What's new

Unsual acitvities in Router Logs

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

noidea

New Around Here
hi all,

I'm seeing some unusual activities in my router logs; I'm on the latest Merlin Firmware (384.19) for my AX88U... I'm seeing that my Router is being attempting to be hacked and then the clock defaults back to May 5...

I've also disabled my web access from WAN as a precaution.

I'm also having random devices loosing WiFi connectivity, this started after updating the firmware... the only way to resolve it is to reboot the router as the device cannot find the wireless network.

Here's an extract of what I'm seeing... does anybody have any comments?


Oct 22 17:57:45 httpd_login_lock: Detect abnormal logins at 5 times. The newest one was from 185.172.129.102 in login.
May 5 05:05:07 kernel: brcmboard registered
May 5 05:05:07 kernel: genirq: Flags mismatch irq 36. 00000000 (brcm_36) vs. 00000000 (brcm_36)
May 5 05:05:07 kernel: pci 0000:00:00.0: of_irq_parse_pci() failed with rc=-22
May 5 05:05:07 kernel: pci 0000:01:00.0: of_irq_parse_pci() failed with rc=-22
May 5 05:05:07 kernel: pci 0001:00:00.0: of_irq_parse_pci() failed with rc=-22
May 5 05:05:07 kernel: pci 0001:01:00.0: of_irq_parse_pci() failed with rc=-22
May 5 05:05:07 kernel: broadcomThermalDrv brcm-therm: init (CPU count 4 4 4 4)
May 5 05:05:07 kernel: hub 1-0:1.0: config failed, hub doesn't have any ports! (err -19)
May 5 05:05:07 kernel: eth5 (Ext switch port: 7) (Logical Port: 15) (phyId: 1e) Link UP at 1000 mbps full duplex
May 5 05:05:08 nat: apply redirect rules
May 5 05:05:11 kernel: eth4 (Ext switch port: 3) (Logical Port: 11) (phyId: b) Link UP at 1000 mbps full duplex
May 5 05:05:12 WAN_Connection: Ethernet link down.
May 5 05:05:12 acsd: eth6: Selecting 2g band ACS policy
May 5 05:05:12 RT-AX88U: start https:8443
May 5 05:05:12 RT-AX88U: start httpd:80
May 5 05:05:12 httpd: Save SSL certificate...80
May 5 05:05:13 NAT_Tunnel: AAE Service is stopped
May 5 05:05:13 disk_monitor: be idle
May 5 05:05:13 AAE: AAE Service is started
May 5 05:05:13 hour_monitor: daemon is starting
May 5 05:05:13 hour_monitor: daemon terminates
May 5 05:05:13 Mastiff: init
May 5 05:05:14 jffs2: valid logs(1)
May 5 05:05:16 ntpd: Started ntpd
May 5 05:05:16 modprobe: module scsi_wait_scan not found in modules.dep
May 5 05:05:16 modprobe: module mbcache not found in modules.dep
May 5 05:05:16 modprobe: module jbd not found in modules.dep
May 5 05:05:16 modprobe: module ext3 not found in modules.dep
May 5 05:05:16 modprobe: module ext4 not found in modules.dep
May 5 05:05:16 modprobe: module ext2 not found in modules.dep
May 5 05:05:16 modprobe: module btusbdrv not found in modules.dep
May 5 05:05:16 acsd: eth6: COEX: downgraded chanspec 0x1909 (11) to 0x100b (11): channel 6 used by exiting BSSs
May 5 05:05:16 acsd: eth6: selected channel spec: 0x100b (11)
May 5 05:05:16 acsd: eth6: Adjusted channel spec: 0x100b (11)
May 5 05:05:16 acsd: eth6: selected channel spec: 0x100b (11)
May 5 05:05:16 acsd: acs_set_chspec: 0x100b (11) for reason APCS_INIT
May 5 05:05:17 acsd: eth7: Selecting 5g band ACS policy
May 5 05:05:18 acsd: eth7: selected channel spec: 0xe02a (36/80)
May 5 05:05:18 acsd: eth7: Adjusted channel spec: 0xe02a (36/80)
May 5 05:05:18 acsd: eth7: selected channel spec: 0xe02a (36/80)
May 5 05:05:18 acsd: acs_set_chspec: 0xe02a (36/80) for reason APCS_INIT
May 5 05:05:19 kernel: eth0 (Int switch port: 3) (Logical Port: 3) (phyId: c) Link UP at 1000 mbps full duplex
May 5 05:05:20 WAN_Connection: Fail to connect with some issues.
