Possibly been hacked. Need assistant from senior users.


That is a highly unlikely scenario. Users can pick any DDNS providers, and each provider would have Asus router users + other users. That’s assuming the attacks are targeted of course.

And I’m not sure the ‘guts’ would reveal any useful information for attacking your router, you can scan the entire IPv4 space pretty easily these days. They *could* change your DDNS settings so all clients trying to reach the router reach the attacker instead but that’s attacking the clients not the router :/

I’d guess most if not all remote attacks on Asus routers are via the web UI being exposed to the WAN.

Oh, I don't disagree that it is unlikely. But the Asus app would force Asus' DDNS (not third party) and WAN access enabled without any consent. The router's DDNS can be identified here (http://iplookup.asus.com/nslookup.php). Why scan the whole internet if I can get what's needed from one source? The WAN IP is then known to be an ASUS router to attack.

The IoT is going to be a hot and heavy target for years to come. The convenience/security balance is gonna get interesting.
 
Hello!

I'm seeing unusual entries flooding my log. I don't know if these are hijacking attempts, but I don't want to start a new thread only for this:

Code:
Jun  6 10:31:30 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39758 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:31:32 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:7c:1c:4e:35:0e:bd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=606 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=586
Jun  6 10:31:40 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:44:71:b5:75:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=331 TOS=0x00 PREC=0x00 TTL=64 ID=39194 PROTO=UDP SPT=68 DPT=67 LEN=311
Jun  6 10:31:42 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39760 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:31:43 kernel: DROPIN=ppp0 OUT= MAC= SRC=5.188.62.71 DST=181.90.222.74 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48459 PROTO=TCP SPT=44571 DPT=2392 SEQ=1601464921 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  6 10:32:12 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39766 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:32:16 kernel: DROPIN=ppp0 OUT= MAC= SRC=103.29.69.96 DST=181.90.222.74 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=47680 DPT=554 SEQ=3381532960 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  6 10:32:18 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39767 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:32:27 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39768 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:32:36 kernel: DROPIN=ppp0 OUT= MAC= SRC=5.188.62.172 DST=181.90.222.74 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=29866 PROTO=TCP SPT=47102 DPT=23501 SEQ=4271370541 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  6 10:32:39 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39769 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:32:44 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:44:71:b5:75:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=331 TOS=0x00 PREC=0x00 TTL=64 ID=39202 PROTO=UDP SPT=68 DPT=67 LEN=311
Jun  6 10:33:03 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:68:d9:3c:4d:2a:45:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=358 TOS=0x00 PREC=0x00 TTL=255 ID=47509 PROTO=UDP SPT=68 DPT=67 LEN=338
Jun  6 10:33:04 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:68:d9:3c:4d:2a:45:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=358 TOS=0x00 PREC=0x00 TTL=255 ID=47510 PROTO=UDP SPT=68 DPT=67 LEN=338
Jun  6 10:33:09 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39775 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:33:13 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:74:d4:35:12:78:99:08:00 SRC=192.168.1.107 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=6223 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:33:15 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39776 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:33:18 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19194 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:33:19 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19197 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:33:20 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19198 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:33:24 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39781 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:33:36 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39783 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:33:48 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:44:71:b5:75:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=331 TOS=0x00 PREC=0x00 TTL=64 ID=39207 PROTO=UDP SPT=68 DPT=67 LEN=311
Jun  6 10:33:59 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=380 TOS=0x00 PREC=0x00 TTL=128 ID=16068 PROTO=UDP SPT=68 DPT=67 LEN=360
Jun  6 10:34:05 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19208 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19209 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39788 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19216 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19217 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19218 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:06 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19219 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:07 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19221 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:07 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19222 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:07 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19223 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:08 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19225 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:08 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19226 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:08 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:a0:af:bd:ac:22:ea:08:00 SRC=192.168.1.113 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19227 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  6 10:34:08 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:6c:4d:73:63:55:ad:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=359 TOS=0x00 PREC=0x00 TTL=255 ID=55800 PROTO=UDP SPT=68 DPT=67 LEN=339

Extended log attached (10k character limit reached here)

I don't have any device in my net with 192.168.1.xxx ip address.

What do these entries mean? I don't get why there are broadcast MACs and local/broadcast IPs all around.

Thanks in advance!
 

I'm seeing unusual entries flooding my log. I don't know if these are hijacking attempts, but I don't want to start a new thread only for this:
It's not connected to this thread's topic. They aren't hacking attempts. It's just broadcast traffic floating around on the local segment of the ISP's network that you're plugged into. I used to see this sort of thing years ago from my ISP until they changed their network equipment to filter this stuff out. It's sort of interesting to see that there are always some people who have directly attached their PCs to the internet :rolleyes:. I could even browse and access their shared drives in some cases :eek:. Anyway, it's of no concern to you as the router's firewall is doing its job and filtering out all this rubbish.
 
Thanks for your kind reply Colin.

I see that sometimes the source IP is external (SRC=95.215.0.167) and sometimes it seems local (SRC=192.168.1.100/107/113/125). Just to learn, what are the different scenarios in these cases?

Thanks once again.
 
@elbubi The external traffic is coming from your ppp0 interface. So that looks like normal "internet noise". The other stuff looks like a DHCP server at 192.168.1.100. A device at 192.168.1.1 doing SSDP, so probably a gateway. And the rest is client devices either talking to the DHCP server or broadcasting NetBIOS traffic.
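The reply above sorts the log by eye. As an added example that is not part of the thread, here is a small Python classifier that parses kernel DROP lines in exactly the format posted above and labels each one by interface and by what the ports say it is: UDP from port 68 to port 67 is a DHCP client's DISCOVER/REQUEST broadcast (SRC is 0.0.0.0 or the client's old lease), UDP 67 to 68 is a server's OFFER/ACK, UDP 137 is NetBIOS name service, UDP 1900 is SSDP, and a TCP SYN from a public address arriving on the WAN side is an unsolicited probe. The sample input is five lines copied from the post; the category names, the ".255" subnet-broadcast heuristic and the helper names are my own choices, not anything from the firmware.

```python
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, Optional

# Sample input: five of the kernel DROP lines posted above, verbatim. The
# "DROPIN=" run-together is how the firewall's log prefix ("DROP") appears
# glued to the first netfilter field ("IN=") in this syslog output.
SAMPLE_LOG = """\
Jun  6 10:31:30 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:82:0b:fc:1e:08:00 SRC=192.168.1.100 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0xC0 TTL=250 ID=39758 PROTO=UDP SPT=68 DPT=67 LEN=368
Jun  6 10:31:32 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:7c:1c:4e:35:0e:bd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=606 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=586
Jun  6 10:31:43 kernel: DROPIN=ppp0 OUT= MAC= SRC=5.188.62.71 DST=181.90.222.74 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48459 PROTO=TCP SPT=44571 DPT=2392 SEQ=1601464921 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  6 10:32:16 kernel: DROPIN=ppp0 OUT= MAC= SRC=103.29.69.96 DST=181.90.222.74 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=47680 DPT=554 SEQ=3381532960 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  6 10:33:13 kernel: DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:74:d4:35:12:78:99:08:00 SRC=192.168.1.107 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=6223 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one netfilter log line into its key=value fields, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"prefix": m.group("prefix").strip()}
    for key, val in KV_RE.findall("IN=" + m.group("rest")):
        if key == "LEN" and "LEN" in rec:
            continue  # second LEN= is the UDP/TCP length; keep the IP total length
        rec[key] = val
    # Flags such as SYN appear as bare tokens without '='.
    rec["syn"] = "SYN" in m.group("rest").split()
    # MAC= carries dst MAC (6 bytes), src MAC (6 bytes) and EtherType (2 bytes);
    # it is empty on point-to-point interfaces such as ppp0.
    parts = rec.get("MAC", "").split(":")
    if len(parts) == 14:
        rec["dst_mac"] = ":".join(parts[0:6])
        rec["src_mac"] = ":".join(parts[6:12])
    return rec


def classify(rec: Dict[str, Any]) -> str:
    """Label a dropped packet by the protocol behaviour its ports and addresses show."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    dst = rec.get("DST", "")
    try:
        src_ip = ipaddress.ip_address(rec.get("SRC", ""))
    except ValueError:
        src_ip = None
    if proto == "UDP" and (spt, dpt) == ("68", "67"):
        return "dhcp-client-discover/request"   # client -> server; SRC is 0.0.0.0 or its old lease
    if proto == "UDP" and (spt, dpt) == ("67", "68"):
        return "dhcp-server-offer/ack"
    if proto == "UDP" and dpt == "137":
        return "netbios-name-service-broadcast"
    if proto == "UDP" and dpt == "1900":
        return "ssdp-discovery"
    if proto == "TCP" and rec.get("syn") and src_ip is not None and src_ip.is_global:
        return f"unsolicited-wan-syn:{dpt}"     # a scanner probing our public address
    # Heuristic: limited broadcast, a .255 subnet broadcast on a /24, or broadcast dst MAC.
    if dst == "255.255.255.255" or dst.endswith(".255") or rec.get("dst_mac") == BROADCAST_MAC:
        return "other-broadcast"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count (interface, category) pairs over a whole log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec.get("IN", ""), classify(rec))] += 1
    return counts


def wan_syn_targets(log_text: str) -> Counter:
    """Destination ports that public sources tried to open: what the scanners are after."""
    targets: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec).startswith("unsolicited-wan-syn:"):
            targets[rec["DPT"]] += 1
    return targets


if __name__ == "__main__":
    for (iface, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {iface:5s}  {category}")
    print("scanned ports:", dict(wan_syn_targets(SAMPLE_LOG)))
```

Run it against the full Log.txt instead of SAMPLE_LOG and the per-interface counts make the point of the reply directly: everything on eth0 is DHCP or NetBIOS broadcast from the ISP segment, and the ppp0 entries are unsolicited SYNs whose destination ports (554 is RTSP, for instance) show what the scanners are looking for.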
 
Thanks once again Colin! I have my ADSL PPPoE modem set up as WAN IP gateway at 192.168.1.1, so that seems to be the device generating this traffic. I had disabled its DHCP some time ago when setting up bridge mode, but will look into its GUI to minimize all generated traffic, if possible.

Once again, THANKS so much for helping me to learn.
 
@elbubi Ah, OK. That probably makes more sense. I had assumed you were using a cable modem. (I don't really know anything about bridged ADSL modems)
 
On a version prior to 384.4_2 I was running the ASUS app, had WAN turned on etc, but after that got compromised all my router settings were tightened up harder than a nun & all passwords were changed & made to be extremely difficult.

I can relate to this. Last weekend we had a power failure. When the power came back up there was no Internet connection. So I went to investigate. I picked up an Android smartphone I keep handy for this sort of thing. Wifi was up, started the Asus router app. While I was waiting to see the status of the internet link in the app, a popup window scared the heck out of me. It said in a white window in 3 rows something to the effect of: Activating Remote Web access, changing password and a third item I can't recall. My reaction was to instantly flip to the Android pulldown menu where I shut off the Wifi.

Fortunately for me the internet link was still down and perhaps my quick reaction to shut off the smartphone wifi might have saved me. I have no idea where this came from. The one possible clue was that I searched something up a week ago which, when I clicked on the URL, turned out to be bogus and my browser redirected itself to 192.168.1.1. Again I was fortunate that I don't have a default password and always log out of the router admin screen, so no harm could be done. However it now seems possible that something may have been left behind from that event waiting for me to start the Asus router app.

From what I can tell nothing was changed. Maybe the message was a gag designed to scare me or I just got lucky and killed the wifi in time. In any event I logged in from a different machine and promptly reloaded the settings from a backup just in case.

So lesson I learned is do NOT leave such apps loaded with your user ID and password. Better yet delete the app.
 
Unlikely, since the modem sits on the WAN side of your router, therefore it's facing your router's firewall, not within it.

On the flip side, does that mean connected devices like IP cameras, PCs or a Blu-ray player sitting on your network would be an attack vector then? And if so how does one guard against that, given wanting/needing access to them remotely?

So lesson I learned is do NOT leave such apps loaded with your user ID and password. Better yet delete the app.

I've long since deleted the ASUS app, find it doesn't serve my uses anyway. But would this extend to the likes of OpenVPN connect app? I use it to connect to my IP cameras, as I'm sure many others do too.
 
On the flip side, does that mean connected devices like IP cameras, PCs or a Blu-ray player sitting on your network would be an attack vector then?
Of course! Network security people have been banging on about IoT devices for years. See Mirai.
And if so how does one guard against that, given wanting/needing access to them remotely?
Don't allow remote access to them. Lock them down tighter than a Gnat's Chuff.
 
Seriously, due to a lack of IT security knowledge, IoT has been abused by hackers and has been creating new records of DDoS traffic.
As mentioned, lock down direct remote access to those IoT devices, use OpenVPN and access via LAN.

But there are some IoT devices already built with malicious code (a backdoor) by some vendors. So choose a reliable source and product brand.

Using OpenVPN Connect is fine so long as you don’t lose your login devices. Lol.
 
Of course! Network security people have been banging on about IoT devices for years. See Mirai.
Don't allow remote access to them. Lock them down tighter than a Gnat's Chuff.

So I've set up a VPN server, following these instructions https://ipcamtalk.com/threads/vpn-primer-for-noobs.14601/ which should be ok, right? I get that nothing is foolproof, but how does one exactly lock down devices?

As mentioned, lock down direct remote access to those IoT devices, use OpenVPN and access via LAN.

Which is what I thought I had been doing (i.e. VPN server, connecting via OpenVPN Connect). Is there somewhere that explains in more detail how to do this, as the VPN primer referenced doesn't mention anything about accessing via LAN?
 
I think the first comment regarding WAN access is highly likely to be incorrect.

https://www.snbforums.com/threads/p...t-from-senior-users.45597/page-10#post-409101

You are right in general, but at least 3 people said they didn't turn on the WebGUI to WAN, including the one who opened this thread. They did not open it, but it got opened AFTER attack.

https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-3#post-392039

https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-3#post-392058

https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-4#post-393432

from another thread,
https://www.snbforums.com/threads/i...y-with-last-384-5-firmware.47071/#post-410355

And thus a LAN attack was suggested at some point in the thread. One possible cause suggested was that using the ASUS app on a smartphone seems to open the WebGUI to WAN by default.

To me most secure access seems SSH with public key pair. Maybe I can log on to the router with ssh and enable WebGUI to WAN with nvram commands manually, when I need it, then close it after.

Not really sure about VPN. PPTP seems less reliable nowadays. Maybe I should use OpenVPN instead of an SSH key pair for initial remote access. I am care-taking 3 sites, so some kind of remote access is essential.

Or maybe a PortKnocker (dynamic whitelisting) is a good option. Despite the controversy, at a personal level, I believe it's a mathematically sound solution. In the Asterisk (on a small server) world, it's a rather popular practice. Entware already has an fwknop package.
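The "dynamic whitelisting" idea in the post above, as an added example that is not from the thread and is not fwknop's own packet format: a toy single-packet-authorization exchange in Python with both sides in one process. The client sends one datagram carrying a random nonce, a timestamp, its own source address and an HMAC-SHA256 over all of that under a pre-shared key; the server verifies the tag in constant time, rejects stale timestamps and replayed nonces, binds the knock to the address it was actually received from, and then whitelists that address for a short time. The key, addresses, TTL and skew values are made up for the example; in a real deployment the `is_allowed` check is the firewall ACCEPT rule that fwknop inserts and later removes, and the datagram would travel over UDP rather than a function call.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

KNOCK_TTL = 60      # seconds a client stays whitelisted after a valid knock (assumed value)
CLOCK_SKEW = 30     # max |server time - knock timestamp| accepted (assumed value)
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 output


def make_knock(key: bytes, src_ip: str, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Client side. Datagram body = nonce(16) || timestamp(8, big-endian) || ip || HMAC(32)."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = nonce + struct.pack(">Q", now) + src_ip.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class KnockServer:
    """Server side: an authenticated knock opens a time-limited allow entry for one address."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen: Dict[bytes, int] = {}     # nonce -> timestamp, for replay detection
        self.allowed: Dict[str, int] = {}    # ip -> expiry time

    def accept(self, packet: bytes, observed_src: str, now: int) -> bool:
        if len(packet) < NONCE_LEN + 8 + 1 + TAG_LEN:
            return False                                   # too short to be a knock
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                                   # forged, tampered or wrong key
        nonce = body[:NONCE_LEN]
        (ts,) = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + 8])
        claimed_ip = body[NONCE_LEN + 8:].decode("ascii", errors="replace")
        if abs(now - ts) > CLOCK_SKEW:
            return False                                   # stale knock (or a bad clock)
        # Drop replay records that have aged out of the skew window, then check the nonce.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= 2 * CLOCK_SKEW}
        if nonce in self.seen:
            return False                                   # replay of a sniffed knock
        if claimed_ip != observed_src:
            return False                                   # knock is bound to the sender's address
        self.seen[nonce] = ts
        self.allowed[claimed_ip] = now + KNOCK_TTL
        return True

    def is_allowed(self, ip: str, now: int) -> bool:
        """What the firewall would consult before passing a new connection from ip."""
        expiry = self.allowed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[ip]                           # entry has timed out
            return False
        return True


if __name__ == "__main__":
    key = b"pre-shared-knock-key"          # constructed for the example
    server = KnockServer(key)
    t0 = 1_700_000_000
    knock = make_knock(key, "203.0.113.5", t0)
    print("valid knock accepted:", server.accept(knock, "203.0.113.5", t0))
    print("allowed right after: ", server.is_allowed("203.0.113.5", t0 + 5))
    print("same knock replayed: ", server.accept(knock, "203.0.113.5", t0 + 5))
    print("allowed after TTL:   ", server.is_allowed("203.0.113.5", t0 + KNOCK_TTL))
```

The "mathematically sound" part is the HMAC: without the key, an attacker who sniffs the WAN link can only replay a knock, and the nonce plus timestamp window closes that. What it does not give you is authentication of the service behind the opened port, so the SSH key pair or OpenVPN certificate is still needed once the hole is open.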
 
I can relate to this. Last weekend we had a power failure. When the power came back up there was no Internet connection

Good reason to have the modem and router on a UPS - cable and telecom usually have battery backup or generators - so if you can keep the modem and router powered via the UPS, you likely will not lose connectivity.

At least for a short period - last outage I had for power was 4 hours, and never lost connectivity with a APC 1080 backup...
 
I peeked: Asus Android app connects to 210.65.113.169:443 and some addresses around it. Taiwan.

There is no Asus account defined anywhere in my app. Remote Connection is off in its settings.

Without that Taiwan connection allowed, the app will not be able to find a new router. Once allowed and connected to the router, it will work later with that router with no Internet access given to the app.

It will even connect to my remote Asus router if there is the VPN tunnel to it - if the app can connect to Taiwan. Without VPN, no connection to my remote router, Taiwan or not. So, it is not all bad.

Do you trust they are not saving your username and pwd in Taiwan, too? App will try to save corresponding WAN IP and DDNS too. Why it needs to connect to Taiwan? Not paranoid?

I used an older app version as the current would not run on my phone. I do not expect much has changed.
 
Why go through the app when we can use OpenVPN to connect to the router?
 
People love their apps and phones. Did you not notice the disappearance act of computer-monitor-sized web pages and the emergence of the phone-sized ones :)

From what I see, the app is mostly useless. It can show what is connected to the network and bar their Inet access. Maybe turn the Guest network on and off, and Parental control.

I do not see that it would be useful for any actual router or network management. Or my needs just differ.
 
