Possibly been hacked. Need assistant from senior users.

[RMerlin]

Asus recently fixed a number of issues in AiCloud.

 

[Colin1313]

Happened to me too. Like a dope I had been using the Asus app for iPhone to manage my router remotely. Only discovered problem when app would no longer connect. I logged into router and saw all in Korean. So far I have updated the firmware but haven't factory reset.

 

[Rubenel]

Happened to me too. Like a dope I had been using the Asus app for iPhone to manage my router remotely. Only discovered problem when app would no longer connect. I logged into router and saw all in Korean. So far I have updated the firmware but haven't factory reset.

Thanks Collin for the post.

Sent from my SM-G950U using Tapatalk

 

[Daspied]

I believe I was recently compromised as well.
My settings were as follows:
Firmware version: 384.3_0
Web UI Disabled
Remote web services Disabled
SSH Disabled
DDNS: Active
100 bit strength password Alpha, Numeric, symbol password. With default login changed.
DMZ Disabled
UPnP Disabled

No active VPN's PPTP or L2TP clients were observed.

I've attached a picture of the Firewall Notifications; the newest notifications were from the 28th but they are just repeating previous attacks.

I combed through my log file and wasn't able to find anything of value. The only thing I could find was information related to the initial setup of the new 384 version type in early Feb. I'll attach the code for good measure.
https://pastebin.com/57p5LKYX

I'm honestly pretty baffled. Is the most likely attack vector an infected computer at this point, or has a vulnerability been established for the 384 firmware?

I may migrate my Firewall setup onto a dedicated Ubiquity or Cisco unit.

 

[sfx2000]

100 bit strength password Alpha, Numeric, symbol password. With default login changed.

How do you know that PW is strong? You'd be surprised there...

Here's a few samples of strong passwords... they're broken since I'm publishing them now, but they were robust until now...

What I worry is that some think that a non-A thru Z, 0-9, is not strong enough, and this forces folks into a habit - because we run out of space to remember things.

Hoo6Faixoo7ein3c saaj4eiYi9Ezoolo eethaemae3OZ1ome ieGeeh7eeca2aaru
PePh2way2shoNgeb ooceisheuthuDah9 ach7ji5eP3eisohf Chei2chohreehur9
osaegaiX6Raipooh nui7fiik6etaChei Dai5dae4aephahgh engoob5ashop4Ouf
ATaeth6ohlaeKieg Aquuvaiya3xooD5l oobas8soo3Si3mei zooh5ChaeSi0Phoh
oemieGae2Fohsiqu thoh9naTimei3aep foo9eeMae0quie8l NaePh7eiluaz0haf
loosoo2doo4ien9C nai6Einoweelae9b ohkohgieNgae0lee muo8Tahx9iesePh7
ahlaeD5lohchaiBe cei6ChohGhoox9oz EeQuai3Bie9phae9 Ieher8fee9ho8epe
ieBeigaing8kiur2 aeweekae2maiF5Po ich0ahwuiN4Xepah iud1eiphe0Cooche
beefoh7ich7uQua1 AhmeiS0IdoosaeYu eiyaiT3uSayeig9n TuiSh4Ooro7gie6s
veiPeebouqu6oul1 jailohng6taBo4zo ebeivoCh1waiT9ki oereipheiV5aif2g
uGeuCo9eiw3Ieph3 ooShoipeeZaex1ei yu7shahh6pohShei aiph2Fohvee9chi7
bohZae1Aagoo3ahd fiuH4Chue3phicee ooNohw8fi6eugh3J gi1maedaXoiz6iuz
jieth6aePie3vah9 auw6tohsee9teeCh AiMaeg4Xoofoon1w aeshoh2iBah9Shoh
Ohc7pahsh3doPeeT ahrook3Niak2theu Ha6eeyoomurahs2d ieloh1iopieyeeQu
TheiZei1ziukebeo oz4niemo7haiLeek Ja7Eish8aiquoZ6e Eow0Chaecae2ohgi
Uo5aida6eengiuth oGhua7paeNao3wei eenaeChah5ohghei oteoXa6yu0xeipai
Ait7cheibo4AeNg2 ojaikaequosei8uH ohmieJi1emium5oo Eehauz1joogheiwi
ahze9eeD2ohngoo4 Hoax3roosh2Ahz0I Ne9vuquuvai6aeTh iochoo8Quoo0Poh5
Sae0reevo2yo3xel Xudae1gu1yaeNgul eethi4aiKi1aFevu eat7ieWohhughoht
bee9ietheeTaepai phomaLeirohf0ohc EB2yohetoiGhaega eicah1Ohthahx3iu

 

[Daspied]

How do you know that PW is strong?

I'm using Keepass, Password manager.

An Example would be DSF,?ZlQ&V'X"iYh

 

[sfx2000]

DSF,?ZlQ&V'X"iYh

is no more secure than this - bee9ietheeTaepai

character set is the same..

 

[Wutikorn]

@Daspied Factory reset, flash to 384.4_2,(possibly another factory reset) restart, and then manually config everything again. 384.4_2 contains some security fixes over 384.3

 

[Colin1313]

Any suggestions for me on N66U?

