RT-AX88U maxing out a core and regularly showing 60+ MB/s upload


Similar issue - losing WAN access repeatedly, router crashing. Reset and rebuilt multiple times. New modem from ISP, new cables, new AX86U through warranty. Still occurring until disabling of AiCloud. Odd thing is while monitoring logs a line regarding tainted PPTP VPN caught my eye. I have never enabled the PPTP VPN ...I may have flipped the switch by accident while configuring WireGuard or something one of the hundred times I factory reset and rebuilt this past month. Disabling AiCloud has since solved my issue, but it's been less than 24hrs. Changed 26 character router login, DDNS, eliminated port forwarding.
 
Same issue with my RT-AC86U. Someone in another forum pointed me to this thread last week. I turned off AiCloud at that point and things were better. Turned it back on today and after a bit, I noticed the huge upload. Turned it off and rebooted and I'm good again. I guess I'll wait to turn AiCloud back on until Asus and then Merlin issues some sort of update.
 
I would start looking for AiCloud alternatives instead. It’s obviously one of the features in Asuswrt targeted by hackers.
 
Quick Q: when folks are saying they "Disabled AiCloud", what exactly are they disabling?

I do not have any of the services on, I do not allow WAN access to my Router, but (via Tailscale and sometimes Wireguard) I access my Routers remotely using a VPN. Tailscale does NOT need a DDNS, but Wireguard does, which is why I have left my DDNS operational (backup VPN).

I do not use AiCloud to access my Router via the Asus AiCloud App or a URL to the ddnsname.asuscomm.com web address.

As DDNS shows up on that AICloud 2.0 Tab, is that considered part of AICloud or "not really" as it is just a DDNS? i.e. do I need to disable that too (and use a different DDNS?)

k.
 

For me, the only difference between being infected and running for a week plus with no further signs of trouble was turning off "AiCloud Disk". Turn off "AiCloud Disk", delete /tmp/hklp and reboot.

I do have DDNS enabled along with remote ssh access.

RT-AX88U Pro
Current Version : 3004.388.8_2
 
Tailscale does NOT need a DDNS, but Wireguard does, which is why I have left my DDNS operational (backup VPN).
I do not have DDNS enabled or active when using Wireguard server on a RT-AX86U Pro running 3004.388.8_2. Wireguard server seems to run fine with no issues that I've experienced when accessing via remote Wireguard VPN. My broadband IP address rarely if ever has changed so I don't see the need to enable DDNS. As always YMMV.
 
I do not have DDNS enabled or active when using Wireguard server on a RT-AX86U Pro running 3004.388.8_2. Wireguard server seems to run fine with no issues that I've experienced when accessing via remote Wireguard VPN. My broadband IP address rarely if ever has changed so I don't see the need to enable DDNS. As always YMMV.
That’s interesting, thanks. You’re right, many use cases differ, but I do it because of what I read here:
and saw here (it’s Ubiquiti: but same principle for WG).

It’s what attracted me to TS initially, but I do like WG as a backup, which only works if I can rely on the IP address.
 
I've got an Asus RT-AX3000 (RT-AX58U) with firmware 3.0.0.4.388_25127 and Entware. I think I've got it so that Entware is enabled after a reboot only if I SSH in and run some ln and mount commands. My router joined the botnet starting yesterday morning, and I'm glad I found this thread.

The malware runs 4 processes in a parent/child chain, replaces the stat process names with "sshd", and removes the cmdline from the process tables. I can tell which process is doing the work by running top and seeing which one is using up CPU, and the timing lines up with my internet connection degrading severely. I tried finding out more about what this malware is doing using ps, pstree, and netstat, but didn't get very far. But then I tried tcpdump, and I was able to see in Wireshark that my router was part of a botnet sending a TCP ACK flood with 1360 bytes of junk payload to a hosting provider named HostSG out of Singapore (IP addresses 203.175.172.0 - 203.175.173.255).

I feel bad for the hosting provider. My ISP gives me 20 Mbps upstream bandwidth, but this malware was able to hit 650 Mbps as seen on the router's Traffic Monitor page. I think my ISP gives me bursting upload speed too, which the malware took advantage of by doing the flood for just 20 seconds or so and then waiting 2 or 3 minutes before flooding again.

Anyways, I turned off Asus AiCloud 2.0 Cloud Disk and rebooted the router, but I got hacked again 3 hours later. I've now also turned off Asus AiCloud 2.0 Smart Access and rebooted, and so far I've gone the longest yet without any malware running. Fingers crossed that I'm free and clear now.

BTW, I've got the router log going to my Raspberry Pi through rsyslog, and I noticed in there that the weekly Let's Encrypt and dynamic DNS refresh ran just minutes before the very first time my internet connection degraded (I'm running SmokePing on my Pi). But that could be a coincidence. In the log, the refresh starts with "cmd service restart_letsencrypt" and ends with "Listening for NAT-PMP/PCP traffic".
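An added shell check (not from the thread) for the hiding pattern described in the post above: processes whose comm has been set to "sshd" but whose cmdline has been emptied, plus the /tmp/hklp artifact mentioned earlier in the thread. The proc and tmp paths are parameters, so the functions can be run against a constructed fake tree as well as the live /proc; the dropbear remark is an assumption about Asuswrt builds.

```shell
#!/bin/sh
# Added example: walk a /proc tree and flag processes that match the
# pattern described in the post (comm renamed to "sshd", cmdline emptied).
scan_proc() {
    proc_dir="${1:-/proc}"
    for d in "$proc_dir"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # comm is the short name shown by top/ps; the malware sets it to sshd
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        # cmdline is NUL-separated; an empty file is what the post describes
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null || true)
        if [ "$comm" = "sshd" ] && [ -z "$cmdline" ]; then
            ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null || true)
            # Assumption: Asuswrt's own SSH server is dropbear, so an "sshd"
            # comm is already unusual; an empty cmdline makes it worth a look.
            echo "suspicious: pid=$pid ppid=${ppid:-?} comm=$comm cmdline=<empty>"
        fi
    done
    return 0
}

# Returns 0 if the hklp artifact reported earlier in the thread exists
# under the given tmp directory (default /tmp).
has_hklp() {
    [ -e "${1:-/tmp}/hklp" ]
}

# Stand-alone run against the live system.
scan_proc /proc
if has_hklp /tmp; then
    echo "found /tmp/hklp"
fi
```

A hit only tells you which PID to look at next (its parent chain, open sockets via netstat, and CPU use in top); the post's tcpdump capture is what confirmed the flood traffic.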
 
In general terms, the string "Tainted:" (usually followed by a series of one-letter "taint flags") in a crash report means that the kernel has been marked and is considered to be in an "unknown state" (i.e. "tainted state").
Code:
Oct 25 03:09:12 kernel: CPU: 1 PID: 1872 Comm: dcd Tainted: P           O    4.1.52 #2
Oct 25 03:09:12 kernel: Hardware name: Broadcom-v8A (DT)
Oct 25 03:09:12 kernel: task: ffffffc010455440 ti: ffffffc009554000 task.ti: ffffffc009554000
Oct 25 03:09:12 kernel: PC is at 0x29d34
Oct 25 03:09:12 kernel: LR is at 0x29fb4
Oct 25 03:09:12 kernel: pc : [<0000000000029d34>] lr : [<0000000000029fb4>] pstate: 200f0010
Oct 25 03:09:12 kernel: sp : 00000000ff8dfb00
Oct 25 03:09:12 kernel: x12: 00000000000a211c
Oct 25 03:09:12 kernel: x11: 0000000000081d6c x10: 0000000000000005
Oct 25 03:09:12 kernel: x9 : 0000000000000003 x8 : 0000000000000005
Oct 25 03:09:12 kernel: x7 : 00000000f5dfe1e4 x6 : 0000000000000035
Oct 25 03:09:12 kernel: x5 : 000000000000003a x4 : 00000000f5dfe244
Oct 25 03:09:12 kernel: x3 : 0000000000000000 x2 : 0000000000000004
Oct 25 03:09:12 kernel: x1 : 000000000000000d x0 : 0000000000000000
Can you tell me if this log entry means that the device is also infected?
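To read the letters in a line like the one quoted above, here is an added shell helper (not from the thread) that decodes them using the flag meanings from the Linux kernel's taint documentation; the embedded sample line is the one from the log above.

```shell
#!/bin/sh
# Added example: decode the one-letter taint flags from a kernel crash line.
# Meanings follow the Linux kernel's taint-flag documentation.
taint_meaning() {
    case "$1" in
        P) echo "P: a proprietary (non-GPL) module has been loaded" ;;
        G) echo "G: all loaded modules are GPL" ;;
        F) echo "F: a module was force-loaded (insmod -f)" ;;
        S) echo "S: SMP kernel running on hardware not designed for SMP" ;;
        R) echo "R: a module was force-unloaded" ;;
        M) echo "M: a machine check exception occurred" ;;
        B) echo "B: a bad page was found (memory corruption)" ;;
        U) echo "U: taint requested by userspace" ;;
        D) echo "D: the kernel oopsed/BUGed before this report" ;;
        A) echo "A: an ACPI table was overridden by userspace" ;;
        W) echo "W: a kernel WARN() fired earlier" ;;
        C) echo "C: a staging driver has been loaded" ;;
        I) echo "I: a platform firmware bug was worked around" ;;
        O) echo "O: an out-of-tree module has been loaded" ;;
        E) echo "E: an unsigned module was loaded" ;;
        L) echo "L: a soft lockup occurred earlier" ;;
        K) echo "K: the kernel has been live-patched" ;;
        *) echo "$1: unknown taint flag" ;;
    esac
}

# Extract the letters between "Tainted:" and the kernel version string
# and print one explanation per flag. Returns 1 if no Tainted: field exists.
decode_taint() {
    flags=$(printf '%s\n' "$1" \
        | sed -n 's/.*Tainted: *\([A-Z ]*[A-Z]\) .*/\1/p' | tr -d ' ')
    [ -n "$flags" ] || { echo "no Tainted: field found"; return 1; }
    i=1
    while [ "$i" -le "${#flags}" ]; do
        taint_meaning "$(printf '%s' "$flags" | cut -c "$i")"
        i=$((i + 1))
    done
}

# Stand-alone run on the line quoted in the post above.
SAMPLE='Oct 25 03:09:12 kernel: CPU: 1 PID: 1872 Comm: dcd Tainted: P           O    4.1.52 #2'
decode_taint "$SAMPLE"
```

P and O only record that proprietary and out-of-tree modules were loaded; the flags describe kernel module state and say nothing on their own about userland malware, so the crash of the dcd process itself is what needs investigating.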
 
BTW, I've got the router log going to my Raspberry Pi through rsyslog, and I noticed in there that the weekly Let's Encrypt and dynamic DNS refresh ran just minutes before the very first time my internet connection degraded (I'm running SmokePing on my Pi). But that could be a coincidence. In the log, the refresh starts with "cmd service restart_letsencrypt" and ends with "Listening for NAT-PMP/PCP traffic".
You should check that the attacker hasn't connected their mobile app to your router.

I'm unsure, but I think you can disable the Asus remote management service (thus preventing access via the mobile app) with the "aae_disable_force=1" nvram variable.
 
It looks like Asus pushed out an update to asd a few days ago to address this malware, at least in the short term. I did have to reboot my router to pick it up though.
Wonder why a reboot was necessary for the asd. If that’s the case, most people aren’t gonna get it unless the power blinks and it reboots
 
It looks like Asus pushed out an update to asd a few days ago to address this malware, at least in the short term. I did have to reboot my router to pick it up though.
Can you please confirm those are the files found in /jffs/asd? Here's what I see for my RT-AX86U Pro with 388.8_2. I did not have to manually reboot the router. Thanks in advance.

 
Botnet, hmm

Wish all these different threads with this same issue were merged into one
They tried merging them, then more popped up. Something like this is hard to keep up with.
 
It looks like Asus pushed out an update to asd a few days ago to address this malware, at least in the short term. I did have to reboot my router to pick it up though.
I didn’t have any issues with the problem discussed in this thread, as I generally try to minimise the exposure of programs running on my router. However, I’m now facing serious issues with this new ‘virus’ signature: it keeps blocking my script and its related components. I’m not sure how ASUS determines what counts as a virus, but I’m removing everything related to ASD from my router.
 
I was just able to update via the router GUI without a reboot. The new signature version shows 2.428.
I think you're talking about Trend Micro update. Not aware of a way to update asd from the gui manually, it runs automatically in the middle of the night by itself. Unless something has changed...
 
