What's new

Strange German URL Listening on 80+ Ports on RT-AC66U B1

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jenny5353

New Around Here
Recently my router was hacked and I have been trying to recover it, but I suspect that somehow there is malicious code lurking in there somewhere. I have factory reset, hard factory reset, re-initialized settings, re-flashed various versions of both stock and Merlin firmware what feels like a thousand times now.

(Before this process started I knew I was hacked because someone managed to get past my ISP gateway firewall set to high, past my Asus firewall with Ai Protection turned on, and then past a Qubes firewall and deleted client information from my primary workstation.)

Now I understand that doing a factory reset, re-initializing the settings, and flashing the firmware is supposed to erase everything on the router and return it to factory condition, but that is not what is happening for me. Is it possible that somehow code could be added somewhere that would prevent a full reset from occurring?

Right after I realized I was hacked I immediately upgraded to the latest version of stock firmware (beta 9) and enabled Ai Protection. The next morning when I tried to check the logs I was locked out of my router and had to factory reset just to access the backend. Then I tried to upgrade to Merlin but it wouldn't accept the firmware. I ended up having to re-flash the last stable Asus firmware before I could upgrade to Merlin. I upgraded to Merlin starting with 386.1_0, but JFFS would not mount at all. (Tried several fixes from the forums.)

Next I upgraded to 386.2_2 but I found (quite by accident) that even though I had set a custom LAN IP, the router backend could be accessed from the custom LAN IP and both of the default LAN IPs (192.168.0.1 and 192.168.50.1). Note however that JFFS did mount with this version.

So then I upgraded to 386.2_4 yesterday and found the exact same problem. Only this time I realized that not only would the custom LAN IP and default LAN IPs work, but ANY IP I typed into the address bar would redirect to my router. I tried several random IP addys that I have never set before and sure enough they redirected me to router.asus.com . . .

Redirect webUI to router.asus.com was disabled in my settings.

Across all of these reset, re-initialize, re-flash processes I have been using the instructions that L&LD set down here: https://www.snbforums.com/threads/ax88-packet-loss.62891/#post-563326. The only difference is I let it 'rest' longer.

With some of these updates I get 100% packet loss, sometimes I get 0% packet loss, but no matter what I can not access the internet from my Asus router. Sometimes I get connection time out issues and more frequently than not it loads 'partial pages'. I get text links and nothing else. Using a search engine is impossible. Due to the hack my ISP filtered port 49152 which is how they initially infiltrated my network, but that hasn't stopped anything. My last conversation with them they suggested that something on my network is calling out . . .

This morning I connected my Asus to my ISP gateway to run some tests and when I ran netstat from Asus I found that something like 80+ ports on my router are on a TIME WAIT for a German IP address.

tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52460 TIME_WAIT

I really want to nail these a$$holes to the wall. Even though I'm a complete noob at networking I can SSH into my router and if anyone could tell me where / what to look for . . .

I know a lot of people would just send the router back to the manufacturer to get a replacement, but I need to know how they did this so I can stop it from ever happening to me again. I'm fairly sure that this same hacker is the one hacking my business websites and clients, but I need some help figuring out what he did to my network and my systems.

Any assistance would be greatly appreciated! (I have logs and screenshots of issues backed up for over a month now.)
 
Unplug all LAN cables from the router. Do not reattach until you've completed the following at least once (some routers need more than once of the complete/full steps below).

Fully Reset Router and Network

When you are satisfied that the router is functioning properly after doing the above as many times as necessary, then the following link will get you back up and running.

Again, I recommend to not be connected to your ISP when doing the (initial) steps below.

Best Practice Update/Setup Router/AiMesh Node(s) 2021


If after doing the above the security issues persist? Then the malware is in your internal network already. More drastic steps are then required.
 
I have done that four times now at least over the last two weeks. Always without a connection to my ISP gateway. (I always configure my routers offline and then connect WAN after setup is complete and rebooted.)

I do not use wifi or bluetooth. I go so far as to completely disable both in my workstations via system configuration files and I have removed all wireless/bluetooth adapters from my motherboards. I only use ethernet with firewalls always set to maximum. I have some limited knowledge of how to block IPs and ports in UFW. I only run Linux boxes. When I configure my routers I disable all NAT passthroughs. Never once have I found an extraneous device connected to my network. I don't play games and I don't use social media anymore.

I don't just want to recover from this. I want to report them to the authorities and know how to stop it in the future.

What would be the more drastic steps please?
 
