RT-N16 am I hacked?

stemar

Hi,
I would like to take this opportunity to share my strange experience and also, hopefully to gain some hints.
I run the ASUS RT-N16 wireless router using the genuine ASUS firmware, recently upgraded just a few months ago to version 3.0.0.4.376.2678, downloaded from this link, which I believe is the ASUS official source. Recently, just by chance, I realized that the router has established and maintains a TCP connection to 91.200.42.46:1176. During further investigation I have found that:
  1. My router actively tries to establish this socket immediately after any restart, and upon success maintains this connection forever
  2. This address and port seem to be a server of the eMule P2P filesharing network
  3. Preventing the router from connecting to this server by blocking any connection to that address on the superior border firewall does not affect router functionality, yet the router keeps trying to connect there again and again
It is worth mentioning that this router has never had a public IP address (it is part of my home network), has never been accessible from the Internet, and has since the beginning been connected exclusively to my home network, separated from the Internet by a linuxbox-based firewall configured to discard any new connection incoming from the Internet. WPA-2 PSK is applied for WiFi. I am mentioning that just to explain why I suspect that whatever is connecting to eMule from my Asus router had to come with the firmware upgrade.
I tried to find any relationship between Asus and eMule on the Internet but was not successful.
Has anybody had similar observations? What did you do? Or, eventually, what would you do? I feel quite awkward if a box from my living room, routing a majority of my home traffic, is magically trying to speak with a server somewhere in Ukraine and nobody is able to explain why and how to stop it.

Thank you.
 
Not sure where you got the url you used to get your firmware but the official Asus site is:
http://www.service.asus.com/#!downloads/c1wax. Here you can select your product and OS and it will give you a selection of firmware versions up to the latest available. I'd be suspicious of anything else.

As I run the RT-N66U, I can't tell you the best version to be using for the 16 but generally the latest will have the most recent security updates. In an abundance of paranoia:p, I would reset the router to factory defaults before doing anything else. When you do load new firmware, be sure to erase your old NVRAM contents and DO NOT use a saved configuration file...reload your settings manually as you need them.

Also, see http://forums.smallnetbuilder.com/showthread.php?t=21774 for information and mitigation steps on the recent vulnerability that affects all Asus routers that run Asuswrt-based firmwares.
 
wh7qq: Just for information, the FW from the server you suggested is binary identical to what I actually upgraded to.
 
Not sure how you are determining that there's an emule connection, but double check that the source IP is actually your router, and not one of your computers.

The only way an eMule client can run on the RT-N16 is if you installed the Download Master applet, under USB Applications.
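
The source-IP check suggested above can be run against the connection-tracking table on the Linux firewall in front of the router. This is an added example, not code from any poster in the thread; the LAN and WAN addresses in the sample are constructed, and 192.168.1.2 is assumed to be the router's address as seen by the firewall.

```python
import re
from collections import defaultdict

# Constructed sample in `conntrack -L` text format. Only 91.200.42.46:1176
# comes from the thread; every other address and port is made up.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.2 dst=91.200.42.46 sport=41822 dport=1176 src=91.200.42.46 dst=203.0.113.7 sport=1176 dport=41822 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.2 dst=91.200.42.46 sport=41830 dport=1176 [UNREPLIED] src=91.200.42.46 dst=203.0.113.7 sport=1176 dport=41830 mark=0 use=1
tcp      6 86 TIME_WAIT src=192.168.1.50 dst=198.51.100.20 sport=50112 dport=443 src=198.51.100.20 dst=203.0.113.7 sport=443 dport=50112 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.50 dst=192.168.1.2 sport=5353 dport=53 src=192.168.1.2 dst=192.168.1.50 sport=53 dport=5353 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.50 dst=91.200.42.46 sport=50200 dport=80 src=91.200.42.46 dst=203.0.113.7 sport=80 dport=50200 [ASSURED] mark=0 use=1
"""

# The first src/dst/sport/dport tuple on a line is the ORIGINAL direction,
# i.e. the host that opened the flow. The optional "ipv4 2" prefix covers
# the /proc/net/nf_conntrack layout; UDP entries carry no state token.
LINE = re.compile(
    r"^(?:ipv[46]\s+\d+\s+)?(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def sources_for(table, dst_ip, dst_port):
    """Map each originating source IP to the states of its flows to dst_ip:dst_port."""
    hits = defaultdict(list)
    for line in table.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, blank line or unknown layout
        if m["dst"] == dst_ip and int(m["dport"]) == dst_port:
            hits[m["src"]].append(m["state"] or "-")
    return dict(hits)

def only_source(table, dst_ip, dst_port, suspect_ip):
    """True when suspect_ip is the sole originator of flows to dst_ip:dst_port."""
    return set(sources_for(table, dst_ip, dst_port)) == {suspect_ip}

if __name__ == "__main__":
    for src, states in sources_for(SAMPLE, "91.200.42.46", 1176).items():
        print(f"{src}: {len(states)} flow(s), states={states}")
```

If the router NATs its own clients, their flows also appear under the router's address at the firewall, so the same parse then has to be run on the router's own connection-tracking table, where forwarded clients keep their LAN address in the original tuple.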
 
I am not hacked!

Just in case anybody will be looking for something similar, I am not hacked! It just somehow happened that a strange piece of software called Download Master was installed.
I am not aware I ever installed it, but obviously it is a standard ASUS tool and even unconfigured it keeps trying to connect to its server. God knows why? Uninstalling Download Master via the router's control web page solved the issue and the router is not connecting to eMule anymore.
 
