Possibly been hacked. Need assistance from senior users.


I thought I read in these forums that they changed that recently? Of course that doesn't help people that had used it previously.

Yeah, I highly doubt it would revert the change, as it has no real way of knowing if WAN access was deliberately enabled by the end-user, or automatically by the application.

It's a shame, because overall I thought Asus' mobile app looked pretty good when I tried it out around when it originally launched. If they can sort out these types of issues, people should be good.
 
After first use and syncing of the app, it asks to enable services. I had an AC68U with Merlin fw 384.5beta1 at that moment, and after I didn't accept, it didn't enable access from WAN.
 
On Version 384.4_2 & this has happened again just now (language changed). Happily browsing the web & my Norton has a fit & goes into meltdown & my connection from my PC to my router no longer works. This despite fact I can connect to my router & network via my mobile. And no, I don't have the ASUS Router APP being used anymore on my mobile since last update/issue. My PC couldn't connect to my router & had to reboot my PC in order to do so.

Had a look at the most recent update & the only thing that sticks out is:
- FIXED: Security issue related to webui logging in (Asus bug)

Does this fix address this particular issue? Because if not, there's some other problem.
On side note I also have Skynet plugged in (& running, I think), if that makes any difference.
EDIT: seems my Skynet was not actually running after all.
 

No absolutely not, not even from a specified IP. After had this happen previously, I went through everything & tightened everything up.

EDIT: I've just saved/exported the settings, opened up the settings.cfg file, & the whole thing is in Chinese/Korean.
 
So, enabling WAN HTTPS access without the user knowing while using the mobile app is not good. When I first ran the app from a mobile network and tried to connect it worked. This was surprising. While looking into it the DDNS was turned on and WAN HTTPS access enabled without my consent.

I don't think this is a good move on Asus' part. As a minimum a warning needs to be given addressing the security hole that is being opened up by using the app. As it seems, many users are starting to notice strange things and post here, which is good, but how many people are unaware and have a breach on their hands?
 
Had a look at the most recent update & the only thing that sticks out is:
- FIXED: Security issue related to webui logging in (Asus bug)

No, it's a different issue, and I don't want to divulge any additional information about it because Asus won't have it fixed in the stock firmware until 384.210xxx. That's why I kept the changelog entry intentionally vague.
 
Hi All,

Thank you very much for this thread. I have encountered the same issue (my router: RT-AC66U); the language was switched and some of the WAN options were enabled which hadn't been enabled (by me at least).

I did the following:
  1. Reset the RT-AC66U to factory settings.
  2. Downloaded the latest firmware 3.0.0.4.382_50470
  3. Changed router login name/password (strong)
  4. In the iOS app - Advanced settings enabled PIN code so iTouch needs to be invoked every time I use the ASUS router App.
The reason I still use the app is because I have several Asus routers in my network and since I am the family "network support" all other family members also have Asus-routers.

# Is it possible for any skilled security person to make a setting list for the Asus routers to "tighten" things up more than the default settings and still keep it simple & easy for novice people like me?

# Is there a summary settings reply in this particular thread?

BR
//LK
 
# Is it possible for any skilled security person to make a setting list for the Asus routers to "tighten" things up more than the default settings and still keep it simple & easy for novice people like me?
Security AND convenience... Hmmm... Not possible! This is a key piece of your network: easy for you, easy for hackers.
I was running this firmware for a long time, but switched to a full open source one. Among things I do is only allowing router management from a dedicated LAN port, etc, etc.
How often do you need access to your family's routers? Why is it so difficult to ask them to run a TeamViewer session for you once in a while? Why is an always-on / real-time access required?
 
I've added a setting in Skynet v6.2.3 to potentially help mitigate this attack. Skynet will now actively prevent SSH and the WebUI being exposed to WAN. Once I get some more information I can add other checks as detailed in the Skynet thread.

I've pushed v6.2.3

This adds a feature I call "secure mode". This feature will prevent both SSH and the WebUI being exposed to WAN. This feature was directly inspired by the recent wave of routers being compromised. Hopefully this prevents (or at least slows down) routers being taken over by immediately disabling these settings if they are toggled.

If anyone else has other IOC's (indicators of compromise) that are relevant to this exploit, let me know and I can add further checks. I know it also changes the language to Chinese, enables PPTP VPN server and DDNS but I need more information to detect this accurately (maybe they use a common PPTP/DDNS username).

To enable this feature:

Code:
sh /jffs/scripts/firewall debug securemode enable
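A defender's settings audit, added here as an example and not Skynet's or any poster's code: it scans an Asuswrt-style key=value settings dump for the indicators named in this post and in the later PPTP check (WebUI or SSH reachable from WAN, PPTP server on, DDNS on, UI language switched), flagging only that PPTP is enabled rather than matching any credential string. The nvram variable names misc_http_x, sshd_enable, pptpd_enable, ddns_enable_x and preferred_lang are assumptions about Asuswrt, and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not Skynet's code, not from the forum): audit an Asuswrt-style
# "key=value" settings dump for the indicators of compromise discussed in this
# thread. Assumed nvram variable names: misc_http_x, sshd_enable, pptpd_enable,
# ddns_enable_x, preferred_lang. Sample dumps below are constructed.

# get_val KEY DUMP -> value of KEY (first match, empty if absent)
get_val() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# check KEY BADVALUE MESSAGE DUMP -> prints a FINDING line when KEY=BADVALUE
check() {
    if [ "$(get_val "$1" "$4")" = "$2" ]; then
        echo "FINDING: $3 ($1=$2)"
    fi
}

# audit_settings DUMP -> one FINDING line per indicator present
audit_settings() {
    check misc_http_x 1 "WebUI reachable from WAN" "$1"
    # Merlin convention assumed: sshd_enable=1 is LAN+WAN, 2 is LAN only
    check sshd_enable 1 "SSH reachable from WAN" "$1"
    check pptpd_enable 1 "PPTP VPN server enabled" "$1"
    check ddns_enable_x 1 "DDNS enabled" "$1"
    lang=$(get_val preferred_lang "$1")
    if [ -n "$lang" ] && [ "$lang" != "EN" ]; then
        echo "FINDING: UI language switched to '$lang'"
    fi
}

# count_findings DUMP -> number of FINDING lines
count_findings() {
    audit_settings "$1" | wc -l | tr -d ' '
}
# Constructed dumps: one resembling a tampered router, one a hardened baseline
SUSPECT_DUMP='preferred_lang=CN
misc_http_x=1
sshd_enable=1
pptpd_enable=1
ddns_enable_x=1'
CLEAN_DUMP='preferred_lang=EN
misc_http_x=0
sshd_enable=2
pptpd_enable=0
ddns_enable_x=0'

audit_settings "$SUSPECT_DUMP"
echo "findings: $(count_findings "$SUSPECT_DUMP") (clean baseline: $(count_findings "$CLEAN_DUMP"))"
```

On a live router the same audit runs against the real settings with `audit_settings "$(nvram show 2>/dev/null)"`, which is a convenient thing to schedule and diff against a known-good baseline.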
 
I've added a setting in Skynet v6.2.3 to potentially help mitigate this attack. Skynet will now actively prevent SSH and the WebUI being exposed to WAN. Once I get some more information I can add other checks as detailed in the Skynet thread.
It is quite possible that the attack is coming from the LAN side via a malicious website or an infected advertisement or a spam email. Everyone is trying to secure their WAN side while assuming the other one is trusted, while it is not. It would be a good practice to limit the router access to just a few IPs (preferably wired). Better yet, limit to a single LAN port.
 
It is quite possible that the attack is coming from the LAN side via a malicious website or an infected advertisement or a spam email. Everyone is trying to secure their WAN side while assuming the other one is trusted, while it is not. It would be a good practice to limit the router access to just a few IPs (preferably wired). Better yet, limit to a single LAN port.

Hard to say what is being exploited without more information; all we can do is mitigate the attack. I've just pushed another Skynet update which checks for suspicious PPTP VPN settings (compromised routers use a common string for the user/password). These new checks should effectively prevent a compromised router from being accessed from an outside source (in the exploit's current form at least).
 
No, it's a different issue, and I don't want to divulge any additional information about it because Asus won't have it fixed in the stock firmware until 384.210xxx. That's why I kept the changelog entry intentionally vague.

Is there no broad mitigation against this new issue - something that doesn't require you having to reveal any details but would be part of best security practices?
 
Is there no broad mitigation against this new issue - something that doesn't require you having to reveal any details but would be part of best security practices?

Firmware update is the only real solution. Upgrade to 384.5.
 
Security AND convenience... Hmmm... Not possible! This is a key piece of your network: easy for you, easy for hackers.
I was running this firmware for a long time, but switched to a full open source one. Among things I do is only allowing router management from a dedicated LAN port, etc, etc.
How often do you need access to your family's routers? Why is it so difficult to ask them to run a TeamViewer session for you once in a while? Why is an always-on / real-time access required?

that's true...
 
No, it's a different issue, and I don't want to divulge any additional information about it because Asus won't have it fixed in the stock firmware until 384.210xxx. That's why I kept the changelog entry intentionally vague.

So you're confirming then that this same issue/bug/flaw that everyone has posted about for the last several pages here still exists in the firmware?


I've just updated to 384.5 & an observation:
After updating and doing a Factory default restore AND Factory default initialize, AND format JFFS partition AND reboot, saving settings is still resulting in the .CFG settings file containing Chinese/Korean garble after something else happens/changes. At one point the saved CFG file appears fine, but then somewhere between doing these steps & changing something it's reverted back (let me know if you want CFG/LOG files).

On side note:
Can you possibly change the firmware so that saving the log keeps its formatting/line returns? Opening it in Notepad is different from copy/paste to/from the system log.

Following seems new? My ISP doesn't require a username/password & there was no other way to pass this other than just not using it, i.e. skip the setup wizard.
 
saving settings is still resulting in the .CFG settings file containing chinese/korean garble after something else happens/changes.
Are you talking about the "Save settings" file? If so then that file will always look garbled because it's encrypted.
 
