What does this log mean? someone can login my router easily?

pattiri

Senior Member

Hello All,

I'm a new user, and if I created this topic wrongly, sorry about that.

I'm using Merlin firmware 380.64 on my Asus RT-AC88U and saw the logs below:
Dec 31 15:10:00 dropbear[16332]: Child connection from 109.74.34.63:43600
Dec 31 15:10:07 dropbear[16332]: Password auth succeeded for 'admin' from 109.74.34.63:43600
Dec 31 15:10:56 dropbear[16510]: Running in background
Dec 31 15:11:36 dropbear[16619]: Child connection from 109.74.34.63:48315
Dec 31 15:12:05 dropbear[16619]: Exit before auth (user 'admin', 0 fails): Exited normally

I saw similar logs last week too and changed my password. After that I saw these as "auth failed", but it seems he/she can connect again easily.

Access from WAN is allowed for HTTP and HTTPS, but when I connect to the web interface from WAN no logs are dropped.

What do these logs mean?

Thanks for your help
 
Those are logins via SSH, which appears to be enabled from WAN in Administration / System.
It is generally a very bad idea to allow access to the WebUI and SSH from WAN, especially the WebUI over HTTP.
If you don't know whose IP these logins belong to, you have likely been hacked, and I would recommend setting up your router from scratch.
Then DO NOT allow login in any way from WAN. Use a VPN to connect to your router and then log in via LAN.
 
> Those are logins via SSH, which appears to be enabled from WAN in Administration / System.
> It is generally a very bad idea to allow access to the WebUI and SSH from WAN, especially the WebUI over HTTP.
> If you don't know whose IP these logins belong to, you have likely been hacked, and I would recommend setting up your router from scratch.
> Then DO NOT allow login in any way from WAN. Use a VPN to connect to your router and then log in via LAN.


Well, in fact SSH is disabled but telnet is enabled, and it doesn't have options to allow access from LAN or WAN. I thought it was enabled only for LAN, and when I telnet to the router the only log is as below:

Dec 31 16:55:09 login[378]: root login on 'pts/0'

Anyway, I will disable access from WAN, and if I need it I will connect via VPN as you advised.

Thanks :)
 
> ...
> It is generally a very bad idea to allow access to the WebUI and SSH from WAN. ....

Would that still hold true for SSH where public key infrastructure together with usernames and passwords is set up? And where SSH brute force protection is enabled (and to a lesser degree, with the port changed from 22 to an obscure one)?
 
> Would that still hold true for SSH where public key infrastructure together with usernames and passwords is set up? And where SSH brute force protection is enabled (and to a lesser degree, with the port changed from 22 to an obscure one)?
I meant that more as a general warning for your router. Unless you know what you are doing, it is best left at the default setting (off).
The answer to your scenario would be 'false'.
Meaning this is the only safe way to do it.
 
> Well, in fact SSH is disabled but telnet is enabled, and it doesn't have options to allow access from LAN or WAN. I thought it was enabled only for LAN, and when I telnet to the router the only log is as below:
>
> Dec 31 16:55:09 login[378]: root login on 'pts/0'
>
> Anyway, I will disable access from WAN, and if I need it I will connect via VPN as you advised.
>
> Thanks :)
There may be scripts placed or altered on your router by the intruder. Why else would one log in, if not for some mischief? Be safe!
 
Just to check, I enabled SSH from LAN, and after I connected I got the same logs.

SSH was disabled, so how did this guy manage to connect even though SSH was disabled?

I will change all my passwords on the router, disable access from WAN and monitor for a while to see whether similar logs appear.
 
> Well, in fact SSH is disabled but telnet is enabled, and it doesn't have options to allow access from LAN or WAN. I thought it was enabled only for LAN, and when I telnet to the router the only log is as below:

If the admin login is known and the WebUI is accessible from WAN, I too would log in to the UI, enable SSH, do some stuff (!), disable SSH, and log out.
 
> If the admin login is known and the WebUI is accessible from WAN, I too would log in to the UI, enable SSH, do some stuff (!), disable SSH, and log out.

lol, this looks reasonable :)
 
> I meant that more as a general warning for your router. Unless you know what you are doing, it is best left at the default setting (off).
> The answer to your scenario would be 'false'.
> Meaning this is the only safe way to do it.
SSH access from WAN now disabled. Many thanks.
 
> Would that still hold true for SSH where public key infrastructure together with usernames and passwords is set up? And where SSH brute force protection is enabled (and to a lesser degree, with the port changed from 22 to an obscure one)?

And just to add: public key only, no password login and an obscure port.
 
You surely don't expect us to believe you'd do such a thing, do you?
You might very well think that. I couldn't possibly comment.
 
Is there a way to tell what the intruder loaded or did while they were logged in?

I would think about using the factory reset button and then restoring from a backup taken before the incident. Or even re-flashing.

Paul
 
Just reset your router to 'factory' defaults and format the jffs partition.
You should be fine.

Later, if you really must have access to your router from outside your LAN, set SSH to use your key and disable password login.

Increasing the paranoia level, you could also change the default port, allow only specific IP addresses to log in, or disable SSH entirely.

PS: disable telnet. Always.
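The steps in that post in one place, as an added example that is neither Merlin's own code nor from the thread: an audit of the remote-access settings, and a firewall-start style hook that limits the SSH port on the WAN interface to an allow-list of source addresses (the "allow only specific IP addresses" option, which only helps if you connect from a fixed address). The nvram variable names and meanings used here (sshd_enable with 0 off / 1 LAN+WAN / 2 LAN only, sshd_pass, sshd_port, sshd_bfp, sshd_authkeys, telnetd_enable, misc_http_x) and the convention that /jffs/scripts/firewall-start is called with the WAN interface name as $1 are assumptions drawn from Asuswrt-Merlin; check them against `nvram show` on your build before relying on them. The addresses are documentation-range placeholders and the nvram dump is constructed.

```shell
#!/bin/sh
# Audit of remote-access settings plus a firewall-start style SSH allow-list.
# Assumed nvram names (verify with `nvram show` on your firmware): sshd_enable
# (0 off, 1 LAN+WAN, 2 LAN only), sshd_pass (1 = password login allowed),
# sshd_port, sshd_bfp (brute-force protection), sshd_authkeys, telnetd_enable,
# misc_http_x (WebUI from WAN). Assumed: firewall-start gets the WAN
# interface as $1.

IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the rules

# Constructed nvram dump showing the thread's starting position.
sample_nvram() {
    cat <<'EOF'
sshd_enable=1
sshd_pass=1
sshd_port=22
sshd_bfp=0
telnetd_enable=1
misc_http_x=1
EOF
}

# Read key=value lines (e.g. `nvram show`) on stdin; print FAIL/WARN
# findings; return 1 if anything FAILs.
audit_remote_access() {
    awk -F= '
    function fail(m) { fails++; print "FAIL " m }
    function warn(m) { print "WARN " m }
    { v[$1] = $2 }
    END {
        if (v["sshd_enable"] == "1")    fail("sshd_enable=1: SSH reachable from WAN; use 2 (LAN only) plus a VPN")
        if (v["sshd_pass"] == "1")      fail("sshd_pass=1: password login allowed; set 0 and put your key in sshd_authkeys")
        if (v["telnetd_enable"] == "1") fail("telnetd_enable=1: telnet sends the root password in the clear; disable it")
        if (v["misc_http_x"] == "1")    fail("misc_http_x=1: WebUI reachable from WAN; that alone is enough to re-enable SSH")
        if (v["sshd_bfp"] == "0")       warn("sshd_bfp=0: brute-force protection off")
        if (v["sshd_port"] == "22")     warn("sshd_port=22: default port, expect scanner noise")
        exit (fails > 0)
    }'
}

# firewall-start hook body: only the sources in $3.. (IPs or CIDRs) may reach
# TCP port $2 on WAN interface $1; other WAN attempts are rate-limit logged,
# then dropped. A private chain keeps re-runs (firewall-start fires on every
# firewall restart) from piling up duplicate rules. LAN access is untouched.
ssh_wan_allowlist() {
    wan="$1"; port="$2"; shift 2
    if [ -z "$wan" ] || [ -z "$port" ] || [ $# -eq 0 ]; then
        echo "usage: ssh_wan_allowlist WANIF PORT SRC [SRC...]" >&2
        return 2
    fi
    $IPT -N SSHWAN 2>/dev/null || true
    $IPT -F SSHWAN
    for src; do
        $IPT -A SSHWAN -s "$src" -j ACCEPT
    done
    $IPT -A SSHWAN -m limit --limit 6/min -j LOG --log-prefix "SSH-WAN-DROP: "
    $IPT -A SSHWAN -j DROP
    # (re)insert the jump at the top of INPUT so it precedes the firmware's own ACCEPT
    $IPT -D INPUT -i "$wan" -p tcp --dport "$port" -j SSHWAN 2>/dev/null || true
    $IPT -I INPUT -i "$wan" -p tcp --dport "$port" -j SSHWAN
}

case "${1:-}" in
    demo)   # audit the sample dump, then a dry run of the rules
        sample_nvram | audit_remote_access
        (IPT=echo; ssh_wan_allowlist eth0 2222 203.0.113.5 198.51.100.0/24) ;;
    ?*)     # installed as /jffs/scripts/firewall-start: $1 is the WAN interface
        ssh_wan_allowlist "$1" "$(nvram get sshd_port)" 203.0.113.5 ;;   # your fixed address here
esac
```

`sh harden.sh demo` prints four FAIL and two WARN lines for the sample dump and then the iptables commands without applying them. On the router, `nvram show | sh harden.sh` is not how it is wired; instead pipe `nvram show` into `audit_remote_access` after sourcing the file, and copy the file to /jffs/scripts/firewall-start (executable, with your own source address) to install the allow-list. The audit is the thing to run again after a factory reset, before re-enabling anything.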
 
> Is there a way to tell what the intruder loaded or did while they were logged in?
>
> I would think about using the factory reset button and then restoring from a backup taken before the incident. Or even re-flashing.
>
> Paul

Nothing, just the logs. I've checked the JFFS scripts but couldn't see anything changed. All files' last-changed dates are old enough. For now, I've changed all my passwords on the router and disabled access from WAN. I will keep the router under monitoring; if someone logs in again I will re-flash it. I have a USB stick plugged in with AB-Solution installed on it. It would take too much time for a noob like me to install everything all over again; that's why I've passed on re-flashing for now :)
 
It's not hard to change file dates after modifying them if they had root access; I would if I broke into your router. If you are not absolutely sure of the contents, restore and reformat.
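An added check for that point (not from the thread): `touch` lets root set a file's modification time to any date, but the inode change time (ctime) is written by the kernel on every write, chmod, rename or utimes() call and cannot be handed a chosen value, so on /jffs/scripts the thing to look for is a ctime much newer than the mtime. The check assumes a `stat` that accepts `-c` (GNU coreutils or busybox, as on the router) and that the intruder did not also wind the system clock back before touching files; the scratch directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Find files whose mtime was backdated: ctime cannot be set by touch, so a
# ctime far newer than the mtime means the mtime was rewritten (or the file
# was chmod'ed/renamed, which also bumps ctime and which you can then explain).
# Needs `stat -c` (GNU coreutils or busybox); assumes the clock was not moved.

# Print "<seconds> <path>" for regular files under $1 whose ctime is more
# than $2 seconds (default 3600) newer than their mtime.
backdated_files() {
    dir="$1"; slack="${2:-3600}"
    find "$dir" -type f -exec stat -c '%Y %Z %n' {} \; |
    awk -v slack="$slack" '{
        gap = $2 - $1                      # ctime minus mtime
        if (gap > slack) {
            sub(/^[^ ]+ [^ ]+ /, "")       # leave only the path (may contain spaces)
            printf "%ds %s\n", gap, $0
        }
    }'
}

# Constructed demo in a scratch directory: one script left alone, one
# edited and then backdated the way an intruder with root would do it.
demo_backdating() {
    d=$(mktemp -d)
    echo 'echo legit' > "$d/services-start"
    echo 'echo planted' > "$d/firewall-start"
    touch -t 201501010000 "$d/firewall-start"   # mtime now says Jan 2015, ctime says now
    backdated_files "$d"
    rm -rf "$d"
}

# On the router: backdated_files /jffs/scripts
if [ "${1:-}" = "demo" ]; then
    demo_backdating
fi
```

`sh backdated.sh demo` lists only the planted firewall-start, with a gap of several years. An empty result is not proof of innocence, since a careful intruder can set the clock back, touch, and restore it, which is why the reply above still ends with "restore and reformat".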
 
