I just noticed today that a PPTP VPN Server was running on my router along with a hacked Username i8661053. Concerned, I checked my logs and found multiple instances of this user attempting to access the VPN unsuccessfully. The IP addresses appear to be coming from Russia (92.63.194.85) and China (60.191.52.254).
I updated my firmware to Merlin RT-AC68U_384.14_2 on Jan 2 just as a frame of reference. I did run a shasum -a 256 from the OSX command line to verify the checksum before updating the firmware. Before that I was running a firmware version that dated back to July 2018, RT-AC68U_384.6. (Yes, I’m a dumbass for not updating more frequently.)
My logs are odd - there is a bunch of activity starting on Jan 2, and entries are populated for every day since. However, before Jan 2 the previous log entries are May 5 (just on May 5th). I don’t remember cleaning my logs, but I very easily may have purged my logs when I updated the firmware last week.
The first mention of pptp in the logs starts on Jan 4.
Code:
Jan 4 01:08:04 pptpd[29125]: CTRL: Client 92.63.194.81 control connection started
Jan 4 01:08:04 pptpd[29125]: CTRL: Starting call (launching pppd, opening GRE)
Jan 4 01:08:04 pptp[29126]: Plugin pptp.so loaded.
Jan 4 01:08:04 pptp[29126]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
Jan 4 01:08:04 pptp[29126]: pppd 2.4.7 started by admin, uid 0
Jan 4 01:08:04 pptp[29126]: Using interface pptp0
Jan 4 01:08:04 pptp[29126]: Connect: pptp0 <--> pptp (92.63.194.81)
Jan 4 01:08:08 pptp[29126]: No CHAP secret found for authenticating user
Jan 4 01:08:08 pptp[29126]: Peer user failed CHAP authentication
Jan 4 01:08:08 pptpd[29125]: CTRL: EOF or bad error reading ctrl packet length.
Jan 4 01:08:08 pptpd[29125]: CTRL: couldn't read packet header (exit)
Jan 4 01:08:08 pptpd[29125]: CTRL: CTRL read failed
Jan 4 01:08:08 pptpd[29125]: CTRL: Client pppd TERM sending
Jan 4 01:08:08 pptpd[29125]: CTRL: Client pppd finish wait
Jan 4 01:08:08 pptp[29126]: Terminating on signal 15
Jan 4 01:08:08 pptpd[29139]: CTRL: Client 92.63.194.82 control connection started
Jan 4 01:08:08 pptpd[29139]: CTRL: Starting call (launching pppd, opening GRE)
Jan 4 01:08:08 pptp[29141]: Plugin pptp.so loaded.
Jan 4 01:08:08 pptp[29141]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
Jan 4 01:08:08 pptp[29141]: pppd 2.4.7 started by admin, uid 0
Jan 4 01:08:08 pptp[29141]: Couldn't allocate PPP unit 10 as it is already in use
Jan 4 01:08:08 pptp[29141]: Using interface pptp1
Jan 4 01:08:08 pptp[29141]: Connect: pptp1 <--> pptp (92.63.194.82)
Jan 4 01:08:09 pptp[29141]: appear to have received our own echo-reply!
Jan 4 01:08:09 pptp[29141]: No CHAP secret found for authenticating vpn
Jan 4 01:08:09 pptp[29141]: Peer vpn failed CHAP authentication
Jan 4 01:08:09 pptpd[29139]: CTRL: EOF or bad error reading ctrl packet length.
Jan 4 01:08:09 pptpd[29139]: CTRL: couldn't read packet header (exit)
Jan 4 01:08:09 pptpd[29139]: CTRL: CTRL read failed
Jan 4 01:08:09 pptpd[29139]: CTRL: Client pppd TERM sending
Jan 4 01:08:09 pptpd[29139]: CTRL: Client pppd finish wait
Jan 4 01:08:09 pptp[29141]: Terminating on signal 15
Jan 4 01:08:09 pptpd[29153]: CTRL: Client 92.63.194.83 control connection started
Jan 4 01:08:10 pptpd[29153]: CTRL: Starting call (launching pppd, opening GRE)
Jan 4 01:08:10 pptp[29154]: Plugin pptp.so loaded.
Jan 4 01:08:10 pptp[29154]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
Jan 4 01:08:10 pptp[29154]: pppd 2.4.7 started by admin, uid 0
Jan 4 01:08:10 pptp[29154]: Couldn't allocate PPP unit 10 as it is already in use
Jan 4 01:08:10 pptp[29154]: Couldn't allocate PPP unit 11 as it is already in use
Jan 4 01:08:10 pptp[29154]: Using interface pptp2
Jan 4 01:08:10 pptp[29154]: Connect: pptp2 <--> pptp (92.63.194.83)
Jan 4 01:08:10 pptp[29154]: appear to have received our own echo-reply!
Jan 4 01:08:10 pptp[29154]: No CHAP secret found for authenticating Admin
Jan 4 01:08:10 pptp[29154]: Peer Admin failed CHAP authentication
Jan 4 01:08:10 pptpd[29153]: CTRL: EOF or bad error reading ctrl packet length.
Jan 4 01:08:10 pptpd[29153]: CTRL: couldn't read packet header (exit)
Jan 4 01:08:10 pptpd[29153]: CTRL: CTRL read failed
Jan 4 01:08:10 pptpd[29153]: CTRL: Client pppd TERM sending
Jan 4 01:08:10 pptpd[29153]: CTRL: Client pppd finish wait
Jan 4 01:08:10 pptp[29154]: Terminating on signal 15
Jan 4 01:08:12 pptpd[29165]: CTRL: Client 92.63.194.85 control connection started
Jan 4 01:08:12 pptpd[29165]: CTRL: Starting call (launching pppd, opening GRE)
Jan 4 01:08:12 pptp[29166]: Plugin pptp.so loaded.
Jan 4 01:08:12 pptp[29166]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
Jan 4 01:08:12 pptp[29166]: pppd 2.4.7 started by admin, uid 0
Jan 4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 10 as it is already in use
Jan 4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 11 as it is already in use
Jan 4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 12 as it is already in use
Jan 4 01:08:12 pptp[29166]: Using interface pptp3
Jan 4 01:08:12 pptp[29166]: Connect: pptp3 <--> pptp (92.63.194.85)
Jan 4 01:08:12 pptp[29166]: appear to have received our own echo-reply!
Jan 4 01:08:12 pptp[29166]: No CHAP secret found for authenticating 11
Jan 4 01:08:12 pptp[29166]: Peer 11 failed CHAP authentication
Jan 4 01:08:12 pptpd[29165]: CTRL: EOF or bad error reading ctrl packet length.
Jan 4 01:08:12 pptpd[29165]: CTRL: couldn't read packet header (exit)
Jan 4 01:08:12 pptpd[29165]: CTRL: CTRL read failed
Jan 4 01:08:12 pptpd[29165]: CTRL: Client pppd TERM sending
Jan 4 01:08:12 pptpd[29165]: CTRL: Client pppd finish wait
Jan 4 01:08:12 pptp[29166]: Terminating on signal 15
Jan 4 01:08:13 pptpd[29178]: CTRL: Client 92.63.194.31 control connection started
Jan 4 01:08:13 pptpd[29178]: CTRL: Starting call (launching pppd, opening GRE)
Jan 4 01:08:13 pptp[29179]: Plugin pptp.so loaded.
Jan 4 01:08:13 pptp[29179]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
Jan 4 01:08:13 pptp[29179]: pppd 2.4.7 started by admin, uid 0
Jan 4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 10 as it is already in use
Jan 4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 11 as it is already in use
Jan 4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 12 as it is already in use
Jan 4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 13 as it is already in use
Jan 4 01:08:13 pptp[29179]: Using interface pptp4
Jan 4 01:08:13 pptp[29179]: Connect: pptp4 <--> pptp (92.63.194.31)
etc..
If I’m reading that correctly, it doesn’t appear the hacker was able to connect. I’m not sure why.
Multiple attempts were made on Jan 4 and at least one attempt has been made every day since.
This is the only mention in the logs of the Chinese IP address, on Jan 6th.
Code:
Jan 6 15:20:34 pptpd[576]: MGR: dropped small initial connection
Jan 6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection started
Jan 6 15:20:34 pptpd[29664]: CTRL: EOF or bad error reading ctrl packet length.
Jan 6 15:20:34 pptpd[29664]: CTRL: couldn't read packet header (exit)
Jan 6 15:20:34 pptpd[29664]: CTRL: CTRL read failed
Jan 6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection finished
What doesn’t make sense:
- My default language was never changed from English
- AiCloud 2.0 services are all disabled
- Administration>System>Enable Web Access from WAN is disabled (and has been for a long time)
- I don’t use any apps that connect to my router
- I do use OpenVPN, but only to connect to my network from my iPhone
- SSH is disabled
- Router Login Name is admin and no password is set, I did have a password set at one time
- My credit card has been hacked from online purchases four times in the past year. I suspected MacOS at first, but couldn’t find any viruses or malware. Could my router be the source and, if so, how can a compromised router obtain credit card information?
- I have noticed that some specific websites are redirecting safari to fake Adobe Flash Player update malware sites. The issue seems to have stopped since I updated my router firmware on Jan 2nd. Could this also be caused by a compromised router?
At this point I’m going to format JFFS, reset the router to factory default and re-flash the latest version of Merlin. I’m really posting this just to understand:
- How did this happen? I’m aware of similar hacks posted about in the past year - is this now a known vulnerability that has since been patched?
- Is the firmware itself infected with the fake VPN accounts?
- Is there any way to determine if the hacker accessed anything else in my network?
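One way to triage a log like the one above, as an added example (not from the post, and not Asuswrt-Merlin's own code): a Python script that groups the pptpd/pppd lines by source IP and reports, per IP, how many control connections were opened, which usernames failed CHAP, and whether any session actually authenticated. The sample lines are constructed, and the wording of pppd's server-side success message is an assumption since the post shows only failures; pppd records the client address only on its `Connect:` line, so the script ties each pppd PID to that address.

```python
import re
from collections import defaultdict

# Constructed sample in the pptpd/pppd syslog format from the post; timestamps,
# PIDs, the 203.0.113.x/198.51.100.x addresses and the one successful login
# are made up for this demonstration, not taken from the poster's log.
SAMPLE_LOG = """\
Jan 4 01:08:04 pptpd[29125]: CTRL: Client 203.0.113.81 control connection started
Jan 4 01:08:04 pptp[29126]: Connect: pptp0 <--> pptp (203.0.113.81)
Jan 4 01:08:08 pptp[29126]: Peer user failed CHAP authentication
Jan 4 01:08:08 pptpd[29139]: CTRL: Client 203.0.113.81 control connection started
Jan 4 01:08:08 pptp[29141]: Connect: pptp1 <--> pptp (203.0.113.81)
Jan 4 01:08:09 pptp[29141]: Peer vpn failed CHAP authentication
Jan 5 02:10:00 pptpd[30001]: CTRL: Client 203.0.113.85 control connection started
Jan 5 02:10:00 pptp[30002]: Connect: pptp0 <--> pptp (203.0.113.85)
Jan 5 02:10:03 pptp[30002]: CHAP peer authentication succeeded for vpnuser
Jan 6 15:20:34 pptpd[29664]: CTRL: Client 198.51.100.7 control connection started
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (pptpd?)\[(\d+)\]: (.*)$")
STARTED_RE = re.compile(r"CTRL: Client (\S+) control connection started")
CONNECT_RE = re.compile(r"Connect: pptp\d+ <--> pptp \((\S+)\)")
FAILED_RE = re.compile(r"Peer (\S+) failed CHAP authentication")
# Assumed wording of pppd's server-side success message (not shown in the post).
SUCCESS_RE = re.compile(r"CHAP peer authentication succeeded for (\S+)")

def summarize(log_text):
    """Per source IP: connections opened, CHAP failures, usernames tried and
    usernames that authenticated; pppd PIDs are mapped to IPs via 'Connect:'."""
    pid_ip = {}
    stats = defaultdict(lambda: {"connections": 0, "failed": 0, "users": set(), "succeeded": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _proc, pid, msg = m.groups()
        if s := STARTED_RE.search(msg):
            stats[s.group(1)]["connections"] += 1
        elif c := CONNECT_RE.search(msg):
            pid_ip[pid] = c.group(1)
        elif (f := FAILED_RE.search(msg)) and pid in pid_ip:
            st = stats[pid_ip[pid]]
            st["failed"] += 1
            st["users"].add(f.group(1))
        elif (ok := SUCCESS_RE.search(msg)) and pid in pid_ip:
            stats[pid_ip[pid]]["succeeded"].append(ok.group(1))
    return {ip: {**v, "users": sorted(v["users"])} for ip, v in stats.items()}

def compromised_sources(summary):  # IPs whose session got past CHAP
    return sorted(ip for ip, v in summary.items() if v["succeeded"])
```

Run against a real `/tmp/syslog.log` from the router, an empty list from `compromised_sources` is the evidence that the brute-force never got past CHAP; any entry in it is the session to investigate first.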