May 5 05:05:22 BONDING: option disabled
May 5 05:05:37 nat: apply nat rules (/tmp/nat_rules__eth0) error!
May 5 05:05:38 zcip_client: configured 169.254.183.89
May 5 05:05:40 nat: apply redirect rules error!
May 5 05:05:44 kernel: ubi: mtd10 is already attached to ubi1
May 5 05:05:45 nat: apply redirect rules error!
May 5 05:05:48 httpd: Succeed to init SSL certificate...80
May 5 05:05:48 httpd: Succeed to init SSL certificate...8443
May 5 05:05:50 nat: apply redirect rules error!
May 5 05:05:51 pppd[1381]: Timeout waiting for PADO packets
May 5 05:05:55 nat: apply redirect rules error!
May 5 05:05:56 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
May 5 05:05:56 kernel: x_tables: ip_tables: mac match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD
May 5 05:05:56 wan: finish adding multi routes
May 5 05:05:57 rc_service: ip-up 1740:notify_rc stop_ntpd
May 5 05:05:57 rc_service: ip-up 1740:notify_rc start_ntpd
May 5 05:05:57 rc_service: waitting "stop_ntpd" via ip-up ...
May 5 05:05:57 ntpd: Stopped ntpd
May 5 05:05:58 ntpd: Started ntpd
May 5 05:06:00 WAN_Connection: WAN was restored.
May 5 05:06:01 BWDPI: fun bitmap = 47f
May 5 05:06:03 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
May 5 05:06:03 kernel: x_tables: ip_tables: mac match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD
May 5 05:06:34 rc_service: amas_lib 1330:notify_rc restart_qos;restart_firewall
May 5 05:06:34 kernel: x_tables: ip_tables: mac match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD
May 5 05:06:36 BWDPI: fun bitmap = 47f
May 5 05:06:36 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
May 5 05:06:36 kernel: x_tables: ip_tables: mac match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD
May 5 05:07:14 rc_service: amas_lib 1330:notify_rc restart_qos;restart_firewall
May 5 05:07:16 BWDPI: fun bitmap = 47f
May 5 05:07:16 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Oct 22 18:41:58 ntpd: Initial clock set
Oct 22 18:41:58 rc_service: ntpd_synced 3083:notify_rc restart_diskmon
Oct 22 18:41:58 disk_monitor: Finish
Oct 22 18:41:58 start_ddns: update WWW.ASUS.COM update@asus.com, wan_unit 0
Oct 22 18:41:58 disk_monitor: be idle
Oct 22 18:42:24 crond[1225]: time disparity of 1298251 minutes detected
Oct 23 08:09:35 Mastiff: Got AAE_SIG_REMOTE_CONNECTION_TURNED_ON
Oct 23 08:09:35 rc_service: httpd 1227:notify_rc restart_time;restart_leds;restart_usb_idle;restart_firewall;
Oct 23 08:09:36 ntpd: Stopped ntpd
Oct 23 08:09:36 hour_monitor: daemon is starting
Oct 23 08:09:36 hour_monitor: daemon terminates
Oct 23 08:09:36 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Oct 23 08:19:02 rc_service: httpd 1227:notify_rc restart_firewall
Oct 23 08:19:02 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
 
You have two issues. 1) You had enabled WAN access to your router which you should never do. 2) The 5th May entries appear when the router is rebooted. The reboot happened 45 minutes after the last failed login attempt so is likely unrelated.
 
Thanks Colin... i was concerned that there was something dodgy going on but feel assured now... thanks for your help :)
 
If you had been running the Skynet firewall add-on, that IP would not have been allowed to reach your router since that IP is in one of the default ban lists Skynet uses. Just saying.

Code:
185.172.129.102 is NOT in set Skynet-Whitelist.
185.172.129.102 is in set Skynet-Blacklist.
185.172.129.102 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: alienvault_reputation.ipset"
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top