[Solved] Sudden loss of Wi-Fi security

TheLyppardMan

While I was retuning my son's TV this morning, I noticed that my usual two SSIDs had disappeared and two generic ASUS Wi-Fi networks had appeared. I then did a quick scan using inSSIDer and that reported that both of the new SSIDs were open, i.e., no security. On logging in to my router, I could see that that was indeed the case. This is very worrying, so I'm wondering how this could have occurred all on its own. Can anyone advise me please? I'm using an ASUS RT-AC86U with firmware 384.7.
 
Sounds like a factory reset has been done.
So either the router was compromised and someone reset it, or someone physically held the reset button.


Sent from my iPhone using Tapatalk
 
No-one had physically touched the router and only I have the log-in details. Could someone have hacked into the router via the port forwarding route? I had my security cameras, Synology Diskstation and the Plex server (on the NAS) port forwarded, but I've disabled that now, just in case. Would the router logs give any further insight into this and if so, what should I search for in the log file that I have exported?
 
If the SSIDs have changed then at the very least you will see the wireless subsystem being restarted in the log. But I'd guess the whole router might have been restarted. Again this will be obvious from the log. That should give you the time that it happened, which might give you clues.
 
I’m assuming SSH/HTTP is allowed only on LAN, not WAN?


Sent from my iPhone using Tapatalk
 
No-one had physically touched the router and only I have the log-in details. Could someone have hacked into the router via the port forwarding route? I had my security cameras, Synology Diskstation and the Plex server (on the NAS) port forwarded, but I've disabled that now, just in case. Would the router logs give any further insight into this and if so, what should I search for in the log file that I have exported?

Check your cameras and disk station - if someone got into the router, good chance other items might also be compromised...
 
If the SSIDs have changed then at the very least you will see the wireless subsystem being restarted in the log. But I'd guess the whole router might have been restarted. Again this will be obvious from the log. That should give you the time that it happened, which might give you clues.
There are quite a few entries about the wireless being restarted, but I'm not sure what it means or whether it is relevant.
 

Attachment: 002.jpg

Check your cameras and disk station - if someone got into the router, good chance other items might also be compromised...
There's nothing in the diskstation logs that I can see to indicate anyone outside my network has accessed the NAS.
 
I’m assuming SSH/HTTP is allowed only on LAN, not WAN?


Sent from my iPhone using Tapatalk
Yes to both questions.
 
There are quite a few entries about the wireless being restarted, but I'm not sure what it means or whether it is relevant.
If you open the syslog file in something other than notepad (like wordpad) it will be easier to read. Look at the timestamps. If you're the only person with the router's login password then you should know when and what you were doing on the router. Anything else would be suspicious activity.

But apart from the SSIDs changing, were all the other settings on your router the same or did they reset as well?

Don't rule out scenarios like:

Me: Did you touch the router?
Wife: Of course not!
Me: Are you sure?
Wife: Absolutely. But I did clean it 'cos it was covered in dust. Those little buttons were especially dirty.

:D
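
The log review suggested in the post above, as an added example that is not part of the original thread: it pulls configuration-related events out of an exported syslog and lists those that fall outside the times the admin knows they were logged in. The sample lines, the keyword list and the session window are constructed assumptions, not taken from the poster's log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in BSD-syslog style. The "notify_rc" wording is an
# assumption about the export; adjust KEYWORDS to what your own log contains.
SAMPLE_LOG = """\
Oct 14 09:02:11 rc_service: httpd 755:notify_rc restart_wireless
Oct 14 09:02:15 kernel: wl0: link up
Oct 14 09:05:40 rc_service: httpd 755:notify_rc restart_wireless
Oct 15 03:17:52 rc_service: httpd 755:notify_rc restart_wireless
Oct 15 03:18:30 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.23 aa:bb:cc:dd:ee:ff
"""
KEYWORDS = ("restart_wireless", "reboot", "reset")  # assumed markers
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ([^:]+): (.*)$")


def config_events(log_text, year):
    """Return (timestamp, source, message) for lines that match KEYWORDS."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and any(k in m.group(3) for k in KEYWORDS):
            # Syslog timestamps carry no year, so the caller supplies it.
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2), m.group(3)))
    return events


def unexplained(events, admin_sessions, slack=timedelta(minutes=5)):
    """Events outside every window in which the admin knows they were logged in."""
    return [e for e in events
            if not any(start - slack <= e[0] <= end + slack
                       for start, end in admin_sessions)]


if __name__ == "__main__":
    # Constructed: the one session the admin remembers.
    sessions = [(datetime(2018, 10, 14, 9, 0), datetime(2018, 10, 14, 9, 10))]
    for when, source, message in unexplained(config_events(SAMPLE_LOG, 2018), sessions):
        print(when.isoformat(sep=" "), source, message)
```

An event initiated by `httpd` came through the web interface, so an unexplained one is a prompt to check whether that interface was reachable by anyone else at that time.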
 
While I was retuning my son's TV this morning, I noticed that my usual two SSIDs had disappeared and two generic ASUS Wi-Fi networks had appeared. I then did a quick scan using inSSIDer and that reported that both of the new SSIDs were open, i.e., no security. On logging in to my router, I could see that that was indeed the case. This is very worrying, so I'm wondering how this could have occurred all on its own. Can anyone advise me please? I'm using an ASUS RT-AC86U with firmware 384.7.

You wrote “on logging in to my router”; did you use the default admin/admin username and password to log in, which a factory default reset would have required, or did you log in using your personal credentials? Had any other settings defaulted to factory ones or were your settings such as DNS, AIProtection, WAN... still there?

Other than a factory reset, I’ve no idea how your SSIDs changed, but I noticed you didn’t mention any other settings had changed.
 
You wrote “on logging in to my router”; did you use the default admin/admin username and password to log in, which a factory default reset would have required, or did you log in using your personal credentials? Had any other settings defaulted to factory ones or were your settings such as DNS, AIProtection, WAN... still there?

Other than a factory reset, I’ve no idea how your SSIDs changed, but I noticed you didn’t mention any other settings had changed.
Log-in and other settings remain untouched. It was only the Wi-Fi settings that had changed.
 
If you open the syslog file in something other than notepad (like wordpad) it will be easier to read. Look at the timestamps. If you're the only person with the router's login password then you should know when and what you were doing on the router. Anything else would be suspicious activity.

But apart from the SSIDs changing, were all the other settings on your router the same or did they reset as well?

Don't rule out scenarios like:

Me: Did you touch the router?
Wife: Of course not!
Me: Are you sure?
Wife: Absolutely. But I did clean it 'cos it was covered in dust. Those little buttons were especially dirty.

:D
I'll check the logs again later this evening using a different program as you suggest. Thanks.
 
Log-in and other settings remain untouched. It was only the Wi-Fi settings that had changed.

If your login was unchanged then it’s not wildly surprising if someone found a way in


Sent from my iPhone using Tapatalk
 
If your login was unchanged then it’s not wildly surprising if someone found a way in


Sent from my iPhone using Tapatalk

TheLyppardMan will probably clarify, but I’m sure that when he wrote: “Login and other settings remain untouched”, he meant as they were before the wifi glitch occurred, as opposed to unchanged from factory default username and password. That’s how I understood it, anyway.
 
TheLyppardMan will probably clarify, but I’m sure that when he wrote: “Login and other settings remain untouched”, he meant as they were before the wifi glitch occurred, as opposed to unchanged from factory default username and password. That’s how I understood it, anyway.
That's exactly what I meant; unchanged from the last time I logged in and before the problem with the Wi-Fi security issue occurred.
 
I've checked the log in Wordpad and I can't see anything about the Wi-Fi being changed, but then again, I can't see any mention of my changing it back again either. It does show some restarts on the Wi-Fi, but I'm guessing that that was when I briefly turned on the WPS feature to try to connect my son's Sony TV (it didn't work anyway, just as it didn't work with my new JVC TV).
 
In which case maybe there's a bug whereby when you enable WPS it resets the SSIDs. That would be pretty easy to check.
 
Can you connect without WPS? It's a known vulnerability anyway so I have never used it.

Sent from my SM-G965F using Tapatalk
 
I've found the answer. I must have pressed the reset button on the WPS page (I seem to recall that at the time, I thought it would restart the WPS function).
 

Attachment: 001.jpg
