Thanks, great job! I'd be happy to help you too.
1 - Yes, I have some open ports (443 for sshd, SIP port for my gigasetA510 and another port for my ipcam) and "respond to ping requests from wan" set to yes.
2 - Yes, only DLNA, SMB and iTunes (no UPnP, AiCloud, NFS, FTP, HTTP, mail, etc.).
3 - Don't think so; router and wifi passwords are 13-20 char passphrases with uppercase, lowercase, number and special char.
4 - Sorry, I no longer have the original files. I can assume that they were created in June this year.
Let me know if you need something else.
If the router is still running the malware you can try to recover deleted binaries by copying /proc/PID/exe to another folder. You would need to know the process PID (probably the one that's written .nttpd.pid and .sox.pid), but you can also copy everything listed on /proc/ and find it afterwards.
Anyway, my best guess is that someone incorporated one of the public Asus exploits (e.g. https://github.com/jduck/asus-cmd) into some worm/botnet that's scanning the entire Internet for vulnerable devices.
If your router's UDP ports are not accessible externally (used by the infosvr UDP Broadcast exploit), it's also likely that someone exploited another device from your network (maybe the ipcam - https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack) and then scanned/exploited the router...
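The /proc/PID/exe recovery suggested in the reply above, as an added example that is not part of the original posts: it finds running processes whose executable has been deleted from disk and copies each one out, non-executable, with a manifest of the original path. The function names and output directory are assumptions, and it assumes the router's shell provides `readlink`, `cp` and `tr`.

```shell
#!/bin/sh
# Added example (not from the thread): recover executables of running
# processes whose on-disk file has been deleted. Function names and the
# output directory are assumptions; needs readlink, cp and tr on the device.

# Print PIDs whose /proc/PID/exe link target ends in " (deleted)".
list_deleted_exe_pids() {
    for d in /proc/[0-9]*; do
        # Unreadable links (other users, kernel threads) are skipped.
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${d##*/}" ;;
        esac
    done
}

# Copy the still-open executable of PID to OUTDIR/PID.exe, log its old path.
recover_exe() {
    pid=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    cp "/proc/$pid/exe" "$outdir/$pid.exe" || return 1
    chmod 0400 "$outdir/$pid.exe"   # read-only, never executable
    printf '%s\t%s\n' "$pid" "$(readlink "/proc/$pid/exe")" \
        >> "$outdir/manifest.tsv"
}

# Recover the process named in a pid file such as .nttpd.pid or .sox.pid.
recover_from_pidfile() {
    pidfile=$1; outdir=$2
    pid=$(tr -cd '0-9' < "$pidfile") || return 1
    [ -n "$pid" ] && [ -d "/proc/$pid" ] || return 1
    recover_exe "$pid" "$outdir"
}

# Recover every process that is still running from a deleted file.
recover_all_deleted() {
    outdir=$1
    for pid in $(list_deleted_exe_pids); do
        recover_exe "$pid" "$outdir" || echo "could not copy $pid" >&2
    done
}

# Usage: sh <this file> --run OUTDIR
if [ "${1:-}" = "--run" ]; then
    recover_all_deleted "${2:-./recovered}"
fi
```

Write the output directory to removable storage rather than the router's own flash, and hash the recovered files on a separate machine before analysing them.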