Can you SSH into your router and post the output of these two commands please:
Code:
netstat -nlp
ps w
 
Colin here's the output from the SSH command line:


ASUSWRT-Merlin RT-AC68U 386.2_4 Fri Apr 30 21:00:24 UTC 2021
pr1nc3ss@princeling:/tmp/home/root# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 159/wanduck
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN 727/cfg_server
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 93.207.87.37:80 0.0.0.0:* LISTEN 258/httpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 241/dnsmasq
tcp 0 0 93.207.87.37:53 0.0.0.0:* LISTEN 241/dnsmasq
tcp 0 0 93.207.87.37:63485 0.0.0.0:* LISTEN 490/dropbear
udp 0 0 0.0.0.0:9999 0.0.0.0:* 259/infosvr
udp 0 0 127.0.0.1:53 0.0.0.0:* 241/dnsmasq
udp 0 0 93.207.87.37:53 0.0.0.0:* 241/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 241/dnsmasq
udp 0 0 0.0.0.0:18018 0.0.0.0:* 159/wanduck
udp 0 0 0.0.0.0:7788 0.0.0.0:* 727/cfg_server
udp 0 0 127.0.0.1:38032 0.0.0.0:* 217/nas
udp 0 0 127.0.0.1:59032 0.0.0.0:* 215/wlceventd
udp 0 0 0.0.0.0:51359 0.0.0.0:* 365/avahi-daemon: r
udp 0 0 127.0.0.1:47032 0.0.0.0:* 372/roamast
udp 0 0 0.0.0.0:5353 0.0.0.0:* 365/avahi-daemon: r
udp 0 0 127.0.0.1:61689 0.0.0.0:* 349/mastiff
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 767 203/nt_center /var/run/nt_center_socket
unix 2 [ ACC ] STREAM LISTENING 1046 386/conn_diag /var/run/conndiag_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1057 397/amas_lib /var/run/amas_lib_socket
unix 2 [ ACC ] STREAM LISTENING 569 168/lldpd /var/run/lldpd.socket
unix 2 [ ACC ] STREAM LISTENING 876 247/nt_actMail /var/run/nt_actMail_socket
unix 2 [ ACC ] STREAM LISTENING 638 185/netool /var/run/netool_socket
unix 2 [ ACC ] STREAM LISTENING 384 100/PS_pod /tmp/ps_sock
unix 2 [ ACC ] STREAM LISTENING 2472 727/cfg_server /var/run/cfgmnt_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 971 365/avahi-daemon: r /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 730 193/wlc_nt /var/run/wlcnt_socket
unix 2 [ ACC ] STREAM LISTENING 2526 372/roamast /var/run/rast_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 734 184/protect_srv /var/run/protect_srv_socket
unix 2 [ ACC ] STREAM LISTENING 2531 372/roamast /var/run/rast_internal_ipc_socket
pr1nc3ss@princeling:/tmp/home/root# ps w
PID USER VSZ STAT COMMAND
1 pr1nc3ss 8320 S /sbin/preinit
2 pr1nc3ss 0 SW [kthreadd]
3 pr1nc3ss 0 SW [ksoftirqd/0]
4 pr1nc3ss 0 SW [kworker/0:0]
5 pr1nc3ss 0 SW [kworker/u:0]
6 pr1nc3ss 0 SW [migration/0]
7 pr1nc3ss 0 SW [migration/1]
8 pr1nc3ss 0 SW [kworker/1:0]
9 pr1nc3ss 0 SW [ksoftirqd/1]
10 pr1nc3ss 0 SW< [khelper]
11 pr1nc3ss 0 SW [sync_supers]
12 pr1nc3ss 0 SW [bdi-default]
13 pr1nc3ss 0 SW< [kblockd]
14 pr1nc3ss 0 SW [kswapd0]
15 pr1nc3ss 0 SW [fsnotify_mark]
16 pr1nc3ss 0 SW< [crypto]
24 pr1nc3ss 0 SW [mtdblock0]
25 pr1nc3ss 0 SW [mtdblock1]
26 pr1nc3ss 0 SW [mtdblock2]
