
asus 68u port 18017 hack

snb82828

I've had someone breaking into my 68u router for some time now. The latest break-in from yesterday was on the 380.64 firmware build in which they have prerouted (port forwarding, even though I have port forwarding switched off) all traffic through ports 18017 (tcp) & 18018 (udp). Googling asus routers and port 18017 hacks turns up results about an exploit that "...starts by default and binds a pseudo HTTP server on port 18017..."

Any thoughts?
 
Is the WebUI enabled from WAN?
Don't enable it after you have completely reset, flashed and set up your router from scratch.
See other hacked posts here.
 
WebUI is and was disabled. Whoever is hacking has spoofed the MAC addresses and appears to be attempting to attack the router network "internally." Before the most recent break-in, the logs showed constant denied intrusion attempts from devices on my network using spoofed MAC addresses and spoofed IP address(?)

Also, any posts about hacking that I should check out in particular? Thanks.
 
Port 18017 and 18018 are used internally by the router when you select 'Redirect to error page' for when the WAN or Link goes down. They are only opened when the WAN is inaccessible.
 
Houston - I think we might have a problem here...

This topic has popped up quite a bit in the last couple of days...
 
I updated firmware to the 380.64 build again just in case, reset to factory settings, and formatted jffs upon reboot. When I logged in 1st time, the port forward settings were still there. So they have made permanent changes to my router so far as I can tell.

AFAIK, there is no convenient way to block ports on the 68U other than telnet which presents its own problems because these port changes will revert to default any time the router is rebooted. I don't want to keep telnet on permanently but toggling this option will reboot the router.
 
What John said - port 18017 and 18018 aren't exploits, it's when the WAN goes down, and the router puts up an internal redirection page that shows the error message.
 
What John said - port 18017 and 18018 aren't exploits, it's when the WAN goes down, and the router puts up an internal redirection page that shows the error message.

@RMerlin, @john9527 - looks like there is an active exploit targeting devices here... the reports here are looking to be a red-flag...

Enough noise to look at things - could be factory... could be something else...
 
@RMerlin, @john9527 - looks like there is an active exploit targeting devices here... the reports here are looking to be a red-flag...

Just because some users were compromised doesn't mean that THIS case is also the same thing. The description he gave is completely different, and has nothing to do with a router compromise. It's perfectly normal behaviour when the WAN interface goes down.
 
First of all, thanks for your help to everyone who replied here.
It should be noted that I am extra paranoid because my router was hacked a couple weeks ago using at the time the latest ASUS--but not Merlin--firmware; every sign of intrusion: settings changed, UPnP enabled, strange logins, and worst of all, blatant website redirects.

After I flashed to ASUS-merlin a fortnight ago, things seemed to be okay. The seemingly odd port forwarding messages I noticed yesterday were something I had not seen before and also coincided with some strange activity on my system logs as well as high latency in my internet connection which is normally quite stable. I haven't ruled out an intrusion, but the posts here alleviate some of my concerns. In any case, I appreciate everyone's input and if I see something out of the ordinary I will update this thread.

Happy belated New Year.
 
Whenever I shut down my internet connection with the router still on (usually to test some things) and I click on a web browser, instead of opening to the last opened website, the browser defaults to my router address. What is even more odd is that it happens on all my devices (Chrome on PC, Safari on iPad). Can someone explain what's going on?
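
The behaviour described in this thread (ports 18017 and 18018 are only used for the error page while the WAN is down) can be checked against a saved NAT table. The following is an added example, not part of any post here and not ASUS or Merlin code; the sample dump, the addresses and the function names are constructed for illustration.

```python
# Added example: classify PREROUTING redirects from an `iptables-save -t nat` dump.
INTERNAL_PORTS = {18017, 18018}  # error-page ports named in the thread

# Constructed sample, not captured from a real router; all addresses are assumptions.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:18017
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:18018
-A PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.50:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_redirects(dump):
    """Yield (host, port, line) for each DNAT/REDIRECT rule in PREROUTING."""
    for line in dump.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "PREROUTING"] or "-j" not in tok:
            continue
        target = tok[tok.index("-j") + 1]
        opt = {"DNAT": "--to-destination", "REDIRECT": "--to-ports"}.get(target)
        if opt is None or opt not in tok:
            continue
        dest = tok[tok.index(opt) + 1]
        if target == "REDIRECT":
            host, port = None, dest              # REDIRECT lands on the router itself
        else:
            host, _, port = dest.partition(":")  # "ip" or "ip:port"
        yield host, int(port) if port.isdigit() else None, line

def classify(host, port, wan_up, router_ip):
    """Error-page redirects are expected only while the WAN is down."""
    to_router = host is None or host == router_ip
    if to_router and port in INTERNAL_PORTS:
        return "unexpected-wan-up" if wan_up else "expected-wan-down"
    return "review"  # any other redirect should match a rule the owner configured

def audit(dump, wan_up, router_ip="192.168.1.1"):
    """Return (verdict, rule) pairs for every redirect found in the dump."""
    return [(classify(h, p, wan_up, router_ip), line)
            for h, p, line in parse_redirects(dump)]

if __name__ == "__main__":
    for verdict, rule in audit(SAMPLE_NAT_DUMP, wan_up=False):
        print(f"{verdict:18} {rule}")
```

Comparing a dump taken while the WAN is up with one taken while it is down shows whether the 18017/18018 rules come and go with the link, and any rule marked `review` can be compared with the port forwards configured in the WebUI.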
 
