New GT-AX6000 Maybe hacked with some custom firmware? HELP!

[KineticSloth]

So I just got a new GT-AX6000 to replace my RT-AC66_BU a couple months ago. A couple weeks ago, I got a hang up call on our fiber digital phone land line, and my wifi disconnected. About 4-5mins later, same number called & hung up again. About that time, since I couldnt reconnect to the wifi, I did a power-off reboot of the router. When it rebooted, I was able to get into the Admin pages. I looked thru the syslog, and saw stuff I've never seen before for just a reboot. Namely, that apparently, two seperate firmware files were uploaded & installed to the ROM chip. Both filenames were in a format I've not seen Asus/Asus Merlin use. The first started with "Blackfin", the 2nd was "Longfin". Also for a simple reboot, & even a standard firmware update, the syslog seemed *really* long, and again, had a ton of stuff I've never seen before.

So, over the next hour or so, I first tried to turn off the wifi, thinking maybe wifi was compromised, and I wanted to shut it off, then use ethernet to continue digging into my settings & config. However, when I turned off the 2.4G wifi, & hit apply, the router rebooted, and after, I couldnt connect to wifi again, and apparaently my 5G SSID had been changed, to "ASUS_XX", and was completely open, with no security/password assigned. So I powered it down, connected by ethernet, rebooted, and the 5G SSID had changed yet again to "Moving Castle". Checking the log again, it again re-flashed both firmware files. I immediately went to turn off the 5G, but hitting "Apply" and after a reboot again, the 5G SSID then changed to "Sam15". And again, the firmware was flashed again. At that point, i just disconnected it, left it off, and took it to a friend's house a week later.

I was then able to ethernet in, and reflash the latest AsusMerlin, and everything "seems" to be working normally. I havent tried hooking it up at home, to *my* fiber modem yet, tho.

Just wondering if it may have been hacked & now has backdoors installed.. ?? Gonna probably call Asus directly & see what they say.
I do have a copy of the first three syslogs, from when this first happened. I've scrubbed the first one for my IPs & MAC addresses, so i can share it if someone really knowledgeable with Merlin wants to poke it.

EDIT: Oh!, also, right before the weird phone call, then this all happening, my syslog shows my SmartTV was being authorized/deautherized, every hour, right up to just a few minutes before the phone call and the weird stuff happening..?? I just read another thread, where people are discussing the possibility of a recent IoT botnet attack/hack? Also, involving GT-AX600's?

Thanx for any thoughts or help.

 

[bennor]

Did you have AiCloud enabled on the Asus router when the issues started?

Malware damaging ASUS routers?

This malware damaging Asus routers has to be described in a sticky thread with a warning sign! Update: Asus is releasing patched firmware for multiple models. Check for firmware updates! The changelog for most firmware releases contains the following: 1. Strengthened input validation and data...

www.snbforums.com

 

[ColinTaylor]

Blackfin and Longfin are the names of Broadcom drivers. Nothing unusual there.

The changing SSIDs are worrisome but you'll need to post your syslogs if you want more analysis.

 

[bbunge]

Download firmware version 3.0.0.6.102_34810 from https://rog.asus.com/networking/rog-rapture-gt-ax6000-model/helpdesk_bios/
Flash the firmware to the router then do a reset with initialize and manually set the router up. Do not use a saved settings file. You should then be good to go.

 

[Ripshod]

ASUS_XX is the default ssid with that router.
Is your phone voip?
This has happened with my own router, though I missed over 100 calls before I actually watched it happen. It kept happening when I was rebuilding all my settings. Turning the voip phone off stopped it while I did a (successful) rebuild. There's a voip/sip setting on my Grandstream that I changed to block these calls and it's not happened again.
I know there's a lot of bots out there targeting port 5060,so maybe this is a new attack vector(?).

 

[KineticSloth]

Did you have AiCloud enabled on the Asus router when the issues started?

Malware damaging ASUS routers?

This malware damaging Asus routers has to be described in a sticky thread with a warning sign! Update: Asus is releasing patched firmware for multiple models. Check for firmware updates! The changelog for most firmware releases contains the following: 1. Strengthened input validation and data...

www.snbforums.com

No... Never used the function, even on my old RT-AC66_BU.

BTW, thinking of the AC66, and why i just had to replace it with the AX6000, last Oct, I had basically the same symptoms of the Wifi dropping in & out, and admin accessability getting progressively worse at every reboot & firmaware re-flash attempt, till i could no longer even get into the Admin pages via webui.

 

[KineticSloth]

Download firmware version 3.0.0.6.102_34810 from https://rog.asus.com/networking/rog-rapture-gt-ax6000-model/helpdesk_bios/
Flash the firmware to the router then do a reset with initialize and manually set the router up. Do not use a saved settings file. You should then be good to go.

Have already done that twice.

Attached my first syslog, when I think the initial issues started. I also have the next two, from right after, when I tried reflashing 3.0.0.6.102_34810.

 

[KineticSloth]

ASUS_XX is the default ssid with that router.
Is your phone voip?
This has happened with my own router, though I missed over 100 calls before I actually watched it happen. It kept happening when I was rebuilding all my settings. Turning the voip phone off stopped it while I did a (successful) rebuild. There's a voip/sip setting on my Grandstream that I changed to block these calls and it's not happened again.
I know there's a lot of bots out there targeting port 5060,so maybe this is a new attack vector(?).

Yes, thanx, I know the "ASUS_XX" is default SSID.. my concern was that it was completely open, with NO WEP/WPA assigned, even just using a default, initial password (ie the one printed on the sticker on the bottom of the router).

Hmm.. Idk about the phone. We have fiber coming into a small modem, then a hard phone line from that to a wireless phone base unit. Unfortunately, we have always been plagued with scam & bogus calls, up to 6-10 per day.

One thing I also thought weird about when this started happening, just a couple minutes after theweird incoming calls, the phone number calling in, was the same area code, and all the rest of the number were same digits as the customer service number for our fiber provider, just a couple in a different order.

Thanx for everones suggestions & ideas. I'll take a look at implementing/checking into them all.
If someone could please poke my attached log, I'ld be really interested in hearing if there *is* anything in there unusual. Like I said, I've never seen any of my syslogs this long, or include a bunch of stuff thats in there.

 

[ColinTaylor]

Attached my first syslog, when I think the initial issues started. I also have the next two, from right after, when I tried reflashing 3.0.0.6.102_34810.

There is nothing suspicious in this log file. It appears that you powered off the router (and the modem connected to its WAN port?) and then turned the router back on. There is no internet connection by the end of the log, presumably because you hadn't yet turned your modem back on.