
1.- For years I have used the asuscomm.com DDNS service for my OpenVPN server on my Asus router, on the default port 1194.
This has nothing to do with DDNS. Exposing a common port like 1194 is a magnet for every port scanner and script kiddie on the planet. Once something like SHODAN gets any kind of response from your IP address it will get more aggressive and persistent.

Likewise, you can't stop the bots speculatively attempting Netcore backdoor attacks on every possible IP address, regardless of the fact that you personally don't have a Netcore router.
 
I insist, the existence of a website that publishes the IP addresses of Asus routers is not good.

Anyone with a computer can obtain the exact same information by using nslookup. This website is just a web frontend for it.

 
They may not find my router because they are using the obsolete IP address.

Or because they are using the DDNS hostname which you are no longer updating to the new IP...

This is just a web-based interface for nslookup (heck, even the PHP script is called nslookup.php). I just tested it with a test hostname I used a few weeks ago, and both the webui and nslookup return the exact same IP. It's just that Asus refreshes the zone with the last known IP until the account expires - just like every other DDNS provider out there.
 
Now I no longer use DDNS hostname, only the IP address, but the website http://iplookup.asus.com/nslookup.php remembers my last DDNS name and my last IP address that are no longer valid.

I don't think you have read what I just wrote - re-read the second paragraph.

Or even try it yourself with nslookup - it's also available under Windows.
 
Here's an example, with my old AsusDDNS account which I haven't used for years (so, it's also returning an outdated IP address):

[Screenshot 2019-08-27 16_28_53-Window.png: nslookup output for the old hostname]

As you can see, nslookup returns the same information as the website.

One potential reason why you were getting more traffic is because it's possible hackers might be trying to look up random hostnames within the asuscomm.com domain name, knowing that these are definitely running an Asus router. Once they find a hostname that exists, then they can try to access services that are potentially accessible by an Asus router.

They don't need a website to do that however, they can easily automate it by using nslookup with a script, for example.

That's one potential reason to avoid using asus's DDNS, not because of specific security issues related to the DDNS service, but because if someone can guess a hostname, they already know their target is running Asuswrt. It narrows things down when trying to exploit known security issues. Best to use a DDNS service with a more generic domain name IMHO.
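The point made in the post above (anyone can automate nslookup over a wordlist, and every name that resolves under a vendor domain is known to be that vendor's router) in working form. This is an added example, not code from the thread or from Asus; the resolver is injected so it runs offline, the FAKE_ZONE table and the candidate words are constructed sample data, and the addresses are documentation ranges.

```python
"""Hostname enumeration against a vendor DDNS domain (added example).

Any candidate that resolves under asuscomm.com is, by definition, an Asus
router, which is the targeting shortcut the post describes. The resolver is
a parameter so the offline run uses a constructed zone instead of real DNS.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample zone: hostnames and addresses here are made up.
FAKE_ZONE: Dict[str, str] = {
    "office.asuscomm.com": "198.51.100.7",
    "home.asuscomm.com": "203.0.113.42",
}


def fake_resolve(name: str) -> str:
    """Stand-in for gethostbyname/nslookup that answers from the constructed zone."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        # Same exception type the real resolver raises on NXDOMAIN.
        raise socket.gaierror(-2, "Name or service not known")


def real_resolve(name: str) -> str:
    """The 'nslookup with a script' the post mentions; needs network access."""
    return socket.gethostbyname(name)


def enumerate_ddns(domain: str, wordlist: List[str],
                   resolve: Callable[[str], str] = real_resolve) -> List[Tuple[str, str]]:
    """Try each label under `domain`; return (hostname, ip) for names that resolve.

    A resolving name is a hit even when the address is stale: as the post
    notes, the provider keeps serving the last known IP until the account
    expires, so a record does not prove the router is still at that address.
    """
    found: List[Tuple[str, str]] = []
    for word in wordlist:
        host = f"{word}.{domain}"
        try:
            ip = resolve(host)
        except socket.gaierror:
            continue  # no such account under this domain
        found.append((host, ip))
    return found


if __name__ == "__main__":
    # Assumed wordlist; a real scan would use a much larger one.
    for host, ip in enumerate_ddns("asuscomm.com", ["home", "office", "router", "nas"], fake_resolve):
        print(f"{host} -> {ip}")
```

Swap `fake_resolve` for `real_resolve` to reproduce what the website does; the defensive takeaway is the one the post draws, a DDNS domain that does not announce the router's make.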
 
On my Asus router for months I have suffered netcore backdoor attacks and exploit scripts. I think they were intercepted by AiProtection but these things always create concern.

Hmm, if you read the forums you would see that anyone using AiProtection sees the same "exploits" shown as blocked.

It has absolutely nothing to do with asus ddns.

When I ran AiProtection I saw these "events" and "exploits " every day and I have NEVER used asus ddns.

All you are seeing is "bots" and back scatter on the net, half the exploits shown never related to an ASUS router anyway.

TrendMicro updated AiProtection with all these fancy charts and lists and caused hysteria like this, the previous version simply worked silently without listing all the supposedly dangerous stuff.

I dropped TrendMicro from my router 18 months ago, have I been hacked?

Have any of the other 22 routers I watch over had any issues running with or without TM AiProtection? No, not once.
 
So you know, the netcore exploits you think were attacking you were patched long, long ago and, as Colin pointed out to you, you are not using a Netcore router, the exploit couldn't affect you and could not be "a personalised attack".

AiProtection is giving wrong information and making you paranoid.
 
This has nothing to do with DDNS. Exposing a common port like 1194 is a magnet for every port scanner and script kiddie on the planet. Once something like SHODAN gets any kind of response from your IP address it will get more aggressive and persistent.

^This

Starting about 18 months ago, I began to receive an attempted log in to OpenVPN on port 1194 once every day. I have *never* used asuscomm.com DDNS.

When I changed away from the default port 1194 (following the advice of ColinTaylor and others) the attempted logins stopped.

The theory is that the bad guys scan for the commonly used ports, because they are the low-hanging fruit, and this method will give them their desired results quickly. They figure it's not worth trying all 65536 ports.
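A way to see the daily attempt the post describes in the OpenVPN server log itself, rather than in AiProtection's charts, and to confirm it stopped after the port change. This is an added example, not code from the thread; the log lines are constructed samples in the shape OpenVPN 2.x writes (sources that send an initial packet but never reach "Peer Connection Initiated"), and the addresses are documentation ranges.

```python
"""Tally unsolicited OpenVPN handshake attempts per source address (added example).

Input is the OpenVPN server log (syslog or the file named by `log`/`log-append`).
A source that starts TLS handshakes but never completes one is a scanner or
credential guesser, not one of your clients.
"""
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed sample: the same scanner two nights running, plus one real client.
SAMPLE_LOG = """\
Tue Aug 27 03:12:01 2019 TLS: Initial packet from [AF_INET]203.0.113.9:44127, sid=9ab4c1d2 7e0f3a5b
Tue Aug 27 03:13:01 2019 203.0.113.9:44127 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 27 03:13:01 2019 203.0.113.9:44127 TLS Error: TLS handshake failed
Tue Aug 27 07:40:10 2019 TLS: Initial packet from [AF_INET]198.51.100.23:51002, sid=1f2e3d4c 5b6a7988
Tue Aug 27 07:40:11 2019 198.51.100.23:51002 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.23:51002
Wed Aug 28 03:12:05 2019 TLS: Initial packet from [AF_INET]203.0.113.9:58871, sid=0c1d2e3f 4a5b6c7d
Wed Aug 28 03:13:05 2019 203.0.113.9:58871 TLS Error: TLS handshake failed
"""

# Source address as OpenVPN prints it, with or without the [AF_INET] prefix.
_SRC = re.compile(r"(?:\[AF_INET\])?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def handshake_stats(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Return {ip: {"initial": n, "failed": n, "established": n}} per source IP."""
    stats: Dict[str, Counter] = {}
    for line in lines:
        m = _SRC.search(line)
        if not m:
            continue
        c = stats.setdefault(m.group(1), Counter())
        if "TLS: Initial packet from" in line:
            c["initial"] += 1
        elif "TLS handshake failed" in line:
            c["failed"] += 1
        elif "Peer Connection Initiated" in line:
            c["established"] += 1
    return {ip: dict(c) for ip, c in stats.items()}


def unsolicited_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Sources that opened handshakes but never completed one, with the attempt count."""
    return {ip: c.get("initial", 0)
            for ip, c in handshake_stats(lines).items()
            if c.get("established", 0) == 0 and c.get("initial", 0) > 0}


if __name__ == "__main__":
    for ip, n in unsolicited_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} unanswered handshake(s)")
```

Run it over the real log after moving the server off 1194: if the unsolicited list stays empty the change did what the post says it did, and if a source reappears, the scanners have found the new port and the port alone is not the protection.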
 
After more than a month without attacks, or rather, with attacks intercepted 100% by the Skynet firewall, I think I understand how direct backdoor and exploit attacks to the router work without being detected by Skynet.
You don't.

1.- Backdoor and exploit attacks are personalized, not indiscriminate, for this reason, attacking IPs do not appear on Skynet's banning lists.
Highly unlikely anything is personalized to you. Very unlikely you as a specific individual provide enough value for a personalized attack.

2.- The attackers have some type of information about us and access to some of our accounts from which they obtain the IP address of our router, whether personal or work.
Always possible...but unlikely. This is all probably generic scripts.

3.- The default configuration of the main browsers synchronizes our information and our passwords in the cloud. If the attackers have access to a main account or email then they could have access to a lot of information.
If the attack has access to your browser and your Chrome or FireFox sync, it is pretty much game over.

Actions to perform:

1.- Remove all addons from your browser and disable password synchronization. If you cannot remove any addon, reinstall the OS with the default values. Repeat this in all browsers.
One thing I do agree with if you suspect compromise.

2.- Use a password manager to generate new passwords. I recommend Chrome's internal password manager (because it also works on Android) and another one, of the freeware type, to be used when Chrome's doesn't work.
Can't argue here...any "proper" password manager will do here. I personally use Password Safe mostly since it itself is not cloud based.

3.- With the help of the password manager, change the passwords of your main accounts, although in the end you will have to change all. Activate two-step verification with your mobile phone.
Agreed. Be aware using SMS or phone calls provides limited security value. SS7 is NOT a secure protocol and a true targeted and dedicated attack can hijack your SMS.

4.- Access your account settings (Google, Microsoft, Firefox, etc.), one by one, and close session for all devices. Repeat this process for configuring device access to the email service.
No argument.

5.- If you can, change the router's IP address by automatic daily restart.
This is pointless. If you are compromised, they don't need to find your IP....they are already on your network and have outbound comms already established.

6.- Optionally ban the filtered ISPs AS14061 (DigitalOcean), AS18779 (EGIHosting) and AS46844 (Sharktech) which are in https://mega.nz/#F!LMoiBAgb!DeLYHU3qe1fioO90F0xs5A, and add to your whitelist the domains you need use.
This will probably just be a game of whack-a-mole and provide limited value unless you try to maintain it daily. Trying to do a whitelist environment for home use rarely works out well.

7.- Do not forget to activate a good firewall on your router, for example, Skynet
No argument on use a good firewall. Not sure if Skynet really falls to that level or not. Anything is better than nothing.
 
I'm sorry, I have not learned anything from what you said because you have just contradicted or doubted what I said with very few explanations.
You never asked a question, you were making statements that had flaws and provided zero background on what you were trying to accomplish and why.

What would you do if:

- You frequently receive backdoor or exploit attacks on your router that have not been filtered by the Skynet firewall, even if you change the router's IP address every day, so that the AiProtection firewall has to intervene
If your router isn't vulnerable and you have no inbound NATs setup, who cares. The Internet is the Internet and you will be scanned all the time...constantly....every day....every hour....all the time.

- AiProtection security warnings appear on your router about access to home network storage units (I always use read-only permissions or no permissions for non-administrators) from all the multimedia devices in your home network that use the same secondary Google account, different from the main one
Do you have your home network storage units exposed inbound from the Internet? We need more background and information this to help here.

- You receive messages in your email about someone knowing a lot about you and asking you for bitcoins
Yes and I get Apple invoices, FedEx delivery notices, and lottery notices...doesn't mean I respond to any of them.

- Someone accesses your account in an important store and changes the shipping address
- In some of your email accounts there are unrecognized devices with open session
- In some of your secondary Google accounts there are also unrecognized devices with open session
- In the Chrome browser there is some addon that you have not installed
Sounds like you are probably sharing passwords between various services and possibly using the same usernames as well. More than likely you do for sure have at least one compromised device and until you figure that out, everything else is pointless.

You have plenty of insolence and you lack empathy.
Empathy for what? Again, you posted statements with no logic and/or reason behind them and they were not all correct.
 
If I were in your shoes, here is what I would do.

1.) Unplug your router
2.) Put your cell phones into airplane mode
- There should not be any devices of yours with any type of Internet access
3.) Go buy a cheap laptop/phone/chromebook
- DO NOT CONNECT TO YOUR HOME INTERNET
4.) Via new/fresh device, connect to a different WiFi source and work through the password resets of all of your accounts
- do not repeat/share passwords
- do not repeat/share usernames
- every single public account should use a different password
- do not use OAuth (using your FB, Google, etc account to access/register other services)
- Multi-Factor auth may be a challenge without your cell phone....so you may need to reset/wipe it first
- kick/kill any existing sessions linked to your accounts
5.) Reload all of your devices from scratch
- start with your computers
- wipe the router
- wipe your network storage devices
- wipe anything else that connects to your network
- do NOT allow remote access
- do NOT allow any inbound NATs
6.) Begin connecting the network back together
- keep non-critical devices off line initially
7.) Sign up for credit monitoring
- if you think someone has this much info on you, you should be watching for financial accounts being opened in your name
8.) Continue watching activity logs for various services

That should cover the basics. I'm sure there are a few things I missed. A few months back someone else had posted what they had done when they realized they had something on their network compromised. It is an absolute nightmare and I would never wish this upon anyone...ever.
 
On my Asus router for months I have suffered netcore backdoor attacks and exploit scripts. I think they were intercepted by AiProtection but these things always create concern.

TrendMicro cries wolf many times over - this is the engine that is underneath AIProtection.

Netcore was a specific backdoor attack towards certain network devices, and that bug was disclosed years ago...
 
... but I never got to see the iptables configuration.
Then it makes no sense to tell people "The solution is to always check iptables on our router" as you didn't do that yourself and therefore have no reason to believe that it would have shown you anything different. Additionally, the AiProtection/netcore messages are generated by a kernel module and have nothing to do with iptables.
 
I only know that now I don't have any alert from AiProtection, none. Maybe it's because of the latest firmware update, I don't know.
Then you should remove your statement "The solution is to always check iptables on our router, a solution that surprises me that nobody mentioned" because it is incorrect as you don't know what the solution is/was.
 
Solving a firmware problem is not possible for a user, checking iptables is possible, is never bad, and allows a user to become aware of the weaknesses of their firewall.
But iptables has nothing to do with the problem you were having and is therefore not "a solution" for it.
 
Uh. Iptables isn't Schrödinger's cat. The firewall won't be both open and closed until you look at it :D
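To make concrete what "checking iptables" on the router does show: the ports the router itself answers on from the Internet, which is a separate question from the AiProtection/Netcore events the replies above attribute to the Trend Micro kernel module. This is an added example, not code from the thread, from Asuswrt or from Skynet. It parses an `iptables-save`-style dump of the filter table and lists the INPUT ACCEPT rules that are not pinned to an internal interface. The rule dump is a constructed sample, and treating br0 and lo as the internal interfaces is an assumption about the router.

```python
"""List INPUT rules that accept new traffic from the WAN in iptables-save output (added example).

Feed it `iptables-save -t filter` from the router. Rules bound to the LAN
bridge or loopback, and the RELATED/ESTABLISHED rule for replies to the
router's own connections, are skipped; what remains is the inbound surface.
"""
import shlex
from typing import Dict, List

INTERNAL_IFACES = {"br0", "lo"}  # assumption: Asuswrt LAN bridge and loopback

# Constructed sample dump: an OpenVPN server on 1194 and a remote web UI on 8443.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one '-A CHAIN ...' line into {option: value}.

    Bare flags get '', and an option preceded by '!' is stored under a
    '!'-prefixed key so '! -i br0' is not mistaken for '-i br0'.
    """
    toks = shlex.split(line)
    rule: Dict[str, str] = {}
    i, negate = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok.startswith("-"):
            key = ("!" if negate else "") + tok.lstrip("-")
            negate = False
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("-") and nxt != "!":
                rule[key] = nxt
                i += 2
            else:
                rule[key] = ""
                i += 1
        else:
            i += 1
    return rule


def wan_reachable_ports(dump: str) -> List[str]:
    """INPUT ACCEPT rules that match new packets on any interface, as 'proto/port' strings."""
    exposed: List[str] = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        if r.get("j") != "ACCEPT":
            continue
        if r.get("i") in INTERNAL_IFACES:
            continue  # LAN-only or loopback
        if "RELATED" in r.get("state", "") or "RELATED" in r.get("ctstate", ""):
            continue  # replies to connections the router opened itself
        exposed.append(f"{r.get('p', 'any')}/{r.get('dport', '*')}")
    return exposed


if __name__ == "__main__":
    for entry in wan_reachable_ports(SAMPLE_RULES):
        print("reachable from WAN:", entry)
```

On the sample this reports udp/1194, tcp/8443 and icmp/*; on a real dump, anything listed that you did not put there deliberately is the thing to look at. It says nothing about IPS log entries, which, as noted above, do not come from these rules.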
 
