
Asus EULA now requiring explicit user consent

siena

Regular Contributor
I've just become aware that my Asus RT-AX86U which is running the latest Merlin firmware (3004.388.9) might be compromised. Potentially by TheMoon malware or Alogin. I was made aware that port 53 is open, however, I don't have any port forwards enabled for 53 so I can't see why it would be open.

This seems highly suspicious. Furthermore, it appears that I'm serving DNS because if I run dig as follows I get this result:

~$ dig +short @119.2xx.xxx.xxx google.com
142.251.221.78

That seems like it should not be happening and is a red flag to me.

Then if I look in IPTables I see some entries that look really suspect, too:

Code:
Chain OUTPUT_IP (1 references)
target     prot opt source               destination        
logdrop_ip  all  --  anywhere             193.201.224.0/24  
logdrop_ip  all  --  anywhere             245-120-15-51.instances.scw.cloud
logdrop_ip  all  --  anywhere             li1019-134.members.linode.com
logdrop_ip  all  --  anywhere             190.115.18.28      
logdrop_ip  all  --  anywhere             51-159-52-250.rev.poneytelecom.eu
logdrop_ip  all  --  anywhere             190.115.18.86

And this too:
Code:
Chain PTCSRVWAN (0 references)
target     prot opt source               destination        
DROP       tcp  --  92.255.85.107        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.253        anywhere             tcp dpt:ssh
DROP       tcp  --  185.42.12.240        anywhere             tcp dpt:ssh
DROP       tcp  --  92.255.85.37         anywhere             tcp dpt:ssh
DROP       tcp  --  185.7.214.37         anywhere             tcp dpt:ssh

I had a quick look for obvious signs of TheMoon in find/tmp and didn't see anything obvious - paste here https://pastebin.com/LR3CJzpf

Also, taking a look at the output of 'ps' I didn't see .nttpd or .sox running which is the normal culprit. Of course a newer/better variant of TheMoon might just be better disguising itself so here's my 'ps' output if anyone wants to look - https://pastebin.com/MiAHgyP4

I don't have my admin gui open to the WAN and never did so in the past. I do run IPsec and OpenVPN and I'm also seeing some suspicious login attempts via IPSec.

I'd really like to know what is going on and try to figure out the source/vector for this. I'm also unsure how to clean this up, but I suspect factory reset, flashing again and another factory reset should do the job?
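As an added triage aid (editor's example, not code from the thread), the following parses `iptables -L` output like the chains quoted above, flags user chains with 0 references (rules that can never match), and lists INPUT rules that accept port 53 from any source; the sample is constructed, and its INPUT chain is hypothetical since the post does not show one.

```python
import re

# Constructed sample in `iptables -L` layout (names resolved, as in the post): the
# OUTPUT_IP and PTCSRVWAN chains quoted above plus a hypothetical INPUT chain, not
# shown in the post, holding a rule that accepts DNS from any source.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain OUTPUT_IP (1 references)
target     prot opt source               destination
logdrop_ip  all  --  anywhere             193.201.224.0/24

Chain PTCSRVWAN (0 references)
target     prot opt source               destination
DROP       tcp  --  92.255.85.107        anywhere             tcp dpt:ssh
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")

def parse_chains(text):
    """Map chain name -> (reference count, None for built-in chains; list of rule lines)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (None if m.group(2) else int(m.group(3)), [])
        elif current and line.strip() and not line.startswith("target"):
            chains[current][1].append(line)
    return chains

def unreferenced_chains(chains):
    """User chains nothing jumps to: their rules never match, so PTCSRVWAN's DROPs are inert."""
    return sorted(name for name, (refs, _) in chains.items() if refs == 0)

def unrestricted_dns_accepts(chains):
    """INPUT rules accepting dpt:53 from any source; plain -L hides the in-interface,
    so confirm a hit with `iptables -L INPUT -v -n` before treating it as WAN exposure."""
    hits = []
    for rule in chains.get("INPUT", (None, []))[1]:
        f = rule.split()
        if (f[0] == "ACCEPT" and f[3] in ("anywhere", "0.0.0.0/0")
                and ("dpt:53" in f or "dpt:domain" in f)):
            hits.append(rule)
    return hits
```

Feed it the real output of `iptables -L` (or `iptables -L -n`) from the router; the ACCEPT on dpt:53 is the rule to check the interface of, since a LAN-only (br0) listener is expected on this firmware.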
tried to upgrade but I am being asked a bunch of questions and served a few pages of text to read and something about ID? what the heck is this? ASUS=spyware?
 
Post a screen shot of what you are referencing or seeing so others can understand what you are talking about.
If you are talking about the End User License Agreement and the Asus Notice that appear when you first access the router's QiS page (either new) or after a reset, that is expected behavior. Asus started including the agreement notices last year. There is lots of prior discussion about the notices and option to either agree or disagree with them that can be found using the forum search feature.
 
Thank you bennor. I was up to date on my upgrades and have never seen these; only this last upgrade. I am going through the discussions now to have an idea what it is all about.
 
I reverted to the earlier version and reloaded my settings. The first notice is about age, what is this all about, years after owning the router? The second one I refused and saw some warning about google and some others; I just went back to the previous firmware as in any case I do not use any AiCloud services. But still this does not fix the vulnerability or bug. Any firmware out there without these impositions?
 
The first notice is about age, what is this all about, years after owning the router? The second one I refused and saw some warning about google and some others;
What specific router and specific firmware are you running where you see these notices?
Post screen shots of what you are seeing.

Edit to add: Made a couple of prior posts about the Asus notices appearing in recent firmware, see here and here.
Note what RMerlin, the Asus-Merlin firmware developer, posted recently about these notices in another firmware discussion when downgrading the firmware was mentioned.
That will not change anything on the router's behaviour besides Asus not telling you to accept what they may be collecting. The EULA does not indicate any change in behaviour, only that Asus are now asking for consent, to comply with some regional laws that are stricter. And since it's written by lawyers, they will try to be as broad as possible just to cover their asses.

The question is not whether someone wants to accept a EULA or not. The question is whether you want to accept what they _might_ be doing. And that hasn't changed in these newer firmware releases.
 
Thank you for your reply
I am now back on firmware 3004.388.8_4 on RT-AX86U
When I download Merlin's 3004.388.9 from GIT and upload it to the router, after it finishes installing and before opening the index page on the router, I get 2 notices. The first one scrolled all the way to the bottom and it was asking if I am over 16, which I clicked and clicked continue; another notice came up, that I did not read and dismissed, but something troubling about google and others showed up in the warning that followed.

Do you mean that you have not seen these notices on your firmware upgrade?

If you think these notices are unusual, I can re-apply the firmware and take pictures but to what end? How can this help?
 
"quote"
Please be advised that disagreeing with ASUS PRIVACY NOTICE (for firmware/security upgrades) may result in the inability to update to the latest firmware version and unable to receive the most up-to-date protection on your ASUS Router; However, to protect the security of your router and ensure the compliance with laws, for upgrades addressing important security issues or meeting legal/regulatory requirements, those upgrades will still be downloaded and installed automatically.

Read Again I understood the risk
"unquote"

If this is not blackmail, I do not know what to call it; as to all the regulatory talk, it is just trash to cover up the spying and selling of our data. I do not for an instant believe what they say. They are surely not to be trusted any more than apple or google or meta or hp, and the list just goes on.

Maybe it's time to walk away from ASUS. There are surely other quality routers out there that will not spy on you by force.
 
and on top of that, they have no shame that THEIR system was hacked and used to hack their customers.
 
Do you mean that you have not seen these notices on your firmware upgrade?
As previously indicated in my prior post, I made mention of the new notices, EULA and agreements here and here. Those earlier posts have examples of the text one, since mid last year, should now see when they either access a new router's QiS screen for the first time, or when one does a reset and accesses the router's QiS screen for the first time. Or you may see it if you hadn't seen them before due to upgrading from an earlier firmware version where the notices were not displayed up front upon first access.

As the developer of Asus-Merlin indicated (quoted above), nothing has changed other than Asus now tells you up front what they are doing. Previously they simply didn't tell you up front. Now they do. The consent (written by lawyers) may be done to comply with certain regional laws. As stated by the Asus-Merlin developer: "The question is whether you want to accept what they _might_ be doing. And that hasn't changed in these newer firmware releases."

The choice is yours if you want to continue using Asus routers now that you've been made aware of what they've been doing for years. There is no blackmail and you are not being forced to do anything. Simply find another router (or smart phone, or smart TV, or streaming device, or streaming service, or the many other products and services) that doesn't do (data collection) what Asus/Trend Micro have long done. This data collection issue by Asus/Trend Micro is nothing new. It's been commented on from time to time for many years in these subforums.

Edit to add: The complaint and discussion about the notices, EULA and consent are fairly off topic from what the initial discussion was about, a user who thought they were infected with malware.
 
is there a topic about these?
 
There are a number of past discussions, going back years, that can be found using the forum search feature. For example...

Or you can start a new one.
 
did you mention that you work for ASUS? I now notice you're belittling this bombshell in other posts as well.
For some of this, it's not a bombshell. It's just that not everyone takes the time to read the various links Asus throws up in their notices when they access the router for the first time or activate certain features like AiProtection (TrendMicro). Like indicated, there are discussions going back years on some of this, particularly when one enables AiProtection or any other feature that triggers the TrendMicro feature of Asus routers.

And no I don't work for Asus. Pointing this stuff out doesn't mean one is defending Asus's actions or that they work for Asus. This issue of data collection by Asus and TrendMicro has been around publicly for years.

And if you think this is solely confined to Asus, it's not.
 
From May 23, 2024:
Few other posts last year:
https://www.snbforums.com/threads/a...on-3-0-0-6-102_33308.88454/page-3#post-912873
 
Good posting @bennor - @siena please don't reply any further here - you've hijacked and derailed my thread and your queries are off-topic. If you have further replies or questions, please carry on in a new thread or one of the appropriate threads that @bennor linked.
 
Good posting @bennor - @siena please don't reply any further and open a new thread - you completely hijacked my thread and it's completely off-topic. Please carry on with any other questions in a new thread or one of the appropriate threads that @bennor linked.
I already moved the discussion about EULAs to its own topic - the one you are currently replying to.
 