Nullity
Very Senior Member
You changed the admin username? I thought the admin username was kinda hard-wired.
Is the admin username non-existant on your device?
You changed the admin username? I thought the admin username was kinda hard-wired.
Is the admin username non-existant on your device?
I can make my logs available. Password info is outdated now of course. Logs include errors from ROP and SSH activities. If there's any other log info not displayed through the web UI , please point them out to me (Linux n00b) and I'll make them available for investigation.
Also, I could re-establish the SSH connection on port 16161 to use as honey pot if someone helps me out in setting the traces.
Just let me know if this would help... Someone must sacrifice for the greater good
Verstuurd vanaf mijn SM-G935F met Tapatalk
Wutikorn
Senior Member
Yeah, I believe not many people will have WebUI opened to WAN, but 4 reports in a week are not that small in population. However, if you have sum all questions up, we would be happy to answer it if any want it.
They manage to restart the service before authentication takes place?
Wutikorn
Senior Member
I didn't use default admin username. In fact, my username also has capitalized characters which the attacker has that info too as seen from my logs.
I also changed the admin username from when I first got the router 2.5 years ago.
RMerlin
Asuswrt-Merlin dev
The series of services restarted is identical to what is found on the Advanced_System_Content.asp page. That implies a separate web connection most likely, which changed and applied changes on that specific page.
john9527
Part of the Furniture
But that would imply an attack vector that allows them to either bypass httpd password authorization or get the password via some other means. And if they could do that, why do the initial dropbear connect unless it facilitates one of those attacks? This one is still nagging at me.
sfx2000
Part of the Furniture
My best guess would be that Dropbear gives them an interactive shell that they can do whatever is needed... not uncommon.
john9527
Part of the Furniture
But then we are back to my original 'nag'.....why no password auth for dropbear?
dilantin22
New Around Here
I saw something similar by eddiez in the SNB ASUSWRT subforum. Quick question, is this hack/exploit mainly seen in Merlin/non-stock ASUSWRT builds or is there a chance it's in factory firmware also? I'm running the latest 3.0.0.4.380_4180 on an AC66
Just asking so I can be better informed. I'm a security novice, but trying to follow some of this in the thread. I've been checking my settings and I think I've been following most of your suggestions since day one. Let me know if there is more things I can check for. I apologize if this is the wrong thread since it's in the Merlin subforum.
Just asking so I can be better informed. I'm a security novice, but trying to follow some of this in the thread. I've been checking my settings and I think I've been following most of your suggestions since day one. Let me know if there is more things I can check for. I apologize if this is the wrong thread since it's in the Merlin subforum.
1. username/password are completely different. I don't use "admin" as username.
2. In Administration>Enable telnet "NO"
3. In Administration>Enable web access from WAN "NO"
4. In WAN>Internet Connection tab> Enable WAN "Yes"
5. In WAN>Internet Connection tab> Enable NAT "Yes"
6. In WAN>Internet Connection tab> Enable UPnP "NO"
7. AiCloud and any services like that have been disabled since day 1. DDNS disabled too.
8. I used ShieldsUP and I didn't find any open ports, even on 22, 2222, or the 16161. Everything was "stealth"
9. I used Fing on iOS to scan for services directly on the asus router and only thing I saw open was ports 53, 80, 515 (printer spooler lpd) and 9100 (jetdirect - HP JetDirect card). My printer is not attached via usb. Only via WiFi.
10. I have used the Asus router app on iOS, but I logged into it via 192.168.x.x. Never remotely.
11. No IoT devices like cameras, sensors, thermostats, etc on my network.
2. In Administration>Enable telnet "NO"
3. In Administration>Enable web access from WAN "NO"
4. In WAN>Internet Connection tab> Enable WAN "Yes"
5. In WAN>Internet Connection tab> Enable NAT "Yes"
6. In WAN>Internet Connection tab> Enable UPnP "NO"
7. AiCloud and any services like that have been disabled since day 1. DDNS disabled too.
8. I used ShieldsUP and I didn't find any open ports, even on 22, 2222, or the 16161. Everything was "stealth"
9. I used Fing on iOS to scan for services directly on the asus router and only thing I saw open was ports 53, 80, 515 (printer spooler lpd) and 9100 (jetdirect - HP JetDirect card). My printer is not attached via usb. Only via WiFi.
10. I have used the Asus router app on iOS, but I logged into it via 192.168.x.x. Never remotely.
11. No IoT devices like cameras, sensors, thermostats, etc on my network.
We don't know yet. Is has been observed 4 times now, all with non-stock builds. But that might be the tip of the proverbial iceberg since we tend to check these logs and stuff a bit more than the average consumer who checks in twice year to adjust his parental settings.
dilantin22
New Around Here
Thanks for the info. I guess I'll keep a close eye in this thread for anything new. I hope you all figure it out soon. Glad to be apart of such an advanced community even as the newb I am.
Indirectly related.
I have ssh access via the WAN enabled but have disabled password login (I use keys). I've also enabled brute force protection and changed the default login name from 'admin'. I then use port forwards etc. aas a SOCKS5 proxy and others.
Is this considered safe? Should I look at setting up a VPN server? I'm much more familiar with ssh.
Another question. Is dropbear considered safe enough? Should I be using openssh-server (via Entware) instead?
Thanks
Edit: I have disabled telnet and web access from WAN.
I have ssh access via the WAN enabled but have disabled password login (I use keys). I've also enabled brute force protection and changed the default login name from 'admin'. I then use port forwards etc. aas a SOCKS5 proxy and others.
Is this considered safe? Should I look at setting up a VPN server? I'm much more familiar with ssh.
Another question. Is dropbear considered safe enough? Should I be using openssh-server (via Entware) instead?
Thanks
Edit: I have disabled telnet and web access from WAN.
RMerlin
Asuswrt-Merlin dev
If they accessed the Advanced_System page, it means they could either change the password to anything they wanted, or retrieve the existing password, and use that to login over SSH to gain a shell access, and do what they wanted to do.
My guess is that the web exploit is allowing them to bypass authentication at the webui level, or to retrieve the stored login credentials.
sfx2000
Part of the Furniture
It's not the advanced system page... that's the target that they're aiming for, but to get there - they have to smash the webserver... (or find another way in...)
Do I get a t-shirt for this?
RMerlin
Asuswrt-Merlin dev
And that's what I wrote in the last sentence you quoted from my post.
tomsk
Very Senior Member
Does that mean you get the t-shirt?
RMerlin
Asuswrt-Merlin dev
It was -10C here today, too cold to wear t-shirts.
Similar threads
Similar threads
Similar threads
-
-
AX88U Pro (3004.388.5) suddenly rebooted mid-day. Last manual reboot was a few days ago.
- Started by theirongiant
- Replies: 0
-
-
-
(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)
- Started by nbjam
- Replies: 2
-
-
Question about Asus Merlin Router behind a firewalla?
- Started by AsusRouterUser
- Replies: 8
-
Prevent client from connecting to router but allow connection to internet via access point
- Started by swbrains
- Replies: 4
-
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
- Started by PaulA
- Replies: 1