RT-AX86U running Merlin serving DNS - possible Malware infection

spacemanspiff

Occasional Visitor
I've just become aware that my Asus RT-AX86U, which is running the latest Merlin firmware (3004.388.9), might be compromised, potentially by TheMoon malware or Alogin. I was made aware that port 53 is open; however, I don't have any port forwards enabled for 53, so I can't see why it would be open.

This seems highly suspicious. Furthermore, it appears that I'm serving DNS because if I run dig as follows I get this result:

Code:
~$ dig +short @119.2xx.xxx.xxx google.com
142.251.221.78

That seems like it should not be happening and is a red flag to me.

Then if I look in IPTables I see some entries that look really suspect, too:

Code:
Chain OUTPUT_IP (1 references)
target     prot opt source               destination         
logdrop_ip  all  --  anywhere             193.201.224.0/24   
logdrop_ip  all  --  anywhere             245-120-15-51.instances.scw.cloud
logdrop_ip  all  --  anywhere             li1019-134.members.linode.com
logdrop_ip  all  --  anywhere             190.115.18.28       
logdrop_ip  all  --  anywhere             51-159-52-250.rev.poneytelecom.eu
logdrop_ip  all  --  anywhere             190.115.18.86

And this too:
Code:
Chain PTCSRVWAN (0 references)
target     prot opt source               destination         
DROP       tcp  --  92.255.85.107        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.253        anywhere             tcp dpt:ssh
DROP       tcp  --  185.42.12.240        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.37         anywhere             tcp dpt:ssh
DROP       tcp  --  185.7.214.37         anywhere             tcp dpt:ssh

I had a quick look for obvious signs of TheMoon in the output of find /tmp and didn't see anything obvious - paste here https://pastebin.com/LR3CJzpf

Also, taking a look at the output of 'ps', I didn't see .nttpd or .sox running, which are the usual culprits. Of course a newer/better variant of TheMoon might just be better at disguising itself, so here's my 'ps' output if anyone wants to look - https://pastebin.com/MiAHgyP4

I don't have my admin gui open to the WAN and never did so in the past. I do run IPsec and OpenVPN and I'm also seeing some suspicious login attempts via IPSec.

I'd really like to know what is going on and try to figure out the source/vector for this. I'm also unsure how to clean this up, but I suspect factory reset, flashing again and another factory reset should do the job?
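As an added example (not part of the original post, and not Asuswrt-Merlin code), here is how the two symptoms described above can be probed from an outside network in a repeatable way: a full dig reply tells you whether the address is acting as an open recursive resolver, and a TCP connect to port 22 tells you whether SSH is answering. The WAN address 203.0.113.10 is a documentation placeholder and all function names are this example's own; it needs dig and nc (netcat) on the probing host.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: probe a router's WAN
# address from an OUTSIDE network for an open DNS resolver on udp/53 and an SSH
# service on tcp/22. Needs dig and nc (netcat) on the probing host. The address
# 203.0.113.10 is a documentation placeholder; the function names are this
# example's own.

# Classify a full (not +short) dig reply read from stdin. An open recursive
# resolver answers with status NOERROR, the "ra" (recursion available) flag and
# an ANSWER SECTION. Prints: open-resolver | refused | no-answer | no-response
classify_dig_reply() {
    reply=$(cat)
    case "$reply" in
        ""|*"connection timed out"*|*"no servers could be reached"*)
            echo no-response; return 0 ;;
    esac
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ "$status" = "REFUSED" ]; then
        echo refused; return 0
    fi
    if [ "$status" = "NOERROR" ] \
       && printf '%s\n' "$reply" | grep -q 'flags:[^;]* ra[ ;]' \
       && printf '%s\n' "$reply" | grep -q '^;; ANSWER SECTION:'; then
        echo open-resolver; return 0
    fi
    echo no-answer
}

# Classify the first line received after a TCP connect to port 22. A real SSH
# service sends "SSH-2.0-..." before the client says anything; an empty banner
# means the port is closed, filtered, or not speaking SSH.
classify_ssh_banner() {
    case "$1" in
        SSH-*) echo "ssh-exposed ($1)" ;;
        *)     echo "closed-or-filtered" ;;
    esac
}

# Probe both services against one WAN address. Run this from a host that is
# NOT on the router's LAN, otherwise you are testing the LAN-side listener.
probe_wan() {
    ip="$1"
    printf 'udp/53 on %s: ' "$ip"
    dig +tries=1 +time=3 @"$ip" google.com A 2>&1 | classify_dig_reply
    printf 'tcp/22 on %s: ' "$ip"
    # keep stdin open for two seconds so nc waits for the server banner
    banner=$( (sleep 2) | nc -w 3 "$ip" 22 2>/dev/null | head -n 1 | tr -d '\r')
    classify_ssh_banner "$banner"
}

# Usage, from outside your own network:  sh probe_wan.sh 203.0.113.10
if [ -n "${1:-}" ]; then
    probe_wan "$1"
fi
```

A "refused" result on udp/53 means the router is reachable but refuses recursion; "no-response" is what a correctly populated INPUT chain produces, since the firmware's default rules drop unsolicited WAN traffic.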
 
Then if I look in IPTables I see some entries that look really suspect, too:
But those rules all drop traffic, versus allowing it. It might be the asd daemon adding IPs to the OUTPUT_IP chain.

Nothing was obviously suspicious in the /tmp files or ps output.

How did you conclude you might be compromised?
 
But those rules all drop traffic, versus allowing it. It might be the asd daemon adding IPs to the OUTPUT_IP chain.

Nothing was obviously suspicious in the /tmp files or ps output.

How did you conclude you might be compromised?
Someone scanned me using Shodan and then found that my IP is answering public DNS queries. I was also unable to access my router via SSH until a reboot. That person suggested I was compromised.

If not, why is port 53 open on my IP and why am I answering public DNS queries?

I will post full iptables when I get back to my desk in an hour or so
 
Then if I look in IPTables I see some entries that look really suspect, too:
These are blacklisted IPs that Asuswrt automatically blocks as they are tied to known router malwares. Nothing abnormal there, they are blocked by the firmware.

And this too:
This indicates that you have SSH open to the WAN, and these are IPs that tried (and failed) to connect, they were blocked by Asuswrt's security daemon for multiple failed connection attempts. Disable SSH access from the WAN.
 
Thanks @RMerlin and @dave14305 - something seems strange.

Why is my router/IP answering DNS queries? I'm happy to PM the IP address if you want to test yourself.

Here's the IPtables output - https://pastebin.com/1QyQ5gg4

Also I have SSH disabled in the GUI, but I can confirm even with this turned off, it's still answering SSH from the WAN...which it shouldn't be doing, right?
 
Also I have SSH disabled in the GUI, but I can confirm even with this turned off, it's still answering SSH from the WAN...which it shouldn't be doing, right?
You don’t seem to have any rules in the INPUT chain. That’s scary. I did already test your DNS claim. It resolved just fine, unfortunately.

Run service restart_firewall and check again.
 
Have you enabled “Enable IPv4 inbound firewall rules” on the firewall page? I remember that was severely broken before.
 
That could be it. If the firewall is not running does that mean the router would have port 53 open and answer to public DNS queries?
 
That could be it. If the firewall is not running does that mean the router would have port 53 open and answer to public DNS queries?
Everything on your router would be accessible from the Internet. DNS, SSH, webui...

Post a screenshot of the Firewall settings page on your router.
 
Firewall page shows it is enabled, but I can still run dig remotely from external networks (testing from a remote session from my worksite computer).

 
Double check that the filter rules are properly created. Check the content of /tmp/filter_rules:

Code:
more /tmp/filter_rules

There should be a number of "-A INPUT" lines in it.

You can manually reapply them with:

Code:
iptables-restore < /tmp/filter_rules

Then see if they are present in the firewall:

Code:
iptables -L INPUT -vn

If they are now present, then check that you don't have a script that's flushing the content of the INPUT chain on firewall restarts. See if there are any suspicious scripts in /jffs/scripts/ .
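The steps in the reply above (check /tmp/filter_rules for -A INPUT lines, compare with the live INPUT chain, reapply with iptables-restore, then look for a script under /jffs/scripts that flushes the chain) combined into one script, as an added example that is not from the thread or from Asuswrt-Merlin. The paths are the ones named in the reply; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: turn the manual
# check into a repeatable audit. It compares the live INPUT chain with
# /tmp/filter_rules, reapplies the file if INPUT has been emptied, and lists
# any script under /jffs/scripts that flushes or deletes a chain. The paths are
# the ones named in the thread; the function names are this example's own.

# Count the "-A INPUT" lines in an iptables-save style file such as /tmp/filter_rules.
count_input_rules() {
    # grep -c exits 1 when the count is 0 but still prints the 0
    grep -c '^-A INPUT ' "$1" || true
}

# Read `iptables -S INPUT` output from stdin; succeed if the chain has no rules.
# `iptables -S` prints the policy line "-P INPUT ..." first, then one "-A INPUT"
# line per rule, so a populated chain has at least one "-A INPUT".
live_input_is_empty() {
    ! grep -q '^-A INPUT '
}

# Print the scripts in DIR (default /jffs/scripts) containing an uncommented
# iptables call that flushes (-F, --flush) or deletes (-X) a chain.
find_flushing_scripts() {
    dir="${1:-/jffs/scripts}"
    [ -d "$dir" ] || return 0
    grep -lE '^[^#]*iptables[^#]*(-F|--flush|-X)( |$)' "$dir"/* 2>/dev/null || true
}

# The audit itself; only meaningful on the router, where iptables exists.
# Returns 1 if INPUT was found empty (and has just been reapplied), else 0.
audit_input_chain() {
    rules="${1:-/tmp/filter_rules}"
    expected=$(count_input_rules "$rules")
    if iptables -S INPUT | live_input_is_empty; then
        echo "INPUT chain is EMPTY; $rules holds $expected -A INPUT lines. Reapplying."
        iptables-restore < "$rules"
        status=1
    else
        live=$(iptables -S INPUT | grep -c '^-A INPUT ' || true)
        echo "INPUT chain has $live rules ($expected in $rules)."
        status=0
    fi
    flushers=$(find_flushing_scripts)
    if [ -n "$flushers" ]; then
        echo "Scripts that flush or delete chains, review before trusting the firewall:"
        echo "$flushers"
    fi
    return $status
}

# Usage on the router:  sh audit_input.sh --run
# Run it again after `service restart_firewall` and periodically: a script that
# flushes INPUT only shows its effect after the next firewall restart.
if [ "${1:-}" = "--run" ]; then
    audit_input_chain
fi
```

A reapplied chain that empties again on the next restart points at something running at firewall-start time; an INPUT chain that stays populated while the firewall reports "enabled" but the filter_rules file has no -A INPUT lines points at the rule generation itself.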
 
tmp filters out here - https://pastebin.com/CanSDWY3

Seems to be a lot of -A INPUT entries, but I ran the other commands and received this output - https://pastebin.com/133pKd7a

This is a little over my head so not sure if that is what I should expect to be seeing.

There is nothing in JFFS except for my dns-o-matic script that I use to facilitate my DDNS setup with Namecheap, and the contents of that script are the same as when I set it up about 6 months ago.

@RMerlin or @dave14305 - Can you confirm that port 53 should NOT be open and answering public DNS queries if everything is correct?
 
Can you confirm that port 53 should NOT be open and answering public DNS queries if everything is correct?
Correct. I can’t reach your router anymore, but that may only be because you manually applied the rules with iptables-restore. I would keep checking this throughout the day to see if INPUT disappears again.

But I would also wipe the router and configure from scratch to be sure there is nothing unwanted there.
 
I've just become aware that my Asus RT-AX86U which is running the latest Merlin firmware (3004.388.9) might be compromised.
If you suspect or think your router might have been compromised, have you done the first (or last) general troubleshooting step of performing a hard factory reset and manual configuration (do not import a saved router.cfg file) using different passwords and SSIDs?

You didn't have AiCloud enabled did you? AiCloud was supposedly a vector for the recent malware attack on Asus routers.
 
Have gone ahead and restored to factory and reconfigured manually. The person who pointed this out to me is a pretty experienced networking guy, and he said he was definitely able to use my IP address as an unauthenticated proxy before I reconfigured, and they are 100% sure the router was compromised. Pretty scary. I don't really understand how it happened, which bothers me since I don't really know what the vector was.

Didn't have AiCloud enabled. I'm going to have to watch this thing like a hawk now to see if it comes back.
 
The person who pointed this out to me is a pretty experienced networking guy, and he said he was definitely able to use my IP address as an unauthenticated proxy before I reconfigured, and they are 100% sure the router was compromised.
Earlier, trying to browse your WAN IP redirected me to a wine-related site. Is that expected?
 
Have gone ahead and restored to factory and reconfigured manually
That was probably the safest solution. Something was flushing the content of your INPUT chain. It wasn't a firewall rule error, because that would have prevented the whole firewall from being configured, not just the INPUT chain.

Just to be safe, use a different password for your router's admin access, in case it was somehow compromised.
 