Possibly been hacked. Need assistant from senior users.

[Rubenel]

Hey guys, I'm using my Asus AC68u with 380.69 firmware.

I've logged on today and noticed my language was changed to the Asian region.
Someone also set up a PPTP and a DDNS.

I have the router offline, but I haven't altered anything.
Can someone assist me. I can send logs and other info to help chase this issue.

Sent from my SM-G950U using Tapatalk

 

[Rubenel]

Admins, can we move the thread to Asus Merlin.

Thanks.

Sent from my SM-G950U using Tapatalk

 

[Adamm]

Update to 384.4 - Factory reset - Disable SSH access from WAN

 

[VANT]

Remote Access Config
Enable Web Access from WAN - No

not only ssh

 

[CooCooCaChoo]

And use a better password possibly. When you are done configuring the router, turn off SSH and telnet for added measure.

 

[ColinTaylor]

@Rubenel If you could post the complete syslogs that you have to somewhere like pastebin we could have a look and try and determine what happened. After preserving a copy of your logs do as the others have said and factory reset the router and set it up again manually. Don't enable router access from the WAN.

What is interesting is your WAN address is 192.168.100.1, so unless that is something you have just changed it would imply that your router is behind another NAT device. This is not a problem, but usually that would make it a lot harder for someone to hack your router from the internet. Unless you had enabled WAN access on the router and setup port forwarding on the other device. Did you do that?

If you didn't already have WAN access working on the router that might suggest that your router was hacked from inside your network.

EDIT: Also notice how you also have a DDNS account setup on the WAN page (and the "!" indicating that you are behind a NAT). Did you setup that DDNS account?

 

[hoorah]

I made an account today to say that Ive just seen the same thing. I had some issues with internet connections going very slow, so after logging into the router and looking at a few things I noticed a VPN username I didn't recognize. It was very suspect, but I wasn't sure if the router was just going 'wonky'. I deleted the VPN user and a few days later we are still having connection issues and when I login I see that the language has been set to chinese. Still not sure if this is an intrusion or just a reversion to factory default mode, I set the language back and updated the firmware and started researching. Then I found this.

Before I updated the firmware, I did not check to see if telnet access had been granted (I hadn't turned it on) but after updating firmware, it is not enabled. Also, HTTP access (vs HTTPS) has been disabled. I suspect this is a known issue.

 

[ColinTaylor]

@hoorah Did you buy your router from China? If you didn't the default language should match your region (i.e. English probably).

What router model and firmware version did you have?

 

[hoorah]

No, didn't buy router from china. Don't remember where actually but probably amazon or newegg.

In retrospect, it doesnt look like a 'factory default' mode, now it looks more like a hack, I just wasnt suspecting it at the time.

Since I've updated the firmware, I don't recall what the firmware version was that was running when it happened, but I will admit I had not updated it in quite some time. So....old.

Even though I've updated the firmware, there is old data in the system log. I saved it, but I don't see anything in the logs about logins, access, etc. Not sure Im looking in the right place.

 

[ColinTaylor]

Did you previously have HTTP/S access from the WAN enabled?

 

[hoorah]

Did you previously have HTTP/S access from the WAN enabled?

*hangs head in shame*. Yes. I was not aware of the vulnerabilities (no excuse, I know). I wasn't using the default password (not that it makes it much better), just giving you all the info.

 

[Rubenel]

Update to 384.4 - Factory reset - Disable SSH access from WAN

Thanks for the contribution. I'll grab the system logs and all valuable info and post it on here for analysis.

Sent from my SM-G950U using Tapatalk

 

[ColinTaylor]

*hangs head in shame*. Yes. I was not aware of the vulnerabilities (no excuse, I know). I wasn't using the default password (not that it makes it much better), just giving you all the info.

It's not your fault, blame Asus.
Also bear in mind that HTTPS is equally as vulnerable as HTTP.

 

[Rubenel]

@Rubenel If you could post the complete syslogs that you have to somewhere like pastebin we could have a look and try and determine what happened. After preserving a copy of your logs do as the others have said and factory reset the router and set it up again manually. Don't enable router access from the WAN.

What is interesting is your WAN address is 192.168.100.1, so unless that is something you have just changed it would imply that your router is behind another NAT device. This is not a problem, but usually that would make it a lot harder for someone to hack your router from the internet. Unless you had enabled WAN access on the router and setup port forwarding on the other device. Did you do that?

If you didn't already have WAN access working on the router that might suggest that your router was hacked from inside your network.

EDIT: Also notice how you also have a DDNS account setup on the WAN page (and the "!" indicating that you are behind a NAT). Did you setup that DDNS account?

Hey Collin,

I did setup the router to be behind my FiOS router, so I am operating behind a NAT.

My other issue is that I placed the Asus IP address in the DMZ of the FiOS router.

I did not setup the DDNS, or the PPTP account, that was setup by the intruder.


I have the system logs preserved.
What else should I provide to better help chase the issue.

Thanks for your contribution and time.

Sent from my SM-G950U using Tapatalk

 

[ColinTaylor]

@Rubenel Thanks for the clarification about your NAT and DMZ settings. That explains how you could be attacked from the WAN-side.

TBH I doubt that the syslog will show much but it's the only thing we've got to look at. At least it should show the date/time of the intrusion (because it should show the VPN starting up).

Did you have HTTP or HTTPS access from WAN enabled? Firmware version 380.69_2 fixed some vulnerabilities there.

 

[hoorah]

Rubenel,

I'm far from an expert, but what I did was did a search on the username created in the VPN access list in the system logs. From there you should see login attempts and from which IP addresses they came from (mine were from China).

All I see is one relatively short login and nothing after that, however, that login was from back in early Feb, and my router language page didn't change to chinese until relatively recently (last week or so). So possibly they were accessing via telnet, not really sure. Do telnet logins show in the logs?

 

[Rubenel]

@Rubenel Thanks for the clarification about your NAT and DMZ settings. That explains how you could be attacked from the WAN-side.

TBH I doubt that the syslog will show much but it's the only thing we've got to look at. At least it should show the date/time of the intrusion (because it should show the VPN starting up).

Did you have HTTP or HTTPS access from WAN enabled? Firmware version 380.69_2 fixed some vulnerabilities there.

Hi colin,

The access from WAN was enabled automatically because I used the app on my smartphone to access the router.

I'll have system logs ready in 15 minutes.

Thanks.

Sent from my SM-G950U using Tapatalk

 

[ColinTaylor]

Do telnet logins show in the logs?

Do you mean Telnet or SSH?

 

[Rubenel]

Rubenel,

I'm far from an expert, but what I did was did a search on the username created in the VPN access list in the system logs. From there you should see login attempts and from which IP addresses they came from (mine were from China).

All I see is one relatively short login and nothing after that, however, that login was from back in early Feb, and my router language page didn't change to chinese until relatively recently (last week or so). So possibly they were accessing via telnet, not really sure. Do telnet logins show in the logs?

My logs show Feb 11 too.....
Logs will be posted.

Sent from my SM-G950U using Tapatalk

 

[hoorah]

Do you mean Telnet or SSH?

I am showing my ignorance here, but Im afraid I don't know the difference.

Regardless, are there separate logs for either telnet or SSH that I might determine when connections were made?