jenny5353
New Around Here
Recently my router was hacked and I have been trying to recover it, but I suspect that somehow there is malicious code lurking in there somewhere. I have factory reset, hard factory reset, re-initialized settings, re-flashed various versions of both stock and Merlin firmware what feels like a thousand times now.
(Before this process started I knew I was hacked because someone managed to get past my ISP gateway firewall set to high, past my Asus firewall with Ai Protection turned on, and then past a Qubes firewall and deleted client information from my primary workstation.)
Now I understand that doing a factory reset, re-initializing the settings, and flashing the firmware is supposed to erase everything on the router and return it to factory condition, but that is not what is happening for me. Is it possible that somehow code could be added somewhere that would prevent a full reset from occurring?
Right after I realized I was hacked I immediately upgraded to the latest version of stock firmware (beta 9) and enabled Ai Protection. The next morning when I tried to check the logs I was locked out of my router and had to factory reset just to access the backend. Then I tried to upgrade to Merlin but it wouldn't accept the firmware. I ended up having to re-flash the last stable Asus firmware before I could upgrade to Merlin. I upgraded to Merlin starting with 386.1_0, but JFFS would not mount at all. (Tried several fixes from the forums.)
Next I upgraded to 386.2_2 but I found (quite by accident) that even though I had set a custom LAN IP, the router backend could be accessed from the custom LAN IP and both of the default LAN IPs (192.168.0.1 and 192.168.50.1). Note however that JFFS did mount with this version.
So then I upgraded to 386.2_4 yesterday and found the exact same problem. Only this time I realized that not only would the custom LAN IP and default LAN IPs work, but ANY IP I typed into the address bar would redirect to my router. I tried several random IP addys that I have never set before and sure enough they redirected me to router.asus.com . . .
Redirect webUI to router.asus.com was disabled in my settings.
Across all of these reset, re-initialize, re-flash processes I have been using the instructions that L&LD set down here: https://www.snbforums.com/threads/ax88-packet-loss.62891/#post-563326. The only difference is I let it 'rest' longer.
With some of these updates I get 100% packet loss, sometimes I get 0% packet loss, but no matter what I cannot access the internet from my Asus router. Sometimes I get connection time-out issues and more often than not it loads 'partial pages'. I get text links and nothing else. Using a search engine is impossible. Due to the hack my ISP filtered port 49152, which is how they initially infiltrated my network, but that hasn't stopped anything. In my last conversation with them, they suggested that something on my network is calling out . . .
This morning I connected my Asus to my ISP gateway to run some tests and when I ran netstat from Asus I found that something like 80+ ports on my router are on a TIME WAIT for a German IP address.
tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52460 TIME_WAIT
I really want to nail these a$$holes to the wall. Even though I'm a complete noob at networking I can SSH into my router and if anyone could tell me where / what to look for . . .
I know a lot of people would just send the router back to the manufacturer to get a replacement, but I need to know how they did this so I can stop it from ever happening to me again. I'm fairly sure that this same hacker is the one hacking my business websites and clients, but I need some help figuring out what he did to my network and my systems.
Any assistance would be greatly appreciated! (I have logs and screenshots of issues backed up for over a month now.)
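An added example, not from the poster or the forum, of how to triage netstat output like the line quoted above: the two functions below summarise connections by local service, remote host and TCP state, so one peer holding many TIME_WAIT entries to the router's web UI stands out. It assumes the BusyBox netstat column layout shown in the post; the sample lines are constructed.

```shell
#!/bin/sh
# summarize_netstat reads netstat lines on stdin and prints
# "<count> <local-service> <remote-host> <state>", highest count first.
# Columns assumed (BusyBox netstat): proto recv-q send-q local foreign state.
summarize_netstat() {
    awk '$1 ~ /^(tcp|tcp6)$/ && NF >= 6 {
        n = split($4, l, ":"); lsvc = l[n]             # local port or service name
        m = split($5, r, ":"); rhost = r[1]            # drop the remote port
        for (i = 2; i < m; i++) rhost = rhost ":" r[i]  # re-join IPv6 hosts
        key = lsvc " " rhost " " $6
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# flag_peers prints remote hosts with at least $1 (default 20) connections
# sitting in TIME_WAIT against the local web UI service ("www"): a peer that
# opened many short-lived HTTP sessions, the pattern the poster observed.
flag_peers() {
    threshold="${1:-20}"
    summarize_netstat | awk -v t="$threshold" \
        '$2 == "www" && $4 == "TIME_WAIT" && $1 >= t { print $3 }'
}

# Constructed sample in the format the post shows (not real captured output,
# apart from the remote hostname quoted in the post).
SAMPLE_NETSTAT='tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52460 TIME_WAIT
tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52461 TIME_WAIT
tcp 0 0 hostname.:www p5dcf572b.dip0.t-ipconnect.de:52462 TIME_WAIT
tcp 0 0 hostname.:ssh 192.168.1.20:40110 ESTABLISHED
tcp 0 0 hostname.:www 192.168.1.20:40200 TIME_WAIT'

# Demo: on the router itself you would run "netstat -tn | summarize_netstat".
printf '%s\n' "$SAMPLE_NETSTAT" | summarize_netstat
printf '%s\n' "$SAMPLE_NETSTAT" | flag_peers 3
```

A high TIME_WAIT count on the local "www" service means the remote side kept opening and closing sessions to the router's HTTP server, which is worth correlating with the web UI access logs and with whether remote WAN access to the UI is enabled.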