27 pr1nc3ss 0 SW [mtdblock3]
28 pr1nc3ss 0 SW [kworker/u:1]
35 pr1nc3ss 0 SW [kworker/0:1]
36 pr1nc3ss 0 SW [kworker/1:1]
37 pr1nc3ss 0 SW [mtdblock4]
38 pr1nc3ss 0 SW [mtdblock5]
40 pr1nc3ss 668 S hotplug2 --persistent --no-coldplug
46 pr1nc3ss 0 SWN [jffs2_gcd_mtd4]
97 pr1nc3ss 7632 S console
100 pr1nc3ss 7632 S /sbin/PS_pod
104 pr1nc3ss 1440 S /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 7
106 pr1nc3ss 1440 S /sbin/klogd -c 5
159 pr1nc3ss 7640 S /sbin/wanduck
164 pr1nc3ss 1484 S lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*,wds1.*,wds2.* -s RT-AC68U
168 nobody 1456 S lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*,wds1.*,wds2.* -s RT-AC68U
177 pr1nc3ss 812 S /usr/sbin/jitterentropy-rngd -p /var/run/jitterentropy-rngd.pid
178 pr1nc3ss 5236 S asd
183 pr1nc3ss 6512 S nt_monitor
184 pr1nc3ss 2724 S protect_srv
185 pr1nc3ss 7672 S /sbin/netool
189 pr1nc3ss 7672 S /sbin/netool
190 pr1nc3ss 7672 S /sbin/netool
192 pr1nc3ss 7636 S wpsaide
193 pr1nc3ss 2708 S /usr/sbin/wlc_nt
200 pr1nc3ss 6512 S nt_monitor
201 pr1nc3ss 6512 S nt_monitor
203 pr1nc3ss 6808 S nt_center
208 pr1nc3ss 2724 S protect_srv
210 pr1nc3ss 2724 S protect_srv
215 pr1nc3ss 2852 S /usr/sbin/wlceventd
217 pr1nc3ss 1884 S nas
218 pr1nc3ss 6808 S nt_center
219 pr1nc3ss 6808 S nt_center
236 pr1nc3ss 6512 S nt_monitor
241 nobody 3220 S dnsmasq --log-async
242 pr1nc3ss 3216 S dnsmasq --log-async
247 pr1nc3ss 2164 S nt_actMail
257 pr1nc3ss 1444 S crond -l 9
258 pr1nc3ss 6944 S httpd -i br0
259 pr1nc3ss 1316 S /usr/sbin/infosvr br0
264 pr1nc3ss 2164 S nt_actMail
265 pr1nc3ss 2164 S nt_actMail
266 pr1nc3ss 1320 S sysstate
267 pr1nc3ss 7636 R watchdog
268 pr1nc3ss 7632 S check_watchdog
293 pr1nc3ss 2904 S rstats
343 pr1nc3ss 1360 S lld2d br0
345 pr1nc3ss 6840 S networkmap --bootwait
349 pr1nc3ss 6648 S mastiff
350 pr1nc3ss 7636 S bwdpi_check
356 pr1nc3ss 7636 S pctime
365 nobody 1536 S avahi-daemon: running [princeling.local]
372 pr1nc3ss 7712 S roamast
386 pr1nc3ss 7876 S conn_diag
397 pr1nc3ss 7644 S amas_lib
416 pr1nc3ss 7876 S conn_diag
418 pr1nc3ss 7876 S conn_diag
490 pr1nc3ss 1116 S dropbear -p 93.207.87.37:63485 -j -k
559 pr1nc3ss 6648 S mastiff
560 pr1nc3ss 6648 S mastiff
561 pr1nc3ss 6648 S mastiff
617 pr1nc3ss 0 SW [khubd]
727 pr1nc3ss 6056 S cfg_server
763 pr1nc3ss 0 SW [flush-mtd-unmap]
978 pr1nc3ss 7636 S usbled
990 pr1nc3ss 6056 S cfg_server
991 pr1nc3ss 6056 S cfg_server
1008 pr1nc3ss 7712 S roamast
1009 pr1nc3ss 7712 S roamast
1012 pr1nc3ss 7712 S roamast
1013 pr1nc3ss 7712 S roamast
1702 pr1nc3ss 1460 S /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org
1710 pr1nc3ss 1456 S /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
1725 pr1nc3ss 7636 S disk_monitor
1772 pr1nc3ss 7644 S amas_lib
2089 pr1nc3ss 1136 S dropbear -p 93.207.87.37:63485 -j -k
2090 pr1nc3ss 1452 S -sh
2129 pr1nc3ss 1444 R ps w
pr1nc3ss@princeling:/tmp/home/root#
 
