Was my router's username and password hacked?

It's set to be off by default, but if you want to check, go to Administrator->System->Enable Access from WAN, change it to "no" then apply. Since you are using Google DNS, you can turn on DNSSEC in LAN-> DHCP server-> Enable DNSSEC support-> yes->apply. If you are using AiProtection, you can use it to help secure your router by going to AiProtection->Network Protection->Router Security Assessment->Scan, and it should tell you what you can do to secure your router; by clicking on each item, it might redirect you to the specific setting.
Thank you Wuticorn, just what I needed! :)
 
I guess I should consider myself lucky because up until mid-Nov I had the https gui open to the internet. I did carelessly leave ssh with password login open, and when I looked at my log last night, it was getting hammered way more than I had ever seen.

The whole discussion about not leaving these kinds of services open is interesting because most people will keep them closed because they either have no knowledge of them, or they are aware of the potential for vulnerability. It's people like myself who have some knowledge and understanding but don't dig deep enough to realize that some implementations of a secure protocol can be very weak.

Perhaps a pertinent question is if the ASUS version of https is that weak (what hole will be found next?), maybe ASUS should just remove the option to expose it to the internet?
 
Not everyone's "WAN" is actually the raw, unfiltered Internet. In my case for instance, if I need to test something on a router, I plug it within my LAN. Since my laptop sits on that same LAN, it means I need to enable WAN access on that device getting tested.

In a double NAT network, or when cascading routers, it might be useful to have access to the device from its WAN side.
 
Here you have one more affected router (RT-AC88) with RMerlin FW 380.62_1.
Yesterday I saw the same entries in my Asus router log (dropbear access). I had the WebUI open to the WAN, but not SSH.
In my case, I saw those entries since Jan 1.

I only had time to save the output logs and upgrade to the latest RMerlin FW version, restore defaults, and format JFFS.
 
Hi everyone! My RT-AC88U with stock-firmware has also been hacked, so I can confirm it has nothing to do with Merlin. I was unaware of the intrusions until last week (9/2) when my ISP contacted me about attempts to access some of their services through SSH.

It was a shock to find out that I've been having unwanted visitors for a month, starting 10/1 from what I can tell, when someone logged in to dropbear on the first attempt. And I always use strong unique passwords and I'm almost 100% sure it wasn't compromised by a virus or malware. I guess my mistake was to have web access to the WAN enabled. I thought it would be safe considering my strong password :( But I can't remember enabling telnet or SSH, which was now open on port 2222. I also haven't been using AiCloud or AiDisk. I've been using the router app for iPhone, not Android.

When my ISP contacted me I was running version 3.0.0.4.380.4180 released late December with the security fix for dropbox. But I'm not really sure when I updated to that version, it could be after the initial attack 10/1. In my logfile it seems like the router restarted about 4 hours before the first login (since the date according to the log was Aug 1 which I believe means a restart). Is it possible to somehow see when the FW was updated?

I see some suspicious things in my log but luckily I can't find any executed commands like someone in this forum had. I don't know if they managed to break through to my computers, but since my anti-virus doesn't find anything I hope my files were left alone. But around 1/2 my system drive (SSD) crashed and I don't know if that got infected. I mean the drive really CRASHED, I can't reinstall it since it's not found by the system. I guess this is just a coincidence and has nothing to do with the attacks.

I hope everything is fine with the router now. I disconnected it from the WAN and updated to the latest FW released a couple of days ago and I also wiped the nvram.

Best regards
Håkan
 
Thanks for your post @Datamupp, that's useful information, particularly that it's confirmed that it's not Merlin-specific.

The information from your ISP is interesting as well. It possibly suggests that once the router has been compromised it starts looking for other devices it can infect on the WAN side, typical botnet behaviour.

Anyway, it looks like you've sorted it out now and I'd agree that the SSD is probably just a coincidence.

Thanks again for the info.
 
That confirms our hypothesis. I was hoping you didn't factory reset the router yet, so that we might be able to report this directly to Asus, since none of the others, who have been hacked, used stock firmware.

For your SSD, I doubt that it is related to this attack.

Did you save your system log before doing the NVRAM wipe?
 
Well, I actually didn't press the "factory reset" button before I wiped the NVRAM, but all my settings were gone so I guess it's the same thing. But I did save the system log. I also have a small part of the logfile my ISP sent me. Are you interested in anything special in the log? I'm not very experienced in telnet/ssl/linux etc so I don't understand everything in the log. But I've learned a lot this week :) Last week I had no idea what BusyBox, Dropbear, Klogd, NVRAM, jffs etc were :)
 
Hopefully you have changed the default username and password, as the default user is admin.

As you noticed I never changed the default username. I thought a strong password was good enough. But after the reset I've changed both username and password and of course turned off access from WAN :)
 
Did this ever get solved? I've a couple of other points to raise, if not. They may or may not be related.

I've seen a number of posts suggesting that closing off access from the outside internet should make you safe. Netgear had a big vulnerability in December, where a web page with an embedded hyperlink of the form http://192.168.1.1/cgi-bin/blah-blah could execute code. This was used to take over the router. ASUS may have been vulnerable to this at some point in the past. At one time, you could enable Telnet on an ASUS with the following: http://192.168.1.1/telnetd.cgi?enable=1. Perhaps those who have been hacked clicked on a URL (metaphorically) like http://192.168.1.1/ssh.cgi?enable_to_outside_world=1

Totally different idea: I may have been hit by something related on my Ubuntu WEB server. About a month ago, I failed to ssh to it. My only open services on that box were ssh and http. I discovered that someone had moved my sshd from port 22 to port 2222. I could find no other changes on the box. I wiped the box and rebuilt it, so I don't have the data. It is *probably* unrelated, but since it moved ssh from 22 to 2222 and that's what happened here, I thought I'd mention it.
 
Again - don't expose ports/services...

Seriously - deep is the rabbit hole here... and there are a few GitHub gists on how to update/manage devices remotely...
 
Hello,

If you care about your router's safety, PLEASE DO NOT open a WAN port for remote access; even the newest Merlin fw is exposed to the exploit, as is the stock firmware. And it applies to all ASUS/Merlin/other forks, not only to the ASUS routers (for example a customized R7000). They are all hackable.

Use a VPN, or at least not the default port, so scanners don't see you so easily.
 