Two-Way IPS: Exploit Remote Command Execution, Netcore Router Backdoor Access

majortom

Occasional Visitor
I installed the new version 384.3 of Asuswrt-Merlin on two different routers in two different locations. Since this update I now have a new menu entry regarding security issues. On the page regarding Two-Way IPS security risks I see hits counting up every day.

The log looks like this:
https://imgur.com/a/3uVpV

What is this? What does that mean? Are both routers on continued attack? Are people looking for exploits at my WAN IP? Or is there any security inside my local network? Am I at risk?
Someone attacks you and your router is blocking it. That's all. Nothing to worry about. If you still have concerns, you may ask your ISP to change your WAN IP, or since rebooting your router changes your WAN IP you can try that, but eventually you'll see these again. Since 5 January my WAN IP changed 2 times and I have 128 hits since that time.
 
This is normal internet background noise; bots are constantly probing the limited IPv4 space for vulnerable devices to add to their botnet. There are most likely significantly more than these few IPs hitting you; in the last 12 hours Skynet has picked up around 2000 blocked connections on my home network. Until IPv6 is more mainstream, where IPs can't be easily guessed, the best you can do is just stay updated.
 
Your router and AIProtection were blocking these things before you upgraded to the new firmware. The only thing different is the blocked events are now reported by AiProtection.

If you look at the exploits you'll see they are old, well known, and your router is already patched against them, otherwise you would have been hacked long ago.
 
Thank you for the explanations.
I didn't think my IP especially at home would be exposed to such attacks. It is good to know that AsusWRT-Merlin is taking care of it.
 
Bots, script kiddies, 3-letter agencies, and other miscreants scan all possible IPv4 addresses continuously, looking, as Adamm said above, for open and/or unpatched devices to exploit. There are around 3.7 billion public IPv4 addresses total, but a well-written script can scan them all in a fairly short time, then it starts over again, looking for new targets. :(
 
I just noticed these today too. Wondering if I should pick up another new router for a family member. I swapped out routers and gave them my N66U. Should I upgrade theirs?
 
Bots, script kiddies, 3-letter agencies, and other miscreants scan all possible IPv4 addresses continuously, looking, as Adamm said above, for open and/or unpatched devices to exploit. There are around 3.7 billion public IPv4 addresses total, but a well-written script can scan them all in a fairly short time, then it starts over again, looking for new targets. :(

Yeah, I was reading an article the other day from a university researcher that said someone with a 1 Gbps internet connection and a script should be able to scan the entire IPv4 address range in 45 minutes nowadays. They found that there are still 2.5 million devices out there with unpatched/exposed UPnP.
 
I just noticed these today too. Wondering if I should pick up another new router for a family member. I swapped out routers and gave them my N66U. Should I upgrade theirs?
Good idea, because here’s what Merlin said in his end-of-2017 update:
“Unfortunately, to keep the project at a manageable level for a lone developer, I have decided to drop active support for the older MIPS platform, which means the RT-N66U and RT-AC66U.”
 
Got the same error, checked my settings, and found out that the Remote Access Web Access from WAN was enabled by default! :-O
Check your settings "Administration -> System -> Remote Access Config -> Enable Web Access from WAN" and change this to OFF!!
 
Got the same error, checked my settings, and found out that the Remote Access Web Access from WAN was enabled by default! :-O
Check your settings "Administration -> System -> Remote Access Config -> Enable Web Access from WAN" and change this to OFF!!
Have you been using the ASUS App on your phone to access your router? It has been reported that this app automagically enables WAN access to make it "easier" for you to use it from anywhere. :(

I have never used the app and my RT-AC68U running 384.4_2 does not have that setting enabled by default. :)
 
Have you been using the ASUS App on your phone to access your router? It has been reported that this app automagically enables WAN access to make it "easier" for you to use it from anywhere. :(

I have never used the app and my RT-AC68U running 384.4_2 does not have that setting enabled by default. :)
I use the Asus Router app and it doesn't enable WAN access

Sent from my Nexus 5 using Tapatalk
 
Have you been using the ASUS App on your phone to access your router? It has been reported that this app automagically enables WAN access to make it "easier" for you to use it from anywhere
Yes, this is absolutely ridiculous. I noticed the same thing with my new AC86U. The app immediately prompted to enable remote WAN access. WTF?? And it keeps doing that. For a router that scans for all sorts of vulnerabilities and prompts to change them, this is just plain ridiculous. Use VPN instead.

