Off the wall, outside the box question on problems with 384

cmkelley

Very Senior Member
Given the number of reports of issues with 384, and also some reports of routers suddenly changing the language to a presumed Asian language, is it _possible_ that through some as-yet undetected vulnerability, hackers are gaining access to routers, installing a firmware "rootkit"?? Something that for some reason doesn't interfere with the 380 series but causes issues with 384?? And survives a firmware flash? Would there be any way to even check and see if something like this has been done?

I realize it's a zany and highly improbable idea, but so is the fact that large numbers of people are having no problems with 384, but a sizable minority are. I'm not anywhere near smart enough about routers and such to know if this is even in the realm of possibility, so go easy on me if this is technically impossible. :)

As an aside, I did have my AC3200 suddenly come up in what I think was Korean one day, and I couldn't log in. I had no servers accessible from the WAN, and WAN access to SSH and the web interface were turned OFF. Thinking a hack might have been possible*, I decided to factory reset and then flash 384 without first verifying the thing worked, other than logging in (everything was back to English). So I don't know if the sudden change to Korean was due to an overheating issue (cats sitting on router, solved by replacing the router with an AC86U) or a hack.

*further complicating this, I had let a friend (who's not anywhere near knowledgeable enough to cause problems knowingly) log into our wireless to avoid data charges on their iPhone right before the language change occurred. It seems highly improbable that they had some virus that also attacked routers, but in this day and age, who knows?
 
Most problems are, or can be, related to enabling web access from WAN and using that AiCloud, which I would not even dream of using; just search the previous vulnerabilities Asus has had with it.

Always use a VPN to access your network on the go, no ifs, no buts. Ensure web access from WAN is disabled, SSH LAN only if you use it, and disable UPnP, WPS and all that insecure nonsense, as I like to look at it. Keep AiProtection on; it certainly does block all sorts of exploits. Do not enable services you will not be using or no longer use, like FTP or VPN servers/clients; anything that you do not use should be disabled in my opinion, unless there is no way of disabling it.

Nobody can tell you what happened in your situation; there's simply no logs/evidence, if you like. There's no way of knowing of a vulnerability until it's picked up by someone, and if you look at recent and previous issues like the Heartbleed bug, these went unnoticed for years; same with Intel CPUs etc., the list goes on.

Your friend's device may have had something malicious on it, or it may not have. Use the guest network for friends etc.; I believe devices on the guest network are blocked from accessing other devices on the local network.

I had a bit of a scare earlier, but it turned out to be the Norton security app on my phone. If I suspect something fishy going on, generally I save the router log to a computer if possible, check out the AiProtection tab, factory reset, start from scratch basically, and check all devices I have control of and perform virus/malware scans on them etc.

Thing is, by holding off from updating you are making your device more vulnerable if there are security patches after the firmware version you have installed, and from 380 to 384 there have been security fixes. Check the Merlin firmware logs; in fact everybody should, as they always give full details on what's changed, been fixed, dropped, security fixes etc. They're the best way of keeping up to date with firmware upgrades, along with this forum obviously. You also generally tend to miss out on newer features, not much of a problem if they're of no interest to you.

Personally I like to keep my router, and anything else for that matter, up to date, and I am always on this forum reading the threads, listening and taking advice. I find that if you don't do this sort of thing and only come on the forum from time to time, when you see things like 'my router has been hacked' it causes alarm bells to ring and panic.

If there is a vulnerability then it can only be dealt with when it's known, and generally companies like to and try to keep this stuff from being released until a firmware with a fix is available. If you keep an eye on the forums, have check for updates turned on and take the general advice above, which I would say applies to the majority, then I would not worry and would just update.

Be happy until an exploit is found, then we all panic, sometimes for nothing, then we await a fix, then we update and are happy again lol until the next time :D It's like a constant game of cat and mouse.
 
The issue is most likely tied to a security issue with the web server. Exposing it to the WAN could allow an attacker to take control of the router. The issue was fixed in some devices in 384.4, and fixed for the rest of them in 384.4_2.

Ultimately, people should not open the webui to the WAN interface.
 
I've never had the webui accessible over the WAN; I've never seen the need. Maybe the friend's device was infected (or maybe it was just heat), but lesson learned, set up guest wifi. :)

I'm still wondering if the equivalent of a rootkit is even possible on Asus routers? If you assume an exploitable vulnerability, of course.
 
I'm still wondering if the equivalent of a rootkit is even possible on Asus routers? If you assume an exploitable vulnerability, of course.

Rootkits themselves aren't even necessary, since the majority of services already run with root privileges. Anything that can exploit an issue in the httpd server, for example, for remote code execution will run that code as root.

Downgrading privileges of the httpd server is not possible, since that server is also responsible for configuration management (unlike a traditional web server which only serves up pages).
 
Do you think it's possible something could be installed that would survive a factory reset?
 
Do you think it's possible something could be installed that would survive a factory reset?

Technically, yes, as it's possible that the bootloader might be compromised. However, it's highly unlikely, as such an exploit would need to be model-specific. It might be used if someone were specifically targeting YOU, but not with automatically spreading malware.
 
You can put me on the list now too. Just saw that the language changed on my router to some Asian language.

I'm running 380.69 Merlin on a RT-AC3200
WEBUI from WAN is and has always been enabled with a strong password

Sent from my LG-H815 using Tapatalk
 
I think the weakness is in the web server itself; a strong password is irrelevant.
 
So from multiple threads now we're hearing about people having issues when WebUI-from-WAN is enabled.
Bottom-line: should be disabled immediately; I guess unless this device is already inside another firewall.

The other folks reporting an issue have been using the phone app to control their router... which enables WebUI-from-WAN.
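The hardening advice earlier in this thread (WAN web access off, SSH LAN only, UPnP and WPS off) and the bottom line above can be checked against the router's own settings rather than by clicking through the UI. The script below is an added example, not code from the thread or from AsusWRT-Merlin; the nvram key names and value meanings it uses are assumptions based on common AsusWRT keys, and the sample dump is constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from AsusWRT-Merlin. It checks
# an nvram dump (key=value lines, as `nvram show` prints) against the advice in
# this thread: web UI and SSH not reachable from WAN, UPnP and WPS off. The key
# names and value meanings are assumptions based on common AsusWRT keys; confirm
# them on your own firmware before relying on the result.

# nv_get KEY FILE: print KEY's value from the dump, empty if absent.
nv_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# audit_nvram FILE: print one FINDING line per risky setting;
# exit status is 0 when clean, otherwise the number of findings.
audit_nvram() {
    dump=$1
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    [ "$(nv_get misc_http_x "$dump")" = "1" ] && flag "web UI enabled from WAN (misc_http_x=1)"
    # assumed: sshd_enable 0 = off, 1 = LAN and WAN, 2 = LAN only
    [ "$(nv_get sshd_enable "$dump")" = "1" ] && flag "SSH enabled from WAN (sshd_enable=1)"
    [ "$(nv_get wan0_upnp_enable "$dump")" = "1" ] && flag "UPnP enabled (wan0_upnp_enable=1)"
    [ "$(nv_get wps_enable "$dump")" = "1" ] && flag "WPS enabled (wps_enable=1)"
    return "$findings"
}

# Constructed sample standing in for `nvram show` on a router whose owner uses
# the phone app (which, as noted in the thread, turns WAN web access on).
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
misc_http_x=1
sshd_enable=2
wan0_upnp_enable=1
wps_enable=0
EOF

# On the router itself: nvram show > /tmp/nv.txt && audit_nvram /tmp/nv.txt
if audit_nvram "$SAMPLE_DUMP"; then
    echo "no findings"
else
    echo "$? setting(s) to fix before this router faces the internet"
fi
rm -f "$SAMPLE_DUMP"
```

Re-run it after using the phone app or restoring a saved configuration, since either can silently turn WAN web access back on.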
 
OK, so I thought I'd go and disable WAN access; to my surprise, access was already disabled o_O

I can't remember disabling it, but it kind of makes me wonder if that's the vulnerability being used?

Sent from my LG-H815 using Tapatalk
 