Trying to rebuild after a total home breach, problems abound..RT-AC3100 / Network Leak..

ShawnG

Hey all - Long time lurker, but I've been ground to submission..

Backstory - home network with 20+ devices (IP cams, kids' game systems, dad's game systems, Synology NAS) behind an R7000 running DD-WRT - all running perfectly for 1 1/2 years, no problems. About a month ago oddities started to arise - a couple of my grey-market China cams reverted to their native tongue, odd traffic / wireless disconnects occasionally (who checks after the movie?) which I ignored at the time - regrettably.

Fast forward to a week ago - Synology compromised and 2FA locked (haven't even started with it, she sits cold) - R7000 has been hard-bricked and no hope of even the recovery console; most of the house computers are in some state of Win-doze reinstall from scratch, and I watched it all happen powerless - they (whoever) hit all in a two-night attack - the worst part being after compromising the R7000 the second time, they allowed it to continue with the parameters I had set - so while I was assessing the damage to the computers etc, they were going at the Synology... FML. The real kicker - I had pulled the hard line and unplugged the R7000 and the sister AP wireless in my shop figuring I could breathe and catch my breath; turns out they had made their breach via my / wife's / son's Androids - all of which are currently sitting on the counter with the batteries pulled (next to my Minix U1 which I can only assume was nailed as well but is of low priority).

Windows reinstalls were turned rabid before I could get to the point of getting antivirus installed - in fact I am typing this running hardwired on my old beater laptop and a live CD burn of Kali. It's surreal. :(

So yesterday following the death of the R7000 I headed out and grabbed both an AC-3100 and an AC-5100 (which is still boxed) as I wanted backup "in case" and the vendor has a great return policy; I had yet to deduce the problem being the damn cell phones and installed the RT-AC3100 unhooked, configured her all right with the latest firmware via my Kali-live powered laptop and checking the MD5 every step of the way. It's worth mentioning that I am on a static IP; the traffic ack-syning the unit seemed heavy but it seemed to be doing fine and dropping packets like it should; I enjoyed a little research time on my phone and crashed out thinking it was over..

So this morning - no net, 3100 has a single LED and is unresponsive.. thankfully there wasn't anything left running on the inside for them to chew on. Took a firmware restore to get her back up - to which I saw very odd traffic - what I assume is the DNS rebinding attack described here -


Regardless, I have spent the better part of the day trying to discern if it is my clients that are still infected, something else internal that is causing the issue, or perhaps the firmware I reloaded (threw on the newest Merlin thinking it might help?) - Anyways, it only occurred to me earlier while rebuilding one of my machines that the phones could possibly be the culprit - and pulling the batteries on everything Android seems to have quieted the airwaves (at least from what I can see with the Kali wireless sniffer?) but the issue persists even with a full lockdown on the 3100 - specified admin ports, IPs, and SSL; DNS check... and I've attached what I see below within minutes of logging on with either the Kali live machine or my one Win10 laptop that I've rebuilt. At this point I'm considering cobbling together a pfSense machine out of some old hardware in the garage - but figured I would come see what the expert community has to say first. It's been a long couple of days so please go easy, my brain is craving sleep horribly.


Wow... was kicked from the forum site the second I posted the boot log. Will try again, but I'm hoping there is something in there. Some testing in the meantime - on my Win10 laptop I installed TinyWall; it appears I make multiple connections on port 443 to specific IPs when I hit web URLs... and I mean a lot... even disconnected from the LAN and I get 50+ port connections.. yet the machine shows clean and clear besides the usual "svchosts"... ?

Boot
 
Nope - won't allow me to post.. attaching a txt?

Wouldn't allow that either. Ok all, here's my zipped and renamed-to-txt boot log... geez.
 

Attachments

  • Post SNB1.txt (5.4 KB)
Man that sounds bad. I don't envy your situation. That being said, considering your network seems to have been compromised and the fact you're a new poster, someone would have to be crazy to open a ZIP file you posted. You may want to try again to copy and paste the little bit of your log you want us to see so maybe we can help.
 
Until you isolate the infection vector I would set up Wi-Fi devices to connect using guest networks and not allow these devices to connect to your intranet (other LAN-connected devices). Don't put your NAS or printer back online until you are sure all devices are clean.

For wired devices you might use a double-NAT setup to isolate devices from each other. Just connect devices you are not certain are clean to the Internet-facing router and cleaned devices to the second router. Be sure to BAN any access to the second double-NATed router from the WAN port by any means.
 
Well I guess I'll start with another reflash of the 3100; I can't understand how the image might have gotten corrupted between the downloading of the Merlin ROM and the push / config (via wired machine) to the 3100; but I'm assuming since it won't allow me to post it's compromised already. It's times like this I wish I had a couple of USB keys with a hardware write lock; I am using a couple of old SD cards (hardware write locks) with USB adapters. I'll keep you updated.. :)
 
If they are getting to the AC3100 you might try pfSense and/or Untangle loaded on a PC. Untangle will track at a higher level which might be good for you. I quit running Untangle when they started charging $50 for home use. They may have an eval period but you need to check how it now works.

PS
I had someone bring over an infected laptop for me to fix. It infected one of my other machines. I have since built a guest network isolated from my core network so this cannot happen again.
 

Untangle is $50/year for home users.
 

Sounds like a really good lesson here...

1) know what's on your network - seriously - every node should be checked out
2) don't expose services - see number 1 above...

It was probably the cams that got you into trouble... see #1 above.
 
Dnsmasq users, remember to add "stop-dns-rebind" in your config. That helps stop DNS rebind attacks. Possibly rebound domains will also be logged.

Unbound (used in pfSense?) has a similar feature with the keyword "private-address".
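As an added illustration of what those two keywords make the resolver do (example code written for this note, not from dnsmasq, Unbound or the poster; the exact range list each daemon blocks is an assumption, check its own docs):

```python
import ipaddress

# Ranges a DNS-rebind filter refuses to hand to LAN clients. This approximates
# what dnsmasq's stop-dns-rebind and Unbound's private-address cover
# (assumption: the exact default set differs per daemon; check its docs).
REBIND_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_rebind_address(ip_text):
    """True if an upstream answer points into a LAN, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an address at all; leave it to other checks
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.1) is judged as its IPv4 address
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in REBIND_BLOCKLIST)

def filter_answers(name, answers):
    """Split one name's addresses into (allowed, rejected); rejected is what the daemon drops and logs."""
    rejected = [a for a in answers if is_rebind_address(a)]
    allowed = [a for a in answers if a not in rejected]
    if rejected:
        print(f"possible DNS rebind: {name} -> {', '.join(rejected)}")
    return allowed, rejected

def unbound_private_address_lines():
    """Render the same ranges as Unbound 'private-address:' config lines."""
    return [f"private-address: {net}" for net in REBIND_BLOCKLIST]

# Constructed sample answers (documentation ranges, not real hosts)
SAMPLE_ANSWERS = {
    "cdn.example.com": ["203.0.113.10", "2001:db8::10"],
    "rebind.example.net": ["203.0.113.5", "192.168.1.1"],  # flips to the router
    "v6.example.net": ["::ffff:10.0.0.1", "fe80::1"],
}

if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        print(name, filter_answers(name, answers))
    print("\n".join(unbound_private_address_lines()))
```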
 
If you think it is the cams then put a block in your outbound firewall for their IP addresses.

This is a good suggestion. It's a nuisance to track down the IPs. Simply pull from online sources of malicious IP lists and block them all!

I used to curate my own list which is very tiny. It grew from a few to over 600 IPs. A while back I expanded to over 90,000 by pulling in online sources. Quite shocked to see what happened.

My LAN is regularly connecting to malicious IPs. Some are false positives, some aren't. But to my surprise it's because I put some shirt on my RT-AC56U which attracts flies!

Going to find time to write and share my story and how to prevent it.
 

By any chance, did you get any unwanted pop-up ad (something like a registry cleaner)? Does anyone there use Windows 10?
 