Your router's LAN IP address appears to be 93.207.87.37 (p5dcf5725.dip0.t-ipconnect.de). What address are you using to connect to the router?
 
Yes, that is my custom LAN ip for the Asus router, but I am in Texas. There is no VPN setup right now.

I am not familiar enough with the processes that run in the router to know which ones should be there and which ones shouldn't.
 
Yes, that is my custom LAN ip for the Asus router, but I am in Texas. There is no VPN setup right now.
Then this is a red herring. Nobody is hacking you.

You should not use public IP addresses (that belong to other people) for your internal private network. It leads to this kind of confusion.
 
Last edited:
I was hacked. I may not be able to prove it, but my workstation was hacked. I understand what you are saying though and will adjust it and reset my network.
 
However, would that prevent webpages from loading properly? I was using custom IP addys outside the reserved private network addresses prior to the compromise and I never had a problem accessing the internet before. Please forgive me I really don't know much about networking and I'm trying to protect myself from someone that has compromised my cell, network, workstations and websites over and over again. When I ran nmap just a few minutes ago ports 80 and 53 were open but it did not show 443 as open. I certainly didn't block it on my workstation or the router.
 
Without being able to go back in time and look at your router/network as it was then it's impossible to speculate what was happening. All I can say at the moment is your router looks normal. Ports 80 and 53 are open because they are the router's HTTP web interface and DNS server. Port 443 isn't open because you're not currently using the router's HTTPS web interface.
 
Hi everyone,. I have been hacked exactly the same as what's been written here, that's how I found it by googling some terms.

I don't use any VPN from the router, I've done a million reflash even ASUS recovery flashing, both the latest firmware for Merlin and ASUS stock

I think they got into my network via a phone and Bluetooth to some smart lights and then to the Android TV or even my Samsung phone and used internet tethering to retain an internet connection, that's my guess based on what I saw before resetting

