RT-AX86U running Merlin serving DNS - possible Malware infection

Dunce question ... What does it mean for his router to be answering DNS requests? How is that tested? Is this DNS for devices on his internal network?
 
What does it mean for his router to be answering DNS requests? How is that tested? Is this DNS for devices on his internal network?
The router’s dnsmasq instance was accessible from the internet and therefore able to answer DNS requests from strangers. It shouldn’t have been able to do that if the firewall had been running correctly.
 
I've just become aware that my Asus RT-AX86U which is running the latest Merlin firmware (3004.388.9) might be compromised. Potentially by TheMoon malware or Alogin. I was made aware that port 53 is open, however, I don't have any port forwards enabled for 53 so I can't see why it would be open.
Congratulations! You were running a real live honeypot there for a short while! LOL :p
 
I have some things to investigate because the two Asus routers I support remotely started having issues at the same time. Both still work, but the wireless speed doesn't go above 20Mbps, with crazy latency shooting over 1000ms on speed tests. This was the owners' complaint - voice/audio and streaming don't work well. One is within my reach, a single-unit ZenWiFi XT8; the other is far away, an RT-AC66U B1. Both run Asuswrt and seem normal in logs with the exception of many ASD crashes. Another bad ASD update perhaps? 🤔

Stopped all Trend Micro stuff for now, kind of stable, one even reached 100Mbps over Wi-Fi... but something is definitely off.
 
Hmm... both routers are stable again after enabling Bandwidth Limiter in QoS (in order to force-disable NAT acceleration). Speed test latency instantly went down and the throughput is back to expected for wirelessly connected devices. ISP lines are 300Mbps so no big WAN throughput loss, but I haven't seen this before. Will let the owners test the current configuration for some time; they say voice/audio and streaming work well now. 🤷‍♂️
 
That was probably the safest solution. Something was flushing the content of your INPUT chain. It wasn't a firewall rule error, because that would have prevented the whole firewall from being configured, not just the INPUT chain.

Just to be safe, use a different password for your router's admin access, in case it was somehow compromised.
So just circling back after a few days to see if everything is ok. I'm having someone rescan my IP via TCP and UDP. TCP comes back the way I expect. However, running this: nmap -sS -sU -T4 -A -v 101.100.xxx.xxx/32
I have gotten this response on port 53. Why is it not responding with an ICMP Type 3 port unreachable?

Code:
OUTPUT_DNS

Discovered open port 53/udp on 101.100.xxx.xxx
Discovered open|filtered port 53/udp on 101.100.xxx.xxx is actually open

Had a look at iptables for port 53 stuff and I see this entry, but I can't make sense of it... just want to confirm that this is expected?
Code:
[13882:1034069] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS

Nmap is still running as I write this, but this is the only thing that has shown and it's about 60% complete so far....
 
Had a look at iptables for port 53 stuff and I see this entry, but I can't make sense of it... just want to confirm that this is expected?
Code:
[13882:1034069] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
Yes this is normal.
 
SSH into your router and post the output of this command:
Code:
netstat -nlp | grep :53
101.100.xxx.xxx is my IP address; I was just obfuscating the address since it's static and I didn't want to publicly post it. I'll DM it to you though. I was having my friend, who is a network security professional in the USA, run nmap on my IP. He's not familiar with Merlin or Asus routers and works exclusively on enterprise-grade network appliances, so he was wondering why it was showing up that way in his nmap scan of my IP.

Here's the output:
admin@RT-AX86U-79A8:/tmp/home/root# netstat -nlp | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2232/avahi-daemon:
admin@RT-AX86U-79A8:/tmp/home/root#
 
Here's the output:
admin@RT-AX86U-79A8:/tmp/home/root# netstat -nlp | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2232/avahi-daemon:
admin@RT-AX86U-79A8:/tmp/home/root#
That all looks normal.

I've nmap'ed your address and I don't see it being open. nmap shows "open|filtered" for udp ports even though there's no response. I tried sending a DNS request to port 53 and got no response.
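To make the distinction in the reply above concrete (dnsmasq bound only to loopback and the LAN address, avahi bound to all interfaces), here is an added Python check that is not from the thread or the Merlin firmware: it parses `netstat -nlp` output and flags port-53 listeners whose bind address is a wildcard or a public address. The sample lines are the ones posted above; the classification by bind address is an assumption about what is worth looking at first, not a substitute for checking the INPUT chain.

```python
import ipaddress
import re

# Constructed sample: the netstat -nlp | grep :53 output posted in the thread.
SAMPLE_NETSTAT = """\
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3965/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 3965/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2232/avahi-daemon:
"""

# proto recv-q send-q local:port foreign [LISTEN] pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
    r"\s+\S+\s+(?:LISTEN\s+)?(?P<prog>\S+)$"
)


def parse_listeners(text):
    """Return (proto, addr, port, program) for every socket line in netstat output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m["proto"], m["addr"], int(m["port"]), m["prog"]))
    return found


def classify(addr):
    """Reachability implied by the bind address alone (assumed labels)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or :: binds every interface, WAN included
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:          # RFC 1918 LAN address, e.g. 192.168.1.1
        return "lan"
    return "public"            # bound directly to a routable (WAN) address


def exposed_dns_listeners(text, port=53):
    """Listeners on `port` that the bind address does not keep off the WAN.
    Loopback/LAN binds still rely on the firewall INPUT chain to stay private,
    but an all-interfaces or public bind is the case to investigate first."""
    return [s for s in parse_listeners(text)
            if s[2] == port and classify(s[1]) in ("all-interfaces", "public")]
```

Run against the posted output it returns an empty list for port 53, which matches the "looks normal" verdict; a dnsmasq line bound to 0.0.0.0:53 would be flagged.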
 