Was my router's username and password hacked?


It was -10C here today, too cold to wear t-shirts.
 
Agreed, baidu is not a good website; for some reason my Chinese IP camera was connecting to baidu.com thousands of times a month, and I'm considering throwing that thing away. But for now, I have baidu in the blacklist. I should also add hao123.com. I'm curious why you put kapook.com on the blacklist? Are there many things for entertainment there? Is it dangerous or just annoying? Btw, I live in the same province as you.

I also doubt that RMerlin will be the cause of this. I also think that if I were running AsusWRT stock firmware, I wouldn't care whatsoever about what is in the changelog, or whether the SSH setting has been changed, or even about opening the WebUI.

Hi @Wutikorn
The reason kapok.com is on the blacklist is that the sites I support are a children's home for 30 orphans along with a grade school. The leadership team asked me to blacklist it. I guess the kids were spending a lot of time on the site, and they deemed the content not appropriate for them. Maybe it is because some of the girly pictures on the site show too much cleavage? 555

Regarding Baidu, even though it has been blacklisted for a while now, it still ranks as the top blocked site on the OpenDNS stats page at the school. This tells me there may be malware on the clients that keeps trying to talk to baidu. I have seen the teachers download freeware from the site. I cleaned up the school workstations but can't do anything about their personal clients. I am researching installing the Netflow plug-in from entware called "ipcad" to pull data, then using something like SolarWinds Free Netflow Traffic Analyzer to see the offending clients, then working with them to remove any malicious software.

Glad to know you are in the same province. I see others in the forum from Land of Smiles as well. Maybe we need to have a snbforums gathering sometime soon?
 
380.64_1 was uploaded to Mediafire, and published on the update server. I backported Asus's security fixes from 4180 (now that I was able to fix the webui pages those fixes were breaking), as well as the additional fixes I mentioned previously in this thread. Note that I have no idea if all of these fixes will address the security issues reported here, since I have no information as to which security hole was exploited here.

Use the Check button on the FW update page to be taken directly to the download location.
 
I think it's a brute force attack...

How can I get these login logs for HTTP/HTTPS? I can only see telnet and SSH on the system log page.
 
Thanks. Will leave the hacked box now and update.
 
And to be sure, we should restore to factory settings + format the JFFS partition and then make the update?
 
Well my mind has been "plugged-in" to the router so it feels like living in the MATRIX... Thanks for reminding me about the real world. =)
 
Kapok blacklist now makes sense to me. Baidu troubled me badly; its apps are, most of the time, not malware but PUPs, which can avoid detection by most antivirus. So now I have both McAfee (I use it as it costs less than $20 a year for unlimited devices and has a not-too-bad detection rate) and Malwarebytes to help when users do not know how to uncheck the extra apps when installing software. I haven't seen other Thais yet except you. At least this vulnerability allowed me to learn that someone in Thailand is also running Merlin firmware. I tried to spread my experience, but many people don't have supported firmware, as the AC68U is too expensive here and the AC56U is not imported to Thailand.
I think it should be in the system log as well. However, that is a different case from what we faced. What that case was showing is that the attacker was trying to use known default user/pass sets to log in to the router, but that won't get him/her into my router as I don't use the default username or password.
 
This hack did get non-default login/passwords right, it seems. So that would also grant access to the UI of the router. But apparently that was not the intention of the hack.
 
A web search for "defcon 18 - craig heffner - how to hack millions of routers" will give you a link to a PDF and videos of a 35-minute presentation on this topic. It is a 2010 presentation, and one would hope that manufacturers have plugged the DNS rebinding security flaw by now. At the end, there are some tips to secure the router, all of which have been written about in the forum. One of the suggestions is to block incoming traffic from ISP ranges by creating a firewall rule. For example:

# Drop packets arriving on the WAN interface (eth0) whose source address is in the ISP's block
iptables -A INPUT -i eth0 -s 172.69.0.0/16 -j DROP

One would need to find out the IP block ranges used by their ISP for this to work. Is something like this recommended if we have all external connections turned off? Does the built-in firewall take care of this?
 
DNS Rebinding security flaw by now.

dnsmasq fixed that a few years ago. Routers like Asuswrt are fine; however, there are a number of manufacturers out there still running prehistoric versions of dnsmasq, which are possibly still vulnerable.
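What the dnsmasq fix referred to here does (its stop-dns-rebind option, with rebind-domain-ok for internal zones), written out as an added Python example; this is not dnsmasq's code, and the hostnames and addresses are constructed.

```python
import ipaddress

# Added example, not dnsmasq's code. A rebinding attack first resolves an
# attacker-controlled name to a public address, then re-resolves it to the
# router's LAN address so the victim's browser carries its same-origin
# permission over to the router's web interface. An upstream (public) resolver
# should never return these ranges for a public name, so such answers are dropped.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_private_answer(addr: str) -> bool:
    """True if addr lies in a range a public name must not resolve to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def _under(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it (case-insensitive)."""
    q, d = qname.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def filter_answers(qname: str, answers: list[str],
                   rebind_domain_ok: tuple[str, ...] = ()) -> dict:
    """Screen the upstream answers for qname.

    Names under a domain in rebind_domain_ok are exempt, like dnsmasq's
    rebind-domain-ok= option for internal zones that legitimately hand out LAN
    addresses. Returns the answers to pass on, the answers dropped, and whether
    a rebinding attempt was suspected.
    """
    if any(_under(qname, d) for d in rebind_domain_ok):
        return {"kept": list(answers), "dropped": [], "suspected_rebind": False}
    kept = [a for a in answers if not is_private_answer(a)]
    dropped = [a for a in answers if is_private_answer(a)]
    return {"kept": kept, "dropped": dropped, "suspected_rebind": bool(dropped)}


if __name__ == "__main__":
    # Constructed second-stage answer of a rebinding attempt: a public address
    # alongside the router's LAN address.
    print(filter_answers("attacker-controlled.example", ["203.0.113.10", "192.168.1.1"]))
    # Constructed internal zone that is allowed to return LAN addresses.
    print(filter_answers("nas.home.lan", ["192.168.1.20"], rebind_domain_ok=("home.lan",)))
```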
 
May or may not be relevant.

A couple of weeks ago I noticed that the various lights on the router were pretty much constantly on. I do not believe this was normal. This occurs with only 1 PC not doing anything in particular and an Ooma VOIP box. I do not use the default user/psw. I really don't know about the settings under discussion being available to the web. But I believe I at least had it set up to allow a telnet connection.

A few days ago I tried to log into the router via the LAN. I kept getting back "problem - try later" messages. Tried several times. Then I was able to log in. My thought was "who knows why". However, when I tried to access it again, I was once again rejected. Many tries have not gotten me in. I was intending to install 380.6x at the time. My take on this was that maybe someone had taken over my router and was using it for spam or DDOS uses. I have seen information that this was a fairly widespread activity in small local net-connected devices (e.g., cameras and household devices). Either changing the user/psw or simply using all of the router resources could keep me out. I have not specifically noticed problems using the router. Sometimes there are rather long times for a web site to respond; but that is not unique.

As a result I want to clean everything out and do a fresh install of 380.64 to try to resolve this.
 
I took a look at RMerlin's current git repo - some good changes there that could help...

What I can say is that the http server itself is pretty brittle - I was able to break into an older non-RT-AC68 series one time - it was a one off, but during that session I was able to spelunk around inside the other nodes that were attached.

I've said this a couple of times earlier - and others have as well - do not expose the WebGUI to the WAN, folks are looking at it for other potential issues, but it's a big chunk of code that does a lot of different things, and it does it, by nature of configuring the device, with elevated privileges...

@RMerlin - saw your checkin here... I think this is a good change... but that's assuming 63 chars in ISO-Latin or UTF-8

Normally hostname is limited to 64 bytes for POSIX, the FQDN can be longer at 255 bytes - so dnsmasq should be able to handle it, but there's other items that might not...
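The point about 63 characters versus bytes above, as an added Python example (not RMerlin's checkin, which is not on this page): a validator that applies the RFC 1035 label and name limits in UTF-8 bytes rather than characters; the sample names are constructed.

```python
import re

# Added example, not the firmware's code. A buffer sized for 63 characters of
# ISO-Latin text holds 63 bytes, but a 63-character UTF-8 hostname can be up to
# 252 bytes long, so the limits are applied to the encoded length.
MAX_LABEL_BYTES = 63   # RFC 1035: each dot-separated label is at most 63 octets
MAX_NAME_BYTES = 253   # RFC 1035: 255 octets on the wire leaves 253 for the dotted text form
# Letters, digits and hyphen, not starting or ending with a hyphen (RFC 952/1123).
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problems(name: str) -> list[str]:
    """Return every reason `name` is not a safe hostname or FQDN; empty means it passes."""
    problems = []
    stripped = name.rstrip(".")           # a trailing dot only marks the root
    total = len(stripped.encode("utf-8"))
    if total > MAX_NAME_BYTES:
        problems.append(f"name is {total} bytes, limit {MAX_NAME_BYTES}")
    for label in stripped.split("."):
        nbytes = len(label.encode("utf-8"))
        if nbytes > MAX_LABEL_BYTES:
            problems.append(f"label {label!r} is {nbytes} bytes ({len(label)} chars), "
                            f"limit {MAX_LABEL_BYTES}")
        if not LDH_LABEL.match(label):
            problems.append(f"label {label!r} is not letters/digits/hyphen, "
                            f"or starts/ends with '-'")
    return problems


if __name__ == "__main__":
    # Constructed samples: a 40-character name that is 80 bytes in UTF-8, and an FQDN
    # exactly at the text-form limit.
    print(hostname_problems("\u00e9" * 40))
    print(hostname_problems(".".join(["a" * 63] * 3 + ["b" * 61])))
```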
 
BTW
Try the AiCloud for a change. An even bigger door.
 
