rt-ac5300 hacked with a persistent hack. how do i go about nuking the flash and starting over?

haxorflakes

New Around Here
As the title says, my RT-AC5300 got hacked and no amount of firmware updates, factory restores or NVRAM clearing will get rid of the hack.

The behavior it is exhibiting that makes me think it is hacked is that it is accessing several suspicious websites while no one is accessing anything; also, when a user connected to the router tries to navigate to myavista.com, it first tries to load a website called canarytokens.com at the IP address 52.18.63.80. Doing an nslookup for that domain gives me a different IP address.

My question is, is there a way of completely clearing the flash and all partitions and then reinstalling the firmware back to stock/Merlin?
 

Attachments

  • outbound blocked connection.png (18.4 KB)

learning_curve

Regular Contributor
...the behavior it is exhibiting that makes me think it is hacked is that it is accessing several suspicious websites while no one is accessing anything; also, when a user connected to the router tries to navigate to myavista.com, it first tries to load a website called canarytokens.com at the IP address 52.18.63.80. Doing an nslookup for that domain gives me a different IP address...
Two simple advance questions:

Have you completely removed ALL of your devices from the LAN provided by your router (WiFi / Ethernet etc.) and then re-examined the logs on the router over a period of time, NOT any of the device logs? (You can reboot first, too, if you want to go the full examination distance.)

Have you then used any of your devices that were previously on your own LAN on another, totally separate LAN and/or connection (other than your own router / IP etc.), and if so, what was the sequence of events then: device logs / app reports etc.?

It's quite easy for malware that's present in a device to function remotely, even when "no one is accessing anything.." (sic), so those two questions were only to establish where the source is, first of all...
 

dosborne

Very Senior Member
Isn't your attachment showing that one of your PCs is the culprit causing the activity and not

Unless a virus gets into the bootloader (of pretty much any device, not just a router), then it is basically impossible for it to remain there after a firmware flash and full reset, particularly if you use one of the recovery tools.

But, without more info or proof, I would be blaming the router based on what I read above.
 

haxorflakes

New Around Here
Those are good points; however, I have failed to mention that I have taken steps to make sure it was the router and not issues with a device on the network. The outgoing connection that was blocked by Malwarebytes happened on multiple computers, and I tested with a different router in place to see if I get the same result, and I do not get the same result.

I also took my router over to my brother's and hooked it up behind his router, with his router logging all websites trying to be accessed from the LAN side. With nothing connected to the hacked router, we were seeing bogus websites being accessed from the hacked router's assigned IP address from the good router. This seems pretty definitive that it is the router that got hacked and not a device on the network.
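The test described above (suspect router parked behind a clean upstream router, nothing attached to it, upstream logging every outbound flow) can be turned into a repeatable check. The following is an added example and not code from the thread or from any router vendor; it parses constructed log lines in a made-up upstream-router format, flags any flow from the suspect router's address during a window in which no client was connected (beaconing), and compares the destination address seen for a hostname against what an independently trusted resolver returns for that name, which is the nslookup mismatch the original post describes. The trusted-resolver map and all addresses other than 52.18.63.80 are constructed stand-ins.

```python
"""Added example (not part of the thread): triage outbound flows logged by a
clean upstream router while a suspect router sits behind it with no clients.

Checks performed:
  1. Any flow from the suspect router's IP inside the idle window is treated as
     beaconing, because nothing legitimate should be talking.
  2. A hostname answered with an address that a trusted resolver does not
     return for that name suggests the answer was altered on the path.
The log format, the TRUSTED_DNS map and all addresses except 52.18.63.80 are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed upstream-router log: timestamp, source IP on the upstream LAN,
# destination IP, destination port, requested hostname (from DNS/SNI) or "-".
SAMPLE_LOG = """\
2023-05-01 02:14:03 src=192.168.1.50 dst=52.18.63.80 dport=443 host=canarytokens.com
2023-05-01 02:14:09 src=192.168.1.50 dst=198.51.100.7 dport=80 host=-
2023-05-01 02:15:41 src=192.168.1.50 dst=203.0.113.10 dport=443 host=update.example.net
2023-05-01 09:10:00 src=192.168.1.23 dst=93.184.216.34 dport=443 host=example.com
"""

# Constructed stand-in for answers from a resolver queried over a clean link
# (for example `nslookup canarytokens.com` from a different network).
TRUSTED_DNS: Dict[str, Set[str]] = {
    "canarytokens.com": {"203.0.113.44"},
    "example.com": {"93.184.216.34"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    host: Optional[str]  # None when the upstream router saw no hostname


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format; lines that do not match are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = None if m["host"] == "-" else m["host"]
        flows.append(Flow(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                          m["src"], m["dst"], int(m["dport"]), host))
    return flows


def idle_beacons(flows: List[Flow], suspect_ip: str,
                 idle_start: datetime, idle_end: datetime) -> List[Flow]:
    """Flows from the suspect router's IP while nothing was connected behind it."""
    return [f for f in flows
            if f.src == suspect_ip and idle_start <= f.ts <= idle_end]


def dns_mismatches(flows: List[Flow],
                   trusted: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """(hostname, observed IP, trusted IPs) for every flow whose destination
    is not among the addresses a trusted resolver returns for that name."""
    out = []
    for f in flows:
        if f.host and f.host in trusted and f.dst not in trusted[f.host]:
            out.append((f.host, f.dst, sorted(trusted[f.host])))
    return out


def triage(text: str, suspect_ip: str, idle_start: datetime,
           idle_end: datetime, trusted: Dict[str, Set[str]]) -> dict:
    """Run both checks and return a summary suitable for posting in a thread."""
    beacons = idle_beacons(parse_log(text), suspect_ip, idle_start, idle_end)
    return {
        "beacon_count": len(beacons),
        "beacon_destinations": sorted({f"{f.dst}:{f.dport}" for f in beacons}),
        "dns_mismatches": dns_mismatches(beacons, trusted),
    }


if __name__ == "__main__":
    # Suspect router was given 192.168.1.50 by the upstream router; nothing was
    # connected to it between 02:00 and 03:00 (constructed window).
    report = triage(SAMPLE_LOG, "192.168.1.50",
                    datetime(2023, 5, 1, 2, 0), datetime(2023, 5, 1, 3, 0),
                    TRUSTED_DNS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-empty `beacon_destinations` from an idle device is the evidence the poster was after, and a `dns_mismatches` entry is worth far more than a single nslookup because it pairs the name the client asked for with the address it was actually sent to.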
 

learning_curve

Regular Contributor
Those are good points; however, I have failed to mention that I have taken steps to make sure it was the router and not issues with a device on the network. The outgoing connection that was blocked by Malwarebytes happened on multiple computers, and I tested with a different router in place to see if I get the same result, and I do not get the same result.

I also took my router over to my brother's and hooked it up behind his router, with his router logging all websites trying to be accessed from the LAN side. With nothing connected to the hacked router, we were seeing bogus websites being accessed from the hacked router's assigned IP address from the good router. This seems pretty definitive that it is the router that got hacked and not a device on the network.
Hmmmm, a sub-optimal position then... :confused:

The only oddity is that, in the image you posted, both the domain and the IP address are NOT malware / virus / hackfest locations etc., so there's definitely something askew somewhere in your setup.

Re: the router itself, these two previous posts by @L&LD may be of help, as he has posted lots of helpful stuff previously on full resets etc.


 

learning_curve

Regular Contributor
Thanks, I'll try all that, but it sounds pretty close to everything I've tried already.
Close... but no cigar hopefully... ;)
Post full details on here when you have run all of those different procedures etc., and IF you're still unsuccessful, then @L&LD and/or others may well post in this thread to assist you further.
 

haxorflakes

New Around Here
Okay, reporting back. I think my original problem with why the hack was persistent was because I never actually completed a full NVRAM reset like I thought I did. This time I kept the button held down until the power light started rapidly flashing. I then followed the guide found under that other forum post that was linked, and my issue seems to have been resolved. I am no longer getting the security message from my antivirus software like I was getting originally.

Thanks all for everyone's help and suggestions. Going to take extra precautions to make sure my router is secure and that nothing is turned on that makes it easy for someone to gain unauthorized access. I'm still not fully sure what I had enabled that allowed it, but I suspect I might have had AiCloud turned on, and the DDNS service was also turned on. Going to make sure these are not on, and I'm going to set a longer, more complicated password for the admin account too.
 

kernol

Very Senior Member
@haxorflakes - take care if you use the Asus Router App on Android or iOS ... it "likes" to enable external access to the router - a "click" in the wrong place enabling external access could open Pandora's box for the bad guys to infect the router. Use a secure VPN server setup if you want access to the router or your LAN from outside - plus different ports and strong passwords. ;)
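The hardening steps named in the two posts above (AiCloud off, DDNS off, no admin access from the WAN, strong admin password) can be checked from an `nvram show` dump rather than by clicking through the web UI. The script below is an added example, not code from the thread, from Asus or from the Merlin project. It reads a dump taken with `nvram show > dump.txt` on the router and flags values that expose a service outside the LAN. The variable names `misc_http_x`, `ddns_enable_x`, `enable_cloudsync`, `enable_webdav`, `sshd_enable` and `telnetd_enable`, and the meaning assigned to each value, are assumptions drawn from common Asuswrt builds and must be confirmed against your own firmware's `nvram show` output; the dump embedded here is constructed.

```python
"""Added example (not from the thread or from Asus/Merlin): audit an
`nvram show` dump for remote-access features that should be off on a home
router. Variable names and value meanings are ASSUMPTIONS about common
Asuswrt builds; verify them on your own unit before acting on a verdict.
"""
from typing import Dict, List, Set, Tuple

# nvram key -> (set of values considered safe, what a risky value means).
# Assumed semantics: 0 = off; for sshd_enable, Merlin uses 2 for LAN only.
RISKY_SETTINGS: Dict[str, Tuple[Set[str], str]] = {
    "misc_http_x": ({"0"}, "web admin UI reachable from the WAN"),
    "ddns_enable_x": ({"0"}, "DDNS on: the router's WAN IP is advertised by name"),
    "enable_cloudsync": ({"0"}, "AiCloud sync enabled"),
    "enable_webdav": ({"0"}, "AiCloud web access (WebDAV) enabled"),
    "sshd_enable": ({"0", "2"}, "SSH reachable from the WAN"),
    "telnetd_enable": ({"0"}, "telnet enabled"),
}

# Constructed dump: a router left with AiCloud web access, DDNS and WAN admin on.
SAMPLE_DUMP = """\
misc_http_x=1
ddns_enable_x=1
enable_cloudsync=0
enable_webdav=1
sshd_enable=2
telnetd_enable=0
wan_ipaddr=203.0.113.5
"""


def parse_nvram_dump(text: str) -> Dict[str, str]:
    """`nvram show` prints one key=value per line; keep everything after the
    first '=' so values containing '=' survive."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, current value, meaning) for every risky setting found."""
    findings = []
    for key, (safe_values, meaning) in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is not None and value not in safe_values:
            findings.append((key, value, meaning))
    return findings


def unknown_keys(settings: Dict[str, str]) -> List[str]:
    """Keys from RISKY_SETTINGS absent from the dump: the assumed name may
    differ on this firmware, so check it by hand rather than assuming 'safe'."""
    return sorted(k for k in RISKY_SETTINGS if k not in settings)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    parsed = parse_nvram_dump(text)
    for key, value, meaning in audit(parsed):
        print(f"RISK  {key}={value}: {meaning}")
    for key in unknown_keys(parsed):
        print(f"CHECK {key}: not present in dump, confirm the variable name")
```

Run it as `python audit_nvram.py dump.txt`; an empty RISK list is the target state, and every CHECK line is a name to confirm on the router rather than a pass.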
 
