Password auth succeeded for 'admin'

[berez]

I have strong password in my RT-AC68U, but in logs I see "Password auth succeeded for 'admin'"

What this means? Someone log-in to my router? What is "dropbear"?

Jun 5 10:11:31 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:33 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:36 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:38 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:40 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:41 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:44 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:46 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:47 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 10:11:49 dropbear[3828]: Bad password attempt for 'admin' from 182.33.229.11:56390
Jun 5 11:32:23 dropbear[7850]: Login attempt for nonexistent user from 5.188.10.249:44256
Jun 5 11:32:23 dropbear[7850]: Login attempt for nonexistent user from 5.188.10.249:44256
Jun 5 11:32:25 dropbear[7851]: Login attempt for nonexistent user from 5.188.10.249:44557
Jun 5 11:32:25 dropbear[7851]: Login attempt for nonexistent user from 5.188.10.249:44557
Jun 5 11:32:26 dropbear[7852]: Login attempt for nonexistent user from 5.188.10.249:44855
Jun 5 11:32:26 dropbear[7852]: Login attempt for nonexistent user from 5.188.10.249:44855
Jun 5 11:32:27 dropbear[7853]: Login attempt for nonexistent user from 5.188.10.249:45145
Jun 5 11:32:27 dropbear[7853]: Login attempt for nonexistent user from 5.188.10.249:45145
Jun 5 11:32:29 dropbear[7854]: Login attempt for nonexistent user from 5.188.10.249:45372
Jun 5 11:32:29 dropbear[7854]: Login attempt for nonexistent user from 5.188.10.249:45372
Jun 5 11:32:30 dropbear[7855]: Login attempt for nonexistent user from 5.188.10.249:45670
Jun 5 11:32:30 dropbear[7855]: Login attempt for nonexistent user from 5.188.10.249:45670
Jun 5 11:32:32 dropbear[7856]: Login attempt for nonexistent user from 5.188.10.249:45968
Jun 5 11:32:32 dropbear[7856]: Login attempt for nonexistent user from 5.188.10.249:45968
Jun 5 11:32:33 dropbear[7877]: Login attempt for nonexistent user from 5.188.10.249:46295
Jun 5 11:32:33 dropbear[7877]: Login attempt for nonexistent user from 5.188.10.249:46295
Jun 5 11:32:34 dropbear[7878]: Bad password attempt for 'admin' from 5.188.10.249:46517
Jun 5 11:32:36 dropbear[7879]: Login attempt for nonexistent user from 5.188.10.249:46832
Jun 5 11:32:36 dropbear[7879]: Login attempt for nonexistent user from 5.188.10.249:46832
Jun 5 11:45:29 dropbear[8466]: Password auth succeeded for 'admin' from 46.35.80.176:40722
Jun 5 11:52:02 dropbear[8789]: Password auth succeeded for 'admin' from 83.249.237.101:35679
Jun 5 12:22:10 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:11 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:11 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:12 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:13 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:13 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:14 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:14 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285
Jun 5 12:22:15 dropbear[10272]: Bad password attempt for 'admin' from 186.58.20.21:52285

 

[microchip]

dropbear = ssh

better use ssh keys instead of passwords and restrict ssh to LAN only if you don't need it to be accessible on the WAN side

 

[berez]

OK, now I have blocked access via SSH from WAN.

What is best way to reset to 100% factory default? I would like to make sure that there is no backdoor.

Could someone recommend to me some alert-script when somone logon to router?

 

[martinr]

Best way to do a factory reset? Have a look at Merlin's FAQs here for starters:

https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/

It's well worth reading the whole page, and occasionally re-reading it for all the little nuggets of good information therein.

By the way, note the you can (and should) change the username from 'admin', unlike some other routers where you can only change the default password.

 

[ColinTaylor]

OK, now I have blocked access via SSH from WAN.

Also disable HTTP(S) access from the WAN as well as this appeared to be common attack vector a few months ago.

What firmware version are you running? The most recent firmware has some important security fixes.

 

[berez]

Now I have newest Merlin Version, but when I detect attack I had 380.64 version.

I have readed FAQ few minutes ago. If I run over SSH, "nvram erase" command, then I can be 100% sure that I erased possible backdoors? Maybe attacker can override "nvram erase" comand?

 

[thelonelycoder]

Now I have newest Merlin Version, but when I detect attack I had 380.64 version.

I have readed FAQ few minutes ago. If I run over SSH, "nvram erase" command, then I can be 100% sure that I erased possible backdoors? Maybe attacker can override "nvram erase" comand?

The intruder got access through ssh, this means they have the same rights and access as you have.
Deleting the nvram is not going to remove everything that they may have done to your router.
A factory reset is your best option. And change the pw after that.
There are many exploit threads that discuss how to reset your router.

 

[berez]

Thanks for answer. I'm beginner, what is pw? Password?

If I install oryginal (from asus) firmware then factory reset will be done?

I'm confused, becouse in martinrs link (https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/ ) I read that "nvram erase" command do factory reset

 

[thelonelycoder]

Thanks for answer. I'm beginner, what is pw? Password?

If I install oryginal (from asus) firmware then factory reset will be done?

I'm confused, becouse in martinrs link (https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/ ) I read that "nvram erase" command do factory reset

I see. Only read the part how to factory reset. Do not restore settings from a previous save if you have it.
The best way is to reset it, then let it boot to the setup screen, pull the power plug and wait about five minutes.
Then plug it in and start setting up the router from scratch, using new passwords, especially for the admin account.
You can also change the name of the admin account, may be better, since the intruder knows it's admin.
Do not enable services that are accessible from WAN, especially the WebUI and SSH. If you must have access from WAN, use a VPN instead.

To add: if you have the jffs partition enabled, set it to format at next boot. Save it and reboot the router.

 

[redhat27]

To add: if you have the jffs partition enabled, set it to format at next boot. Save it and reboot the router.

@berez you also need to do this particularly. Anyone who had gained access earlier could easily leave a script that is called on startup that restores a compromised nvram.

 

[Xentrk]

Thanks for answer. I'm beginner, what is pw? Password?

If I install oryginal (from asus) firmware then factory reset will be done?

I'm confused, becouse in martinrs link (https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/ ) I read that "nvram erase" command do factory reset

@berez, you may want to read thru this thread when you have time to gain more insight on the issue you reported.
https://www.snbforums.com/threads/was-my-routers-username-and-password-hacked.36602/

 

[berez]

Thanks to all for advices, especially about JFFS partition.
@Xentrk - Thanks for link - this topic is covered with my problem in 100%. I had set up SSH only LAN:22, and it Was changed by attacker to LAN+WAN:2222.

 

[florid]

Thanks to all for advices, especially about JFFS partition.
@Xentrk - Thanks for link - this topic is covered with my problem in 100%. I had set up SSH only LAN:22, and it Was changed by attacker to LAN+WAN:2222.

How they did that? Have you ever allowed management access from WAN?

 

[berez]

yes I had allowed access (web gui/android) from WAN, but I had strong password (14 non-dictionary charters). Everything match to posts from Xentrks link.

 

[hggomes]

The main reasons for such hack on device is:

1. You are using an old FW version. (CSRF, JSONP and XSS flaws not fixed)
2. You are exposing WEBUI Wordwide. (that's how the admin password is retrieved)