Has my RT-AC68U been hacked? Odd 2-Way IPS hits!

Stuey3D

Regular Contributor
Hi all.

I had a look at my RT-AC68u router firmware this morning and noticed under the 2-Way IPS protection page that I have had some "Client Device Infected" hits. Well, this sent me into panic mode thinking my laptop had some malware; however, the laptop has had a full scan with the latest definitions and appears clean, and oddly enough nothing is being listed under the "Infected device prevention and blocking" page, leading me to believe it could be the router itself.

There have been 59 hits from a 00.00.00.00.00.00 MAC address. The source IP address is my own external IP address and the target appears to be 2 IP addresses in Russia according to the IP lookup service, and the security alert is listing "FTP Brute force login -2".

Worryingly, my friend who has the same router as me has also got these security events, and even more going back further (I factory reset mine a couple of weeks ago after some experimentation, so my log has been cleared).

Is the ASUS firmware compromised, as I know other router brands have had a high-profile hack recently, or is it an unlikely coincidence that my friend and I both have the same hits?

Thankfully AiProtection is doing its job, it seems, but the router shouldn't be doing this in the first place.

Is anyone else having this issue? Is there a known fix? Is this something to worry about? Am I going to have to buy a new router or flash it to DD-WRT or something drastic? As I've said, my router has been fully factory restored recently after experimenting with stock and Merlin firmware and is currently running the latest stock firmware.


Thanks for looking, any help is greatly appreciated.
 
Yes I do, so did my friend.

However, I would assume that stuff would attempt to dial in to the FTP from outside, not that the FTP would dial out?
 
What's worrying me most about these hits is that they appear to be something on my side trying to get out, rather than script kiddies trying to get in like every other 2-Way IPS hit, which seems to be normal with these routers (in the multiple threads about 2-Way IPS, all the hits are external inwards).
 
Sorry, I can't comment because I can't read your screenshot. But from what you wrote it sounds like the attack is coming from outside.
 
Ahh yes, the screenshot is a bit small, although on my end it's full size; for some reason the forum won't show it full size regardless of whether I choose full or thumbnail.

However, the attacks appear to be going from inside out, as the source IP is my own external IP (the blacked-out box) and the destination IPs are in Russia according to the Whois server.
 
It might just be misreporting the source and destination; FTP is a bit odd in the way it works.

I suggest that you disable FTP on the router and see if the messages go away.

BTW Did you realise that FTP is a totally insecure protocol?
 
Hmm, I'm hoping you are right and that it is AiProtection reporting it a bit wonky rather than the other way around.

I shall disable FTP, as it wasn't used a huge amount in the first place, and yes, I knew it wasn't the most secure but was hoping strong passwords might have mitigated it a bit. Didn't realise it was totally insecure, though.

Surprised that AiProtection's router assessment doesn't flag that up; the only security risk mark I have against the router in that list is UPnP still being enabled.
 
Perhaps I should qualify "totally insecure". That's not a comment on whether the FTP server can be hacked per se. But rather that when you transfer data over the internet using FTP all the information is sent in plain text, including user names and passwords.

So this means that theoretically, if someone were to be sniffing your traffic while you were using FTP, they could see everything. Given the amount of effort people on these forums go to to ensure everything they send over the internet is encrypted (i.e. using HTTPS, DNSSEC, VPN, etc.), unencrypted FTP is the opposite of this.
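To make the point above concrete, here is an added example (not from the thread or from ASUS) that walks a captured FTP control-channel conversation line by line and reports whether the login went over the wire readable; the two captures are constructed samples, and the user name and password in them are made up.

```python
"""Why cleartext FTP is risky: the control channel on TCP port 21 carries
USER and PASS as plain text, so anything between client and server can read
them. Added example, not part of the original thread; sessions are constructed."""
import re
from typing import Optional

# Constructed sample: an ordinary FTP login as seen on the wire.
PLAIN_SESSION = b"""220 router FTP server ready\r
USER alice\r
331 Password required for alice\r
PASS Tr0ub4dor&3\r
230 User logged in\r
"""

# Constructed sample: explicit FTPS. After "AUTH TLS" the two sides negotiate
# TLS, so the login that follows is ciphertext (represented by opaque bytes).
FTPS_SESSION = b"""220 router FTP server ready\r
AUTH TLS\r
234 Proceed with negotiation\r
\x16\x03\x03\x00\xa5\x01\x00\x00\xa1\x03\x03\r
"""

CMD_RE = re.compile(rb"^(USER|PASS|AUTH)\s+(.*)$")


def extract_exposed_credentials(capture: bytes) -> Optional[dict]:
    """Return {'user': ..., 'password': ...} if a login was sent in the clear,
    or None if the session switched to TLS first or no login was observed."""
    seen = {}
    for raw in capture.split(b"\r\n"):
        m = CMD_RE.match(raw.strip())
        if not m:
            continue  # server replies, ciphertext and unrelated commands
        verb, arg = m.group(1), m.group(2).decode("latin-1")
        if verb == b"AUTH" and arg.upper() == "TLS":
            return None  # credentials will travel inside the TLS tunnel
        seen[verb.decode()] = arg
        if "USER" in seen and "PASS" in seen:
            return {"user": seen["USER"], "password": seen["PASS"]}
    return None


if __name__ == "__main__":
    print("plain FTP:", extract_exposed_credentials(PLAIN_SESSION))
    print("FTPS     :", extract_exposed_credentials(FTPS_SESSION))
```

Running the same check over a capture of your own FTP session is a quick way to confirm what a strong password does and does not protect against: it does nothing for a credential that is readable in transit.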
 
FTP and all USB media serving has been stopped and the hard drive pulled. I have also disabled UPNP, but I'm not sure if I will enable that again, as I need to see if I break anything by having it disabled.

According to AiProtection the router has a full green secure setup; let's see if this stops those messages.
 