
Suspicious Outgoing traffic on RT-AC86U


I wanted to have WAN access when I travel for extended period of time but honestly I never really needed it. It is probably not worth the risk.
You may consider using VPN.
Charon (Strongswan) can be quite useful and is relatively easy to set up. Instant Guard app on a mobile device is used to access LAN from WAN.
Other VPN types can definitely also be used.
 
Have you tried to enable WAN access to the router UI and/or AiCloud to obtain a copy of the malware executable on your device?
Just because a doctor wants to cure a disease doesn’t mean he wants to contract the disease. :)
 
We've already seen one suspicious file reported so we're looking for any others. We won't know what they are until we see them.
Got it, I did not see the problem this afternoon. If there is any pattern, it tends to happen earlier in the day. I will be watching for it.
Meanwhile I am not sure if this will help in any way but this is current state (without outbound transfer).
Code:
ASUSWRT-Merlin RT-AC86U 386.14_0 Sat Jul 20 17:12:47 UTC 2024
admin@RT-AC86U-8238:/tmp/home/root# ls -altr /tmp/
drwxr-xr-x    4 admin  root            80 Dec 31  1969 var
drwxr-xr-x    2 admin  root            40 Dec 31  1969 share
-rw-r--r--    1 admin  root             0 Dec 31  1969 settings
drwxr-xr-x    3 admin  root            60 Dec 31  1969 notify
drwxr-xr-x    2 admin  root            40 Dec 31  1969 inadyn.cache
drwxr-xr-x    3 admin  root            60 Dec 31  1969 home
drwxr-xr-x    3 admin  root            60 Dec 31  1969 confmtd
-rw-rw-rw-    1 admin  root        262197 Dec 31  2023 syslog.log-1
-rw-rw-rw-    1 admin  root             5 Dec 31  2023 wps_monitor.pid
drwxrwxrwx    2 admin  root            40 Dec 31  2023 netool
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 awsiot_log
drwxrwxrwx    2 admin  root            80 Dec 31  2023 asdfile
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 asd.init
drwxrwxrwx    3 admin  root            80 Dec 31  2023 avahi
drwxr--r--    2 admin  root           140 Dec 31  2023 pptpd
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 mastiff_log
-rw-rw-rw-    1 admin  root             5 Dec 31  2023 mastiff.pid
-rw-rw-rw-    1 admin  root            64 Dec 31  2023 lld2d.conf
-rw-rw-rw-    1 admin  root          4286 Dec 31  2023 lighttpd.conf
drwxrwxrwx    2 admin  root            40 Dec 31  2023 asusfbsvcs
drw-------    3 admin  root            60 Dec 31  2023 .le
-rw-rw-rw-    1 admin  root           331 Dec 31  2023 run_lldpd.sh
-rw-rw-rw-    1 admin  root            47 Dec 31  2023 lldpd_bind_ifnames
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 zcip -> /sbin/rc
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 wpa_cli -> /sbin/rc
-rw-r--r--    1 admin  root           227 Dec 31  2023 wchannel.json
-rw-rw-rw-    1 admin  root           364 Dec 31  2023 wan0_bound.env
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 udhcpc_wan -> /sbin/rc
-rw-rw-rw-    1 admin  root            10 Dec 31  2023 udhcpc0.expires
-rw-r--r--    1 admin  root             2 Dec 31  2023 relist.json
drwxrwxrwx    3 admin  root           260 Dec 31  2023 ppp
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 dhcp6c -> /sbin/rc
-rw-r--r--    1 admin  root           361 Dec 31  2023 chanspec_private.json
-rw-rw-rw-    1 admin  root           186 Dec 31  2023 chanspec_avbl.txt
