Am I being hacked?

With the current situation with the VPNFilter malware and what not - as long as you do not expose external ports, you are safe. Logs might show some "door knocking"... but NAT (by nature) and the SPI firewall (by purpose) block things.

Look at the services - disable WAN admin, SSH client (inbound), OpenVPN server (see note below), and you should be fine...

OpenVPN server - this is one of the options, if you don't need it, disable it - if you do, then use certificates. Most home users don't need it. If one needs an OpenVPN client, consider that this is likely compromised at the router - one can always run an OpenVPN client on a local PC/Desktop box there...

UPnP - well, that's an issue with older versions, and like in the "Americans" final season - might be one moving forward - poor Stan...

Practice "safe hex" these days - it's not that hard - the Asus Routers, along with others, are bastions and fairly secure, once configured properly.

Nope, my router wasn't hacked into. I've had a couple of people who work in the IT sector look at everything, there was absolutely nothing out of the ordinary, not even in the log files. Besides, since then, I've completely disabled VPN (don't really need it, or use it anymore). Router reset to factory defaults numerous times since then, since I updated it with new Merlin releases (I almost always do a factory reset afterwards), and changed my router password to a pretty messy and long one now :)

Cheers!

Even with an OpenVPN box behind, it is still exposed. This malware or hack works by exploiting the VPN implementations (if your VPN server is badly coded, for example, or just brute-forcing usernames and passwords). Looking at the log from the first post, someone did log in and change settings. However, since you've reset and flashed the firmware, it should be fine.

Perhaps now is the day where extra security measures are needed at home, because every router has to communicate to the internet through DNS for things to work well, unless you enjoy typing numbers. So there's a lot that can be exploited, even NAT, as the NAT has to be coded as well. A lot of routers that rely on hardware acceleration will surely have a NAT that is coded, as you won't be able to use IPTables for this or another existing solution. I do like configurable routers and IPTables, as the firewall tends to be well coded, so sometimes you can use the firewall rules as a way around a problem.

Any service the router requires, like DNS, NTP, or any proprietary thing that may connect to the manufacturer, for example, can be exploited (D-Link's own service was exploitable too). Many routers not only run network services but can also run a media server, file server and much more as well, and many consumer routers may lack the ability to properly secure themselves or may not have rigid base firewall rules applied. Even NAT can be exploited, but not to the router: the device sitting behind it, as if the traffic is known and the software is known, an exploit can be found as well. There's no need for a full level of paranoia, but if responses could at least contain the corresponding IP it would make firewalls much easier to keep software secured too. For instance, I've tried only whitelisting connections from the destination that originated from the network; many websites don't work, as they tend to send data from another host instead.

One way to check is to use Shodan or a full-fledged scanner and see what is visible on your router; you can check every single port as well just to make sure. Most hacks don't bother to scan your router; they may just have a pre-assigned port they will go for straight away, which can make some firewall rules unable to block it at first if you rely on auto-blocking hosts that try to connect directly by trying different ports.

If Shodan or a port scanner can see any detail of what runs at that port, or if it is a port used for the service by default despite receiving no data, then you should take further steps to secure things. You should consider knocking as well as a means for securing your VPN, where you are allowed in once you do some actions beforehand.
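A small self-audit in the spirit of the Shodan / port-scanner check recommended above: from a host outside your LAN, confirm that the WAN-side ports of the services the thread says to disable (WAN admin, inbound SSH, OpenVPN server) do not answer. This is an added example, not code from the thread; the port numbers are the services' well-known defaults, and `self_test()` only uses loopback sockets so it runs offline.

```python
"""Confirm from outside the LAN that a router's management and VPN ports are closed.
Added example for this thread, not from any poster; point it at a router you own."""
import socket
from contextlib import closing

# Well-known default TCP ports of the services the thread says to keep off the WAN side
# (assumed defaults, not values taken from the thread).
SERVICES = {22: "SSH", 80: "WAN admin (HTTP)", 443: "WAN admin (HTTPS)",
            1194: "OpenVPN server", 8443: "WAN admin (alt HTTPS)"}

def port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def exposure_report(host, ports=SERVICES, timeout=2.0):
    """Map each port to (service name, reachable?) for the given host."""
    return {p: (SERVICES.get(p, "unknown"), port_open(host, p, timeout)) for p in ports}

def findings(report):
    """One human-readable finding per port that answered."""
    return [f"port {p} ({name}) answers from the WAN side: disable it or restrict access"
            for p, (name, reachable) in sorted(report.items()) if reachable]

def self_test():
    """Offline check: a loopback listener must show as open, a released port as closed."""
    with closing(socket.socket()) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        with closing(socket.socket()) as probe:   # reserve a free port number, then release it
            probe.bind(("127.0.0.1", 0))
            closed_port = probe.getsockname()[1]
        report = exposure_report("127.0.0.1", [open_port, closed_port], timeout=1.0)
    return report[open_port][1], report[closed_port][1]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # your router's WAN address
    for line in findings(exposure_report(target)) or ["no listed service reachable"]:
        print(line)
```

Run it from a host that is not behind the router (a phone hotspot works), since from inside the LAN the same ports may legitimately answer on the LAN interface.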
