Possibly been hacked. Need assistant from senior users.

[Rubenel]

Here is the syslog along with other photos of the current configurations.


https://drive.google.com/file/d/1C5pW4gJnWHj-7-i3xfAU2O4aaacFd2Or/view?usp=drivesdk

Sent from my SM-G950U using Tapatalk

 

[Rubenel]

More pictures.

Sent from my SM-G950U using Tapatalk

 

[Rubenel]

More.....

Sent from my SM-G950U using Tapatalk

 

[ColinTaylor]

There's not a lot to see in your syslog for that period. We can see the PPTP and OpenVPN (were you using OpenVPN?) servers starting as the router is rebooted. There were a lot of disk errors prior to the reboot so I'm guessing that it was you that rebooted it? If that is the case then it's possible that the VPN changes were made at an earlier time but only became active when the router was rebooted.

Everything else looks normal. Given that the latest firmware has patched some vulnerabilities I don't think there's much more you can do at the moment other than updating the firmware and changing your router password (and disabling WAN http/s access of course).

 

[Rubenel]

I didn't setup the PPTP VPN, not did I activate the AiDisk or the PPTP VPN.


Also when I looked at the services, ssh and WAN access is off.


So who gain access found a vulnerability in the firmware.


I'm going to contact the creator of Merlin to let him know. This has to be patched.

Sent from my SM-G950U using Tapatalk

 

[RMerlin]

I can't patch "something" without any indication as to what there is to patch.

Also for starter, you are not running the latest version. There were a number of security issues fixed by Asus and myself since the 380.69 version you show in your screenshot. The first thing to do is to update to an up-to-date version.

 

[Rubenel]

I can't patch "something" without any indication as to what there is to patch.

Also for starter, you are not running the latest version. There were a number of security issues fixed by Asus and myself since the 380.69 version you show in your screenshot. The first thing to do is to update to an up-to-date version.

Outside of the firmware not being up to date, is there any way to confirm this isn't a vulnerability in the firmware that may not be patched as of today. Can I perform a system dump, if possible?

SSH, WAN ACCESSS were both off.

How can I determine how they gained access to the router?

Sent from my SM-G950U using Tapatalk

 

[RMerlin]

How can I determine how they gained access to the router?

It's not really possible. If for instance a web vulnerability was used to retrieve or replace your password, then there won't be any trace of it in the system log. Also, the log you posted is over 5 weeks old, so it's unlikely to contain any information either - he probably erased the current log, leaving you with only the older entries.

WAN access can possibly have been unknowingly enabled if you used Asus's mobile app - it had a tendency to do that according to many users.

The default firewall rules do not expose anything to the WAN - everything is blocked by default, unless a feature is specifically enabled. So either webui access was unknowingly enabled, or you were compromised from the inside (through visiting a malicious website, or someone connecting to your wifi network - probably unlikely).

 

[Rubenel]

I need the router to be in operations again.
I am going to wipe and reload the firmware and update.
I will report back with any suspicious activities.
Thanks guys.

 

[Rubenel]

It's not really possible. If for instance a web vulnerability was used to retrieve or replace your password, then there won't be any trace of it in the system log. Also, the log you posted is over 5 weeks old, so it's unlikely to contain any information either - he probably erased the current log, leaving you with only the older entries.

WAN access can possibly have been unknowingly enabled if you used Asus's mobile app - it had a tendency to do that according to many users.

The default firewall rules do not expose anything to the WAN - everything is blocked by default, unless a feature is specifically enabled. So either webui access was unknowingly enabled, or you were compromised from the inside (through visiting a malicious website, or someone connecting to your wifi network - probably unlikely).

Thanks

 

[RMerlin]

Addendum: I see you have AiCloud enabled. That's something that is open to the Internet. Asus has fixed a number of security issues in it over the years. AiCloud being closed source, I can't tell much more about it, except that I don't fully trust its security either. It's possible that it could have been used as an attack vector since you aren't running an up-to-date firmware.

 

[Rubenel]

Addendum: I see you have AiCloud enabled. That's something that is open to the Internet. Asus has fixed a number of security issues in it over the years. AiCloud being closed source, I can't tell much more about it, except that I don't fully trust its security either. It's possible that it could have been used as an attack vector since you aren't running an up-to-date firmware.

They got into the router, assigned their PPTP VPN, shut down my VPN and enabled AiDisk. They were after my 1TB attachment.

Luckily, AiDisk doesn't work in a multi-nat environment, so their effort wasn't fruitful.

Sent from my SM-G950U using Tapatalk

 

[Rubenel]

Anyways, thanks Merlin for the attention and contributions. I'm going to wipe the router and update.

Sent from my SM-G950U using Tapatalk

 

[sfx2000]

@hoorah Did you buy your router from China? If you didn't the default language should match your region (i.e. English probably).

What router model and firmware version did you have?

Just to clarify a minor point - the language and character set in the screenshots is Korean.

 

[s_Fanous]

The exact same thing happened to me last week and I also had SSH and HTTPS WAN access

I'm running a "modified" 380.65. Time to say good bye to the "modifications" I guess.

 

[sfx2000]

There's not a lot to see in your syslog for that period. We can see the PPTP and OpenVPN (were you using OpenVPN?) servers starting as the router is rebooted. There were a lot of disk errors prior to the reboot so I'm guessing that it was you that rebooted it? If that is the case then it's possible that the VPN changes were made at an earlier time but only became active when the router was rebooted.

I see a subtle hint that someone's TimeMachine backup is about to go *poof*

So once the security concern is dealt with, sort out that disk situation...

 

[Rubenel]

Just to clarify a minor point - the language and character set in the screenshots is Korean.

Yes sorry. I wasn't 100 percent. I believe I said Asian region in one of my post.

I've got the router operating after a wipe and refresh of the firmware and update.



Sent from my SM-G950U using Tapatalk

 

[Rubenel]

I see a subtle hint that someone's TimeMachine backup is about to go *poof*

So once the security concern is dealt with, sort out that disk situation...

I've formatted the disk and will back up my MacOS once again.


Thanks.

Sent from my SM-G950U using Tapatalk

 

[sfx2000]

I've formatted the disk and will back up my MacOS once again.

Consider something else for TimeMachine - initially it'll work well, until the TimeMachine client starts trimming things, and Linux runs out of file handles. It'ssort of a known issue with non-Apple implementations of TimeMachine backup stuff...

The best TimeMachine host is a direct attached disk, followed by OSX Server, and then Airport TimeCapsule/Airport AirDisk - Apple doesn't publish how TimeMachine works, so everything else is reverse engineered, and Apple changes the client every time OSX does a major release.

 

[Stephen Harrington]

The access from WAN was enabled automatically because I used the app on my smartphone to access the router.

I think it is a very large security hole that the ASUS app opens up WAN Access automatically without people necessarily being aware of how insecure this is.
ASUS should address it!

StephenH