
Possibly been hacked. Need assistance from senior users.


I believe I was recently compromised as well.
My settings were as follows:
Firmware version: 384.3_0
Web UI Disabled
Remote web services Disabled
SSH Disabled
DDNS: Active
100-bit-strength password (alphabetic, numeric and symbol characters), with the default login changed.
DMZ Disabled
UPnP Disabled

No active VPN (PPTP or L2TP) clients were observed.

I've attached a picture of the Firewall Notifications; the newest notifications were from the 28th but they are just repeating previous attacks.

I combed through my log file and wasn't able to find anything of value. The only thing I could find was information related to the initial setup of the new 384 version type in early Feb. I'll attach the code for good measure.
https://pastebin.com/57p5LKYX

I'm honestly pretty baffled. Is the most likely attack vector an infected computer at this point, or has a vulnerability been established for the 384 firmware?

I may migrate my firewall setup onto a dedicated Ubiquiti or Cisco unit.


Your image looks remarkably like that of my router.
I think it’s just a log, not something to be worried about so long as firmware is kept up to date, & strong security settings are maintained in the router.
Just there to remind us of all the bad stuff going on in cyber space. ;-)
 
Rough month for us I guess? I'm at 157 hits since 1 March.

Running 384.3; I'd like to update to 384.4 but my wife is out of town using the VPN and I'm worried about screwing that up if there's a problem with the update. :eek:
 
I get 15 - 20 hits per day normally. Just lucky I guess!
 
I don't get that many hits and I have everything on the Wan side disabled except a VPN server but I think the Trend-Micro page could do a better job showing that these attempts were successfully blocked. I do appreciate the level of detail describing the attacks though.
 
I'm honestly confused, and trying to learn. How was that password no more secure than your example? If we follow the general formula for permutations n^r where (n = max length) (r = number of combinations), an alphanumeric-only combination gives us 16^36 possible permutations, while an alpha, numeric, symbolic (10 symbols) one gives us 16^46. Assuming random generation of course.

Is there something I'm missing?

Hard-to-remember passwords are just as bad as easy passwords... the one I suggested is actually not that bad to memorize....

Getting towards good passphrases - consider this... from XKCD, and it's good stuff...

password_strength.png
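The exchange above is about how much a symbol set and a length each buy you. For a uniformly random password the search space is (alphabet size) ^ (length): the base is the number of symbols you draw from, the exponent is how many you draw. Below is an added worked example (not from any poster in this thread) that puts the 62-character alphanumeric set, the same set plus ten symbols, and an XKCD/Diceware-style word passphrase side by side in bits of entropy. The alphabets, the 7776-word list size and the 1e10 guesses/s cracking rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed alphabets for the comparison (assumptions, not from the original post).
ALNUM = string.ascii_letters + string.digits        # 62 symbols
ALNUM_SYM = ALNUM + "!@#$%^&*()"                    # 72 symbols: the same set plus 10 symbols
DICEWARE_LIST_SIZE = 7776                           # a standard Diceware list has 6^5 words


def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords: alphabet_size ** length.

    The base is the size of the symbol set and the exponent is the password
    length. This only holds when every symbol is chosen uniformly at random;
    a human-chosen password has far less entropy than its length suggests."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space, i.e. bits of entropy for a random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at a given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def random_password(alphabet: str, length: int) -> str:
    """Uniform random password; uses secrets (CSPRNG), not random, so it is fit for real use."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(length: int = 8, words: int = 4, rate: float = 1e10) -> dict:
    """Entropy of three generation schemes and the years to exhaust each.

    rate is an assumed offline cracking speed (guesses/s) against a fast hash."""
    schemes = {
        f"{length} random alphanumeric": entropy_bits(len(ALNUM), length),
        f"{length} random alphanumeric + 10 symbols": entropy_bits(len(ALNUM_SYM), length),
        f"{words}-word Diceware passphrase": entropy_bits(DICEWARE_LIST_SIZE, words),
    }
    return {name: (round(bits, 1), round(years_to_exhaust(bits, rate), 2))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:42s} {bits:5.1f} bits  ~{years:g} years at 1e10 guesses/s")
    print("example:", random_password(ALNUM_SYM, 16))
```

Going from 62 to 72 symbols adds only about 0.2 bits per character, so eight characters with symbols (49.4 bits) barely beat eight without (47.6 bits), while four random dictionary words (51.7 bits) beat both and are far easier to remember. Adding one more character or word is worth more than adding a symbol class; and none of these numbers apply to a password you made up yourself.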
 
there's going to be a lot of door knockers checking the firewall...

Even with a strong FW approach, limiting connections, and adaptively fire-walling them, they will still try...

Key thing - don't expose services you don't need to expose - and have a plan for those you want or need to...

Code:
$ sudo ufw status numbered
Status: active
    To                         Action      From
   --                         ------      ----
[ 1] OpenSSH                    DENY IN     124.158.124.9             
[ 2] OpenSSH                    DENY IN     78.41.207.224             
[ 3] OpenSSH                    DENY IN     128.199.35.247            
[ 4] OpenSSH                    DENY IN     181.50.122.237            
[ 5] OpenSSH                    DENY IN     88.87.202.71              
[ 6] OpenSSH                    DENY IN     103.94.42.70              
[ 7] OpenSSH                    DENY IN     106.75.216.151            
[ 8] OpenSSH                    DENY IN     218.38.121.17             
[ 9] OpenSSH                    DENY IN     183.82.0.15               
[10] OpenSSH                    DENY IN     35.198.247.106            
[11] OpenSSH                    DENY IN     138.68.7.146              
[12] OpenSSH                    DENY IN     119.28.43.188             
[13] OpenSSH                    DENY IN     43.231.114.64             
[14] OpenSSH                    DENY IN     64.41.86.129              
[15] OpenSSH                    DENY IN     122.224.203.228           
[16] OpenSSH                    DENY IN     95.173.160.115            
[17] OpenSSH                    DENY IN     93.99.147.90              
[18] OpenSSH                    DENY IN     92.63.197.29              
[19] OpenSSH                    DENY IN     92.222.26.122             
[20] OpenSSH                    DENY IN     91.62.27.12               
[21] OpenSSH                    DENY IN     91.121.105.20             
[22] OpenSSH                    DENY IN     87.201.9.242              
[23] OpenSSH                    DENY IN     82.200.205.71             
[24] OpenSSH                    DENY IN     81.130.146.18             
[25] OpenSSH                    DENY IN     69.162.101.38             
[26] OpenSSH                    DENY IN     61.82.251.224             
[27] OpenSSH                    DENY IN     61.220.209.219            
[28] OpenSSH                    DENY IN     61.178.220.148            
[29] OpenSSH                    DENY IN     61.175.120.66             
[30] OpenSSH                    DENY IN     60.250.168.200            
[31] OpenSSH                    DENY IN     60.174.165.20             
[32] OpenSSH                    DENY IN     58.87.67.254              
[33] OpenSSH                    DENY IN     54.37.224.232             
[34] OpenSSH                    DENY IN     49.156.54.172             
[35] OpenSSH                    DENY IN     49.156.148.212            
[36] OpenSSH                    DENY IN     41.223.142.211            
[37] OpenSSH                    DENY IN     41.138.51.69              
[38] OpenSSH                    DENY IN     37.230.233.50             
[39] OpenSSH                    DENY IN     35.231.21.205             
[40] OpenSSH                    DENY IN     35.200.124.223            
[41] OpenSSH                    DENY IN     221.146.5.81              
[42] OpenSSH                    DENY IN     220.82.47.6               
[43] OpenSSH                    DENY IN     220.133.39.3              
[44] OpenSSH                    DENY IN     219.148.149.90            
[45] OpenSSH                    DENY IN     216.13.179.108            
[46] OpenSSH                    DENY IN     212.129.39.121            
[47] OpenSSH                    DENY IN     211.238.147.197           
[48] OpenSSH                    DENY IN     202.29.233.50             
[49] OpenSSH                    DENY IN     202.114.200.61            
[50] OpenSSH                    DENY IN     193.93.13.50              
[51] OpenSSH                    DENY IN     193.70.85.206             
[52] OpenSSH                    DENY IN     193.70.46.201             
[53] OpenSSH                    DENY IN     192.169.155.230           
[54] OpenSSH                    DENY IN     191.232.180.127           
[55] OpenSSH                    DENY IN     188.187.55.243            
[56] OpenSSH                    DENY IN     188.166.248.103           
[57] OpenSSH                    DENY IN     188.166.178.152           
[58] OpenSSH                    DENY IN     185.48.207.32             
[59] OpenSSH                    DENY IN     182.61.42.204             
[60] OpenSSH                    DENY IN     180.76.56.154             
[61] OpenSSH                    DENY IN     18.219.26.199             
[62] OpenSSH                    DENY IN     179.228.242.120           
[63] OpenSSH                    DENY IN     178.19.130.191            
[64] OpenSSH                    DENY IN     169.255.104.20            
[65] OpenSSH                    DENY IN     166.62.41.196             
[66] OpenSSH                    DENY IN     162.243.86.122            
[67] OpenSSH                    DENY IN     161.139.115.25            
[68] OpenSSH                    DENY IN     142.4.204.122             
[69] OpenSSH                    DENY IN     139.59.244.27             
[70] OpenSSH                    DENY IN     123.59.135.58             
[71] OpenSSH                    DENY IN     123.207.161.189           
[72] OpenSSH                    DENY IN     123.183.209.140           
[73] OpenSSH                    DENY IN     123.176.11.54             
[74] OpenSSH                    DENY IN     119.56.45.47              
[75] OpenSSH                    DENY IN     119.29.154.229            
[76] OpenSSH                    DENY IN     119.28.52.41              
[77] OpenSSH                    DENY IN     119.235.21.178            
[78] OpenSSH                    DENY IN     118.89.199.198            
[79] OpenSSH                    DENY IN     118.45.190.133            
[80] OpenSSH                    DENY IN     118.25.44.247             
[81] OpenSSH                    DENY IN     118.24.64.214             
[82] OpenSSH                    DENY IN     118.24.21.151             
[83] OpenSSH                    DENY IN     118.184.53.50             
[84] OpenSSH                    DENY IN     117.50.10.38              
[85] OpenSSH                    DENY IN     117.0.3.46                
[86] OpenSSH                    DENY IN     116.196.72.140            
[87] OpenSSH                    DENY IN     116.101.88.181            
[88] OpenSSH                    DENY IN     115.159.93.210            
[89] OpenSSH                    DENY IN     115.146.127.201           
[90] OpenSSH                    DENY IN     111.50.77.56              
[91] OpenSSH                    DENY IN     111.200.217.242           
[92] OpenSSH                    DENY IN     110.10.189.182            
[93] OpenSSH                    DENY IN     110.10.189.108            
[94] OpenSSH                    DENY IN     109.254.93.167            
[95] OpenSSH                    DENY IN     104.1.88.158              
[96] OpenSSH                    DENY IN     103.235.227.33            
[97] 22/tcp                     LIMIT IN    Anywhere                  
[98] Anywhere                   ALLOW IN    192.168.1.0/24            
[99] 22/tcp (v6)                LIMIT IN    Anywhere (v6)             
[100] Anywhere (v6)              ALLOW IN    fe80::/64
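The listing above is the end product: a 22/tcp LIMIT rule for everyone plus one DENY per source that kept knocking. As an added example (my own code, not the poster's, and not how that particular list was built), here is the piece that turns sshd failures into those rules. It counts "Failed password" lines per source, skips LAN sources so a mistyped password from inside cannot lock you out, and emits `ufw insert 1 deny ...` so the DENY lands ahead of the LIMIT rule. The log lines are constructed (RFC 5737 documentation addresses), and the threshold and LAN prefix are assumptions.

```python
import re
import shlex
import subprocess
from collections import Counter

# Constructed sample sshd log lines (documentation addresses), not a real capture.
SAMPLE_LOG = """\
Mar 28 03:11:02 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 28 03:11:05 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 28 03:11:09 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Mar 28 03:12:40 gw sshd[1210]: Failed password for invalid user pi from 198.51.100.23 port 40011 ssh2
Mar 28 03:12:44 gw sshd[1211]: Failed password for invalid user oracle from 198.51.100.23 port 40020 ssh2
Mar 28 03:12:49 gw sshd[1212]: Failed password for invalid user test from 198.51.100.23 port 40031 ssh2
Mar 28 03:13:01 gw sshd[1215]: Failed password for alice from 192.168.1.20 port 50022 ssh2
Mar 28 03:13:04 gw sshd[1215]: Failed password for alice from 192.168.1.20 port 50022 ssh2
Mar 28 03:13:07 gw sshd[1215]: Failed password for alice from 192.168.1.20 port 50022 ssh2
Mar 28 03:13:15 gw sshd[1215]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2
Mar 28 03:14:30 gw sshd[1220]: Failed password for root from 192.0.2.55 port 61000 ssh2
"""

# Matches both "Failed password for root from X" and "Failed password for invalid user X from Y".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text: str) -> Counter:
    """Number of failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text: str, threshold: int = 3, lan_prefixes=("192.168.1.",)) -> list:
    """Sources at or above the threshold, excluding LAN addresses (assumed 192.168.1.0/24)."""
    return sorted(
        ip for ip, n in count_failures(log_text).items()
        if n >= threshold and not ip.startswith(lan_prefixes)
    )


def deny_commands(ips) -> list:
    """ufw command lines; `insert 1` puts each DENY ahead of the 22/tcp LIMIT rule."""
    return [
        ["ufw", "insert", "1", "deny", "in", "from", ip, "to", "any",
         "port", "22", "proto", "tcp", "comment", "sshd brute force"]
        for ip in ips
    ]


def apply(commands, dry_run: bool = True) -> None:
    """Print the commands (default) or run them with sudo."""
    for cmd in commands:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(["sudo", *cmd], check=True)


if __name__ == "__main__":
    # Dry run against the constructed log; pass dry_run=False to really add the rules.
    apply(deny_commands(offenders(SAMPLE_LOG)))
```

To use it for real, feed it `/var/log/auth.log` (or `journalctl -u ssh --no-pager`) instead of SAMPLE_LOG and keep dry_run until the output looks right. A hundred hand-inserted DENY rules is also the point where fail2ban or a nftables set with timeouts becomes less work to maintain than ufw.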
 
You are right IF you try to remember it... The main purpose of KeePass is that you do not have to remember very strong passwords, so 16/20 chars randomly generated with special chars, etc. can be used without being a pain.

Is everyone being "hacked" (at least having their language changed) using AiCloud? I do not use AiCloud, WAN web or WAN SSH, but with these reports I check my router every day until we can find the cause of that :(
 
Keychain apps are a good place to be - not saying they're not...

I bounce across many machines from both a client and a host - so I have my strategy that works - and it's compatible with the keychain apps.

pwgen is a good thing...
 
I just noticed that somebody from China was scanning my router two days ago.
There were 40 attempts to access my router.
Also, WAN access has been enabled.

Firmware 384.4.2 . Strange. I usually upgrade the router firmware same day it is released.

cooJ95k.png
 
You are just waiting to be hacked with WAN access open...
Please format your JFFS and do a factory reset, then re-flash the firmware...

If a hacker is able to enter, do you think they will let you know? They would have deleted the log and any trace of entry. Those Trend Micro blocks are just basic protection, but they aren't going to protect you if you leave your door half open...
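Several posts in this thread notice the same two indicators after the fact: WAN access to the web UI had been switched on, and the UI language had changed. Both live in nvram, so they can be checked from a script rather than by clicking through the UI every day. The following is an added example (not from any poster, and not part of the firmware) that audits an `nvram show` dump for exposed services and for those two indicators. The variable names (misc_http_x for web UI from WAN, sshd_enable with 1 = LAN+WAN and 2 = LAN only, telnetd_enable, enable_webdav for AiCloud, wan0_upnp_enable, dmz_ip, pptpd_enable, http_username, preferred_lang) are my assumptions about Asuswrt/Asuswrt-Merlin and should be confirmed against `nvram show` on your own unit; the dump below is constructed.

```python
# Assumed Asuswrt / Asuswrt-Merlin nvram keys (verify with `nvram show` on your router).
# Each entry: (key, predicate that is True when the value is a finding, description).
CHECKS = [
    ("misc_http_x",      lambda v: v == "1",     "web UI reachable from WAN (misc_http_x=1)"),
    ("sshd_enable",      lambda v: v == "1",     "SSH reachable from WAN (sshd_enable=1; 2 would be LAN only)"),
    ("telnetd_enable",   lambda v: v == "1",     "telnet enabled"),
    ("enable_webdav",    lambda v: v == "1",     "AiCloud WebDAV enabled"),
    ("wan0_upnp_enable", lambda v: v == "1",     "UPnP enabled on WAN"),
    ("dmz_ip",           lambda v: v != "",      "DMZ host configured"),
    ("pptpd_enable",     lambda v: v == "1",     "PPTP VPN server enabled (weak protocol)"),
    ("http_username",    lambda v: v == "admin", "default admin login name still in use"),
]

# Constructed `nvram show`-style dump, not from a real router.
SAMPLE_DUMP = """\
misc_http_x=1
misc_httpport_x=8443
sshd_enable=2
telnetd_enable=0
enable_webdav=0
wan0_upnp_enable=0
dmz_ip=
pptpd_enable=0
http_username=admin
preferred_lang=CN
"""


def parse_nvram(text: str) -> dict:
    """Parse key=value lines as printed by `nvram show`; values may contain '='."""
    nv = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            nv[key.strip()] = value.strip()
    return nv


def audit(nv: dict, expected_lang: str = "EN") -> list:
    """Return (key, value, description) for every setting that widens exposure
    or differs from what the owner set (UI language is the thread's indicator)."""
    findings = []
    for key, is_finding, description in CHECKS:
        if key in nv and is_finding(nv[key]):
            findings.append((key, nv[key], description))
    lang = nv.get("preferred_lang")
    if lang is not None and lang != expected_lang:
        findings.append(("preferred_lang", lang, f"UI language is {lang}, expected {expected_lang}"))
    return findings


if __name__ == "__main__":
    for key, value, description in audit(parse_nvram(SAMPLE_DUMP)):
        print(f"{key}={value}: {description}")
```

On the router itself, `nvram show > /tmp/nv.txt` and feeding that file in (Entware provides Python on Merlin; otherwise the same checks are a few `nvram get` lines in a shell script) gives a daily diff of the settings that matter. Note that this only says what the configuration is now; after a suspected compromise the advice above still applies, because a script cannot prove that nothing else was changed.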
 
Just curious..which script did you use for checking those scans?
 
you know, I was going back and forth between different firmware builds and played around with a lot of settings over several days about a month ago trying to solve connection interruptions on my Win7. I saw the Asian font too but I just figured maybe something glitched because at one point I went through the language dropdown just to see what the different fonts looked like. Also, I was playing with the smartphone app out in the field a few times but never turned on outside permission and later noticed a big long alpha-numeric domain assigned to asuscom.com. I figured that was how I got into the router and it was automatically created by the app.

I never figured any of that as something malicious. I never saw anything odd in occasional perusals of the log (though my reading skills are rudimentary at best). And I never checked the AIProtection tabs because I was too preoccupied with solving my Win7 problem and never turned it on.
 

OK. I just followed your suggestion. Hopefully it will solve the problem.

But meanwhile... could someone explain to such an 'internet security' noob why those Chinese guys want to take over my router?
 
I'm sure the criminal mind could think of all sorts of money-making reasons. Two that immediately come to mind are
1) the router becomes part of an "on-demand" botnet service (as we saw with Mirai), and
2) intercept or redirect your LAN traffic so as to steal your login details for sites like Amazon or eBay (as recently seen here).
 
Does this appear to be a vulnerability in an older firmware, or does it possibly apply to the latest firmware? I saw one person suggest that their router with very recent Merlin firmware got hacked.
 
The only confirmed reports I remember seeing so far are from people using 380.69 or earlier, although it's quite possible I missed some. Of course that doesn't mean that a different vulnerability will be discovered in the current firmware. It's a constant battle, but turning off all access from WAN will stop these sorts of attack.
 
It was me, sadly. I usually flash the newest one immediately when it is released... beta versions as well.

Guys,

I use the Skynet addon; AFAIK there is an option to block any Chinese attempt at access. Should I set it and block the whole of China in such a case?
 
AFAIK, the Internet was designed to be OPEN not secure so pretty much everything is "bolt-on" after the fact...

As humans are fallible, everything created by them is also fallible too. The old adage is very true: If debugging is taking bugs out, then programming is putting them in. Not all of them are known at any specific time and some were put in ON PURPOSE (example: back-door access for testing or support).

Harden the system in layers and everything is subject to change, so vigilance and diligence are in order. What is secure now might not be in 2 months, 2 weeks, 2 days, or even 2 hours. Putting in specific, credible forensic information and tools can help greatly reduce the time taken to track down issues and determine mitigation/prevention steps. Even something as simple as a separate Syslog Server can be very useful, but you do have to weed through the "flotsam and jetsam" when necessary. Plenty here have addressed the main focus areas, so I will not dive in any further. Do note that providers of software/services may not secure everything to your liking!

On Two-Way IPS from Trend Micro, I was making a habit of contacting the "abuse contacts" for specific Source IP Address Ranges to let them know of possible attacks. I found a few, outside of Known Countries with Active Hacking "detachments", that actually had more traffic after my contact. I stopped contacting and since my router stops from "answering the door", I get fewer "knocking". Some of the Source Addresses were from my work computer for specific traffic related to Microsoft Azure, so these were a False Positive Finding but I did have to know how to track this information down. Since there were browser-based error messages and time-based information sources to go on, I was able to narrow my search down and determined the issues and remediation steps.

The following are a couple sources that I use:

Common Vulnerabilities and Exposures: http://cve.mitre.org/index.html
Common Vulnerability Scoring System Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

In the calculator, you can hover over each selection to help understand what each metric means. I have used this tool at times to understand specific vulnerability scoring for assessing potential risks to my computing activities. I have used the calculator to score specific vulnerabilities discovered through scanning tool activities related to SAST, DAST, etc. The tools used to determine vulnerabilities will sometimes rank findings higher and/or lower than a specific implementation would rank, so the calculator has helped in proper risk assessment.

Example: I set up a test network with no Internet connectivity, LAN and wireless access, and hosting a Test Desktop and HP TouchPad devices (some are dual-boot webOS/CyanogenMod and at least one is dual-boot webOS/LineageOS). The Test Desktop runs scanning tools and comes across a vulnerability specific to the version of CyanogenMod in use. The vulnerability is ranked HIGH but my scoring shows LOW due to use in a TEST ENVIRONMENT and NO INTERNET ACCESS. It does give more impetus to migrate from CyanogenMod though!

I hope this information is helpful.
 
Are you saying you got hacked on the latest firmware? I can't see anything you've posted that says that.:confused:
Can't fully confirm, but with the latest firmware 384.4_2 I found 45 attempts to access my router from China, and simultaneously, somehow, access to the web GUI from WAN had been enabled... weird as hell.
On the other hand, VPN was not fixed, GUI language also... Somebody suggested doing a factory reset twice and it is already done.
 