Bit of a worry though: I notice these scans showing up constantly in my logs and changing IP probably won't fix anything.

Would having WAN access disabled (except VPN) have protected against this 'netcore' vulnerability?
 
Would having WAN access disabled (except VPN) have protected against this 'netcore' vulnerability?
Netcore vulnerabilities are for Netcore routers. A lot of the vulnerabilities detected by the IPS are really old. Asus routers using the latest FW aren't vulnerable to anything detected by the IPS.
 
Thanks. Well, I'm hoping the IDS and blocklist will help protect against unknown vulnerabilities too.

Is the AiProtection care of Trend Micro OK? In tandem with Skynet it should be pretty solid.

Sent from my SM-G965F using Tapatalk
 
I run Sophos UTM (home license) to protect the home network. On a typical day I'll see between 1500-5000 firewall hits. I've yet to see their version of an IPS hit. Just imagine if there was no firewall between you and the internet. How well would Windows Firewall protect? What about if it's disabled? Internet with a condom these days :)
 
Filtered packets could be random pings or something too. So you don't use the router firewall and IDS and use a Sophos device instead?

I'm betting on the Asus firewall and IDS being strong enough.

You're right, it's quite terrifying.

Although IPv6 will help through obscurity I'm sure it will still happen.

Sent from my SM-G965F using Tapatalk
 
You're right about the filtered packets. It could be traffic even inside the network getting blocked because there's no specific rule to allow it. Still, periodically I review the firewall logs and see all sorts of inbound connections. Many more until I blocked everything inbound from anywhere but the country I'm in (US).

I have fiber here. Once the ONT is authenticated, topology is like this.

ONT <> dumb switch (needed to help with ONT authentication) <> Sophos UTM box WAN port. From there, the LAN port goes out to other switches and APs around the house.

I wanted better security and network use tracking than what the RT (RT-AC68U) was able to provide. Just not enough processor speed. UTM is run as a VM under ESXi, 6GB RAM with 4 CPU cores assigned (i5 6600K).

With a single connection I get about 400 Mbps through Snort. Multiple connections drop it down to ~300-325 Mbps. So it takes ~3-4 connections to fully saturate the pipe. No way would the RT handle that. Not sure about the newer models. Maybe something with a quad-core processor can handle more. I remember speeds taking a nosedive when I just enabled bandwidth use in the RT. These days the RTs function as overglorified APs and switches (VLANs work well).

Still, the UTM provides so much more functionality over what the routers offer. I was initially going to use pfSense, but in testing liked the UI of UTM. As a lay person, setup was much easier. pfSense is definitely lighter and has more advanced features. Sort of like DD-WRT vs stock firmware.
 
Hmm, something to consider.

My pipe is only 60/16 so the 86U may be fine for my needs then. Hope so anyway, because I just dropped a few pennies on it! The wireless works like a charm anyway.

Sent from my SM-G965F using Tapatalk
 
This is normal internet background noise; bots are constantly probing the limited IPv4 space for vulnerable devices to add to their botnet. There are most likely significantly more than these few IPs hitting you; in the last 12 hours Skynet has picked up around 2000 blocked connections on my home network. Until IPv6 is more mainstream, where IPs can't be easily guessed, the best you can do is just stay updated.

Just discovered this thread, was getting spooked too, thanks :)
 