Merlin Asus RT-N66U Issue – A bad April fool's day joke or a real attack?

AprilJokeOrNot

[Google translate from Russian]
When I login web interface I saw 16 clients (usually 5-7). I began to update the value, and I had what I recorded on video (when the cursor approaches the topBanner, it freezes).
I immediately went to the system log to see there are hundreds of these posts (I do not remember exactly IP):
Mar 31 22:55:57 dropbear[1210]: Child connection from 225.*
Mar 31 22:55:59 dropbear[1210]: Login attempt for nonexistent user from 225.*
Mar 31 22:56:00 dropbear[1210]: Exit before auth: Exited normally
I went to shut off access to the administrator from the WAN
I downloaded the latest merlin firmware and flashed;
Before flash nothing has changed.
Settings:
YVeHLCn5uRU.jpg


How to fix it?
 
Or if you need SSH, enable brute force protection to prevent it from getting hammered, and potentially overloading your router.
 
Either disable SSH access from WAN, enable bruteforce protection or use SSH keys and this won't be a problem. I personally do all three :cool:
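
Added example, not part of the original thread or of the firmware: a small log check that counts failed dropbear logins per source address, the kind of pattern the system log lines quoted above show. The sample log is constructed (documentation-range addresses), and the function name `flag_bruteforce`, the threshold, the window and the `year` default are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread; addresses are
# documentation ranges (RFC 5737), not values from the original post.
SAMPLE_LOG = """\
Mar 31 22:55:57 dropbear[1210]: Child connection from 203.0.113.7:40112
Mar 31 22:55:59 dropbear[1210]: Login attempt for nonexistent user from 203.0.113.7:40112
Mar 31 22:56:00 dropbear[1210]: Exit before auth: Exited normally
Mar 31 22:56:02 dropbear[1211]: Child connection from 203.0.113.7:40120
Mar 31 22:56:04 dropbear[1211]: Bad password attempt for 'admin' from 203.0.113.7:40120
Mar 31 22:56:09 dropbear[1212]: Child connection from 203.0.113.7:40131
Mar 31 22:56:11 dropbear[1212]: Login attempt for nonexistent user from 203.0.113.7:40131
Mar 31 23:10:00 dropbear[1300]: Child connection from 192.168.1.20:51000
Mar 31 23:10:03 dropbear[1300]: Bad password attempt for 'admin' from 192.168.1.20:51000
"""

# Failed-auth messages only; the syslog hostname field is optional, IPv4 only.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?:\S+\s)?dropbear\[\d+\]:\s"
    r"(?:Login attempt for nonexistent user|Bad password attempt for '[^']*')"
    r"\sfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")

def flag_bruteforce(log_text, threshold=3, window=timedelta(minutes=5), year=2000):
    """Return {ip: most failures inside any `window`} for IPs reaching `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # syslog omits the year, so one is assumed for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))
```

Lines whose source address is masked, like the `225.*` entries quoted above, do not match the pattern and are skipped.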
 
I need to set up a local area network via SSH, so it turned on for local clients.
Allow SSH access from WAN deny & Enable SSH Brute Force Protection turned on before this situation.

but how I then got 16 clients?
 
If you mean clients listed on the first page, this has nothing to do with SSH. This only lists clients connected through either wifi or Ethernet.

Keep in mind also that disconnected clients will still be shown, until you refresh the list.
 
Way to ruin your credibility with the merlin builds.

His issue has nothing to do with the April 1st trick, which is entirely done through CSS.

Just like Google's...
 
Never claimed to fully understand the firmware RMerlin has created, I use it as an improvement over the OEM because I have little understanding of this device. As I stated I've been having network issues lately (ended up rebuilding my NAS data over the last 2 days) and today I saw the banner drop like that so the first thing I thought was that I had been hacked. Then everything redirects to either the router logon or only permits access to sites containing sensitive personal & banking information, that all just makes for a very bad day so far. I can forgive the joke as it's not symptomatic of my redirect problem ;)
 
I certainly understand that it was just bad timing.

Based on what you describe, is it possible that you were only able to access HTTPS sites, and not HTTP sites? If so, sounds like something was blocking outbound access to port 80. Did you change anything that might involve port 80 (such as an OpenVPN server or client on port 80)?
 
I changed only the admin password when this all started happening. Right now, I just reset to factory default settings, I had a couple of port forwarding rules regarding my Synology NAS, but I can live without any of it right now. I just want to get things back on a normal keel before I start with being able to access through the internet again. :D

EDIT - Telnet & SSH have been disabled as has WPS. Other than being able to access a small USB drive from my LAN and the SSID, it's all default (admin password changes are a given).
 