 

[OOo]

I got hacked, language changed, WAN access was off although I think it was ON prior to hack.
I am on 380.69 Merlin version
Does anyone know if 380.69 _2 is good to flash too?
Also, be great if there was an email list to get a heads up on something like this. I was hacked last night but it seems it started Saturday. With some warning I could have stopped my hack.
Also, I have a thumb drive attached to my router running AB Solution and a Western Digital Drive with personal stuff. How do I know if they got my stuff?
Do I need to do anything to my drives in case they put a back door on them?
thanks

 

[ColinTaylor]

I believe I was recently compromised as well.

Why do you think that? There's nothing to indicate it in the information you've provided.

 

[rtn66uftw]

I got hacked, language changed, WAN access was off although I think it was ON prior to hack.
I am on 380.69 Merlin version
Does anyone know if 380.69 _2 is good to flash too?
Also, be great if there was an email list to get a heads up on something like this. I was hacked last night but it seems it started Saturday. With some warning I could have stopped my hack.
Also, I have a thumb drive attached to my router running AB Solution and a Western Digital Drive with personal stuff. How do I know if they got my stuff?
Do I need to do anything to my drives in case they put a back door on them?
thanks

Update to the latest firmware. There are tons of security fixes after 380.69_2

 

[OOo]

Update to the latest firmware. There are tons of security fixes after 380.69_2

Merlin shows on his site 380.69_2 is stable but are you saying I really should go to 384.4_2?

 

[ColinTaylor]

Also, I have a thumb drive attached to my router running AB Solution and a Western Digital Drive with personal stuff. How do I know if they got my stuff?

My guess, and it's just a guess, is that the perpetrator is using a vulnerability to "force" configuration changes onto the router without actually logging in. The main purpose appears to be the setting up of the VPN and associated login details. This would allow them to return at a later date and login through the VPN giving them full access to the router and LAN.

If this is the case then I would expect to see the normal PPTP VPN login entries in the syslog (not the failed ones from port scanners).

 

[OzarkEdge]

Noob question... please enlighten me...

If the router is fully locked down on a trusted LAN... all known attack vectors disabled... how is retaining the default admin name and a simple password (for convenience) a security risk?

Perhaps the keyword is 'known'.

OE

 

[DonnyJohnny]

Noob question... please enlighten me...

If the router is fully locked down on a trusted LAN... all known attack vectors disabled... how is retaining the default admin name and a simple password (for convenience) a security risk?

Perhaps the keyword is 'known'.

OE

How would you know it is fully locked down? There is such thing known as vulnerabilities and you never know when it will happen..

Question is security risk vs convenience. I would have chosen security. Even most applications/service have 2fa. The more layer of security the better?

To those who has been compromised. Please ensure you flushed out the jffs and do a factory reset. Imagine they may have some auto start up script somewhere during reboot. Back to square one.

Those who have yet to be compromised but have been having Wan GUI access. I recommend doing the above step and off WAN GUI access. Better to be safe than sorry.

I really hope more people is aware of how crazy the internet world is and don’t be part of the bonnet used to hack/Attack others. Please spread the awareness....

 

[gpz1100]

Been running various versions of this firmware for a long time. Had issues about 8 months ago with trying to do too many things on the router ultimately slowing everything down.

Figured it was time for something with more horsepower. Picked up a laptop in a box (qotom q355g4) which is an i5 5250u based box with 4 intel nics, 8gb ram. Goal was to install pfsense, but in the course of reading about it, came across sophos utm. The latter's UI made more sense to this novice. Been running it since the end of last summer.

The firewall logs are insane. Between 3000-5000 entries a day of inbound attempts. Upgrading firewall to this came to fruition when I got gigabit installed. L2TP/ipsec vpn is good for about 250 mbps, more than most cable connections I use to connect to it. No way would the rt-ac68u be able to handle that. The rt-ac68u's and r7000 have been relegated to AP duty.

I'm not saying everyone should replace their routers with a firewall appliance but incidents like this make me question just how secure they are. Wonder if there are similar instances with tomato/ddwrt....?

 

[rtn66uftw]

Merlin shows on his site 380.69_2 is stable but are you saying I really should go to 384.4_2?

View attachment 12522

I don't understand. 384.4_2 is also a stable release from your screenshot

 

[Deleted member 22229]

I don't understand. 384.4_2 is also a stable release from your screenshot

There both stable releases. 380 code has been replaced with 384 code. 380 code is being phased out by Merlin and 380.70 will be the last release. I recommend going to the 384 branch of code your going to have to sooner or later anyway.

 

[Daspied]

is no more secure than this - bee9ietheeTaepai
character set is the same..

I'm honestly confused, and trying to learn. How was that password no more secure then your example. If we follow the general formula for permutations n^r where (n= max length) (r = number of combinations) an alpha numeric only combination gives us 16^36 possible permutations, while an Alpha, numeric, symbolic (10 symbols) gives is 16^46. Assuming random generation of course.

Is there something I'm missing?

Why do you think that? There's nothing to indicate it in the information you've provided.

The screen shot I posted made it seem, or so when I read it, like there was an active attack on the router with a few different attacks(I received 13 in total on the 28th). The LAN Backdoor command execution, remote command shell script execution, and an attack on the netcore. The way it appeared to me (granted I'm an amateur) was that these attacks were successful. Although I suppose if a breach was made it would have been prudent for them to set up a VPN to their network, and wipe all the logs.

I also figured, being an amateur, it wouldn't hurt to have second eyes look and either confirm or deny. Just to edge on paranoia I did a hard reset/restore/ reset and set up my network again while upgrading my firmware.

Seriously, thank you both for the help and insight.