
Suspicious Outgoing traffic on RT-AC86U


Out of curiosity, are we looking for a specific suspicious file to show up in the /tmp folder? There are over 60 files there already.
We've already seen one suspicious file reported so we're looking for any others. We won't know what they are until we see them.
 
I wanted to have WAN access when I travel for extended period of time but honestly I never really needed it. It is probably not worth the risk.
You may consider using VPN.
Charon (Strongswan) can be quite useful and is relatively easy to set up. Instant Guard app on a mobile device is used to access LAN from WAN.
Other VPN types can definitely also be used.
 
Have you tried to enable WAN access to the router UI and/or AiCloud to obtain a copy of the malware executable on your device?
Just because a doctor wants to cure a disease doesn’t mean he wants to contract the disease. :)
 
We've already seen one suspicious file reported so we're looking for any others. We won't know what they are until we see them.
Got it, I did not see the problem this afternoon. If there is any pattern, it tends to happen earlier in the day. I will be watching for it.
Meanwhile, I am not sure if this will help in any way, but this is the current state (without outbound transfer).
Code:
ASUSWRT-Merlin RT-AC86U 386.14_0 Sat Jul 20 17:12:47 UTC 2024
admin@RT-AC86U-8238:/tmp/home/root# ls -altr /tmp/
drwxr-xr-x    4 admin  root            80 Dec 31  1969 var
drwxr-xr-x    2 admin  root            40 Dec 31  1969 share
-rw-r--r--    1 admin  root             0 Dec 31  1969 settings
drwxr-xr-x    3 admin  root            60 Dec 31  1969 notify
drwxr-xr-x    2 admin  root            40 Dec 31  1969 inadyn.cache
drwxr-xr-x    3 admin  root            60 Dec 31  1969 home
drwxr-xr-x    3 admin  root            60 Dec 31  1969 confmtd
-rw-rw-rw-    1 admin  root        262197 Dec 31  2023 syslog.log-1
-rw-rw-rw-    1 admin  root             5 Dec 31  2023 wps_monitor.pid
drwxrwxrwx    2 admin  root            40 Dec 31  2023 netool
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 awsiot_log
drwxrwxrwx    2 admin  root            80 Dec 31  2023 asdfile
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 asd.init
drwxrwxrwx    3 admin  root            80 Dec 31  2023 avahi
drwxr--r--    2 admin  root           140 Dec 31  2023 pptpd
-rw-rw-rw-    1 admin  root             0 Dec 31  2023 mastiff_log
-rw-rw-rw-    1 admin  root             5 Dec 31  2023 mastiff.pid
-rw-rw-rw-    1 admin  root            64 Dec 31  2023 lld2d.conf
-rw-rw-rw-    1 admin  root          4286 Dec 31  2023 lighttpd.conf
drwxrwxrwx    2 admin  root            40 Dec 31  2023 asusfbsvcs
drw-------    3 admin  root            60 Dec 31  2023 .le
-rw-rw-rw-    1 admin  root           331 Dec 31  2023 run_lldpd.sh
-rw-rw-rw-    1 admin  root            47 Dec 31  2023 lldpd_bind_ifnames
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 zcip -> /sbin/rc
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 wpa_cli -> /sbin/rc
-rw-r--r--    1 admin  root           227 Dec 31  2023 wchannel.json
-rw-rw-rw-    1 admin  root           364 Dec 31  2023 wan0_bound.env
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 udhcpc_wan -> /sbin/rc
-rw-rw-rw-    1 admin  root            10 Dec 31  2023 udhcpc0.expires
-rw-r--r--    1 admin  root             2 Dec 31  2023 relist.json
drwxrwxrwx    3 admin  root           260 Dec 31  2023 ppp
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 dhcp6c -> /sbin/rc
-rw-r--r--    1 admin  root           361 Dec 31  2023 chanspec_private.json
-rw-rw-rw-    1 admin  root           186 Dec 31  2023 chanspec_avbl.txt
-rw-r--r--    1 admin  root           246 Dec 31  2023 chanspec_avbl.json
-rw-r--r--    1 admin  root           409 Dec 31  2023 chanspec_all.json
-rw-r--r--    1 admin  root            93 Dec 31  2023 aplist.json
-rw-r--r--    1 admin  root            71 Dec 31  2023 XX:XX:XX:XX:82:38.cap
-rw-r--r--    1 admin  root            31 Dec 31  2023 XX:XX:XX:XX:82:38.bi
-rw-rw-rw-    1 admin  root            92 Dec 31  2023 obvsie
-rw-rw-rw-    1 admin  root             1 Dec 31  2023 obstatus
-rw-rw-rw-    1 admin  root            92 Dec 31  2023 guest_vsie
-rw-rw-rw-    1 admin  root           383 Dec 31  2023 filter_ipv6.default
-rw-rw-rw-    1 admin  root           888 Dec 31  2023 filter.default
-rw-r--r--    1 admin  root           106 Dec 31  2023 resolv.dnsmasq
-rw-r--r--    1 admin  root            48 Dec 31  2023 resolv.conf
drwxrwxrwx    3 admin  root            60 Dec 31  2023 mnt
-rwxr--r--    1 admin  root             0 Dec 31  2023 .bwdpi.rule.lck
-rwxr--r--    1 admin  root             0 Dec 31  2023 .bwdpi.appdb.lck
-rw-rw-rw-    1 admin  root            34 Dec 31  2023 usb_err
-rw-rw-rw-    1 admin  root           682 Dec 31  2023 redirect_rules
-rw-rw-rw-    1 admin  root           512 Dec 31  2023 nat_rules_eth0_eth0
lrwxrwxrwx    1 admin  root            24 Dec 31  2023 nat_rules -> /tmp/nat_rules_eth0_eth0
-rw-rw-rw-    1 admin  root          5366 Dec 31  2023 filter_rules
drw-rw-rw-    3 admin  root           520 Dec 31  2023 bwdpi
-rw-rw-rw-    1 admin  root          3268 Dec 31  2023 usb.log
drwxrwxrwx    5 admin  root           240 Dec 31  2023 lighttpd
-rw-rw-rw-    1 admin  root            14 Dec 31  2023 hw_auth_clm
drwxrwxrwx    4 admin  root            80 Dec 31  2023 diag_db_cloud
drwxr-xr-x   20 admin  root          1840 Jul 20 13:50 ..
drwxr-xr-x   10 admin  root          1520 Oct 19 18:25 etc
-rw-r--r--    1 admin  root         25291 Oct 19 18:26 nmp_cache.js
drwxrwxrwx    2 admin  root            80 Oct 19 18:26 asusdebuglog
drwxrwxrwx    2 admin  root           180 Oct 19 18:26 nc
-rw-rw-rw-    1 admin  root        118768 Oct 19 18:26 syslog.log
-rw-r--r--    1 admin  root           106 Oct 19 18:26 allwclientlist.json
-rw-rw-rw-    1 admin  root          2349 Oct 19 18:26 dev
drwxrwxrwx   22 admin  root          1440 Oct 19 18:26 .
-rw-r--r--    1 admin  root          1049 Oct 19 18:26 wiredclientlist.json
-rw-r--r--    1 admin  root           541 Oct 19 18:26 current_wired_client_list.json
-rw-r--r--    1 admin  root          1266 Oct 19 18:26 clientlist.json
-rw-rw-rw-    1 admin  root             0 Oct 19 18:26 watchdog_heartbeat
For the record, "admin" is not my user name; I replaced it before posting. I also changed two file names which looked like a MAC address.
 
You may consider using VPN.
Charon (Strongswan) can be quite useful and is relatively easy to set up. Instant Guard app on a mobile device is used to access LAN from WAN.
Other VPN types can definitely also be used.
Definitely, I was using one of the built in options on my previous router.
Are those options any good or safe to use?
VPN-options.jpg
 
Are those options any good or safe to use?
They're all relatively safe to use, imho. Although TOR kinda stands out as it has a particular purpose of hiding real ip.
You can use whatever VPN is easier and/or more convenient for you to set up. I use openvpn and charon (Instant Guard tab).
 
This morning it started again shortly after 10am.
Attaching screenshots and log.
These were taken with WAN Access and iCloud Disk + Smart Access enabled.
I just disabled those and we will see what happens.

CPU
cpu-10.10.2024.png

Traffic Real-time
traffic-real-time-10.10.2024.png


Traffic 24 Hours
traffic-24-hour-10.10.2024.png
 

Attachments

  • log.10.10.2024.txt (30.1 KB)
With nothing open to Internet or you have WAN/iCloud open/running as an experiment?
 
With nothing open to Internet or you have WAN/iCloud open/running as an experiment?

Sorry forgot to specify.
These were taken with WAN Access and iCloud Disk + Smart Access enabled.
I just disabled those and we will see what happens.
 
This morning started again shortly after 10am.
Attaching screenshots and log.
These were taken with WAN Access and iCloud Disk + Smart Access enabled.
I just disabled those and we will see what happens.
It seems like there is only one file present, so that's "good". The send/receive queues of these raw sockets demonstrate the volume of traffic, although I'm not clear how these raw sockets work.
Code:
-rwxrwxrwx    1 admin  root         70928 Oct 20 10:27 hklp

raw   230592 302016 0.0.0.0:6               0.0.0.0:*               6           2071/
raw   230592 344448 0.0.0.0:6               0.0.0.0:*               6           2071/
raw   230592 344448 0.0.0.0:6               0.0.0.0:*               6           2071/
And there are several rules in the INPUT chain that don’t look “default” to me, but might be explainable:
Code:
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
 
And there are several rules in the INPUT chain that don’t look “default” to me, but might be explainable:
Code:
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
443 and 8082 are AiCloud.
1723 is PPTP VPN.

@arturk Have you intentionally enabled the PPTP VPN server?
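To turn the three indicators discussed in this thread (the /tmp listing and the hklp file, the raw sockets with large send queues, and the non-default INPUT rules) into repeatable checks, here is an added triage script; it is not from the thread or from Asuswrt-Merlin. The function names are mine, the input lines are constructed samples modelled on the listings quoted above, and it only uses busybox-compatible sh and awk so it could be pasted onto the router.

```shell
#!/bin/sh
# Added triage helper for the indicators discussed in this thread; not from the
# thread or from Asuswrt-Merlin. Reads constructed samples modelled on the
# listings quoted above; on the router, pipe the real command output instead.

LS_SAMPLE='-rw-rw-rw-    1 admin  root        118768 Oct 19 18:26 syslog.log
-rwxrwxrwx    1 admin  root         70928 Oct 20 10:27 hklp
lrwxrwxrwx    1 admin  root             8 Dec 31  2023 zcip -> /sbin/rc
drwxrwxrwx    2 admin  root            40 Dec 31  2023 netool
-rwxr--r--    1 admin  root             0 Dec 31  2023 .bwdpi.rule.lck'

NETSTAT_SAMPLE='raw   230592 302016 0.0.0.0:6               0.0.0.0:*               6           2071/
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           1234/ping
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      900/httpd'

IPT_SAMPLE='-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT'

# Indicator 1: regular files in an "ls -l" listing that are executable and
# writable by others (mode like -rwxrwxrwx). Prints the file name.
flag_world_writable_exec() {
    awk '$1 ~ /^-/ && substr($1, 9, 1) == "w" && $1 ~ /x/ { print $NF }'
}

# Indicator 2: raw sockets in "netstat -anp" output with a non-zero send queue.
# The local "port" of a raw socket is the IP protocol number (6 = TCP).
# Prints "pid protocol send-queue".
flag_raw_senders() {
    awk '$1 == "raw" && $3 + 0 > 0 {
        pid = $NF; sub(/\/.*/, "", pid)
        split($4, a, ":")
        print pid, a[2], $3
    }'
}

# Indicator 3: INPUT ACCEPT rules in "iptables-save" output whose --dport is
# not in the space-separated allow list given as $1. Prints the unexpected port.
flag_unexpected_accepts() {
    awk -v ok=" $1 " '/^-A INPUT / && /-j ACCEPT/ {
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if (port != "" && index(ok, " " port " ") == 0) print port
    }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$LS_SAMPLE" | flag_world_writable_exec
printf '%s\n' "$NETSTAT_SAMPLE" | flag_raw_senders
printf '%s\n' "$IPT_SAMPLE" | flag_unexpected_accepts "443"
```

On the router the same functions take `ls -l /tmp`, `netstat -anp` and `iptables-save` as input; a port you expect open (here only 443) goes in the allow list so that only unexplained ACCEPT rules such as 1723 are reported.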
 
Yes, I did enable PPTP VPN

Was this part of the experiment to expose the router as much as possible? PPTP has lots of known issues and is rarely used.

Surprised how fast the router catches the bug with no TM or ASD reaction whatsoever. I may leave one router running to see what happens.
 
Was this part of the experiment to expose the router as much as possible? PPTP has lots of known issues and is rarely used.

Surprised how fast the router catches the bug with no TM or ASD reaction whatsoever. I may leave one router running to see what happens.
I am actually travelling over the next few days and I enabled it to allow me to monitor things during this time. Based on feedback here it was acceptable and low risk.

Update:
After shutting down WAN/iCloud and restarting router around 11:30 am, there is no suspicious outbound traffic reported (for almost 2 hours).
Based on the previous few days I would expect this to keep happening until the evening hours. Not sure what to make of it; definitely not holding my breath.
 
I am actually travelling over the next few days

Unrelated to this discussion, but VPNs using known ports are blocked in quite a few places and you may not be able to connect back to your network. I had this issue recently with global country/state or hotel filtering happening and had to resort to alternative options.
 
Unrelated to this discussion, but VPNs using known ports are blocked in quite a few places and you may not be able to connect back to your network. I had this issue recently with global country/state or hotel filtering happening and had to resort to alternative options.
Good to know. I was trying to test it last night and in fact I was having trouble using my cellphone as a mobile hotspot. I was using this VPN a while back and I had no problem. I am assuming I may not be able to connect; not many options left since I am leaving shortly.
 