RT-87U Hacked?

JGrana

Very Senior Member
Interesting problem with my RT-87U running 376.47.

I noticed some choppy internet performance and investigated. I ran iftop (from ipkg) and sure enough it showed many connections between remote devices. Lots of:

astound-66-234-209.18.ca.astound <=> various IP addresses. This was monitoring Vlan2 (br0).

I then looked at the routing table. In addition to the normal route from my ISP (Time Warner Cable) and the 192.168.1.0 subnet, there is another route I didn't expect:

169.254.39.0 255.255.255.0 on br0

I then did netstat and again it showed various tcp ESTABLISHED connections between 169.254.39.189:608 to 169.254.39.93:813. Running netstat a few times showed similar connections with the port numbers changing.

Last, I did an ifconfig and I see this:

br0:0 inet addr:169.254.39.189 Bcast:169.254.39.255 Mask:255.255.255.0

I don't believe this should be there...


So far, this is what I have done:

1) Reloaded 376.47, cleared NVRAM.
no change
2) Turned off my local PC. Reboot router
no change
3) Enabled AIProtection. Reboot router
no change
4) Disabled UPnP. Reboot router
no change.

Any ideas on what to do next?

I have /jffs enabled and a few scripts in services-start. I checked all of those scripts and I don't see any issues. They mount 2 remote devices (my NAS and a share on a local PC).

Help!!!
 
The 169.254.39.0 network is the network between the Broadcom and the Quantenna portions of the router. They are entirely internal to the router.

Ahh, that makes sense given the architecture. Whew, I feel better.

One last question. When I run iftop, it opens vlan2 which looks to be the WAN side (the ip address is the Time Warner DHCP provided one). I see lots of chatter between "astound-66-234-209.18.ca.astound" and other ip addresses. Am I just seeing packets passing by? I.e. not destined or sourced from the RT-87U?

Thanks again for setting me straight on the internal networks!!!
 

That hostname is invalid, so it must be truncated, therefore no idea what it is. Port numbers are also necessary to be able to guess what this traffic might be.
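
The triage done by hand in this thread, as an added example that is not part of any post: it sorts ESTABLISHED TCP connections from saved `netstat -tn` output by address scope, so pairs where both ends are link-local (like the 169.254.39.x pair above) are separated from LAN and external peers. It assumes the usual six-column netstat layout and is meant to be run on a workstation over the saved output; the sample lines are constructed, and only the 169.254.39.x pair comes from the thread.

```python
import ipaddress

# RFC 1918 LAN ranges, listed explicitly: ipaddress.is_private also covers
# link-local and documentation ranges, which would blur the classes here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; only the 169.254.39.x pair is taken from the thread.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 169.254.39.189:608      169.254.39.93:813       ESTABLISHED
tcp        0      0 192.168.1.1:22          192.168.1.50:51234      ESTABLISHED
tcp        0      0 198.51.100.20:40112     203.0.113.7:443         ESTABLISHED
tcp        0      0 192.168.1.1:80          192.168.1.50:51300      TIME_WAIT
"""

def scope(addr):
    """Classify one address as loopback, link-local, lan or external."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # netstat may print ::ffff:a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:             # 169.254.0.0/16 (RFC 3927) or fe80::/10
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "external"

def triage(netstat_text):
    """Return (local, remote, verdict) for each ESTABLISHED TCP connection."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        try:
            scopes = {scope(ep.rsplit(":", 1)[0]) for ep in (f[3], f[4])}
        except ValueError:
            continue                 # address column did not parse
        if scopes == {"link-local"}:
            verdict = "link-local-only"   # both ends on a non-routed segment
        elif "external" in scopes:
            verdict = "external"          # the rows worth a closer look
        else:
            verdict = "local"
        rows.append((f[3], f[4], verdict))
    return rows

if __name__ == "__main__":
    for local, remote, verdict in triage(SAMPLE):
        print(f"{verdict:16} {local} <-> {remote}")
```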