What's new

Asus RT-AX86U How to stop hackers...Nothing works

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Rick Dean

Occasional Visitor
I've tried everything but still my 86U is taken over within hours of a hard reset. Appears to me the certificate is being replaced. My passwords are 32 characters generated. It's like an evil spirit has taken over the router. Been thru all the settings and have contacted Asus with little luck. Would Merlin firmware do better? For complete logs check out my Drive link. Your thoughts are much appreciated. Rick from Kansas

May 5 00:05:07 kernel: klogd started: BusyBox v1.24.1 (2022-12-13 05:13:08 CST)
May 5 00:05:07 kernel: Linux version 4.1.52 (gitserv_asus@bpza001bud) (gcc version 5.5.0 (Buildroot 2017.11.1) ) #2 SMP PREEMPT Tue Dec 13 06:54:38 CST 2022
May 5 00:05:07 kernel: CPU: AArch64 Processor [420f1000] revision 0
May 5 00:05:07 kernel: Kernel command line: root=ubi:rootfs_ubifs ubi.mtd=0 rootfstype=ubifs coherent_pool=4M cpuidle_sysfs_switch pci=pcie_bus_safe rootwait
May 5 00:05:07 kernel: Virtual kernel memory layout:
May 5 00:05:07 kernel: vmalloc : 0xffffff8000000000 - 0xffffffbdffff0000 ( 247 GB)
May 5 00:05:07 kernel: vmemmap : 0xffffffbe00000000 - 0xffffffbfc0000000 ( 7 GB maximum)
May 5 00:05:07 kernel: 0xffffffbe00000000 - 0xffffffbe00e00000 ( 14 MB actual)
May 5 00:05:07 kernel: fixed : 0xffffffbffabfd000 - 0xffffffbffac00000 ( 12 KB)
May 5 00:05:07 kernel: PCI I/O : 0xffffffbffae00000 - 0xffffffbffbe00000 ( 16 MB)
May 5 00:05:07 kernel: modules : 0xffffffbffc000000 - 0xffffffc000000000 ( 64 MB)
May 5 00:05:07 kernel: memory : 0xffffffc000000000 - 0xffffffc040000000 ( 1024 MB)
May 5 00:05:07 kernel: .init : 0xffffffc000736000 - 0xffffffc000770000 ( 232 KB)
May 5 00:05:07 kernel: .text : 0xffffffc000080000 - 0xffffffc0007352b4 ( 6869 KB)
May 5 00:05:07 kernel: .data : 0xffffffc000771000 - 0xffffffc000945540 ( 1874 KB)
)
 
May 5 is the date before the router gets the time from NTP servers - during the boot process. Nothing is hacked there, but you better remove your shared link with tons of other information facilitating eventual real hacking. There are things there you don't have to or want to share on Internet.
 
May 5 is the date before the router gets the time from NTP servers - during the boot process. Nothing is hacked there, but you better remove your shared link with tons of other information facilitating eventual real hacking. There are things there you don't have to or want to share on Internet.
Thanks. Just removed the link. But I have to ask. Why is Busybox being used that appears for uploading a new certificate? If you'd like I could pm you a private link of my drive link for a better look. Thanks, Rick
 
What are you experiencing that makes you think you've been hacked? I looked at your latest log file (before you deleted it) and there was nothing unusual there.

The router's operating system is built around busybox.
 
Local network fellow says all our computers and phones are being used as a repository for malicious purposes. Clean the phones and it repopulates via the desktops. The Mspy crap cannot be removed from our S10 phones even after a factory reset. I've tried many times. Rick
 
Phones get hot, obvious clicking when talking on phones and over 60k photos uploaded from my computer. All backed up though. Seems whomever was using my wife's phone to initiate the uploads. I'll send you a link to that log.... Rick
 
Local network fellow

Ask your local network fellow for help. I see nothing wrong with your router. What's happening to your clients - I don't know. Just minutes ago you have posted online your entire router configuration with files and GUI screenshots. Perhaps you need some safer Internet use advice first. Not trying to offend you, but the best protection is safe practices. No hardware or software can protect you when you don't know well what are you doing online.
 
Have you run a capture with Wireshark ?

On the desktop that you suspect malicious activity
 
Not familiar with Wireshark. Is it a software download?
Yes.
But it may be to overwhelming at first for you.
No offense intended.
Try downloading it and running it.
It will capture your traffic.
You might be able to pinpoint a source ip of the offending traffic.
Are you running other counter measures ?
Spybot search and Destroy comes to mind.
I would also try running a stand alone Trojan horse detector. Your issue may not be the router ..
Hitman Pro comes to mind for the Trojan horse check.
 
Local guy is the Radio Shack manager.

If this local guy thinks something is wrong he probably has better ideas what to help you with. I believe he wants you to help him with your Credit Card. Scare tactics are good sign. The file with Google services accessed means nothing. Phones and tablets may automatically upload pictures and videos to corresponding cloud storage and depending on user settings. The same devices may contact preset servers multiple times a day and this is how they work normally. The scare tactics work well and you're saving mostly unrelated to any hacking information. Seems like the Radio Shack manager is winning.
 
I had no idea Radio Shack was still in business. :) I used to spend a lot of time in one back in the 70s and 80s.
 
radioshack3.gif
 
I had no idea Radio Shack was still in business. :) I used to spend a lot of time in one back in the 70s and 80s.
Back again....hacking still happening.
I had no idea Radio Shack was still in business. :) I used to spend a lot of time in one back in the 70s and 80s.
Back agin....Hacking still going on. This time with Linux. Any help would be appreciated. Why us this hacker so determined? Photos of yesterday's action. (Files may not be in order)
 

Attachments

  • 20230612_093159.jpg
    20230612_093159.jpg
    94.5 KB · Views: 167
  • 20230612_093212.jpg
    20230612_093212.jpg
    87 KB · Views: 162
  • 20230612_093225.jpg
    20230612_093225.jpg
    80.5 KB · Views: 119
  • 20230612_093249.jpg
    20230612_093249.jpg
    97.1 KB · Views: 164
Back again....hacking still happening.

Back agin....Hacking still going on. This time with Linux. Any help would be appreciated. Why us this hacker so determined? Photos of yesterday's action. (Files may not be in order)
Sorry, but your pictures are very difficult to read. Can you explain what part of that you think is a problem?

I can see that there are some connection attempts from 167.248.133.51. This is from the Censys port scanner. This is perfectly normal because your exposing your router's VPN server to the internet.
 
Last edited:
I don't see anything there that could be interpreted as hacking.Standard random internet probes.

Typo corrected******
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top