Suspicious Activity?

[NoviceNetworker]

I was running an ASUS RT-AC66U B1 router that this morning was having trouble connecting to the internet. I was receiving a warning that my ISP's DHCP does not function properly. I restarted the router and cable modem multiple times with the same result and also tried to manually update the firmware on the router and it would not update. I pulled up the router system log and saw what appears to be an OpenVPN connection trying to be established (I don't remember ever turning this on). The log times are also late in the evening and I was not up on any computer. I'm not a networking guy, so I'm curious if those smarter than I see anything suspicious in the below portions of the log? The "out_fd is a pipe" entry occurred over and over for about 45 minutes and this is where the log starts. I'm using a different router now but would like to know if this was just an error with my router or something more? I've removed any specific IP or MAC ADDRESS info in the below:

May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:09 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:11 kernel: out_fd is a pipe
May 16 23:27:21 DualWAN: skip single wan wan_led_control - WANRED off
May 16 23:27:26 WAN Connection: WAN(0) link up.
May 16 23:27:26 rc_service: wanduck XXX:notify_rc restart_wan_if 0
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:33 kernel: out_fd is a pipe
May 16 23:27:39 kernel: out_fd is a pipe
May 16 23:27:40 kernel: out_fd is a pipe
May 16 23:27:40 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:47 kernel: out_fd is a pipe
May 16 23:27:48 kernel: out_fd is a pipe
May 16 23:27:48 kernel: out_fd is a pipe
May 16 23:28:01 WAN Connection: WAN(0) link up.
May 16 23:28:01 rc_service: wanduck XXX:notify_rc restart_wan_if 0
May 16 23:28:03 kernel: out_fd is a pipe
May 16 23:28:21 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:21 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:38 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:38 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:28:59 syslog: wlceventd_proc_event(527): eth1: Auth MAC ADDRESS status: Successful (0), rssi:0
May 16 23:28:59 syslog: wlceventd_proc_event(556): eth1: Assoc MAC ADDRESS, status: Successful (0), rssi:0
May 16 23:29:07 wan: finish adding multi routes
May 16 23:29:08 vpnserver1[9724]: Multiple --up scripts defined. The previously configured script is overridden.
May 16 23:29:08 vpnserver1[9724]: OpenVPN 2.4.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 2 2021
May 16 23:29:08 vpnserver1[9724]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.03
May 16 23:29:08 vpnserver1[9731]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 16 23:29:08 vpnserver1[9731]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 16 23:29:08 vpnserver1[9731]: Diffie-Hellman initialized with 2048 bit key
May 16 23:29:08 vpnserver1[9731]: TUN/TAP device tun21 opened
May 16 23:29:08 vpnserver1[9731]: TUN/TAP TX queue length set to 100
May 16 23:29:08 vpnserver1[9731]: /sbin/ifconfig tun21 10.8.x.x pointopoint 10.8.x.x mtu 1500
May 16 23:29:09 vpnserver1[9731]: /bin/sh /jffs/updater tun21 1500 1622 10.8.x.x 10.8.x.x init
May 16 23:29:09 vpnserver1[9731]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
May 16 23:29:09 vpnserver1[9731]: Exiting due to fatal error
May 16 23:29:17 dhcp client: bound 192.168.x.x/255.255.x.x via for 20 seconds.
May 16 23:29:21 wan: finish adding multi routes
May 16 23:30:25 BWDPI: fun bitmap = 5ff
May 16 23:30:25 A.QoS: qos_count=0, qos_check=0
May 16 23:30:30 dhcp client: bound EXTERNAL IP ADDRESS/255.255.255.0 via EXTERNAL IP ADDRESS for 4549 seconds.

 

[ColinTaylor]

There have been other reports of this "out_fd is a pipe" message recently. It's possible that it's malware, particularly if you didn't setup the VPN server (which thankfully isn't working).

I suggest you play it safe and hard reset your router as soon as possible and set it up again from scratch.

[Wireless Router] ASUS router Hard Factory Reset - Method 1 | Official Support | ASUS Global

EDIT: Looking more at your log, that "/jffs/updater" message definitely looks like malware to me. What firmware version are you using?

 

[eunhahaha]

I also found my routers offline this morning and then they back to normal after I made them reset. It seems that many ASUS routers were having this trouble?

I would suggest that you refer to this FAQ to make your router hard reset: https://www.asus.com/support/FAQ/1039074/
And remember to save the settings in advance (here: https://www.asus.com/support/FAQ/1001376/). It would save a lot of time from doing all the setting...

Hope it would help.

 

[NoviceNetworker]

There have been other reports of this "out_fd is a pipe" message recently. It's possible that it's malware, particularly if you didn't setup the VPN server (which thankfully isn't working).

I suggest you play it safe and hard reset your router as soon as possible and set it up again from scratch.

[Wireless Router] ASUS router Hard Factory Reset - Method 1 | Official Support | ASUS Global

EDIT: Looking more at your log, that "/jffs/updater" message definitely looks like malware to me. What firmware version are you using?

Thanks. When I logged into the router, it had an older firmware version. I'm now running 3.0.0.4.386_51665-g8072e52. I believe it was running 3.0.0.4.386_49703 - I don't remember exactly what was after the 4, but I remember after the underscore was a 4.

At first I first tried to update the firmware, and when I had it check for updates, it said no update required. I then downloaded the firmware, did the checksum, and tried to manually update, and it would not update. I was in bed and asleep during all the log activity showing the VPN setup attempts, so someone was definitely trying to setup the VPN server. Looking at the log files, it appears they ran the script you referenced multiple times, failing each time before giving up late in the evening.

I think I'm good now running the latest firmware and haven't seen any more unusual activity in the logs.

 

[ColinTaylor]

Make sure you do the hard reset to remove any malware from your router.

 

[cptnoblivious]

Could it be related?

It took 48 hours, but the mystery of the mass Asus router outage is solved

Asus finally responds after being castigated by users.

arstechnica.com

 

[L&LD]

No, that link states a wonky asd file was the culprit for many, this is (possibly) much more malicious.