Possibly been hacked. Need assistance from senior users.

Rubenel

Occasional Visitor
Hey guys, I'm using my Asus AC68u with 380.69 firmware.

I've logged on today and noticed my language was changed to the Asian region.
Someone also set up a PPTP and a DDNS.

I have the router offline, but I haven't altered anything.
Can someone assist me? I can send logs and other info to help chase this issue.


Sent from my SM-G950U using Tapatalk
 
Admins, can we move the thread to Asus Merlin?

Thanks.

Sent from my SM-G950U using Tapatalk
 
Update to 384.4 - Factory reset - Disable SSH access from WAN
 
And use a better password possibly. When you are done configuring the router, turn off SSH and telnet for added measure.
 
@Rubenel If you could post the complete syslogs that you have to somewhere like pastebin we could have a look and try and determine what happened. After preserving a copy of your logs do as the others have said and factory reset the router and set it up again manually. Don't enable router access from the WAN.

What is interesting is your WAN address is 192.168.100.1, so unless that is something you have just changed it would imply that your router is behind another NAT device. This is not a problem, but usually that would make it a lot harder for someone to hack your router from the internet. Unless you had enabled WAN access on the router and set up port forwarding on the other device. Did you do that?

If you didn't already have WAN access working on the router that might suggest that your router was hacked from inside your network.:eek:

EDIT: Also notice how you also have a DDNS account set up on the WAN page (and the "!" indicating that you are behind a NAT). Did you set up that DDNS account?
 
I made an account today to say that I've just seen the same thing. I had some issues with internet connections going very slow, so after logging into the router and looking at a few things I noticed a VPN username I didn't recognize. It was very suspect, but I wasn't sure if the router was just going 'wonky'. I deleted the VPN user and a few days later we are still having connection issues, and when I log in I see that the language has been set to Chinese. Still not sure if this is an intrusion or just a reversion to factory default mode, I set the language back and updated the firmware and started researching. Then I found this.

Before I updated the firmware, I did not check to see if telnet access had been granted (I hadn't turned it on) but after updating firmware, it is not enabled. Also, HTTP access (vs HTTPS) has been disabled. I suspect this is a known issue.
 
@hoorah Did you buy your router from China? If you didn't the default language should match your region (i.e. English probably).

What router model and firmware version did you have?
 
No, didn't buy the router from China. Don't remember where actually, but probably Amazon or Newegg.

In retrospect, it doesn't look like a 'factory default' mode; now it looks more like a hack, I just wasn't suspecting it at the time.

Since I've updated the firmware, I don't recall what the firmware version was that was running when it happened, but I will admit I had not updated it in quite some time. So....old.

Even though I've updated the firmware, there is old data in the system log. I saved it, but I don't see anything in the logs about logins, access, etc. Not sure I'm looking in the right place.
 
Did you previously have HTTP/S access from the WAN enabled?

*hangs head in shame*. Yes. I was not aware of the vulnerabilities (no excuse, I know). I wasn't using the default password (not that it makes it much better), just giving you all the info.
 
> Update to 384.4 - Factory reset - Disable SSH access from WAN
Thanks for the contribution. I'll grab the system logs and all valuable info and post it on here for analysis.

Sent from my SM-G950U using Tapatalk
 
> *hangs head in shame*. Yes. I was not aware of the vulnerabilities (no excuse, I know). I wasn't using the default password (not that it makes it much better), just giving you all the info.
It's not your fault, blame Asus.
Also bear in mind that HTTPS is equally as vulnerable as HTTP.
 
> @Rubenel If you could post the complete syslogs that you have to somewhere like pastebin we could have a look and try and determine what happened. After preserving a copy of your logs do as the others have said and factory reset the router and set it up again manually. Don't enable router access from the WAN.
>
> What is interesting is your WAN address is 192.168.100.1, so unless that is something you have just changed it would imply that your router is behind another NAT device. This is not a problem, but usually that would make it a lot harder for someone to hack your router from the internet. Unless you had enabled WAN access on the router and set up port forwarding on the other device. Did you do that?
>
> If you didn't already have WAN access working on the router that might suggest that your router was hacked from inside your network.:eek:
>
> EDIT: Also notice how you also have a DDNS account set up on the WAN page (and the "!" indicating that you are behind a NAT). Did you set up that DDNS account?
Hey Collin,

I did set up the router to be behind my FiOS router, so I am operating behind a NAT.

My other issue is that I placed the Asus IP address in the DMZ of the FiOS router.

I did not set up the DDNS or the PPTP account; that was set up by the intruder.


I have the system logs preserved.
What else should I provide to better help chase the issue?

Thanks for your contribution and time.

Sent from my SM-G950U using Tapatalk
 
@Rubenel Thanks for the clarification about your NAT and DMZ settings. That explains how you could be attacked from the WAN-side.

TBH I doubt that the syslog will show much but it's the only thing we've got to look at. At least it should show the date/time of the intrusion (because it should show the VPN starting up;)).

Did you have HTTP or HTTPS access from WAN enabled? Firmware version 380.69_2 fixed some vulnerabilities there.
 
Rubenel,

I'm far from an expert, but what I did was a search on the username created in the VPN access list in the system logs. From there you should see login attempts and which IP addresses they came from (mine were from China).

All I see is one relatively short login and nothing after that; however, that login was from back in early Feb, and my router language page didn't change to Chinese until relatively recently (last week or so). So possibly they were accessing via telnet, not really sure. Do telnet logins show in the logs?
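One way to do the log search hoorah describes above, as an added example that is not code from this thread: it pulls every PPTP authentication attempt for a given username out of a syslog excerpt and tallies the client IPs behind them. The syslog lines are constructed, and the pptpd/pppd message wording is assumed from typical pptpd output, so adjust the patterns to what your firmware actually logs.

```python
import re

# Constructed sample syslog excerpt, not the thread's real logs. The pptpd/pppd
# message wording is assumed from typical pptpd output and may differ by firmware.
SAMPLE_SYSLOG = """\
Feb 11 03:12:40 pptpd[2213]: CTRL: Client 203.0.113.45 control connection started
Feb 11 03:12:41 pppd[2214]: CHAP peer authentication succeeded for admin2
Feb 11 03:13:02 pptpd[2213]: CTRL: Client 203.0.113.45 control connection finished
Feb 12 22:05:10 pptpd[2310]: CTRL: Client 198.51.100.7 control connection started
Feb 12 22:05:11 pppd[2311]: CHAP peer authentication failed for admin2
Feb 12 22:05:30 pptpd[2320]: CTRL: Client 198.51.100.7 control connection started
Feb 12 22:05:31 pppd[2321]: CHAP peer authentication succeeded for admin2
Feb 13 01:00:01 rc_service: httpd 812:notify_rc restart_vpnd
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
CTRL_RE = re.compile(TS + r" pptpd\[\d+\]: CTRL: Client (?P<ip>[\d.]+) control connection started")
AUTH_RE = re.compile(TS + r" pppd\[\d+\]: CHAP peer authentication (?P<result>succeeded|failed) for (?P<user>\S+)")


def pptp_logins(log_text, user):
    """Return one dict per authentication attempt by `user`, with the client IP.

    pptpd logs the client address on its own line and pppd logs the CHAP result
    on a later line, so the most recent 'control connection started' address is
    attributed to the next CHAP line (assumption: the two lines arrive in order).
    """
    events, last_ip = [], None
    for line in log_text.splitlines():
        m = CTRL_RE.match(line)
        if m:
            last_ip = m.group("ip")
            continue
        m = AUTH_RE.match(line)
        if m and m.group("user") == user:
            events.append({"time": m.group("ts"), "ip": last_ip, "result": m.group("result")})
    return events


def source_summary(events):
    """Count successful and failed attempts per client IP: {ip: (succeeded, failed)}."""
    summary = {}
    for e in events:
        ok, bad = summary.get(e["ip"], (0, 0))
        summary[e["ip"]] = (ok + 1, bad) if e["result"] == "succeeded" else (ok, bad + 1)
    return summary


if __name__ == "__main__":
    evs = pptp_logins(SAMPLE_SYSLOG, "admin2")
    for e in evs:
        print(f'{e["time"]}  {e["ip"]:15}  {e["result"]}')
    print(source_summary(evs))
```

The first successful line for an account you never created is the earliest intrusion time the syslog can give you; note that telnet or SSH logins are logged separately (if at all) and will not appear in this output.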
 
> @Rubenel Thanks for the clarification about your NAT and DMZ settings. That explains how you could be attacked from the WAN-side.
>
> TBH I doubt that the syslog will show much but it's the only thing we've got to look at. At least it should show the date/time of the intrusion (because it should show the VPN starting up;)).
>
> Did you have HTTP or HTTPS access from WAN enabled? Firmware version 380.69_2 fixed some vulnerabilities there.
Hi Colin,

The access from WAN was enabled automatically because I used the app on my smartphone to access the router.

I'll have system logs ready in 15 minutes.

Thanks.

Sent from my SM-G950U using Tapatalk
 
> Rubenel,
>
> I'm far from an expert, but what I did was a search on the username created in the VPN access list in the system logs. From there you should see login attempts and which IP addresses they came from (mine were from China).
>
> All I see is one relatively short login and nothing after that; however, that login was from back in early Feb, and my router language page didn't change to Chinese until relatively recently (last week or so). So possibly they were accessing via telnet, not really sure. Do telnet logins show in the logs?
My logs show Feb 11 too.....
Logs will be posted.

Sent from my SM-G950U using Tapatalk
 