
delro92

Occasional Visitor
I just logged into my router's USB attached hard drive and found a file I DIDN'T create named: "WARNING_YOU_ARE_VULNERABLE.txt", it contains this text:

This is an automated message being sent out to everyone effected.
Your Asus router (and your documents) can be accessed by anyone in
the world with an internet connection. You need to protect yourself
and learn more by reading the following news article:
"http://nullfluid.com/asusgate.txt"

Below is a list of all the vulnerable IP addresses that have been
leaked. If you are reading this, YOU ARE VULNERABLE TOO:
"http://pastebin.com/ASfYTWgw"


Solution: COMPLETELY DISABLE "FTP" AND "AICLOUD", IMMEDIATELY.

I hope we helped.

Sincerely,
/g/

For the time being, I am doing as this file says since I found my IP on their list. Do I have to do something else to be protected? Also, is there anything they are not telling us?

Additional info:
This txt file appeared on my N66U running Merlin's version "3.0.0.4.374.39_0-em".
I had none of the AiCloud "services" enabled.
FTP was enabled in the "No account required" mode.
 
FTP was enabled in the "No account required" mode.. effectively opening your router to the world!

Always use safe password/account combos when connecting a device to the internet!

Default open FTP is madness.
 
FTP was enabled in the "No account required" mode.. effectively opening your router to the world!

Always use safe password/account combos when connecting a device to the internet!

Default open FTP is madness.

I believed it was only for LAN. Is there a way to keep the FTP without accounts but "unplugged" from WAN, just like there is an "Allow SSH access from WAN" option?
 
you should probably change your aicloud user/pass

as far as ftp goes... nobody should use it, ever lol. if you're not using aicloud, you'd be better off using SCP, or VPN + SMB.
 
So, someone is actively scanning the Internet for open ports?
My, what a world we live in.

Thanks for the news, and I am not listed, both services are deactivated.

I had none of the AiCloud "services" enabled.
FTP was enabled in the "No account required" mode.
 
I believed it was only for LAN. Is there a way to keep the FTP without accounts but "unplugged" from WAN, just like there is an "Allow SSH access from WAN" option?

2 things you could try;

# -p tcp is required for --dport to be accepted; eth0 is the WAN interface here
iptables -I INPUT -i eth0 -p tcp --dport 21 -j DROP

or

set a port forward that sends 21 to 0.0.0.0 or 1.1.1.1, if the webui won't accept 0.0.0.0 as input
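The first suggestion, written out as an added example that is not code from the thread, from Asus or from Asuswrt-Merlin. It covers the other listeners the thread worries about as well (Samba on 139/445), and it assumes the WAN interface is eth0 as in the post; on Asuswrt `nvram get wan0_ifname` prints the real name, and on PPPoE links it is usually ppp0, so set WAN_IF accordingly. LAN clients are unaffected because the match is on the inbound interface (LAN traffic arrives on br0), not on an address.

```shell
#!/bin/sh
# Added example, not code from the thread. Blocks WAN-side access to the
# router's own FTP and Samba listeners; LAN clients are not affected.
# Assumptions: WAN interface "eth0" as in the post above (check with
# `nvram get wan0_ifname` on Asuswrt; it may be vlan2 or ppp0), and the
# router's stock iptables.

WAN_IF="${WAN_IF:-eth0}"
# TCP ports discussed in the thread: 21 = FTP, 139/445 = Samba
BLOCK_PORTS="21 139 445"

# Emit one iptables command per port without running anything.
# -I puts the rule at the top of INPUT so it is evaluated before any
# ACCEPT the firmware added; -p tcp is mandatory for --dport to be valid.
gen_rules() {
    for p in $BLOCK_PORTS; do
        printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$p"
    done
}

# Number of rules gen_rules would add (sanity check for the port list).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Run the generated commands on the router (needs root).
apply_rules() {
    gen_rules | sh
}

# Show what is now in place for the WAN interface.
show_rules() {
    iptables -L INPUT -n -v | grep "$WAN_IF"
}

# Usage: sh wan-block.sh          -> print the rules (dry run)
#        sh wan-block.sh --apply  -> insert them and list the result
if [ "${1:-}" = "--apply" ]; then
    apply_rules && show_rules
else
    gen_rules
fi
```

On Asuswrt-Merlin the firmware flushes and rebuilds the firewall on every WAN event, so the apply step belongs in /jffs/scripts/firewall-start, which Merlin runs after each rebuild. This is containment only: as the thread says, turning the FTP and AiCloud services off is the actual fix.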
 
Let's say, someone prior to this announcement modified something on my router's software. How would I go about cleaning it from any possible malware? Also, is samba affected by this?
 
Let's say, someone prior to this announcement modified something on my router's software. How would I go about cleaning it from any possible malware? Also, is samba affected by this?

The samba issue is a whole other vulnerability in Asus stock firmware for AC68 and AC56. Port 445 is open to the world if you enable the samba server on AC68 and AC56. It also affects older Merlin builds for AC68 and AC56. If you have previously used/configured/shared a USB disk, it will automatically enable the Samba server and open port 445 without your consent when you plug it in.

The port 445 issue is the real mind blower.

It's been around for those two routers since at least November (probably before).

Around 70 percent of all malicious port scans target port 445. Edit: Although the report below says only 23 percent target 445.
http://news.cnet.com/8301-1009_3-57607722-83/microsoft-ds-no-longer-hackers-top-target/#!
 
if you want to truly 'sanitize' _everything_, your best bet would be to detach external storage and scan with a computer detached from any network. it also wouldn't hurt to check timestamps on files you want to keep.

then, you would want to reflash the firmware, restore factory defaults and manually reconfigure.

if you use /jffs, you'll want to nuke that, too.

a more extreme recommendation might be to zero out storage, probably easiest to do from a linux box.

regarding samba; the ac56 and ac68 models had a recent vulnerability that left them wide open to the internet. merlin patched that with his 39 release. so, if your smb user/pass is the same as your aicloud AND the attacking user knew you well enough to where he'd be able to use that information while on your LAN, technically _your_ smb configuration is compromised, but smb itself is NOT vulnerable.
 
Wow, thank you very much for your replies. I just found out about these vulnerabilities and I have to say I'm in awe. It really changes the idea I had about ASUS.
 
Wow, thank you very much for your replies. I just found out about these vulnerabilities and I have to say I'm in awe. It really changes the idea I had about ASUS.

I'm not going to lie. It changed my opinion too. The port 445 thing still has my mind blown even though it didn't affect my N66U. Currently, I have double-NATed the Asus. I remember reading something about port 80 too a couple of weeks ago on this forum. I'm sure the hackers in Indonesia and China are applauding Asus right now.
 
Good grief, where does it end with these routers.. Always something. :(
 
Good grief, where does it end with these routers.. Always something. :(

This is an old security hole, but so few people update the router. There should be some kind of automatic update feature.

The AiCloud issue was fixed last summer. The FTP issue last month. But for the firmware from last month, you'll have to download it manually from the Asus website.

I will never trust features like this directly on the router. And the manufacturers - both Asus and others - need to take security more seriously. There are a lot of known issues that manufacturers have known about for a long time and don't plan to fix - even on products that are still on sale.

Keeping it simple would have been the best solution....
 
So, someone is actively scanning the Internet for open ports?
My, what a world we live in.
Even Microsoft does it.
We surveyed the state of elliptic curve deployment on the server side for SSH by scanning the complete public IPv4 space in October 2013 for SSH host keys, server Diffie-Hellman values, and signature values. We also collected the list of key exchange and authentication cipher suites offered by each server.
For academic purposes of course ;)
 
opkg install nmap

nmap --open my.wan.ip.address

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
515/tcp open printer
3128/tcp open squid-http
8082/tcp open blackice-alerts
8200/tcp open trivnet1
9091/tcp open xmltec-xmlmail
9100/tcp open jetdirect
9998/tcp open distinct32

I have "Allow SSH access from WAN" set to No, open anyway. Same with "Enable Web Access from WAN" set to No, allows it anyway.
 
opkg install nmap

nmap --open my.wan.ip.address

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
515/tcp open printer
3128/tcp open squid-http
8082/tcp open blackice-alerts
8200/tcp open trivnet1
9091/tcp open xmltec-xmlmail
9100/tcp open jetdirect
9998/tcp open distinct32

I have "Allow SSH access from WAN" set to No, open anyway. Same with "Enable Web Access from WAN" set to No, allows it anyway.

lol, you need to use an external service to test your firewall, like ShieldsUp
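As an added example (not code from the thread), the triage a defender would run on a scan taken from outside the network, with the nmap listing pasted above embedded as sample input and the port labels being this example's own. A scan of your WAN address run on the router itself, as in the post above, is delivered locally and never crosses the rules on the WAN interface, which is why SSH and the web UI show as open there even with both WAN-access options set to No; only a scan from an external host (or a service such as ShieldsUp) reflects what the Internet sees.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads nmap's normal output and
# flags open TCP ports that this thread treats as dangerous when they answer
# on the WAN side. Run the scan from OUTSIDE your network and pipe it in.

# Sample copied from the thread's post (a scan run on the router itself).
SAMPLE='PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
515/tcp open printer
3128/tcp open squid-http
8082/tcp open blackice-alerts
8200/tcp open trivnet1
9091/tcp open xmltec-xmlmail
9100/tcp open jetdirect
9998/tcp open distinct32'

# port:label pairs; the labels are this example's own wording.
WATCH="21:ftp 139:smb 445:smb 22:ssh-admin 80:web-admin 443:web-admin"

# Read nmap output on stdin; print "port label" for each open TCP port in WATCH.
flag_open_ports() {
    awk -v watch="$WATCH" '
        BEGIN {
            n = split(watch, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); label[kv[1]] = kv[2] }
        }
        $2 == "open" {
            split($1, pp, "/")
            if (pp[2] == "tcp" && (pp[1] in label)) print pp[1], label[pp[1]]
        }'
}

# Wrappers around the embedded sample (used for the demo below).
flag_sample() { printf '%s\n' "$SAMPLE" | flag_open_ports; }
flag_sample_count() { flag_sample | wc -l | tr -d ' '; }

# Real use, from a host outside your network:
#   nmap --open ROUTER_WAN_IP | sh -c '. ./triage.sh; flag_open_ports'
# Demo on the sample:  sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    flag_sample
fi
```

Anything the script prints for an external scan is a listener the firmware has exposed regardless of what the UI options claim, and is the first thing to switch off or block.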
 
Wow, thank you very much for your replies. I just found out about these vulnerabilities and I have to say I'm in awe. It really changes the idea I had about ASUS.

And Netgear. And Linksys. And DLink. And ...

The truth is, most of these home devices get next to no security testing by their manufacturers. Heck, they even shipped devices with backdoors in them (DLink recently made the news there).

The only way to get something really tested for hardened security is to go with a business-class product. Otherwise... Disable any kind of file sharing service on your router, and leave it as what it was originally intended to be used: a router/firewall. And hope for the best.
 
I agree about using it as a router/firewall. Never understood using USB for file sharing, for example, which is slow and touchy. Better to take that old piece of hardware lying around and build a NAS. Goes for trying to download from the router as well. Better ways to do it. Look through the forums and see how poorly this works.
--bill
 
So, someone is actively scanning the Internet for open ports?
My, what a world we live in.
And much more...
The Internet is as safe as a conversation between two people in e.g. the train (other passengers may hear you), or sending a postcard to someone else (the postman can read what you wrote). As long as there is nothing to hide, you shall not worry.

And actively scanning ports is like trying every door in the street to see if one is left open, or trying the set of master keys on those doors and seeing if one door uses cheap, easy-to-compromise locks.

Software and devices with access rights are like buying the locks for your house. Who guarantees that the locksmith doesn't keep a key to your expensive, highly secure locks? Or that the garage doesn't have a magic remote control for your car doors to open them the moment you left the keys in?

The Internet does not bring guaranteed privacy, but you can make it more difficult for everyone to step into your privacy, just like you still lock your doors and windows; that's it, folks.
You can create privacy: make an appointment on the wide open beach and discuss your business there :)
 
