YazFi mystery SSID keeps appearing and disappearing and changing

randomised
Hello,
I have a weird problem. I first noticed a strange SSID sometimes being detected and then disappearing again. I noticed it had the same MAC address as my router, but I could not find it in the GUI at all.
I contacted ASUS support, which was useless; they told me it's not my router and stopped responding to emails. I started reading through all the forums here and worked out that it's indeed my router, and when I do an nvram getall listing I can see it configured. Asus support just ignored that part and no longer respond. (Great job, Mr Kator.)
Anyway, I installed Merlin and YazFi but still can't find this SSID in the GUI; however, I did find it with the YazFi terminal script...

Screenshot_20230418_181433_JuiceSSH.png


As you can see, number 3 is missing and number 4 is the mystery SSID. The SSID changes constantly but keeps the same format. I can edit it here or directly in nvram and even delete it from nvram, but it just keeps coming back despite many factory resets and that nuclear reset, WPS hard resets and the firmware recovery tool I've used as well. I've installed the very first ASUS firmware and then upgraded from it, but this still exists, along with a number of other settings and config that I don't recognise, including a completely different MAC address for the router itself and a number of VLAN subnet and virtual server names that I don't recognise or know how they got there, and which seem to be able to survive every reset method.

The router is an RT-AX58U; it was brand new last year, I think.

I would like to ask for some help in finding where this is coming from and how it can survive; it's almost like it's part of the hardware, and I wonder if this router is compromised. I've never enabled remote access. I did play around with Google Assistant integration a bit, but that's been disabled and useless long ago.

At the moment, it's got the latest Merlin installed, a WPS hard reset done and set up from scratch.

Thanks for any help in advance.
 
What firmware are you running on the RT-AX58U? How is the router configured (WiFi router, AP mode, media bridge, etc.)? Are you using any sort of AiMesh? Is the AX58U an AiMesh node? How is the WiFi configured on the router? Have you activated any Guest Networks? If you have installed YazFi, check the YazFi configuration file using the CLI to see if there are any errors like SSID entries and IP addresses.
 
It's the latest Merlin as of last night, but it doesn't matter which version; it's always got this SSID no matter which version I use.
Normal WiFi router, no mesh. I have 2 guest networks turned on; the 3rd seems to conflict with this mystery SSID and doesn't work. I installed YazFi last, and it was the only thing that actually showed me the SSID existed, other than looking directly in the nvram config. The YazFi config did not have anything like this in it; it existed before I installed YazFi and didn't go away when I applied the YazFi settings after installing it.

Whenever I change any WiFi setting, and the WiFi disconnects to enable the setting, is the only time the SSID is discovered by any client. It then disappears and is not seen again until I change any setting, so it was fun trying to find it the first time. It's not hidden; it's just there lurking in the background.
 
Is WPS and WDS disabled on the router?
When you were doing a hard factory reset were you importing a saved router CFG file that was previously exported from that router? If so don't, instead manually reconfigure without importing a saved router CFG file.

You could try seeing what ifconfig lists from the SSH command line and see what it lists for WiFi adapters on the router.

You could dump the NVRAM to a text file and review to see if that SSID shows up.

Was the router purchased new or used? Has it run any other firmware on it besides Asus-Merlin or Asus stock?

Do you have the V1 or V2 version of the RT-AX58U?
 
WPS is disabled (but in nvram this SSID has it set to on).
WDS is disabled.

I never do a restore of settings; I never back them up. I always set up from scratch to avoid problems being carried over.

According to YazFi the offending SSID is wl0.4.
ifconfig output is below.

NVRAM does have it all, as this was the first place I could find evidence of it. I can delete it from nvram, but it just comes back again every time I reboot or apply firmware; that's why I was thinking it's built into the router somehow.

It was a new router, V1; it's only had Merlin or Asus as far as I know, but I'm thinking perhaps it's been remotely tampered with.
The nvram contains a lot of other config that I don't think should be there, almost like a second virtual router could exist. Just a wild guess.

What I'll paste below is just a copy and paste from nvram of the config I don't recognise and can't seem to remove permanently, or that always comes back.

The 101 subnet I did not create; it's just there and I can't remove it.

The SSID is there and has changed again; something is changing it.

The MAC address starting with 06: is not my router, but it's still there and I can't remove it.

There is also a lot of VPN configuration in nvram that I don't recognise, and I have no VPN set up currently.

I've tried to tell this to ASUS, but it's a dead end.


wgn_brif_rulelist=<br1>192.168.101.1/24><br2>192.168.102.1/24>
wl0.4_akm=psk2
wl0.4_ap_isolate=0
wl0.4_auth=0
wl0.4_auth_mode=none
wl0.4_auth_mode_x=psk2
wl0.4_bridge=
wl0.4_bss_enabled=1
wl0.4_bss_maxassoc=128
wl0.4_bw_dl=
wl0.4_bw_enabled=0
wl0.4_bw_ul=
wl0.4_closed=0
wl0.4_crypto=aes
wl0.4_dwds=1
wl0.4_expire=0
wl0.4_hwaddr=04:42:1A:58:3B:7C
wl0.4_ifname=wl0.4
wl0.4_infra=1
wl0.4_key=1
wl0.4_key1=
wl0.4_key2=
wl0.4_key3=
wl0.4_key4=
wl0.4_lanaccess=on
wl0.4_macmode=disabled
wl0.4_maxassoc=128
wl0.4_mcast_regen_bss_enable=1
wl0.4_mfp=0
wl0.4_mode=ap
wl0.4_net_reauth=3600
wl0.4_preauth=
wl0.4_radio=1
wl0.4_radio_pwrsave_enable=0
wl0.4_radio_pwrsave_level=0
wl0.4_radio_pwrsave_pps=10
wl0.4_radio_pwrsave_quiet_time=1800
wl0.4_radio_pwrsave_stas_assoc_check=1
wl0.4_radius_ipaddr=
wl0.4_radius_key=
wl0.4_radius_port=1812
wl0.4_rxchain_pwrsave_enable=1
wl0.4_rxchain_pwrsave_pps=10
wl0.4_rxchain_pwrsave_quiet_time=1800
wl0.4_rxchain_pwrsave_stas_assoc_check=1
wl0.4_ssid=27A813D5BF623F5804A6C2A9926BBE80
wl0.4_sta_retry_time=5
wl0.4_txbf_bfe_cap=15
wl0.4_unit=0.4
wl0.4_wep=disabled
wl0.4_wep_x=0
wl0.4_wfi_enable=0
wl0.4_wfi_pinmode=0
wl0.4_wme=on
wl0.4_wme_bss_disable=0
wl0.4_wmf_bss_enable=1
wl0.4_wmf_psta_disable=
wl0.4_wpa_gtk_rekey=3600
wl0.4_wpa_psk=A152DA69C5E761C4F494A149CDF359E4
wl0.4_wps_mode=enabled
wl0.5_akm=
wl0.5_auth=0
wl0.5_auth_mode=none
wl0.5_hwaddr=06:42:1A:58:3B:7D
wl0.5_maclist=
wl0.5_macmode=disabled
wl0.5_preauth=
wl0.5_txbf_bfe_cap=15
wl0.5_wep=disabled
wl0.6_akm=
wl0.6_auth=0
wl0.6_auth_mode=none
wl0.6_hwaddr=06:42:1A:58:3B:7E
wl0.6_maclist=
wl0.6_macmode=disabled
wl0.6_preauth=
wl0.6_txbf_bfe_cap=15
wl0.6_wep=disabled
wl0.7_akm=
wl0.7_auth=0
wl0.7_auth_mode=none
wl0.7_hwaddr=06:42:1A:58:3B:7F
wl0.7_maclist=
wl0.7_macmode=disabled
wl0.7_preauth=
wl0.7_txbf_bfe_cap=15
wl0.7_wep=disabled
wl0.8_akm=
wl0.8_auth=0
wl0.8_auth_mode=none
wl0.8_hwaddr=06:42:1A:58:3B:80
wl0.8_maclist=
wl0.8_macmode=disabled
wl0.8_preauth=
wl0.8_txbf_bfe_cap=15
wl0.8_wep=disabled
wl0.9_akm=
wl0.9_auth=0
wl0.9_auth_mode=none
wl0.9_hwaddr=06:42:1A:58:3B:81
wl0.9_maclist=
wl0.9_macmode=disabled
wl0.9_preauth=
wl0.9_txbf_bfe_cap=15
wl0.9_wep=disabled
wl0.10_akm=
wl0.10_auth=0
wl0.10_auth_mode=none
wl0.10_hwaddr=06:42:1A:58:3B:82
wl0.10_maclist=
wl0.10_macmode=disabled
wl0.10_preauth=
wl0.10_txbf_bfe_cap=15
wl0.10_wep=disabled
wl0.11_akm=
wl0.11_auth=0
wl0.11_auth_mode=none
wl0.11_hwaddr=06:42:1A:58:3B:83
wl0.11_maclist=
wl0.11_macmode=disabled
wl0.11_preauth=
wl0.11_txbf_bfe_cap=15
wl0.11_wep=disabled
wl0.12_akm=
wl0.12_auth=0
wl0.12_auth_mode=none
wl0.12_hwaddr=06:42:1A:58:3B:84
wl0.12_maclist=
wl0.12_macmode=disabled
wl0.12_preauth=
wl0.12_txbf_bfe_cap=15
wl0.12_wep=disabled
wl0.13_akm=
wl0.13_auth=0
wl0.13_auth_mode=none
wl0.13_hwaddr=06:42:1A:58:3B:85
wl0.13_maclist=
wl0.13_macmode=disabled
wl0.13_preauth=
wl0.13_txbf_bfe_cap=15
wl0.13_wep=disabled
wl0.14_akm=
wl0.14_auth=0
wl0.14_auth_mode=none
wl0.14_hwaddr=06:42:1A:58:3B:86
wl0.14_maclist=
wl0.14_macmode=disabled
wl0.14_preauth=
wl0.14_txbf_bfe_cap=15
wl0.14_wep=disabled
wl0.15_akm=
wl0.15_auth=0
wl0.15_auth_mode=none
wl0.15_hwaddr=06:42:1A:58:3B:87
wl0.15_maclist=
wl0.15_macmode=disabled
wl0.15_preauth=
wl0.15_txbf_bfe_cap=15
wl0.15_wep=disabled
wl1.10_hwaddr=06:42:1A:58:3B:86
wl1.10_txbf_bfe_cap=15
wl1.11_hwaddr=06:42:1A:58:3B:87
wl1.11_txbf_bfe_cap=15
wl1.12_hwaddr=06:42:1A:58:3B:88
wl1.12_txbf_bfe_cap=15
wl1.13_hwaddr=06:42:1A:58:3B:89
wl1.13_txbf_bfe_cap=15
wl1.14_hwaddr=06:42:1A:58:3B:8A
wl1.14_txbf_bfe_cap=15
wl1.15_hwaddr=06:42:1A:58:3B:8B
wl1.15_txbf_bfe_cap=15

subnet_rulelist=<192.168.101.1>255.255.255.0>1>192.168.101.2>192.168.101.254>86400>>>>>>1><192.168.102.1>255.255.255.0>1>192.168.102.2>192.168.102.254>86400>>>>>>1>
url_rulelist=
url_sched=000000
vlan_pvid_list=
vlan_rulelist=<1>501>0>0>FFFF>0002>0000>192.168.101.1/24>1>0>1><1>502>0>0>FFFF>0000>0002>192.168.102.1/24>1>0>1>
 
Might as well ping @RMerlin to see if he has any thoughts on your issue at least as it relates to his Asus-Merlin firmware.
 
Time to call in Tier 2 support! LOL ;)

@randomised ... what other scripts or apps are you running on your router, other than YazFi? Have you looked in your start-up scripts to see if anything is running unbeknownst to you? Have you checked the "top" or "htop" commands to see if you see any programs running that you may not be familiar with? Sometimes they show what command they're running, which might give you more of a hint.

If worst comes to worst, have you tried a complete reset from scratch yet?
 
I have factory reset with every method known; at the moment it's a from-scratch build as of the other night, with nothing special added, no restoring of settings ever.

These settings survive everything.

I've looked at those, but I figured a fresh factory reset and FW update would have wiped everything, and I wouldn't know what should be there or shouldn't.
 
there is also a lot of VPN configuration in nvram that I don't recognise and I have no VPN setup currently.
Could you elaborate or post some nvram info about this particular piece as well? I'm curious...
 
Here is some of the VPN stuff in nvram:

wgn_brif_rulelist=<br1>192.168.101.1/24><br2>192.168.102.1/24>
wgn_enabled=0
wgn_vlan_flag=0
wgs_addr=10.6.0.1/32
wgs_alive=25
wgs_dns=1
wgs_enable=0
wgs_lanaccess=1
wgs_nat6=1
wgs_port=51820
wgs_priv=
wgs_psk=0
wgs_pub=
wgs_unit=1

vpn_server2_nm=255.255.255.0
vpn_server2_pdns=0
vpn_server2_port=1195
vpn_server2_proto=udp
vpn_server2_r1=192.168.1.50
vpn_server2_r2=192.168.1.55
vpn_server2_remote=10.16.0.2
vpn_server2_remote6=
vpn_server2_sn=10.16.0.0
vpn_server2_sn6=fd00:ac68:2::/64
vpn_server2_state=0
vpn_server2_tls_keysize=0
vpn_server2_userpass_auth=1
vpn_server2_verb=3
vpn_server_c2c=0
vpn_server_ccd=0
vpn_server_ccd_excl=0
vpn_server_cipher=AES-128-CBC
vpn_server_client_access=0
vpn_server_comp=-1
vpn_server_crypt=tls
vpn_server_custom3=
vpn_server_dhcp=1
vpn_server_digest=default
vpn_server_hmac=-1
vpn_server_if=tun
vpn_server_igncrt=0
vpn_server_ip6=0
vpn_server_local=10.16.0.1
vpn_server_local6=
vpn_server_nat6=1
vpn_server_ncp_ciphers=AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:CHACHA20-POLY1305
vpn_server_nm=255.255.255.0
vpn_server_pdns=0
vpn_server_port=1195
vpn_server_proto=udp
vpn_server_r1=192.168.1.50
vpn_server_r2=192.168.1.55
vpn_server_remote=10.16.0.2
vpn_server_remote6=
vpn_server_sn=10.16.0.0
vpn_server_sn6=fd00:ac68:2::/64
vpn_server_tls_keysize=0
vpn_server_unit=2
vpn_server_userpass_auth=1
vpn_server_verb=3
vpn_serverx_start=
 
Maybe related: if I try to install Asus firmware over Merlin it fails; the only way to get back to the ASUS original is to apply the very first firmware version listed on the Asus website.
 
Might as well ping @RMerlin to see if he has any thoughts on your issue at least as it relates to his Asus-Merlin firmware.
@RMerlin
Hi guys, after installing the latest firmware everything I removed from nvram came back again. It's like the source info is changed where NVRAM is stored. Can you help me with that? I'm kind of getting a bit desperate now.
 
Hi

Yeah, I've done the nuke a few times.
Have you tried using a wifi network analyzer tool (like from a PC/mobile device) to determine if it sees this SSID, whether it's local or a distance away, to determine if this is something your router is producing or externally introduced? Might give you some more clues?
 
Hi

Yes, I've already done that; it's in my router's nvram, it's definitely my router.
 
I'm curious what output you get from this command:
Code:
nvram show | grep _vif
Hi,

Output as follows:

wl0_vifnames=wl0.1 wl0.2 wl0.3 wl0.4
wl0_vifs=wl0.1 wl0.2 wl0.4
wl1_vifnames=wl1.1 wl1.2 wl1.3
wl1_vifs=wl1.1 wl1.2
wl_vifnames=wl0.1 wl0.2 wl0.3 wl0.4
size: 75987 bytes (55085 left)
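A way to make this kind of nvram review systematic, as an added example that is not part of the thread or of the YazFi project: it parses `nvram show`-style output, rebuilds the per-radio wlX.Y virtual-interface table and reports interfaces declared in _vifnames but absent from _vifs, BSSes with WPS on, and hardware addresses with the locally administered bit set (the 06: addresses). The sample input is constructed from a few of the keys quoted in the thread.

```python
"""Rebuild the wlX.Y virtual-interface table from `nvram show` output and flag oddities."""
import re
# Constructed sample using a few of the keys quoted in the thread; on the router
# you would feed in the real output of `nvram show` instead.
SAMPLE_NVRAM = """\
wl0_vifnames=wl0.1 wl0.2 wl0.3 wl0.4
wl0_vifs=wl0.1 wl0.2 wl0.4
wl0.4_ssid=27A813D5BF623F5804A6C2A9926BBE80
wl0.4_wps_mode=enabled
wl0.4_hwaddr=04:42:1A:58:3B:7C
wl0.5_hwaddr=06:42:1A:58:3B:7D
size: 75987 bytes (55085 left)
"""
VIF_KEY = re.compile(r"^(wl\d+\.\d+)_(\w+)$")

def parse_nvram(text):
    # one key=value per line; the trailing "size:" summary has no '=' and is dropped
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def vif_table(nv):
    # {"wl0.4": {"ssid": ..., "hwaddr": ...}, ...}
    table = {}
    for key, val in nv.items():
        m = VIF_KEY.match(key)
        if m:
            table.setdefault(m.group(1), {})[m.group(2)] = val
    return table

def locally_administered(mac):
    # bit 1 of the first octet set (04: clear, 06: set): not a burned-in, OUI-assigned address
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(nv):
    """Return (interface, reason) pairs; heuristics to guide a review, not proof of tampering."""
    findings = []
    for key in sorted(k for k in nv if k.endswith("_vifnames")):
        radio = key[: -len("_vifnames")]
        active = nv.get(radio + "_vifs", "").split()
        for vif in nv[key].split():
            if vif not in active:
                findings.append((vif, "declared in _vifnames but absent from _vifs"))
    for vif, props in sorted(vif_table(nv).items()):
        radio = vif.split(".")[0]
        if vif not in nv.get(radio + "_vifnames", "").split():
            findings.append((vif, "has nvram keys but is not in _vifnames"))
        if props.get("wps_mode") == "enabled":
            findings.append((vif, "WPS enabled on this BSS; SSID " + props.get("ssid", "?")))
        if "hwaddr" in props and locally_administered(props["hwaddr"]):
            findings.append((vif, "locally administered MAC " + props["hwaddr"]))
    return findings
```

Run it against a full dump and diff the findings before and after a reboot or firmware flash to see exactly which entries are being recreated.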
 

As one of your steps, have you tried doing the reset from within the GUI and checking off "initialize variables"?

The other option is to do an "NVRAM Erase" from the CLI, then load the latest Asus or Merlin firmware, using recovery method and the restore tool if needed.

It certainly looks like you may have had some malware on that router at some point and factory reset isn't clearing all the leftover stuff, probably because it isn't using standard NVRAM variables.

I would start with just a very basic config after all the resets and see if any of the VLAN or wifi variables get recreated.
 
Yes, I have done that, also with the restore tool.

In fact I only just did a factory reset a few days ago.

nvram erase I've done a few times, and it just comes back the same again.
 
