NoviceNetworker

New Around Here
I was running an ASUS RT-AC66U B1 router that this morning was having trouble connecting to the internet. I was receiving a warning that my ISP's DHCP does not function properly. I restarted the router and cable modem multiple times with the same result and also tried to manually update the firmware on the router and it would not update. I pulled up the router system log and saw what appears to be an OpenVPN connection trying to be established (I don't remember ever turning this on). The log times are also late in the evening and I was not up on any computer. I'm not a networking guy, so I'm curious if those smarter than I see anything suspicious in the below portions of the log? The "out_fd is a pipe" entry occurred over and over for about 45 minutes and this is where the log starts. I'm using a different router now but would like to know if this was just an error with my router or something more? I've removed any specific IP or MAC ADDRESS info in the below:

May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:21 DualWAN: skip single wan wan_led_control - WANRED off
May 16 23:27:26 WAN Connection: WAN(0) link up.
May 16 23:27:26 rc_service: wanduck XXX:notify_rc restart_wan_if 0
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:39 kernel: out_fd is a pipe
May 16 23:27:40 kernel: out_fd is a pipe
May 16 23:27:40 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:48 kernel: out_fd is a pipe
May 16 23:27:48 kernel: out_fd is a pipe
May 16 23:28:01 WAN Connection: WAN(0) link up.
May 16 23:28:01 rc_service: wanduck XXX:notify_rc restart_wan_if 0
May 16 23:28:03 kernel: out_fd is a pipe
May 16 23:28:21 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:21 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:38 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:38 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:59 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS status: Successful (0), rssi:0
May 16 23:28:59 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:29:07 wan: finish adding multi routes
May 16 23:29:08 vpnserver1[9724]: Multiple --up scripts defined. The previously configured script is overridden.
May 16 23:29:08 vpnserver1[9724]: OpenVPN 2.4.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 2 2021
May 16 23:29:08 vpnserver1[9724]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.03
May 16 23:29:08 vpnserver1[9731]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 16 23:29:08 vpnserver1[9731]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 16 23:29:08 vpnserver1[9731]: Diffie-Hellman initialized with 2048 bit key
May 16 23:29:08 vpnserver1[9731]: TUN/TAP device tun21 opened
May 16 23:29:08 vpnserver1[9731]: TUN/TAP TX queue length set to 100
May 16 23:29:08 vpnserver1[9731]: /sbin/ifconfig tun21 10.8.x.x pointopoint 10.8.x.x mtu 1500
May 16 23:29:09 vpnserver1[9731]: /bin/sh /jffs/updater tun21 1500 1622 10.8.x.x 10.8.x.x init
May 16 23:29:09 vpnserver1[9731]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
May 16 23:29:09 vpnserver1[9731]: Exiting due to fatal error
May 16 23:29:17 dhcp client: bound 192.168.x.x/255.255.x.x via for 20 seconds.
May 16 23:29:21 wan: finish adding multi routes
May 16 23:30:25 BWDPI: fun bitmap = 5ff
May 16 23:30:25 A.QoS: qos_count=0, qos_check=0
May 16 23:30:30 dhcp client: bound EXTERNAL IP ADDRESS/255.255.255.0 via EXTERNAL IP ADDRESS for 4549 seconds.
 
There have been other reports of this "out_fd is a pipe" message recently. It's possible that it's malware, particularly if you didn't setup the VPN server (which thankfully isn't working).

I suggest you play it safe and hard reset your router as soon as possible and set it up again from scratch.


EDIT: Looking more at your log, that "/jffs/updater" message definitely looks like malware to me. What firmware version are you using?
 
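Added example (not code from the thread, the poster, or ASUS firmware): a small Python script that runs the three checks the replies above describe over a saved copy of the router's system log. It parses Asuswrt-style syslog lines and flags (1) bursts of the kernel message "out_fd is a pipe", (2) an OpenVPN server start when the owner never enabled one, (3) an OpenVPN --up script living on a writable filesystem such as /jffs, and (4) any vpnserver activity inside a quiet-hours window when nobody was awake. The sample log is constructed to resemble the posted lines (MAC and IP values are placeholders); the indicator names, the burst threshold of 5 per minute and the 23:00-06:00 quiet window are assumptions to tune for your own network.

```python
"""Flag the indicators discussed in this thread in an Asuswrt-style syslog.

Added example, not code from the thread or from ASUS firmware. The sample
log is constructed to resemble the posted lines; MAC/IP values are
placeholders; indicator names, the burst threshold and the quiet-hours
window are assumptions rather than anything the firmware defines.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the original post (not copied from it).
SAMPLE_LOG = """\
May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:26 WAN Connection: WAN(0) link up.
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:28:03 kernel: out_fd is a pipe
May 16 23:28:21 syslog: wlceventd_proc_event(527): eth1: Auth AA:BB:CC:DD:EE:FF, status: Successful (0), rssi:0
May 16 23:29:08 vpnserver1[9724]: OpenVPN 2.4.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 2 2021
May 16 23:29:08 vpnserver1[9731]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 16 23:29:08 vpnserver1[9731]: TUN/TAP device tun21 opened
May 16 23:29:08 vpnserver1[9731]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
May 16 23:29:09 vpnserver1[9731]: /bin/sh /jffs/updater tun21 1500 1622 10.8.0.1 10.8.0.2 init
May 16 23:29:09 vpnserver1[9731]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
May 16 23:29:09 vpnserver1[9731]: Exiting due to fatal error
May 16 23:30:30 dhcp client: bound 203.0.113.10/255.255.255.0 via 203.0.113.1 for 4549 seconds.
"""

# "May 16 23:27:09 kernel: out_fd is a pipe" -> timestamp, process, message
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
# OpenVPN echoes the --up command it runs. Anything under the writable
# /jffs, /tmp or /opt filesystems was put there after flashing, not by the
# firmware image itself (assumed heuristic; adjust the list as needed).
UP_SCRIPT_RE = re.compile(r"^(?:/bin/sh\s+)?(?P<path>/(?:jffs|tmp|opt)/\S+)")
PIPE_MSG = "out_fd is a pipe"


def parse_log(text):
    """Return one dict per parseable line with proc, msg, hour and a minute key."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["hour"] = int(d["hh"])
        d["minute"] = f"{d['mon']} {int(d['day']):02d} {d['hh']}:{d['mm']}"
        entries.append(d)
    return entries


def pipe_bursts(entries, threshold=5):
    """Minutes in which the kernel logged PIPE_MSG at least `threshold` times."""
    counts = Counter(e["minute"] for e in entries
                     if e["proc"] == "kernel" and e["msg"] == PIPE_MSG)
    return {minute: n for minute, n in counts.items() if n >= threshold}


def in_quiet_hours(hour, quiet=(23, 6)):
    """True if `hour` is inside the [start, end) window, which may wrap midnight."""
    start, end = quiet
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def analyze(text, vpn_server_expected=False, quiet=(23, 6), threshold=5):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_log(text)
    findings = []
    for minute, n in sorted(pipe_bursts(entries, threshold).items()):
        findings.append({"indicator": "kernel_pipe_burst", "minute": minute,
                         "detail": f"{n} x '{PIPE_MSG}'"})
    quiet_minutes = set()  # report quiet-hours VPN activity once per minute
    for e in entries:
        if not e["proc"].startswith("vpnserver"):
            continue
        if e["msg"].startswith("OpenVPN ") and not vpn_server_expected:
            findings.append({"indicator": "unexpected_vpn_server_start",
                             "minute": e["minute"], "detail": e["msg"].split(" [")[0]})
        m = UP_SCRIPT_RE.match(e["msg"])
        if m:
            findings.append({"indicator": "vpn_up_script_in_writable_fs",
                             "minute": e["minute"], "detail": m.group("path")})
        if in_quiet_hours(e["hour"], quiet) and e["minute"] not in quiet_minutes:
            quiet_minutes.add(e["minute"])
            findings.append({"indicator": "vpn_activity_in_quiet_hours", "minute": e["minute"],
                             "detail": f"quiet window {quiet[0]:02d}:00-{quiet[1]:02d}:00"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['minute']}  {f['indicator']:30} {f['detail']}")
```

Run it against the log downloaded from the router's System Log page (or copied from /tmp/syslog.log over SSH) by passing the file contents to analyze(); set vpn_server_expected=True only if you really did enable the OpenVPN server. Any hit on vpn_up_script_in_writable_fs deserves the hard reset recommended above, since a --up script is run with the router's privileges every time the tunnel comes up.
 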
I also found my routers offline this morning, and they went back to normal after I reset them. It seems that many ASUS routers were having this trouble?

I would suggest that you refer to this FAQ to hard reset your router: https://www.asus.com/support/FAQ/1039074/
And remember to save the settings in advance (here: https://www.asus.com/support/FAQ/1001376/). It would save a lot of time redoing all the settings...

Hope it would help.
 
Thanks. When I logged into the router, it had an older firmware version. I'm now running 3.0.0.4.386_51665-g8072e52. I believe it was running 3.0.0.4.386_49703 - I don't remember exactly what was after the 4, but I remember after the underscore was a 4.

At first I tried to update the firmware, and when I had it check for updates, it said no update required. I then downloaded the firmware, did the checksum, and tried to manually update, and it would not update. I was in bed and asleep during all the log activity showing the VPN setup attempts, so someone was definitely trying to set up the VPN server. Looking at the log files, it appears they ran the script you referenced multiple times, failing each time before giving up late in the evening.

I think I'm good now running the latest firmware and haven't seen any more unusual activity in the logs.
 
No, that link states a wonky asd file was the culprit for many, this is (possibly) much more malicious.
 
