Strange German URL Listening on 80+ Ports on RT-AC66U B1


jenny5353

New Around Here
Recently my router was hacked and I have been trying to recover it, but I suspect that somehow there is malicious code lurking in there somewhere. I have factory reset, hard factory reset, re-initialized settings, re-flashed various versions of both stock and Merlin firmware what feels like a thousand times now.

(Before this process started I knew I was hacked because someone managed to get past my ISP gateway firewall set to high, past my Asus firewall with Ai Protection turned on, and then past a Qubes firewall and deleted client information from my primary workstation.)

Now I understand that doing a factory reset, re-initializing the settings, and flashing the firmware is supposed to erase everything on the router and return it to factory condition, but that is not what is happening for me. Is it possible that somehow code could be added somewhere that would prevent a full reset from occurring?

Right after I realized I was hacked I immediately upgraded to the latest version of stock firmware (beta 9) and enabled Ai Protection. The next morning when I tried to check the logs I was locked out of my router and had to factory reset just to access the backend. Then I tried to upgrade to Merlin but it wouldn't accept the firmware. I ended up having to re-flash the last stable Asus firmware before I could upgrade to Merlin. I upgraded to Merlin starting with 386.1_0, but JFFS would not mount at all. (Tried several fixes from the forums.)

Next I upgraded to 386.2_2 but I found (quite by accident) that even though I had set a custom LAN IP, the router backend could be accessed from the custom LAN IP and both of the default LAN IPs (192.168.0.1 and 192.168.50.1). Note however that JFFS did mount with this version.

So then I upgraded to 386.2_4 yesterday and found the exact same problem. Only this time I realized that not only would the custom LAN IP and default LAN IPs work, but ANY IP I typed into the address bar would redirect to my router. I tried several random IP addys that I have never set before and sure enough they redirected me to router.asus.com . . .

Redirect webUI to router.asus.com was disabled in my settings.

Across all of these reset, re-initialize, re-flash processes I have been using the instructions that L&LD set down here: https://www.snbforums.com/threads/ax88-packet-loss.62891/#post-563326. The only difference is I let it 'rest' longer.

With some of these updates I get 100% packet loss, sometimes I get 0% packet loss, but no matter what I cannot access the internet from my Asus router. Sometimes I get connection time out issues and more frequently than not it loads 'partial pages'. I get text links and nothing else. Using a search engine is impossible. Due to the hack my ISP filtered port 49152, which is how they initially infiltrated my network, but that hasn't stopped anything. In my last conversation with them they suggested that something on my network is calling out . . .

This morning I connected my Asus to my ISP gateway to run some tests and when I ran netstat from Asus I found that something like 80+ ports on my router are on a TIME WAIT for a German IP address.

tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52460 TIME_WAIT

I really want to nail these a$$holes to the wall. Even though I'm a complete noob at networking I can SSH into my router and if anyone could tell me where / what to look for . . .

I know a lot of people would just send the router back to the manufacturer to get a replacement, but I need to know how they did this so I can stop it from ever happening to me again. I'm fairly sure that this same hacker is the one hacking my business websites and clients, but I need some help figuring out what he did to my network and my systems.

Any assistance would be greatly appreciated! (I have logs and screenshots of issues backed up for over a month now.)
 

L&LD

Part of the Furniture
Unplug all LAN cables from the router. Do not reattach until you've completed the following at least once (some routers need more than once of the complete/full steps below).

Fully Reset Router and Network

When you are satisfied that the router is functioning properly after doing the above as many times as necessary, then the following link will get you back up and running.

Again, I recommend to not be connected to your ISP when doing the (initial) steps below.

Best Practice Update/Setup Router/AiMesh Node(s) 2021


If after doing the above the security issues persist? Then the malware is in your internal network already. More drastic steps are then required.
 

jenny5353

New Around Here
I have done that four times now at least over the last two weeks. Always without a connection to my ISP gateway. (I always configure my routers offline and then connect WAN after setup is complete and rebooted.)

I do not use wifi or bluetooth. I go so far as to completely disable both in my workstations via system configuration files and I have removed all wireless/bluetooth adapters from my motherboards. I only use ethernet with firewalls always set to maximum. I have some limited knowledge of how to block IPs and ports in UFW. I only run Linux boxes. When I configure my routers I disable all NAT passthroughs. Never once have I found an extraneous device connected to my network. I don't play games and I don't use social media anymore.

I don't just want to recover from this. I want to report them to the authorities and know how to stop it in the future.

What would be the more drastic steps please?
 

ColinTaylor

Part of the Furniture
Can you SSH into your router and post the output of these two commands please:
Code:
netstat -nlp
ps w
 

jenny5353

New Around Here
Colin here's the output from the SSH command line:


ASUSWRT-Merlin RT-AC68U 386.2_4 Fri Apr 30 21:00:24 UTC 2021
[email protected]:/tmp/home/root# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 159/wanduck
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN 727/cfg_server
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 93.207.87.37:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 241/dnsmasq
tcp 0 0 93.207.87.37:53 0.0.0.0:* LISTEN 241/dnsmasq
tcp 0 0 93.207.87.37:63485 0.0.0.0:* LISTEN 490/dropbear
udp 0 0 0.0.0.0:9999 0.0.0.0:* 259/infosvr
udp 0 0 127.0.0.1:53 0.0.0.0:* 241/dnsmasq
udp 0 0 93.207.87.37:53 0.0.0.0:* 241/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 241/dnsmasq
udp 0 0 0.0.0.0:18018 0.0.0.0:* 159/wanduck
udp 0 0 0.0.0.0:7788 0.0.0.0:* 727/cfg_server
udp 0 0 127.0.0.1:38032 0.0.0.0:* 217/nas
udp 0 0 127.0.0.1:59032 0.0.0.0:* 215/wlceventd
udp 0 0 0.0.0.0:51359 0.0.0.0:* 365/avahi-daemon: r
udp 0 0 127.0.0.1:47032 0.0.0.0:* 372/roamast
udp 0 0 0.0.0.0:5353 0.0.0.0:* 365/avahi-daemon: r
udp 0 0 127.0.0.1:61689 0.0.0.0:* 349/mastiff
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 767 203/nt_center /var/run/nt_center_socket
unix 2 [ ACC ] STREAM LISTENING 1046 386/conn_diag /var/run/conndiag_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1057 397/amas_lib /var/run/amas_lib_socket
unix 2 [ ACC ] STREAM LISTENING 569 168/lldpd /var/run/lldpd.socket
unix 2 [ ACC ] STREAM LISTENING 876 247/nt_actMail /var/run/nt_actMail_socket
unix 2 [ ACC ] STREAM LISTENING 638 185/netool /var/run/netool_socket
unix 2 [ ACC ] STREAM LISTENING 384 100/PS_pod /tmp/ps_sock
unix 2 [ ACC ] STREAM LISTENING 2472 727/cfg_server /var/run/cfgmnt_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 971 365/avahi-daemon: r /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 730 193/wlc_nt /var/run/wlcnt_socket
unix 2 [ ACC ] STREAM LISTENING 2526 372/roamast /var/run/rast_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 734 184/protect_srv /var/run/protect_srv_socket
unix 2 [ ACC ] STREAM LISTENING 2531 372/roamast /var/run/rast_internal_ipc_socket
pr1nc3ss[email protected]:/tmp/home/root# ps w
PID USER VSZ STAT COMMAND
1 pr1nc3ss 8320 S /sbin/preinit
2 pr1nc3ss 0 SW [kthreadd]
3 pr1nc3ss 0 SW [ksoftirqd/0]
4 pr1nc3ss 0 SW [kworker/0:0]
5 pr1nc3ss 0 SW [kworker/u:0]
6 pr1nc3ss 0 SW [migration/0]
7 pr1nc3ss 0 SW [migration/1]
8 pr1nc3ss 0 SW [kworker/1:0]
9 pr1nc3ss 0 SW [ksoftirqd/1]
10 pr1nc3ss 0 SW< [khelper]
11 pr1nc3ss 0 SW [sync_supers]
12 pr1nc3ss 0 SW [bdi-default]
13 pr1nc3ss 0 SW< [kblockd]
14 pr1nc3ss 0 SW [kswapd0]
15 pr1nc3ss 0 SW [fsnotify_mark]
16 pr1nc3ss 0 SW< [crypto]
24 pr1nc3ss 0 SW [mtdblock0]
25 pr1nc3ss 0 SW [mtdblock1]
26 pr1nc3ss 0 SW [mtdblock2]
27 pr1nc3ss 0 SW [mtdblock3]
28 pr1nc3ss 0 SW [kworker/u:1]
35 pr1nc3ss 0 SW [kworker/0:1]
36 pr1nc3ss 0 SW [kworker/1:1]
37 pr1nc3ss 0 SW [mtdblock4]
38 pr1nc3ss 0 SW [mtdblock5]
40 pr1nc3ss 668 S hotplug2 --persistent --no-coldplug
46 pr1nc3ss 0 SWN [jffs2_gcd_mtd4]
97 pr1nc3ss 7632 S console
100 pr1nc3ss 7632 S /sbin/PS_pod
104 pr1nc3ss 1440 S /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 7
106 pr1nc3ss 1440 S /sbin/klogd -c 5
159 pr1nc3ss 7640 S /sbin/wanduck
164 pr1nc3ss 1484 S lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*,wds1.*,wds2.* -s RT-AC68U
168 nobody 1456 S lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*,wds1.*,wds2.* -s RT-AC68U
177 pr1nc3ss 812 S /usr/sbin/jitterentropy-rngd -p /var/run/jitterentropy-rngd.pid
178 pr1nc3ss 5236 S asd
183 pr1nc3ss 6512 S nt_monitor
184 pr1nc3ss 2724 S protect_srv
185 pr1nc3ss 7672 S /sbin/netool
189 pr1nc3ss 7672 S /sbin/netool
190 pr1nc3ss 7672 S /sbin/netool
192 pr1nc3ss 7636 S wpsaide
193 pr1nc3ss 2708 S /usr/sbin/wlc_nt
200 pr1nc3ss 6512 S nt_monitor
201 pr1nc3ss 6512 S nt_monitor
203 pr1nc3ss 6808 S nt_center
208 pr1nc3ss 2724 S protect_srv
210 pr1nc3ss 2724 S protect_srv
215 pr1nc3ss 2852 S /usr/sbin/wlceventd
217 pr1nc3ss 1884 S nas
218 pr1nc3ss 6808 S nt_center
219 pr1nc3ss 6808 S nt_center
236 pr1nc3ss 6512 S nt_monitor
241 nobody 3220 S dnsmasq --log-async
242 pr1nc3ss 3216 S dnsmasq --log-async
247 pr1nc3ss 2164 S nt_actMail
257 pr1nc3ss 1444 S crond -l 9
258 pr1nc3ss 6944 S httpd -i br0
259 pr1nc3ss 1316 S /usr/sbin/infosvr br0
264 pr1nc3ss 2164 S nt_actMail
265 pr1nc3ss 2164 S nt_actMail
266 pr1nc3ss 1320 S sysstate
267 pr1nc3ss 7636 R watchdog
268 pr1nc3ss 7632 S check_watchdog
293 pr1nc3ss 2904 S rstats
343 pr1nc3ss 1360 S lld2d br0
345 pr1nc3ss 6840 S networkmap --bootwait
349 pr1nc3ss 6648 S mastiff
350 pr1nc3ss 7636 S bwdpi_check
356 pr1nc3ss 7636 S pctime
365 nobody 1536 S avahi-daemon: running [princeling.local]
372 pr1nc3ss 7712 S roamast
386 pr1nc3ss 7876 S conn_diag
397 pr1nc3ss 7644 S amas_lib
416 pr1nc3ss 7876 S conn_diag
418 pr1nc3ss 7876 S conn_diag
490 pr1nc3ss 1116 S dropbear -p 93.207.87.37:63485 -j -k
559 pr1nc3ss 6648 S mastiff
560 pr1nc3ss 6648 S mastiff
561 pr1nc3ss 6648 S mastiff
617 pr1nc3ss 0 SW [khubd]
727 pr1nc3ss 6056 S cfg_server
763 pr1nc3ss 0 SW [flush-mtd-unmap]
978 pr1nc3ss 7636 S usbled
990 pr1nc3ss 6056 S cfg_server
991 pr1nc3ss 6056 S cfg_server
1008 pr1nc3ss 7712 S roamast
1009 pr1nc3ss 7712 S roamast
1012 pr1nc3ss 7712 S roamast
1013 pr1nc3ss 7712 S roamast
1702 pr1nc3ss 1460 S /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org
1710 pr1nc3ss 1456 S /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
1725 pr1nc3ss 7636 S disk_monitor
1772 pr1nc3ss 7644 S amas_lib
2089 pr1nc3ss 1136 S dropbear -p 93.207.87.37:63485 -j -k
2090 pr1nc3ss 1452 S -sh
2129 pr1nc3ss 1444 R ps w
[email protected]:/tmp/home/root#
 

ColinTaylor

Part of the Furniture
Your router's LAN IP address appears to be 93.207.87.37 (p5dcf5725.dip0.t-ipconnect.de). What address are you using to connect to the router?
 

jenny5353

New Around Here
Yes, that is my custom LAN ip for the Asus router, but I am in Texas. There is no VPN setup right now.

I am not familiar enough with the processes that run in the router to know which ones should be there and which ones shouldn't.
 

ColinTaylor

Part of the Furniture
Yes, that is my custom LAN ip for the Asus router, but I am in Texas. There is no VPN setup right now.
Then this is a red herring. Nobody is hacking you.

You should not use public IP addresses (that belong to other people) for your internal private network. It leads to this kind of confusion.
 

jenny5353

New Around Here
I was hacked. I may not be able to prove it, but my workstation was hacked. I understand what you are saying though and will adjust it and reset my network.
 

jenny5353

New Around Here
However, would that prevent webpages from loading properly? I was using custom IP addys outside the reserved private network addresses prior to the compromise and I never had a problem accessing the internet before. Please forgive me, I really don't know much about networking and I'm trying to protect myself from someone that has compromised my cell, network, workstations and websites over and over again. When I ran nmap just a few minutes ago ports 80 and 53 were open but it did not show 443 as open. I certainly didn't block it on my workstation or the router.
 

ColinTaylor

Part of the Furniture
Without being able to go back in time and look at your router/network as it was then it's impossible to speculate what was happening. All I can say at the moment is your router looks normal. Ports 80 and 53 are open because they are the router's HTTP web interface and DNS server. Port 443 isn't open because you're not currently using the router's HTTPS web interface.
 
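As an added example (not code from this thread or from Asuswrt-Merlin), the Python script below applies the two checks Colin's replies come down to: it verifies that an address chosen as the router's LAN IP really sits inside an RFC 1918 private range, and it parses a netstat -nlp listing to show which listeners (httpd on 80, dnsmasq on 53, dropbear for SSH) are bound to a public address, so a case like the 93.207.87.37 bindings above is reported as a configuration problem rather than mistaken for a foreign intrusion. The sample listing is a constructed excerpt modelled on the output posted earlier.

```python
import ipaddress
import re

# Constructed excerpt modelled on the netstat -nlp output posted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 159/wanduck
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 93.207.87.37:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 93.207.87.37:53 0.0.0.0:* LISTEN 241/dnsmasq
tcp 0 0 93.207.87.37:63485 0.0.0.0:* LISTEN 490/dropbear
udp 0 0 0.0.0.0:67 0.0.0.0:* 241/dnsmasq
udp 0 0 127.0.0.1:59032 0.0.0.0:* 215/wlceventd
"""

# The three private ranges a home LAN should be numbered from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# proto  recv-q send-q  local:port  foreign  [LISTEN]  pid/program
LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)")


def is_rfc1918(addr: str) -> bool:
    """True if addr is a legitimate private LAN address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(addr: str) -> str:
    """Scope of a bind address: all-interfaces, loopback, private or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "private" if is_rfc1918(addr) else "public"


def parse_listeners(text: str) -> list:
    """Parse netstat -nlp lines into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, pidprog = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "program": pidprog.split("/", 1)[-1],
                     "scope": classify(addr)})
    return rows


def find_public_binds(text: str) -> list:
    """Listeners bound to a public address: a mis-numbered LAN, not a foreign host."""
    return [r for r in parse_listeners(text) if r["scope"] == "public"]
```

Run find_public_binds on your own netstat -nlp output; an empty result after re-numbering the LAN into an RFC 1918 range confirms the fix Colin suggests.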