-rw-r--r--    1 admin  root           246 Dec 31  2023 chanspec_avbl.json
-rw-r--r--    1 admin  root           409 Dec 31  2023 chanspec_all.json
-rw-r--r--    1 admin  root            93 Dec 31  2023 aplist.json
-rw-r--r--    1 admin  root            71 Dec 31  2023 XX:XX:XX:XX:82:38.cap
-rw-r--r--    1 admin  root            31 Dec 31  2023 XX:XX:XX:XX:82:38.bi
-rw-rw-rw-    1 admin  root            92 Dec 31  2023 obvsie
-rw-rw-rw-    1 admin  root             1 Dec 31  2023 obstatus
-rw-rw-rw-    1 admin  root            92 Dec 31  2023 guest_vsie
-rw-rw-rw-    1 admin  root           383 Dec 31  2023 filter_ipv6.default
-rw-rw-rw-    1 admin  root           888 Dec 31  2023 filter.default
-rw-r--r--    1 admin  root           106 Dec 31  2023 resolv.dnsmasq
-rw-r--r--    1 admin  root            48 Dec 31  2023 resolv.conf
drwxrwxrwx    3 admin  root            60 Dec 31  2023 mnt
-rwxr--r--    1 admin  root             0 Dec 31  2023 .bwdpi.rule.lck
-rwxr--r--    1 admin  root             0 Dec 31  2023 .bwdpi.appdb.lck
-rw-rw-rw-    1 admin  root            34 Dec 31  2023 usb_err
-rw-rw-rw-    1 admin  root           682 Dec 31  2023 redirect_rules
-rw-rw-rw-    1 admin  root           512 Dec 31  2023 nat_rules_eth0_eth0
lrwxrwxrwx    1 admin  root            24 Dec 31  2023 nat_rules -> /tmp/nat_rules_eth0_eth0
-rw-rw-rw-    1 admin  root          5366 Dec 31  2023 filter_rules
drw-rw-rw-    3 admin  root           520 Dec 31  2023 bwdpi
-rw-rw-rw-    1 admin  root          3268 Dec 31  2023 usb.log
drwxrwxrwx    5 admin  root           240 Dec 31  2023 lighttpd
-rw-rw-rw-    1 admin  root            14 Dec 31  2023 hw_auth_clm
drwxrwxrwx    4 admin  root            80 Dec 31  2023 diag_db_cloud
drwxr-xr-x   20 admin  root          1840 Jul 20 13:50 ..
drwxr-xr-x   10 admin  root          1520 Oct 19 18:25 etc
-rw-r--r--    1 admin  root         25291 Oct 19 18:26 nmp_cache.js
drwxrwxrwx    2 admin  root            80 Oct 19 18:26 asusdebuglog
drwxrwxrwx    2 admin  root           180 Oct 19 18:26 nc
-rw-rw-rw-    1 admin  root        118768 Oct 19 18:26 syslog.log
-rw-r--r--    1 admin  root           106 Oct 19 18:26 allwclientlist.json
-rw-rw-rw-    1 admin  root          2349 Oct 19 18:26 dev
drwxrwxrwx   22 admin  root          1440 Oct 19 18:26 .
-rw-r--r--    1 admin  root          1049 Oct 19 18:26 wiredclientlist.json
-rw-r--r--    1 admin  root           541 Oct 19 18:26 current_wired_client_list.json
-rw-r--r--    1 admin  root          1266 Oct 19 18:26 clientlist.json
-rw-rw-rw-    1 admin  root             0 Oct 19 18:26 watchdog_heartbeat
For the record, "admin" is not my user name; I replaced it before posting. I also changed two file names which looked like MAC addresses.
 
You may consider using VPN.
Charon (Strongswan) can be quite useful and is relatively easy to set up. Instant Guard app on a mobile device is used to access LAN from WAN.
Other VPN types can definitely also be used.
Definitely, I was using one of the built in options on my previous router.
Are those options any good or safe to use?
(screenshot attachment: VPN-options.jpg)
 
Are those options any good or safe to use?
They're all relatively safe to use, imho. Although TOR kinda stands out, as it has the particular purpose of hiding your real IP.
You can use whatever VPN is easier and/or more convenient for you to set up. I use openvpn and charon (Instant Guard tab).
 