
Asus RT-N66U 378.56_2 hacked?


TheGlow

Occasional Visitor
Is there a security flaw with this version?
It looks like my router has been hacked within the last 48 hours.
My kids went to stay over at my in-laws' on Tuesday. I know it had to be good then because their 3DSs connect via 2.4 GHz.
They came back today and they told me they can't connect.
I logged into the router and to my horror the 2.4 GHz channel was set to broadcast SSID and was named "free".
My user name was the default admin, but the password was not. It wasn't complicated but it wasn't default. I have no guest wifis, so just 2 SSIDs, 1 for 2.4 GHz and 1 for 5 GHz. Both were set to not broadcast, WPA2.

Are there logs to show changes like that? Is there a known loophole in this firmware that I should upgrade asap?

Any settings I should be wary of looking for? I'd rather not have to redo all my port forwards and DHCP reservations, but I saw a DDNS setting to tunnel broker. I've used tunnelbroker for IPv6 but I don't recall using any DDNS through them.
 
378.56_2 is old. Asus has resolved various XSS vulnerabilities since then; you need to update in case one of these older flaws has been exploited.
 
Thanks, I'll do that as soon as I get home. What kind of access did it grant? Full access to the settings?
I'm paranoid about what else I may need to change. Should I go so far as changing SSIDs and passwords again? Was that compromised originally?
 

If the SSID was changed, they had full access to the router. :(

I would take the router offline (disconnect from your ISP) and use a friends internet to download the latest firmware (make sure you verify the hash of the file you download).

With it disconnected from the internet;

Do a full reset to factory defaults. I might even do this twice (once via the GUI and afterwards, once with the reset button method). I would also clear the NVRAM and then Format JFFS partition at next boot too (make sure you reboot two times afterwards, waiting 5 minutes in between, to set the JFFS partition up again), in between those resets, and also do a 'hard reboot' by pulling the power from the router as a final step here.

Flash the latest firmware and do another reset to factory defaults, clearing the NVRAM and Format JFFS partition at next boot (and rebooting two times once more, waiting 5 minutes after each reboot).

Do a minimal and manual configuration to secure your router and connect to your ISP (only here would I connect to the internet with the router again).

Use a new username, password and SSIDs (and passwords), making sure they are all alphanumeric with no symbols or reserved characters.

Don't use a backup config file or you'll overwrite all the work you did above. ;)


http://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/

http://www.snbforums.com/threads/noob-definition-of-minimal-and-manual-configuration.27115/
 
Thanks. I'm still at work so I downloaded the firmware and transferred it to my phone. In retrospect I could have also downloaded straight to the phone. I'll follow those steps and redo my settings. I took screenshots of the forwards and whatnot. I just dislike having to go back to the devices and changing IDs around.
 
Avoid having the router WebUI exposed to the Internet. Several security fixes have happened in past versions and still happen nowadays with every new release, but even if such flaws exist, if you don't have it available to the world you will be fine.


If you have / need it, make sure you use HTTPS and a non-standard port.
 
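The settings the posts above tell you to check (default admin username, WebUI reachable from the WAN or served over plain HTTP, wireless auth mode, DDNS you don't remember configuring, port forwards) all live in NVRAM, so they can be audited offline from an `nvram show` dump. The script below is an added example written for this page, not Asus or Asuswrt-Merlin code. The NVRAM variable names (`misc_http_x`, `http_enable`, `wl0_auth_mode_x`, `vts_rulelist` and so on) are assumptions based on what Asuswrt firmware commonly exposes; confirm them against your own dump before trusting a clean result. The sample dump is constructed to resemble the state the OP described, with a few extra risky settings so the checks fire.

```shell
#!/bin/sh
# Offline audit of an Asuswrt / Asuswrt-Merlin `nvram show` dump.
# Example written for this page; not Asus or Merlin code.  NVRAM key
# names are assumptions: verify them with `nvram show | sort` on your unit.

# Constructed sample dump (not from a real router): 2.4 GHz SSID renamed to
# "free" and broadcast, tunnelbroker DDNS present, plus some risky settings.
SAMPLE_DUMP='http_username=admin
http_enable=0
misc_http_x=1
misc_httpport_x=8080
misc_httpsport_x=8443
misc_ping_x=1
sshd_enable=1
sshd_wan=0
wl0_ssid=free
wl0_closed=0
wl0_auth_mode_x=psk2
wl1_ssid=home5g
wl1_closed=1
wl1_auth_mode_x=open
ddns_enable_x=1
ddns_server_x=WWW.TUNNELBROKER.NET
ddns_hostname_x=example.tunnelbroker.net
vts_enable_x=1
vts_rulelist=<web>80>192.168.1.50>80>TCP<rdp>3389>192.168.1.60>3389>TCP'

# nv KEY DUMP -> value of KEY in DUMP, empty string if the key is absent
nv() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# audit DUMP -> one "FINDING: ..." line per risky setting, "INFO: ..." lines
# for things to eyeball, and a closing "SUMMARY: N finding(s)" line.
audit() {
  d=$1
  n=0
  flag() { echo "FINDING: $1"; n=$((n + 1)); }

  [ "$(nv http_username "$d")" = "admin" ] && flag "admin username is still the default 'admin'"
  [ "$(nv misc_http_x "$d")" = "1" ] && flag "web UI reachable from WAN (misc_http_x=1), ports $(nv misc_httpport_x "$d")/$(nv misc_httpsport_x "$d")"
  [ "$(nv http_enable "$d")" = "0" ] && flag "web UI served over plain HTTP only (http_enable=0): admin password crosses the LAN unencrypted"
  [ "$(nv misc_ping_x "$d")" = "1" ] && flag "router answers ICMP echo from WAN (misc_ping_x=1)"
  [ "$(nv sshd_enable "$d")" = "1" ] && [ "$(nv sshd_wan "$d")" = "1" ] && flag "SSH reachable from WAN (sshd_wan=1)"

  for i in 0 1; do
    mode=$(nv "wl${i}_auth_mode_x" "$d")
    case "$mode" in
      open|shared|psk|wpa) flag "radio wl$i uses weak auth mode '$mode'" ;;
    esac
    # A hidden SSID is not a security control (clients leak it in probe
    # requests), so the SSID/hidden state is reported for comparison only.
    echo "INFO: wl$i SSID '$(nv "wl${i}_ssid" "$d")' hidden=$(nv "wl${i}_closed" "$d") auth=$mode"
  done

  if [ "$(nv ddns_enable_x "$d")" = "1" ]; then
    flag "DDNS enabled: $(nv ddns_server_x "$d") -> $(nv ddns_hostname_x "$d"); confirm you configured this"
  fi

  if [ "$(nv vts_enable_x "$d")" = "1" ]; then
    # vts_rulelist packs rules as <name>wanport>lanip>lanport>proto
    printf '%s\n' "$(nv vts_rulelist "$d")" | tr '<' '\n' | sed '/^$/d' |
      while IFS='>' read -r name wport lip lport proto; do
        echo "INFO: port forward '$name' WAN $wport -> $lip:$lport $proto"
      done
    flag "port forwarding enabled; check that every rule above is one you created"
  fi

  echo "SUMMARY: $n finding(s)"
}

audit "$SAMPLE_DUMP"
```

On a unit with SSH enabled, `nvram show > dump.txt` on the router and `audit "$(cat dump.txt)"` here gives the same report for the live configuration. The audit only says what the configuration is now; it cannot tell you who changed it or when, so a clean result is no substitute for the reset-and-reflash steps above.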
I'm fairly certain WebUI was disabled, only internal. The admin pass was part of the WPA key, so I can only guess someone brute-forced the key or something, got on the network, took a guess at the admin credentials and got lucky.
I'm just a little surprised they only changed the SSID and WPA key. I just recalled it wasn't set to open, but it was indeed still WPA2, just SSID set to broadcast, SSID changed, and passkey changed.
 

I don't know, the only information Asus publishes in the changelog is terse notes like "Fixed XSS vulnerability" and such.

Personally I find it odd if it was really compromised. A hacker would typically have changed the password to lock you out of your own router.
 
Were the passwords complex? Or basic?

I see a lot of people using 12345678 or similar as a password.
 
Hence I'm a little baffled. I recall a few years ago I used to leave WinVNC up and my wife called asking if I was remoted in. I said no, because someone had just gotten on. So I closed it and forgot it was in startup. Windows Update did a reboot overnight or something. I woke up and saw IE windows open. From what I can tell they only changed homepages and really generic redirectors. I reinstalled the OS to play it safe though.


It was a four-letter word, repeated twice. Not a dictionary word, but again it would make sense they took a chance on that with admin/pass and it let them in.
Maybe it was more of a lesson or someone practicing. I always meant to look into seeing how hard it would be to sniff hidden SSIDs and hop on one as educational, not malicious.
 
No, I had all WAN access disabled. If I'd ever need to connect I go in through TeamViewer, then it becomes local.
I never liked VNC always being exposed. I used to get random port scans all the time back in the day. I like that TeamViewer keeps me a bit more anonymous.
I also recalled I had a Linksys E1000 with DD-WRT. That had the same admin/pass, similar SSID, just ending in a different number, but also WPA2 and the same passkey. I changed that as well just in case. That was used more for the wired ports. Thick walls in the apartment and many other WAPs give a horrible connection on 2.4 GHz. I originally set it up for the kids to have a WAP in their room for 3DSs but it was too much headache as they would need to manually go to settings and change between them depending on the room they were in.
 
Just throwing this in, not saying it's the culprit.

1. There has been a rash of TeamViewer hacks going on in the past couple of months http://arstechnica.com/security/201...ng-hacked-in-bulk-and-we-still-dont-know-how/

2. I've been the victim of browser "form fill" automation before as well. Not the use by a 3rd party, mind you. But LastPass has been confused and dumped form fill data into my SSID/auth page when jumping in to enable "guest" SSIDs for visitors.

Just food for thought. As others have said, it sounds like you need to update your firmware and use a touch of paranoia.
 
With this latest information (TeamViewer being used), I would go much further than the suggestions in post 4 above.

Uninstall TeamViewer (I'd consider it a permanent uninstall) and scan with free online scanners for viruses or other malware.

Assuming your router is fully updated and secure by now, change all the passwords that you use to access anything from the computer(s) that had TeamViewer installed, including your computer login password, email, banking, websites, forums and any other online activity that requires personal information linked to a username and password.

If you have been using TeamViewer after setting up the router from scratch and putting it back in use, I would first uninstall TeamViewer, then change the username, passwords, SSIDs and those passwords too after the first online scanner has found your system 'clean'.

I am also paranoid enough that after finishing a few online scans (with different tools), I would probably do a complete reset to factory defaults of the router once more with a whole new set of username/password and SSID/password combinations that are as different from what you were using previously as possible (don't be afraid; use the entire 16 character limit for your passwords).

While this may sound a bit over the top, it is the only real response to this very dangerous possibility of what may have happened on your system(s).
 
