RT-AX86U running Merlin serving DNS - possible Malware infection

Dunce question ... What does it mean for his router answering DNS requests? How is that tested? Is this DNS for devices on his internal network?
 
What does it mean for his router answering DNS requests? How is that tested? Is this DNS for devices on his internal network?
The router’s dnsmasq instance was accessible from the internet and therefore able to answer DNS requests from strangers. It shouldn’t have been able to do that if the firewall had been running correctly.
 
I've just become aware that my Asus RT-AX86U which is running the latest Merlin firmware (3004.388.9) might be compromised. Potentially by TheMoon malware or Alogin. I was made aware that port 53 is open, however, I don't have any port forwards enabled for 53 so I can't see why it would be open.
Congratulations! You were running a real live honeypot there for a short while! LOL :p
 
I have some things to investigate because the two Asus routers I support remotely started having issues at the same time. Both still work, but the wireless speed doesn't go above 20Mbps and with crazy latency shooting over 1000ms on speed test. This was the owners' complaint - voice/audio, streaming doesn't work well. One is in my reach single unit ZenWiFi XT8, the other is far away RT-AC66U B1. Both run Asuswrt, seem normal in logs with exception of many ASD crashes. Another bad ASD update perhaps? 🤔

Stopped all Trend Micro stuff for now, kind of stable, one even reached 100Mbps over Wi-Fi... but something is definitely off.
 
Hmm... both routers stable again after enabling Bandwidth Limiter in QoS (in order to force disable NAT acceleration). Speed test latency instantly went down and the throughput is back to expected for wireless connected devices. ISP lines 300Mbps so no big WAN throughput loss, but haven't seen this before. Will let the owners test the current configuration for some time, they say voice/audio and streaming works well now. 🤷‍♂️
 
That was probably the safest solution. Something was flushing the content of your INPUT chain. It wasn't a firewall rule error, because that would have prevented the whole firewall from being configured, not just the INPUT chain.

Just to be safe, use a different password for your router's admin access, in case it was somehow compromised.
So just circling back after a few days to see if everything is ok. Having someone rescan my IP via TCP and UDP. TCP comes back the way I expect. However, running this nmap -sS -sU -T4 -A -v 101.100.xxx.xxx/32
And have gotten this response on Port 53. Why is it not responding with an ICMP Type3 port unreachable?

Code:
OUTPUT_DNS

Discovered open port 53/udp on 101.100.xxx.xxx
Discovered open|filtered port 53/udp on 101.100.xxx.xxx is actually open

Had a look at iptables for port 53 stuff and I see this entry, but I can't make sense of it...just want to confirm that this is expected?
Code:
[13882:1034069] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS

Nmap is still running as I write this, but this is the only thing that has shown and it's about 60% complete so far....
 
Had a look at iptables for port 53 stuff and I see this entry, but I can't make sense of it...just want to confirm that this is expected?
Code:
[13882:1034069] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
Yes this is normal.
 
SSH into your router and post the output of this command:
Code:
netstat -nlp | grep :53
101.100.xxx.xxx is my IP address, I was just obfuscating the address since it's static and I didn't want to publicly post it. I'll DM it to you though. I was having my friend who is a network security professional in the USA run nmap on my IP. He's not familiar with Merlin or Asus routers and works exclusively on enterprise grade network appliances so he was wondering why it was showing up that way in his nmap scan of my IP.

Here's the output:
admin@RT-AX86U-79A8:/tmp/home/root# netstat -nlp | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2232/avahi-daemon:
admin@RT-AX86U-79A8:/tmp/home/root#
 
Here's the output:
admin@RT-AX86U-79A8:/tmp/home/root# netstat -nlp | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2232/avahi-daemon:
admin@RT-AX86U-79A8:/tmp/home/root#
That all looks normal.

I've nmap'ed your address and I don't see it being open. nmap shows "open|filtered" for udp ports even though there's no response. I tried sending a DNS request to port 53 and got no response.
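The two checks that settled this thread, a `netstat -nlp | grep :53` that shows dnsmasq bound only to 127.0.0.1 and the LAN address, and an INPUT chain that has not been flushed, can be scripted so the owner can re-run them after every reboot or firmware update. The script below is an added example, not code from the thread or from the Asuswrt-Merlin project. Both functions read captured text on stdin, so they can be run offline against pasted output like the one above; the netstat column layout and the assumption that a healthy INPUT chain ends in an `-A INPUT -j DROP` rule (or has policy DROP) are assumptions about the router's output, not something the thread shows for the INPUT chain.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): offline audit of
# (1) port-53 listeners, which must be bound to loopback or a LAN (RFC 1918)
# address, never 0.0.0.0 or a public address, and (2) the INPUT chain, which
# must still end in a terminal DROP; a flushed chain is what lets dnsmasq answer
# strangers. Both functions read text on stdin so they can be tested against
# captured output. The "-A INPUT -j DROP" terminal rule is an assumption.

# Exit 0 when all :53 listeners are on 127.0.0.1 or RFC 1918 space, 1 otherwise.
audit_dns_listeners() {
    bad=0
    # netstat -nlp columns: proto recv-q send-q local-address foreign-address ...
    while read -r proto _recvq _sendq laddr _rest; do
        case "$laddr" in
            *:53) ;;            # only port 53 matters; :5353 (avahi) does not match
            *) continue ;;
        esac
        addr=${laddr%:*}        # strip the :port suffix (':::53' becomes '::')
        case "$addr" in
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) echo "EXPOSED: $proto listener on $laddr"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Exit 0 when `iptables -S INPUT` output shows either policy DROP or a final
# "-j DROP" rule; exit 1 when the chain has been flushed or lost its terminal DROP.
audit_input_chain() {
    policy=ACCEPT rules=0 last=""
    while read -r line; do
        case "$line" in
            "-P INPUT "*) policy=${line##* } ;;                 # chain policy
            "-A INPUT "*) rules=$((rules + 1)); last=$line ;;   # remember last rule
        esac
    done
    [ "$policy" = DROP ] && return 0
    case "$last" in
        *"-j DROP") return 0 ;;
    esac
    echo "INPUT chain: $rules rules, policy $policy, no terminal DROP (flushed?)"
    return 1
}

# Usage on the router (as admin over SSH):
#   netstat -nlp | audit_dns_listeners
#   iptables -S INPUT | audit_input_chain
```

Both functions print what they object to and return non-zero, so they can be chained from a cron job or a user script and the result logged; a listener on 0.0.0.0:53 or an INPUT chain reduced to its policy line is the condition the thread describes.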
 
I've just become aware that my Asus RT-AX86U which is running the latest Merlin firmware (3004.388.9) might be compromised. Potentially by TheMoon malware or Alogin. I was made aware that port 53 is open, however, I don't have any port forwards enabled for 53 so I can't see why it would be open.

This seems highly suspicious. Furthermore, it appears that I'm serving DNS because if I run dig as follows I get this result:

~$ dig +short @119.2xx.xxx.xxx google.com
142.251.221.78

That seems like it should not be happening and is a red flag to me.

Then if I look in IPTables I see some entries that look really suspect, too:

Code:
Chain OUTPUT_IP (1 references)
target     prot opt source               destination        
logdrop_ip  all  --  anywhere             193.201.224.0/24  
logdrop_ip  all  --  anywhere             245-120-15-51.instances.scw.cloud
logdrop_ip  all  --  anywhere             li1019-134.members.linode.com
logdrop_ip  all  --  anywhere             190.115.18.28      
logdrop_ip  all  --  anywhere             51-159-52-250.rev.poneytelecom.eu
logdrop_ip  all  --  anywhere             190.115.18.86

And this too:
Code:
Chain PTCSRVWAN (0 references)
target     prot opt source               destination        
DROP       tcp  --  92.255.85.107        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.253        anywhere             tcp dpt:ssh
DROP       tcp  --  185.42.12.240        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.37         anywhere             tcp dpt:ssh
DROP       tcp  --  185.7.214.37         anywhere             tcp dpt:ssh

I had a quick look for obvious signs of TheMoon in find/tmp and didn't see anything obvious - paste here https://pastebin.com/LR3CJzpf

Also, taking a look at the output of 'ps' I didn't see .nttpd or .sox running which is the normal culprit. Of course a newer/better variant of TheMoon might just be better disguising itself so here's my 'ps' output if anyone wants to look - https://pastebin.com/MiAHgyP4

I don't have my admin gui open to the WAN and never did so in the past. I do run IPsec and OpenVPN and I'm also seeing some suspicious login attempts via IPSec.

I'd really like to know what is going on and try to figure out the source/vector for this. I'm also unsure how to clean this up, but I suspect factory reset, flashing again and another factory reset should do the job?
Tried to upgrade, but I am being asked a bunch of questions and served a few pages of text to read and something about ID? What the heck is this? ASUS=spyware?
 
Tried to upgrade, but I am being asked a bunch of questions and served a few pages of text to read and something about ID? What the heck is this? ASUS=spyware?
Post a screen shot of what you are referencing or seeing so others can understand what you are talking about.
If you are talking about the End User License Agreement and the Asus Notice that appear when you first access the router's QiS page (either new) or after a reset, that is expected behavior. Asus started including the agreement notices last year. There is lots of prior discussion about the notices and option to either agree or disagree with them that can be found using the forum search feature.
 
Post a screen shot of what you are referencing or seeing so others can understand what you are talking about.
If you are talking about the End User License Agreement and the Asus Notice that appear when you first access the router's QiS page (either new) or after a reset, that is expected behavior. Asus started including the agreement notices last year. There is lots of prior discussion about the notices and option to either agree or disagree with them that can be found using the forum search feature.
Thank you bennor. I was up to date on my upgrades and have never seen these; only this last upgrade. I am going through the discussions now to have an idea what it is all about.
 
I reverted to the earlier version and reloaded my settings. The first notice is about age, what is this all about, years after owning the router? The second one I refused and saw some warning about google and some others; I just went back to the previous firmware as in any case I do not use any AiCloud services. But still this does not fix the vulnerability or bug. Any firmware out there without these impositions?
 
The first notice is about age, what is this all about, years after owning the router? The second one I refused and saw some warning about google and some others;
What specific router and specific firmware are you running where you see these notices?
Post screen shots of what you are seeing.

Edit to add: Made a couple of prior posts about the Asus notices appearing in recent firmware, see here and here.
Note what RMerlin, the Asus-Merlin firmware developer, posted recently about these notices in another firmware discussion when downgrading the firmware was mentioned.
That will not change anything on the router's behaviour beside Asus not telling you to accept what they may be collecting. The EULA does not indicate any change in behaviour, only that Asus are now asking for consent, to comply with some regional laws that are stricter. And since it's written by lawyers, they will try to be as broad as possible just to cover their asses.

The question is not whether someone wants to accept a EULA or not. The question is whether you want to accept what they _might_ be doing. And that hasn't changed in these newer firmware releases.
 