I have some logs I can attached before I reset
And current netstat


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 247/wanduck
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN 1169/cfg_server
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 1094/httpd
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 22025/stubby
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1084/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 1084/dnsmasq
tcp 0 0 192.168.101.1:53 0.0.0.0:* LISTEN 1084/dnsmasq
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN 1093/httpds
tcp 4 0 192.168.1.1:8443 0.0.0.0:* LISTEN 1093/httpds
tcp 517 0 192.168.1.1:8443 192.168.1.215:56054 ESTABLISHED -
tcp 0 0 58.136.66.162:37569 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 58.136.66.162:53544 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 58.136.66.162:53547 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 58.136.66.162:53546 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 192.168.1.1:8443 192.168.1.215:56040 TIME_WAIT -
tcp 1 1 58.136.66.162:53549 104.111.165.166:443 LAST_ACK -
tcp 517 0 192.168.1.1:8443 192.168.1.215:56056 ESTABLISHED -
tcp 0 0 58.136.66.162:47909 94.140.15.15:853 ESTABLISHED 22025/stubby
tcp 1 1 58.136.66.162:53548 104.111.165.166:443 LAST_ACK -
tcp 0 0 58.136.66.162:53553 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 517 0 192.168.1.1:8443 192.168.1.215:56052 ESTABLISHED -
tcp 0 0 192.168.1.1:8443 192.168.1.215:56048 ESTABLISHED 1093/httpds
tcp 517 0 192.168.1.1:8443 192.168.1.215:56058 ESTABLISHED -
tcp 1 1 58.136.66.162:53550 104.111.165.166:443 LAST_ACK -
tcp 0 0 58.136.66.162:53545 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 192.168.1.1:8443 192.168.1.215:56032 TIME_WAIT -
tcp 0 0 58.136.66.162:47907 94.140.15.15:853 TIME_WAIT -
tcp 0 0 192.168.1.1:8443 192.168.1.215:56018 TIME_WAIT -
tcp 0 0 58.136.66.162:50693 94.140.14.14:853 TIME_WAIT -
tcp 0 0 192.168.1.1:8443 192.168.1.215:55928 TIME_WAIT -
tcp 0 0 58.136.66.162:37568 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 58.136.66.162:37567 104.111.165.166:443 ESTABLISHED 22363/wred
tcp 0 0 58.136.66.162:50695 94.140.14.14:853 ESTABLISHED 22025/stubby
tcp 517 0 192.168.1.1:8443 192.168.1.215:56050 ESTABLISHED -
tcp 0 0 192.168.1.1:8443 192.168.1.215:55948 TIME_WAIT -
udp 0 0 0.0.0.0:9999 0.0.0.0:* 1095/infosvr
udp 0 0 0.0.0.0:42000 0.0.0.0:* 312/eapd
udp 0 0 127.0.0.1:42032 0.0.0.0:* 1057/acsd
udp 0 0 127.0.1.1:53 0.0.0.0:* 22025/stubby
udp 0 0 127.0.0.1:53 0.0.0.0:* 1084/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 1084/dnsmasq
udp 0 0 192.168.101.1:53 0.0.0.0:* 1084/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1084/dnsmasq
udp 0 0 0.0.0.0:18018 0.0.0.0:* 247/wanduck
udp 0 0 0.0.0.0:7788 0.0.0.0:* 1169/cfg_server
udp 0 0 0.0.0.0:38000 0.0.0.0:* 312/eapd
udp 0 0 0.0.0.0:59000 0.0.0.0:* 312/eapd
udp 0 0 127.0.0.1:38032 0.0.0.0:* 357/nas
udp 0 0 127.0.0.1:59032 0.0.0.0:* 390/wlceventd
udp 0 0 0.0.0.0:47000 0.0.0.0:* 312/eapd
udp 0 0 127.0.0.1:47032 0.0.0.0:* 1148/roamast
udp 0 0 0.0.0.0:45795 0.0.0.0:* 1135/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1135/avahi-daemon:
udp 0 0 0.0.0.0:43000 0.0.0.0:* 312/eapd
udp 0 0 127.0.0.1:61689 0.0.0.0:* 1127/mastiff
udp 0 0 :::123 :::* 1502/ntp
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 1805 349/nt_center /var/run/nt_center_socket
unix 2 [ ACC ] STREAM LISTENING 2342 1192/amas_lib /var/run/amas_lib_socket
unix 2 [ ACC ] STREAM LISTENING 1835 469/nt_actMail /var/run/nt_actMail_socket
unix 2 [ ACC ] STREAM LISTENING 2146 1135/avahi-daemon: /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 3692 1169/cfg_server /var/run/cfgmnt_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1658 291/netool /var/run/netool_socket
unix 2 [ ACC ] STREAM LISTENING 1671 290/protect_srv /var/run/protect_srv_socket
unix 2 [ ACC ] STREAM LISTENING 654 139/PS_pod /tmp/ps_sock
unix 11 [ ] DGRAM 658 143/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 2209 1150/conn_diag /var/run/conndiag_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 2213 1163/lldpd /var/run/lldpd.socket
unix 2 [ ACC ] STREAM LISTENING 1118684 22342/dcd /var/conf_serv_sock
unix 2 [ ACC ] STREAM LISTENING 3804 1148/roamast /var/run/rast_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1385 288/haveged @/sys/entropy/haveged
unix 2 [ ACC ] STREAM LISTENING 1783 318/wlc_nt /var/run/wlcnt_socket
unix 2 [ ACC ] STREAM LISTENING 3834 1148/roamast /var/run/rast_internal_ipc_socket
unix 2 [ ] STREAM CONNECTED 1140637 1192/amas_lib /var/run/amas_lib_socket
unix 3 [ ] STREAM CONNECTED 1118834 22363/wred
unix 3 [ ] STREAM CONNECTED 1118833 22363/wred
unix 2 [ ] DGRAM 1117105 22025/stubby
unix 2 [ ] DGRAM 1117084 22023/pppd
unix 2 [ ] DGRAM 4730 1092/crond
unix 3 [ ] STREAM CONNECTED 2225 1163/lldpd
unix 3 [ ] STREAM CONNECTED 2224 1163/lldpd
unix 3 [ ] STREAM CONNECTED 2218 1158/lldpd
unix 3 [ ] STREAM CONNECTED 2217 1163/lldpd
unix 2 [ ] DGRAM 2212 1158/lldpd
unix 2 [ ] DGRAM 2140 1135/avahi-daemon:
unix 2 [ ] DGRAM 1978 1084/dnsmasq
unix 2 [ ] DGRAM 1814 390/wlceventd
unix 2 [ ] DGRAM 1389 288/haveged
unix 2 [ ] DGRAM 711 145/klogd


They have done something to my phone and I can't upload files here they say they are empty
 
Hi everyone,. I have been hacked exactly the same as what's been written here, that's how I found it by googling some terms.
The information in the original post did not indicate the the user had been hacked. It was a misunderstanding on his part.

What is it that makes you think your router has been hacked?

What router model do you have? What firmware version?

They have done something to my phone and I can't upload files here they say they are empty
This is probably caused by this website's content filter blocking the upload. It does that when it sees something that might be a problem. That's not unusual.
 
Similar threads

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top