Internet.
Thanks for posting.

I had SSH and WAN access turned off.

This is an exploit in the firmware.

Sent from my SM-G950U using Tapatalk
 
I think it is a very large security hole that the ASUS app opens up WAN Access automatically without people necessarily being aware of how insecure this is.
ASUS should address it!

StephenH
It may be, but I did turn off this feature once I deleted the app.

This is an exploit in the firmware.

Sent from my SM-G950U using Tapatalk
 
The exact thing has happened to me. I discovered it this morning, when I tried to login to my rt-ac66u and the login screen was in korean. My OpenVPN server was shut down and PPTP were set up for an user "i1112670". I looked up at logs and there was something like this 3 days ago:

Mar 22 10:13:11 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 121.171.253.43 in login.
Mar 22 14:04:09 stop_nat_rules: apply the redirect_rules!
Mar 22 14:04:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 14:04:27 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 58.180.56.19 in login.
Mar 22 15:46:02 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:09 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.
Mar 22 15:46:11 stop_nat_rules: apply the redirect_rules!
Mar 22 15:46:16 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Mar 22 15:46:24 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 14.47.235.248 in login.


Yep, IPs from Korea.

I had WAN access and telnet turned off. The only thing active was DDNS and AiCloud. I had the newest firmware.

So I think there is a hole in asus routers security right now, as I see many similar entries on security forums across the Internet.

Since router is already compromised, turning off the services in no longer effective!! You need to reflash and factory reset. The hacker could have install some malicious script or program to allow backdoor access...
 
Since router is already compromised, turning off the services in no longer effective!! You need to reflash and factory reset. The hacker could have install some malicious script or program to allow backdoor access...
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
 
It seems I really need to reinitialize the router. Here is a suspictious activity to some servers in Kazahstan, although currently all VPN services on my router appars to be disabled.

Mar 25 14:12:45 openvpn[678]: TCP connection established with [AF_INET]95.57.241.69:57068
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 Connection reset, restarting [0]
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
I was wondering the same, so what I did was reset, flash, reset. Not sure which way is optimal.
 
Within the last day or so I've noticed a flood of inbound requests from "xxx.asuscloud.com" via an Android APP, apparently. The source IPs range from 210.65.113.167-170. (These IPs resolve back to asuscloud.com according to):
Code:
https://www.virustotal.com/en/ip-address/210.65.113.169/information/
The connections are attempting to hit a variety of ports in the mid-30K to mid-50K range.

I don't have any cloud services enabled in my 88U nor do I have the the app on my devices. I do have an ASUS DDNS set up.

Fortunately, I have Taiwan, from which these probing IPs originate, in my extensive Skynet blocked-countries list.
 
FYI : My AI IPS logged a known Exploit for ASUSWRT.
 

Attachments

  • Unbenannt.png
    Unbenannt.png
    316.7 KB · Views: 1,226
Last edited:
Yep, IPs from Korea.

One user mentioned that his GUI had been switched to Korean, so there's a good chance this is about a specific attacker doing this.

It seems I really need to reinitialize the router. Here is a suspictious activity to some servers in Kazahstan, although currently all VPN services on my router appars to be disabled.

Mar 25 14:12:45 openvpn[678]: TCP connection established with [AF_INET]95.57.241.69:57068
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 Connection reset, restarting [0]
Mar 25 14:13:15 openvpn[678]: 95.57.241.69:57068 SIGUSR1[soft,connection-reset] received, client-instance restarting

Those could just be random port scanning on port 1194, they don't necessarily mean you are targeted by the same issue discussed here.
 
I use the Asus App from Lan -side only but I've seen the app automatically turn on remote connections several times now after app updates.
After reading this thread I also checked to make sure DDNS and AI-Cloud services were still disabled.
I also disabled the "asusnat tunnel" option for good measure.
I recently spent some time cleaning BTC-mining malware from my Qnap NAS so I take this more seriously now.
 
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?
If you have jffs enable. Ensure you format it and if you have thumb drive plug, better to format too.. of coz you can see thru those files and selectively back them up.

For factory reset... just in case... I would shut down the router and unplug power cable for 2min, hold then wps button and power up to do a factory reset. Then I will do a extra step by a software reset to Factory Defaults via Initialise button under the Administration, Restore/Save/Upload Setting.
 
One user mentioned that his GUI had been switched to Korean, so there's a good chance this is about a specific attacker doing this.

Yep ;)

The DPRK has gotten very smart these days - much of their haxxor traffic is reflected against CN and JP domains, but they are pretty adept across the world.
 
I recently spent some time cleaning BTC-mining malware from my Qnap NAS so I take this more seriously now.

You should not have any BTC mining on your QNAP NAS unless it's facing the outside world - which is a really bad idea...
 
Thank you for this advice. I will do it asap. Just to make sure - I should first reset the router to the factory settings and then download the firmware file from Asus site and 'flash' it from Administration/Firmware upgrade page? Is this sufficient?

Yes. ‘Initialize’ if you have the option.
Otherwise, reset to factory defaults.

Don’t restore your configuration from a file, reconfigure manually.
 
Please, I am no expert, but just quickly running the AiProtect scan in our devices is so simple.
Then taking a few seconds to fix any issues highlighted.

&

Keeping up to date with firmware. A firmware update isn’t rocket science.
Merlin is working away furiously in the background to give us great firmware, take advantage!

Seems to me, prevention is way more pleasant than cure.......
 
You should not have any BTC mining on your QNAP NAS unless it's facing the outside world - which is a really bad idea...
I used to have all the "cool" Qnap cloud apps enabled to share photos etc... I thought non-windows boxes were relatively secure. Those days are over now unfortunately. Now I'm forced to use VPN if I temporarily need access. Not as convenient as it used to be but I now understand how easy it is to break in with all those services enabled.
btw, it was the q-photo service that was compromised but no reason to trust any of these other services are invulnerable.
 
Did you enable 'Enable Password Protection Feature' for Aicloud ?

If you didn't turn on this feature, anybody could try brute force without restriction
I don't know why this feature is not default.

Wan Access + Aicloud without Protection + your admin name is admin lol.
This is meaning WELCOME.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top