Weird website issue - seem to be something with the router..

New router delivered, flashed with Merlin and it seems to be working fine. The issue with that website coming up is gone, overall traffic seems a little faster than with the 1900P.

Is it worth it to send the 1900P into Asus to have it repaired?
 
....
Is it worth it to send the 1900P into Asus to have it repaired?

I thought the final diagnosis by dave14305 was that it needed an exorcist, not an IT specialist?

Glad you’ve got it sorted and are happy with the outcome.

So I guess we’ll never know what the problem was? Where do you live? Maybe someone will offer to try and get to the bottom of it if the shipping charges are low? Someone who’s not afraid of spirits.
 
New router delivered, flashed with Merlin and it seems to be working fine. The issue with that website coming up is gone, overall traffic seems a little faster than with the 1900P.

Is it worth it to send the 1900P into Asus to have it repaired?
Since it was a Newegg refurb 2 years ago, not sure what your options are. I would personally take it apart and look for anything unusual inside, like an extra memory card with malware (I'm obviously reaching for a physical explanation for that behavior).

Or you could spit into the wind and clone the MAC from the 1900 to the 86U and see if the problem returns.
 
Since it was a Newegg refurb 2 years ago, not sure what your options are. I would personally take it apart and look for anything unusual inside, like an extra memory card with malware (I'm obviously reaching for a physical explanation for that behavior).

Or you could spit into the wind and clone the MAC from the 1900 to the 86U and see if the problem returns.

Personally I think there's a more logical reason to this. The chances of getting a router with pre-installed persistent malware are quite unlikely, I've never heard of a single case in the 5+ years I've been actively involved in the Asus ecosystem. The fact it only affects one obscure (talent agency?) website homepage the OP happens to visit only furthers the improbability, if the OP is that (un)lucky his next purchase should be a lottery ticket. Any malware that's allegedly this sophisticated would do a lot more harm than redirect one random website to an obvious fake chemist website.

To add to this there is a lot of conflicting information, all the diagnostics show the router isn't the cause. But with that being said, I don't have an answer to what is going on if all the information provided is to be taken at face value. :rolleyes:
 
Personally I think there's a more logical reason to this. The chances of getting a router with pre-installed persistent malware are quite unlikely, I've never heard of a single case in the 5+ years I've been actively involved in the Asus ecosystem. The fact it only affects one obscure (talent agency?) website homepage the OP happens to visit only furthers the improbability, if the OP is that (un)lucky his next purchase should be a lottery ticket. Any malware that's allegedly this sophisticated would do a lot more harm than redirect one random website to an obvious fake chemist website.

To add to this there is a lot of conflicting information, all the diagnostics show the router isn't the cause. But with that being said, I don't have an answer to what is going on if all the information provided is to be taken at face value. :rolleyes:

What information did you find conflicting?
A few corrections to note.
a. The website that I was redirected to was legitimate. This was the url that the 1900P was returning for that talent company website: https://www.spiceoflifepharmacy.com/?search=cialis
b. I checked the router for malware and it was clean.
c. The same result happened not only on multiple websites, but an Android device. Then I ssh into the router and pulled down html - it was of that pharmacy site.

A few things I noticed since replacing the router:
a. CPU usage is much less than it was before and as such temperatures are lower.
b. Immediately upon installing this router - it pulled a new IP address from the cable modem, whereas the previous unit through many different reboots, resets and firmware installs maintained the same WAN IP. It was only when I installed DD-WRT that it changed. When I reloaded the Merlin firmware after DD-WRT the router was still pulling the same IP address, it reverted to what it had before.

If I had to take a SWAG (scientific wild butt guess) at the problem, it sounds like a portion of the flash memory is corrupt. Not enough to affect overall operation of the modem but at some level there is data in the unit that is corrupted and it cannot be erased or re-written.

I did take the time to crack the unit open and I see two things that alarm me.
1. The white corrosion on the back of the mainboard.
2. What looks like a fluid stain on the heatsink.
Did this thing get wet sometime in its life?
[Attached images: 1900P.jpg, 1900P_2.jpg, 1900P_3.jpg]
 
b. Immediately upon installing this router - it pulled a new IP address from the cable modem, whereas the previous unit through many different reboots, resets and firmware installs maintained the same WAN IP. It was only when I installed DD-WRT that it changed. When I reloaded the Merlin firmware after DD-WRT the router was still pulling the same IP address, it reverted to what it had before.
We had asked you previously to ensure that the router picked up a new IP address (e.g. by cloning) and you said you would do that by powering off your cable modem for 20 minutes. So it sounds like you never tested that as the cause of your problem (if I understand what you mean by "it reverted to what it had before").
 
We had asked you previously to ensure that the router picked up a new IP address (e.g. by cloning) and you said you would do that by powering off your cable modem for 20 minutes. So it sounds like you never tested that as the cause of your problem (if I understand what you mean by "it reverted to what it had before").

I was thinking about this also. Doesn't make sense that it keeps getting the same IP address.

When I was on cable you had to change the MAC Address and Power cycle to get a New IP.
 
We had asked you previously to ensure that the router picked up a new IP address (e.g. by cloning) and you said you would do that by powering off your cable modem for 20 minutes. So it sounds like you never tested that as the cause of your problem (if I understand what you mean by "it reverted to what it had before").
That coincided with me flashing DD WRT to the router - and then with the same MAC address it did pick up a new WAN IP. So at that time - I was under the impression it was working as it should and wasn't an issue with the ISP.

When I flashed back to Merlin 384.13 it showed the original IP address it had before the flash - that was the time I decided to order a new unit.
 
I was thinking about this also. Doesn't make sense that it keeps getting the same IP address.

When I was on cable you had to change the MAC Address and Power cycle to get a New IP.
I am on Charter Spectrum - looks like they run lease times as little as 6 hours, and the IP is not tied to the MAC address. Looking back at my speed test through dslreports.com - I see three different IP addresses.
 
Even though they were on sale at Amazon that was $170 I didn't really want to spend.
Since we could never get to the root cause, you have to be careful that the new router remains locked down. There could still be something on your LAN that is infecting your network in some way. Be content with a newer, faster router. But don't be confident that the issue is resolved.
 
When I flashed back to Merlin 384.13 it showed the original IP address it had before the flash - that was the time I decided to order a new unit.
It would have been helpful to test it with a different WAN IP address as that is the only thing I can think of that might make a difference that you haven't tested.
 
I can retest the unit - getting very good at swapping it out. I will change the MAC to reflect the same one as the new router and see what happens? Or is there another parameter I should use?
 
I can retest the unit - getting very good at swapping it out. I will change the MAC to reflect the same one as the new router and see what happens? Or is there another parameter I should use?
I suggest you try it with the MAC address of your new router as you know that works OK.
 
I tried it with both the MAC of the new router and then cloned the MAC of the PC I am on and it seems to be having. The old MAC address continued to give me the same IP, trying the other two I am getting different DHCP duration but the site traffic anomaly is gone.
Tried to call Charter/Spectrum to see if my MAC address had a blacklist or a problem, they didn't know what I was talking about.
So I guess I just keep the AC-1900P and run a spoofed MAC on it?
 
I tried it with both the MAC of the new router and then cloned the MAC of the PC I am on and it seems to be having. The old MAC address continued to give me the same IP, trying the other two I am getting different DHCP duration but the site traffic anomaly is gone.
Tried to call Charter/Spectrum to see if my MAC address had a blacklist or a problem, they didn't know what I was talking about.
So I guess I just keep the AC-1900P and run a spoofed MAC on it?
Did you get a new IP when you cloned the MAC? You only refer to dhcp duration (presumably lease time). I can imagine different behavior based on source IP but not MAC address since MAC isn’t shared outside your Ethernet network.

The day may come when that IP comes your way again even with the new MAC or new router.

Have you considered running AiMesh with the 86U as the router and 1900ac as the node?
 
I tried it with both the MAC of the new router and then cloned the MAC of the PC I am on and it seems to be having.....
...Tried to call Charter/Spectrum to see if my MAC address had a blacklist or a problem, they didn't know what I was talking about....
You might want to edit the end of your first sentence to read “seems to be behaving”.
(And you might want to edit the penultimate sentence to forestall any wit here having a good-natured dig. ;) )
So thanks to Colin, you don’t need to call on Ghostbusters.
 
Did you get a new IP when you cloned the MAC? You only refer to dhcp duration (presumably lease time). I can imagine different behavior based on source IP but not MAC address since MAC isn’t shared outside your Ethernet network.
I tried it with both the MAC of the new router and then cloned the MAC of the PC I am on and it seems to be having. The old MAC address continued to give me the same IP, trying the other two I am getting different DHCP duration but the site traffic anomaly is gone.
Tried to call Charter/Spectrum to see if my MAC address had a blacklist or a problem, they didn't know what I was talking about.
Assuming you're talking about IP addresses as @dave14305 pointed out, this would strongly suggest that this is caused by something outside your network. Searching on the internet it appears that Charter/Spectrum has previous form in hijacking people's web traffic and redirecting to their own search pages so I'm wondering whether it's related to a mis-configuration of that process. Alternatively the "hero's" site might be infected with malware, if not directly but indirectly through embedded ads. Either way it's probably something you're not in a position to fix.

So I guess I just keep the AC-1900P and run a spoofed MAC on it?
You would only need to spoof the MAC address if you wanted to connect it directly to your modem, to avoid this problem. If you were to use the AC-1900P elsewhere on your LAN you should leave the MAC address alone to avoid any confusion or conflicts with other devices.
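
Added example, not written by any poster in this thread: in the swaps described above the WAN MAC and the WAN IP always changed together, so the trials alone cannot say which one the redirect follows. The sketch below flags off-site redirects in raw HTTP responses and shows how one extra trial (old MAC, new lease) separates the two factors; all hostnames, MACs, IPs and responses are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed raw responses and placeholder hostnames (not captures from the thread).
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>Agency</title></html>"
HIJACK_302 = "HTTP/1.1 302 Found\r\nLocation: https://pharmacy.example/?search=x\r\n\r\n"
HIJACK_META = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               '<meta http-equiv="refresh" content="0; url=https://pharmacy.example/">')
SAME_SITE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.agency.example/\r\n\r\n"
META = re.compile(r'<meta[^>]+http-equiv=["\']?refresh[^>]*?url=([^"\'>\s]+)', re.I)

def redirect_target(raw, url):
    """Absolute URL the response sends the client to (30x or meta refresh), else None."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = dict((k.strip().lower(), v.strip())
                   for k, v in (h.split(":", 1) for h in header_lines if ":" in h))
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    m = META.search(body)
    return urljoin(url, m.group(1)) if m else None

def is_off_site(raw, url):
    """True when the response redirects to a host other than the one requested."""
    host = lambda u: re.sub(r"^www\.", "", urlsplit(u).hostname or "")
    target = redirect_target(raw, url)
    return target is not None and host(target) != host(url)

def tracking_factors(trials, url, factors=("wan_mac", "wan_ip")):
    """Factors whose values never occur in both an anomalous and a clean trial."""
    result = []
    for f in factors:
        bad = {t[f] for t in trials if is_off_site(t["raw"], url)}
        good = {t[f] for t in trials if not is_off_site(t["raw"], url)}
        if bad and not (bad & good):
            result.append(f)
    return result

URL = "https://agency.example/"
OLD_MAC, NEW_MAC, PC_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
TRIALS = [  # constructed: MAC and IP change together, as in the swaps described above
    {"wan_mac": OLD_MAC, "wan_ip": "203.0.113.10", "raw": HIJACK_302},
    {"wan_mac": OLD_MAC, "wan_ip": "203.0.113.10", "raw": HIJACK_META},
    {"wan_mac": NEW_MAC, "wan_ip": "198.51.100.7", "raw": CLEAN},
    {"wan_mac": PC_MAC, "wan_ip": "198.51.100.9", "raw": CLEAN},
]
# Hypothetical extra trial that splits the two factors: old MAC, but a fresh lease.
SPLIT = TRIALS + [{"wan_mac": OLD_MAC, "wan_ip": "198.51.100.23", "raw": CLEAN}]
```

With only the confounded trials both factors are reported; once a trial with the old MAC on a different lease comes back clean, only `wan_ip` remains.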
 
