Sweet Exploit - Now how do I fix it?


J0hnBlaze

Noticed this on my router today after spending the week trying to purge my infected system. My PC was/is being redirected to a VM which I have identified through various observations, cmd lines, and other file/share/service discoveries. I was unable to reformat my drive for a while and I ultimately have resolved that issue and have a clean drive and OS running again. However I am hesitant to simply flash the firmware and plug'er in! I've tried this with several unaffected devices after resetting the router and flashing the firmware with previously working ASUS and Merlin builds. I don't think I posted anything dangerous or sensitive on my end but please advise if so!

Thank you!
 
Logs

Jan 1 00:00:09 syslogd started: BusyBox v1.20.2
Jan 1 00:00:09 kernel: klogd started: BusyBox v1.20.2 (2013-11-30 18:02:35 EST)
Jan 1 00:00:09 kernel: Linux version 2.6.22.19 (root@asus) (gcc version 4.2.4) #1 Sat Nov 30 18:05:26 EST 2013
Jan 1 00:00:09 kernel: CPU revision is: 00019749
Jan 1 00:00:09 kernel: Determined physical RAM map:
Jan 1 00:00:09 kernel: memory: 07fff000 @ 00000000 (usable)
Jan 1 00:00:09 kernel: memory: 08000000 @ 87fff000 (usable)
Jan 1 00:00:09 kernel: Built 1 zonelists. Total pages: 585216
Jan 1 00:00:09 kernel: Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
Jan 1 00:00:09 kernel: Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Jan 1 00:00:09 kernel: Primary data cache 32kB, 4-way, linesize 32 bytes.
Jan 1 00:00:09 kernel: Synthesized TLB refill handler (20 instructions).
Jan 1 00:00:09 syslog: module ledtrig-usbdev not found in modules.dep
Jan 1 00:00:09 syslog: module leds-usb not found in modules.dep
Jan 1 00:00:09 kernel: Synthesized TLB load handler fastpath (32 instructions).
Jan 1 00:00:09 kernel: Synthesized TLB store handler fastpath (32 instructions).
Jan 1 00:00:09 kernel: Synthesized TLB modify handler fastpath (31 instructions).
Jan 1 00:00:09 kernel: PID hash table entries: 2048 (order: 11, 8192 bytes)
Jan 1 00:00:09 kernel: CPU: BCM5300 rev 1 pkg 0 at 600 MHz
Jan 1 00:00:09 kernel: Using 300.000 MHz high precision timer.
Jan 1 00:00:09 kernel: console [ttyS0] enabled
Jan 1 00:00:09 kernel: Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Jan 1 00:00:09 kernel: Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Jan 1 00:00:09 kernel: Memory: 238608k/131068k available (2564k kernel code, 22616k reserved, 515k data, 196k init, 131072k highmem)
Jan 1 00:00:09 kernel: Mount-cache hash table entries: 512
Jan 1 00:00:09 kernel: NET: Registered protocol family 16
Jan 1 00:00:09 kernel: PCI: Initializing host
Jan 1 00:00:09 kernel: PCI: Reset RC
Jan 1 00:00:09 kernel: PCI: Initializing host
Jan 1 00:00:09 kernel: PCI: Reset RC
Jan 1 00:00:09 kernel: PCI: Fixing up bus 0
Jan 1 00:00:09 kernel: PCI/PCIe coreunit 0 is set to bus 1.
Jan 1 00:00:09 kernel: PCI: Fixing up bridge
Jan 1 00:00:09 kernel: PCI: Fixing up bridge
Jan 1 00:00:09 kernel: PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
Jan 1 00:00:10 kernel: PCI: Fixing up bus 1
Jan 1 00:00:10 kernel: PCI/PCIe coreunit 1 is set to bus 2.
Jan 1 00:00:10 kernel: PCI: Fixing up bridge
Jan 1 00:00:10 kernel: PCI: Fixing up bridge
Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:00.1 (0004 -> 0006)
Jan 1 00:00:10 kernel: PCI: Fixing up bus 2
Jan 1 00:00:10 kernel: NET: Registered protocol family 2
Jan 1 00:00:10 kernel: Time: MIPS clocksource has been installed.
Jan 1 00:00:10 kernel: IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
Jan 1 00:00:10 kernel: TCP established hash table entries: 16384 (order: 5, 131072 bytes)
Jan 1 00:00:10 kernel: TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
Jan 1 00:00:10 kernel: TCP: Hash tables configured (established 16384 bind 16384)
Jan 1 00:00:10 kernel: TCP reno registered
Jan 1 00:00:10 kernel: highmem bounce pool size: 64 pages
Jan 1 00:00:10 kernel: squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
Jan 1 00:00:10 kernel: io scheduler noop registered (default)
Jan 1 00:00:10 kernel: HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
Jan 1 00:00:10 kernel: N_HDLC line discipline registered.
Jan 1 00:00:10 kernel: Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
Jan 1 00:00:10 kernel: serial8250: ttyS0 at MMIO 0xb8000300 (irq = 8) is a 16550A
Jan 1 00:00:10 kernel: serial8250: ttyS1 at MMIO 0xb8000400 (irq = 8) is a 16550A
Jan 1 00:00:10 kernel: PPP generic driver version 2.4.2
Jan 1 00:00:10 kernel: MPPE/MPPC encryption/compression module registered
Jan 1 00:00:10 kernel: NET: Registered protocol family 24
Jan 1 00:00:10 kernel: PPPoL2TP kernel driver, V0.18.3
Jan 1 00:00:10 kernel: PPTP driver version 0.8.5
Jan 1 00:00:10 kernel: Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
Jan 1 00:00:10 kernel: Amd/Fujitsu Extended Query Table at 0x0040
Jan 1 00:00:10 kernel: Physically mapped flash: CFI does not contain boot bank location. Assuming top.
Jan 1 00:00:10 kernel: number of CFI chips: 1
Jan 1 00:00:10 kernel: cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Jan 1 00:00:10 kernel: Flash device: 0x2000000 at 0x1c000000
Jan 1 00:00:10 kernel: Creating 5 MTD partitions on "Physically mapped flash":
Jan 1 00:00:10 kernel: 0x00000000-0x00040000 : "pmon"
Jan 1 00:00:10 kernel: 0x00040000-0x01fe0000 : "linux"
Jan 1 00:00:10 kernel: 0x00174b0c-0x019e0000 : "rootfs"
Jan 1 00:00:10 kernel: 0x01fe0000-0x02000000 : "nvram"
Jan 1 00:00:10 kernel: 0x019e0000-0x01fe0000 : "jffs2"
Jan 1 00:00:10 kernel: Found an serial flash with 0 0KB blocks; total size 0MB
Jan 1 00:00:10 kernel: sflash: found no supported devices
Jan 1 00:00:10 kernel: dev_nvram_init: _nvram_init
Jan 1 00:00:10 kernel: _nvram_init: allocat size= 65536
Jan 1 00:00:10 kernel: sdhci: Secure Digital Host Controller Interface driver
Jan 1 00:00:10 kernel: sdhci: Copyright(c) Pierre Ossman
Jan 1 00:00:10 kernel: u32 classifier
Jan 1 00:00:10 kernel: OLD policer on
Jan 1 00:00:10 kernel: Netfilter messages via NETLINK v0.30.
Jan 1 00:00:10 kernel: nf_conntrack version 0.5.0 (2048 buckets, 16384 max)
Jan 1 00:00:10 kernel: ipt_time loading
Jan 1 00:00:10 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 1 00:00:10 kernel: net/ipv4/netfilter/tomato_ct.c [Nov 30 2013 18:04:45]
Jan 1 00:00:10 kernel: ipt_account 0.1.21 : Piotr Gasidlo <quaker@barbara.eu.org>, http://code.google.com/p/ipt-account/
Jan 1 00:00:10 kernel: NET: Registered protocol family 1
Jan 1 00:00:10 kernel: NET: Registered protocol family 10
Jan 1 00:00:10 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jan 1 00:00:10 kernel: NET: Registered protocol family 17
Jan 1 00:00:10 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
Jan 1 00:00:10 kernel: All bugs added by David S. Miller <davem@redhat.com>
Jan 1 00:00:10 kernel: VFS: Mounted root (squashfs filesystem) readonly.
Jan 1 00:00:10 kernel: Freeing unused kernel memory: 196k freed
Jan 1 00:00:10 kernel: Warning: unable to open an initial console.
Jan 1 00:00:10 kernel: ctf: module license 'Proprietary' taints kernel.
Jan 1 00:00:10 kernel: et_module_init: passivemode set to 0x0
Jan 1 00:00:10 kernel: et_module_init: et_txq_thresh set to 0x400
Jan 1 00:00:10 kernel: bcm_robo_enable_switch: EEE is disabled
Jan 1 00:00:10 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.102.9 (r366174)
Jan 1 00:00:10 kernel: PCI: Enabling device 0000:01:01.0 (0000 -> 0002)
Jan 1 00:00:10 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:01.0 (0000 -> 0002)
Jan 1 00:00:10 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Jan 1 00:00:10 kernel: Algorithmics/MIPS FPU Emulator v1.5
Jan 1 00:00:10 kernel: usbcore: registered new interface driver usbfs
Jan 1 00:00:10 kernel: usbcore: registered new interface driver hub
Jan 1 00:00:10 kernel: usbcore: registered new device driver usb
Jan 1 00:00:10 kernel: SCSI subsystem initialized
Jan 1 00:00:10 kernel: Initializing USB Mass Storage driver...
Jan 1 00:00:10 kernel: usbcore: registered new interface driver usb-storage
Jan 1 00:00:10 kernel: USB Mass Storage support registered.
Jan 1 00:00:10 kernel: ufsd: driver (8.6 U86_r187446_b122, LBD=ON, acl, ioctl, rwm, ws, sd) loaded at c0208000
Jan 1 00:00:10 kernel: NTFS (with native replay) support included
Jan 1 00:00:10 kernel: optimized: speed
Jan 1 00:00:10 kernel: Build_for__asus_n66u_2011-10-27_U86_r187446_b122
Jan 1 00:00:10 kernel: ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Host Controller
Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: new USB bus registered, assigned bus number 1
Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Fastpath: New EHCI driver starting
Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: USB 0.0 started, EHCI 1.00
Jan 1 00:00:10 kernel: usb usb1: configuration #1 chosen from 1 choice
Jan 1 00:00:10 kernel: hub 1-0:1.0: USB hub found
Jan 1 00:00:10 kernel: hub 1-0:1.0: 2 ports detected
Jan 1 00:00:10 kernel: ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: OHCI Host Controller
Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
 
Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
Jan 1 00:00:10 kernel: usb usb2: configuration #1 chosen from 1 choice
Jan 1 00:00:10 kernel: hub 2-0:1.0: USB hub found
Jan 1 00:00:10 kernel: hub 2-0:1.0: 2 ports detected
Jan 1 00:00:10 kernel: usbcore: registered new interface driver usblp
Jan 1 00:00:10 kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
 
Jan 1 00:00:10 kernel: usbcore: registered new interface driver asix
Jan 1 00:00:10 kernel: usb 1-1: new high speed USB device using ehci_hcd and address 2
Jan 1 00:00:10 kernel: usb 1-1: configuration #1 chosen from 1 choice
Jan 1 00:00:10 kernel: hub 1-1:1.0: USB hub found
Jan 1 00:00:10 kernel: hub 1-1:1.0: 4 ports detected
Jan 1 00:00:11 kernel: usbcore: registered new interface driver cdc_ether
Jan 1 00:00:11 kernel: usbcore: registered new interface driver net1080
Jan 1 00:00:11 kernel: usbcore: registered new interface driver rndis_host
Jan 1 00:00:11 kernel: usbcore: registered new interface driver zaurus
Jan 1 00:00:11 kernel: usb 1-1.4: new high speed USB device using ehci_hcd and address 3
Jan 1 00:00:11 kernel: usb 1-1.4: configuration #1 chosen from 1 choice
Jan 1 00:00:11 kernel: scsi0 : SCSI emulation for USB Mass Storage devices
Jan 1 00:00:12 kernel: br0: starting userspace STP failed, staring kernel STP
Jan 1 00:00:12 kernel: vlan1: dev_set_promiscuity(master, 1)
Jan 1 00:00:12 kernel: device eth0 entered promiscuous mode
Jan 1 00:00:12 kernel: device vlan1 entered promiscuous mode
Jan 1 00:00:13 kernel: scsi 0:0:0:0: Direct-Access Multi Flash Reader 1.00 PQ: 0 ANSI: 0
Jan 1 00:00:13 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
Jan 1 00:00:13 kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
Jan 1 00:00:13 kernel: device eth1 entered promiscuous mode
Jan 1 00:00:14 kernel: device eth2 entered promiscuous mode
Jan 1 00:00:14 kernel: br0: port 3(eth2) entering listening state
Jan 1 00:00:14 kernel: br0: port 2(eth1) entering listening state
Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering listening state
Jan 1 00:00:14 kernel: br0: port 3(eth2) entering learning state
Jan 1 00:00:14 kernel: br0: port 2(eth1) entering learning state
Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering learning state
Jan 1 00:00:14 kernel: br0: topology change detected, propagating
Jan 1 00:00:14 kernel: br0: port 3(eth2) entering forwarding state
Jan 1 00:00:14 kernel: br0: topology change detected, propagating
Jan 1 00:00:14 kernel: br0: port 2(eth1) entering forwarding state
Jan 1 00:00:14 kernel: br0: topology change detected, propagating
Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering forwarding state
Jan 1 00:00:14 stop_nat_rules: apply the redirect_rules!
Jan 1 00:00:14 dnsmasq[301]: started, version 2.67 cachesize 1500
Jan 1 00:00:14 dnsmasq[301]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
Jan 1 00:00:14 dnsmasq[301]: warning: interface ppp1* does not currently exist
Jan 1 00:00:14 dnsmasq[301]: asynchronous logging enabled, queue limit is 5 messages
Jan 1 00:00:14 dnsmasq-dhcp[301]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Jan 1 00:00:14 dnsmasq[301]: read /etc/hosts - 5 addresses
Jan 1 00:00:14 WAN Connection: ISP's DHCP did not function properly.
Jan 1 00:00:14 RT-N66R: start httpd
Jan 1 00:00:14 crond[315]: crond: crond (busybox 1.20.2) started, log level 8
Jan 1 00:00:15 disk monitor: be idle
Jan 1 00:00:15 Samba Server: daemon is started
Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.62#53
Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.61#53
Jan 1 00:00:16 stop_nat_rules: apply the redirect_rules!
Jan 1 00:00:16 dnsmasq[301]: exiting on receipt of SIGTERM
Jan 1 00:00:16 dnsmasq[369]: started, version 2.67 cachesize 1500
Jan 1 00:00:16 dnsmasq[369]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
Jan 1 00:00:16 dnsmasq[369]: warning: interface ppp1* does not currently exist
Jan 1 00:00:16 dnsmasq[369]: asynchronous logging enabled, queue limit is 5 messages
Jan 1 00:00:16 dnsmasq-dhcp[369]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Jan 1 00:00:16 dnsmasq[369]: read /etc/hosts - 5 addresses
Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.62#53
Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.61#53
Jan 1 00:00:17 kernel: nf_conntrack_rtsp v0.6.21 loading
Jan 1 00:00:17 kernel: nf_nat_rtsp v0.6.21 loading
Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc stop_upnp
Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc start_upnp
Jan 1 00:00:17 rc_service: waitting "stop_upnp" via udhcpc ...
Jan 1 00:00:18 kernel: device eth1 left promiscuous mode
Jan 1 00:00:18 kernel: br0: port 2(eth1) entering disabled state
Jan 1 00:00:18 kernel: device eth2 left promiscuous mode
Jan 1 00:00:18 kernel: br0: port 3(eth2) entering disabled state
Jan 1 00:00:19 WAN Connection: WAN was restored.
Jan 1 00:00:21 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Jan 1 00:00:21 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Jan 1 00:00:22 kernel: device eth1 entered promiscuous mode
Jan 1 00:00:22 kernel: br0: port 2(eth1) entering listening state
Jan 1 00:00:22 kernel: br0: port 2(eth1) entering learning state
Jan 1 00:00:22 kernel: br0: topology change detected, propagating
Jan 1 00:00:22 kernel: br0: port 2(eth1) entering forwarding state
Jan 1 00:00:23 kernel: device eth2 entered promiscuous mode
Jan 1 00:00:23 kernel: br0: port 3(eth2) entering listening state
Jan 1 00:00:23 kernel: br0: port 3(eth2) entering learning state
Jan 1 00:00:23 kernel: br0: topology change detected, propagating
Jan 1 00:00:23 kernel: br0: port 3(eth2) entering forwarding state
Jan 1 00:00:28 rc_service: udhcpc 351:notify_rc stop_ntpc
Jan 1 00:00:28 rc_service: waitting "start_upnp" via udhcpc ...
Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
Jan 1 00:00:28 miniupnpd[487]: Listening for NAT-PMP traffic on port 5351
Jan 1 00:00:29 rc_service: udhcpc 351:notify_rc start_ntpc
Jan 1 00:00:29 rc_service: waitting "stop_ntpc" via udhcpc ...
Jan 1 00:00:30 dhcp client: bound 67.253.165.215 via 67.253.160.1 during 81593 seconds.
 
Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_upnp
Feb 22 16:10:15 miniupnpd[497]: HTTP listening on port 56982
Feb 22 16:10:15 miniupnpd[497]: Listening for NAT-PMP traffic on port 5351
Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_diskmon
Feb 22 16:10:15 disk monitor: be idle
Feb 22 16:10:46 crond[315]: time disparity of 1654090 minutes detected
Feb 22 16:11:05 nmbd[344]: [2014/02/22 16:11:05, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
Feb 22 16:11:05 nmbd[344]: Samba name server RT-N66R is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.1
Feb 22 16:12:42 kernel: device eth1 left promiscuous mode
Feb 22 16:12:42 kernel: br0: port 2(eth1) entering disabled state
Feb 22 16:12:42 kernel: device eth2 left promiscuous mode
Feb 22 16:12:42 kernel: br0: port 3(eth2) entering disabled state
Feb 22 16:12:45 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Feb 22 16:12:45 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Feb 22 16:12:45 kernel: device eth1 entered promiscuous mode
Feb 22 16:12:45 kernel: br0: port 2(eth1) entering listening state
Feb 22 16:12:45 kernel: br0: port 2(eth1) entering learning state
Feb 22 16:12:45 kernel: br0: topology change detected, propagating
Feb 22 16:12:45 kernel: br0: port 2(eth1) entering forwarding state
Feb 22 16:12:46 kernel: device eth2 entered promiscuous mode
Feb 22 16:12:46 kernel: br0: port 3(eth2) entering listening state
Feb 22 16:12:46 kernel: br0: port 3(eth2) entering learning state
Feb 22 16:12:46 kernel: br0: topology change detected, propagating
Feb 22 16:12:46 kernel: br0: port 3(eth2) entering forwarding state
Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.33.125 70:18:8b:2d:2b:4b
Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPNAK(br0) 192.168.33.125 70:18:8b:2d:2b:4b wrong network
Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:13:02 rc_service: httpd 312:notify_rc start_autodet
Feb 22 16:13:02 kernel: autodet uses obsolete (PF_INET,SOCK_PACKET)
Feb 22 16:14:00 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Feb 22 16:14:00 dnsmasq[369]: exiting on receipt of SIGTERM
Feb 22 16:14:00 dnsmasq[578]: started, version 2.67 cachesize 1500
Feb 22 16:14:00 dnsmasq[578]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
Feb 22 16:14:00 dnsmasq[578]: warning: interface ppp1* does not currently exist
Feb 22 16:14:00 dnsmasq[578]: asynchronous logging enabled, queue limit is 5 messages
Feb 22 16:14:00 dnsmasq-dhcp[578]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Feb 22 16:14:00 dnsmasq[578]: read /etc/hosts - 5 addresses
Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.62#53
Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.61#53
Feb 22 16:14:02 rc_service: httpd 312:notify_rc restart_wireless
Feb 22 16:14:03 kernel: device eth1 left promiscuous mode
Feb 22 16:14:03 kernel: br0: port 2(eth1) entering disabled state
Feb 22 16:14:03 kernel: device eth2 left promiscuous mode
Feb 22 16:14:03 kernel: br0: port 3(eth2) entering disabled state
Feb 22 16:14:06 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Feb 22 16:14:06 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
Feb 22 16:14:07 kernel: device eth1 entered promiscuous mode
Feb 22 16:14:07 kernel: br0: port 2(eth1) entering listening state
Feb 22 16:14:07 kernel: br0: port 2(eth1) entering learning state
Feb 22 16:14:07 kernel: br0: topology change detected, propagating
Feb 22 16:14:07 kernel: br0: port 2(eth1) entering forwarding state
Feb 22 16:14:08 kernel: device eth2 entered promiscuous mode
Feb 22 16:14:08 kernel: br0: port 3(eth2) entering listening state
Feb 22 16:14:08 kernel: br0: port 3(eth2) entering learning state
Feb 22 16:14:08 kernel: br0: topology change detected, propagating
Feb 22 16:14:08 kernel: br0: port 3(eth2) entering forwarding state
Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
 
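As an added example (not from the original post, and not ASUS or Merlin code), here is a small triage script that pulls out of a router syslog like the one above the facts a responder checks first: the WAN lease, the upstream resolvers dnsmasq is forwarding to, LAN DHCP leases and NAKs, miniupnpd listeners, the crond clock jump, and the smbd "incorrect password length" rejections. The sample input is a subset of lines copied from the log above; the record layout, the `Summary` fields and the finding codes are my own assumptions, chosen to make the script testable.

```python
"""Triage a BusyBox/ASUSWRT-style router syslog: extract the facts a responder
checks first and tag the lines that deserve a second look (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of lines copied from the router log in the post.
SAMPLE_LOG = """\
Jan 1 00:00:09 syslogd started: BusyBox v1.20.2
Jan 1 00:00:09 kernel: Linux version 2.6.22.19 (root@asus) (gcc version 4.2.4) #1 Sat Nov 30 18:05:26 EST 2013
Jan 1 00:00:14 WAN Connection: ISP's DHCP did not function properly.
Jan 1 00:00:14 RT-N66R: start httpd
Jan 1 00:00:15 Samba Server: daemon is started
Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.62#53
Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.61#53
Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
Jan 1 00:00:30 dhcp client: bound 67.253.165.215 via 67.253.160.1 during 81593 seconds.
Feb 22 16:10:15 miniupnpd[497]: HTTP listening on port 56982
Feb 22 16:10:46 crond[315]: time disparity of 1654090 minutes detected
Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPNAK(br0) 192.168.33.125 70:18:8b:2d:2b:4b wrong network
Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
Feb 22 16:14:00 dnsmasq[369]: using nameserver 209.18.47.62#53
Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
"""

# "Mon d HH:MM:SS process[pid]: message"; the pid is optional and the
# process name may contain spaces ("WAN Connection", "dhcp client").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Summary:
    kernel: Optional[str] = None
    wan_ip: Optional[str] = None
    wan_gw: Optional[str] = None
    nameservers: List[str] = field(default_factory=list)        # ordered, unique
    leases: Dict[str, str] = field(default_factory=dict)        # MAC -> last ACKed IP
    naks: List[Tuple[str, str, str]] = field(default_factory=list)  # (ip, mac, reason)
    upnp_ports: List[int] = field(default_factory=list)         # miniupnpd HTTP ports
    services: List[str] = field(default_factory=list)
    smb_ntlmv1_length_errors: List[Tuple[str, int]] = field(default_factory=list)
    time_jump_minutes: Optional[int] = None


def parse_line(raw: str) -> Optional[dict]:
    """Split one syslog line into ts / proc / pid / msg, or None if it does not fit."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> Summary:
    s = Summary()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, proc, msg = rec["ts"], rec["proc"], rec["msg"]
        if proc == "kernel":
            m = re.match(r"Linux version (\S+)", msg)
            if m:
                s.kernel = m.group(1)
        elif proc == "dhcp client":
            m = re.match(r"bound (\S+) via (\S+)", msg)
            if m:
                s.wan_ip, s.wan_gw = m.groups()
        elif proc == "dnsmasq":
            m = re.match(r"using nameserver (\S+)#\d+", msg)
            if m and m.group(1) not in s.nameservers:
                s.nameservers.append(m.group(1))
        elif proc == "dnsmasq-dhcp":
            m = re.match(r"DHCP(ACK|NAK)\(\S+\) (\S+) (\S+)(?: (.*))?", msg)
            if m:
                kind, ip, mac, reason = m.groups()
                if kind == "ACK":
                    s.leases[mac] = ip
                else:
                    s.naks.append((ip, mac, reason or ""))
        elif proc == "miniupnpd":
            m = re.match(r"HTTP listening on port (\d+)", msg)
            if m:
                s.upnp_ports.append(int(m.group(1)))
        elif proc == "smbd":
            m = re.search(r"incorrect password length \((\d+)\)", msg)
            if m:
                s.smb_ntlmv1_length_errors.append((ts, int(m.group(1))))
        elif proc == "crond":
            m = re.search(r"time disparity of (\d+) minutes", msg)
            if m:
                s.time_jump_minutes = int(m.group(1))
        if msg.startswith("start ") or msg.endswith("daemon is started"):
            s.services.append(f"{proc}: {msg}")
    return s


def findings(s: Summary) -> List[Tuple[str, str]]:
    """Turn the summary into (code, note) pairs in the order a reviewer reads them."""
    out: List[Tuple[str, str]] = []
    if s.wan_ip:
        out.append(("WAN", f"WAN lease {s.wan_ip} via gateway {s.wan_gw}"))
    if s.nameservers:
        out.append(("DNS", "forwarding to " + ", ".join(s.nameservers)
                    + " (confirm these are your ISP's or your own resolvers)"))
    for ip, mac, reason in s.naks:
        out.append(("DHCP_NAK", f"{mac} asked to renew {ip} and was refused "
                    f"({reason}): it held a lease from a different subnet"))
    if s.upnp_ports:
        out.append(("UPNP", f"miniupnpd HTTP listener on port(s) {s.upnp_ports}: "
                    "UPnP IGD is on, so any LAN host may request WAN port forwards"))
    if s.smb_ntlmv1_length_errors:
        first_ts, length = s.smb_ntlmv1_length_errors[0]
        out.append(("SMB_AUTH_FAIL", f"{len(s.smb_ntlmv1_length_errors)} SMB logon(s) "
                    f"rejected at {first_ts}: NT response was {length} bytes, not the 24 "
                    "the NTLMv1 check expects; these lines carry no client address"))
    if s.time_jump_minutes:
        out.append(("CLOCK_JUMP", f"clock jumped {s.time_jump_minutes} minutes at NTP sync: "
                    "'Jan 1' timestamps are boot-relative, not real dates"))
    return out


if __name__ == "__main__":
    for code, note in findings(summarize(SAMPLE_LOG)):
        print(f"[{code}] {note}")
```

Run it against a full syslog dump (`summarize(open("syslog.txt").read())`) to get the same summary for the longer, unredacted log mentioned later in the thread without pasting it anywhere; the script keeps only the fields it prints, so the output is what you would share.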
Your router is unaffected by whatever is plaguing your computers. I assume the errors you are questioning are the smbd password length variety. I also see them; I vaguely remember looking into what they were from and subsequently forgetting the reason, but it's the least of your worries, it looks like.
 
I'm just curious, but why would you flash older firmware versions on your router when they have security vulnerabilities?

Which router do you have? What firmware version were you using? What firmware version are you using now? Are you talking about USB drives that were connected to the USB port of the Asus router?
 
Firmware

I flash the currently installed firmware when either reverting or upgrading to any different version. I thought that was necessary to ensure complete success? I recall reading that on a post in this forum when I purchased this router initially.

The router is the Asus RT-N66R Dark Knight. Yes, I am referring to the USB port on the router. I had my external drive configured as a network drive for all my devices to access at one point. I later decided to go with the SAMBA configuration, so the external drive was no longer connected to the router's USB and instead directly to the desktop box. My transfer rates were significantly faster via the USB 3.0 on my box and the tradeoff for access was just as easy to set up in the SAMBA method.

Firmware version: 3.0.0.4.375_4. I have not changed firmware since the discovery of this log file a few hours ago. I want to isolate how it happened, how I remove it from my devices, and how to prevent it once it has been removed.
 
Exploit

I also have additional syslog files that show this exploit goes ape shirt when it has accessed a local box. Those logs contain physical IP addresses and network data that is accurate and unmasked, as well as device names and other information. So I cannot just paste it all on the thread.

*edit*

I think I misread your question initially. Why did I revert to an older firmware? Because I thought it was possible that changes made to the existing firmware created the 'hole' I was breached through, since no router settings were changed locally. It seemed logical that the firmware changes must have enabled the breach. As with a lot of patches, sometimes the patch is what breaks things, and waiting a bit before blindly jumping into the new patch is best. Since I blindly jumped and broke my network, I tried reverting to see if that would reinstate the network's integrity.
 
Try checking the asus website and see if there's a newer firmware.

Or try checking Merlin's website and see if he's got a newer firmware.

After you flash the new firmware then reset the router to factory defaults and remove your old wireless profiles from your computers and reconnect. Good luck.
 
Good Luck

Yes, I see that Asus has some mud on their face for not addressing the breach when asked if there was a vulnerability recently. That is all well and good. Hopefully that fixes it I agree.

My question was: how do I fix the computer and other network devices that have been affected by this? It does no good to update the firmware and remove network profiles if the local boxes are all altered by the exploit, hack, and/or hijacking. What stops this from resetting the router configuration again, since it has installed itself as a trusted installer, authorized installer, and granted itself special permissions/admin rights?

I don't feel like imaging 5 machines to deploy them into an insecure environment only to be right back at square 1 after 10 hours of formatting and updating software....

What was changed in my PC based on that log file the router had? Do you know the firmware is going to prevent this? This is what I'm trying to figure out here. The Asus website had zero information on this.... Nor the forums here that I saw..
 
I am not sure what "exploit" in particular you are referring to; the only thing I can think of is the recent discovery of insecure SMB/FTP settings allowing outside access to USBs attached to the router, which was fixed over the last two firmware releases.

That being said, you could have been really unfortunate and had your network infected because of this, but that would be a hard task and I haven't heard of any cases yet where this has been used maliciously besides a log file explaining the router's FW is exploitable. If this is the case then further information would be needed, but I find this unlikely.

Updating to the latest firmware should solve your issues.
 
Now when you say "recent discovery", do you consider June of 2012 recent?

And when you're talking about "the last two firmware updates", are you referring to the update that was released 6 days ago and the subsequent update that was released less than 48 hours ago?

http://www.securityfocus.com/archive/1/531046
 
I should have chosen my words more carefully, but yes.

Unfortunately things like this happen to the best of companies; just yesterday it was discovered Apple's SSL implementation hasn't been verifying anything for the last year, opening millions of devices up to man-in-the-middle attacks.
 
Yes, I see that Asus has some mud on their face for not addressing the breach when asked if there was a vulnerability recently.

Asus has released newer firmware to address security holes. They did so very quickly compared to other brands that still haven't even looked into security issues.

What was changed in my PC based on that log file the router had? Do you know the firmware is going to prevent this? This is what im trying to figure out here. Asus website had zero information on this.... Nor the forums here that I saw..

A router cannot change your PC configuration in such a manner (as you have posted in other threads about). It only provides DHCP info to your computer's NIC and discovery services in regard to its own file and printer sharing etc. features.

Now, if someone uploads a malicious file to a open file share, and you run or open it, then you could be in trouble.
 
That router log is a perfectly normal boot log, there is nothing unusual in there.
 
For the password length fix, you need to tell Windows to use NTLMv2 only if negotiated. See this post:
http://forums.smallnetbuilder.com/showpost.php?p=61463&postcount=6
 
Observant vs paranoid

I appreciate the conjecture that this has been some well known bug since 2012, except for the fact the router had no problems until recently. I have always used the most recent firmware available as it came out. I updated to the Christmas Eve release the day it came out. Any subsequent firmware was updated within a day or two of being released. I purchased the router in December.
I am not saying the router has physically changed the direct Windows configuration of my LAN adapter TCP/IP Internet Protocol v4 and v6 settings.
I am saying that there are indications that, because of the router exploit, my PC and network devices have been affected.
I am supporting this hypothesis with evidence visible in BIOS POST (secure virtual machine has been enabled, among others that indicate the PC looks to a different location when booting after BIOS POST, before Windows logon), advanced reformat options (hidden X: boot drive), the Net Users view attachment; if I select desktop libraries, desktop.libraries - ms is displayed as the properties at times; proxy redirects; I could point out a hundred others.
The eventvwr has a plethora of strange entries that I have never seen before, such as System log: Event ID 1055, Processing group policy failed, the Active Directory failed to replicate to the current domain controller; Event ID 1530 Application - 16 User Registry Handles Leaked From - \Registry\User\S-1-5-21-1390067357-926492609-725345543-5632: Process 1360.
I am, however, not entirely sure what is the best indicator to look for. I can tell you that yesterday I had over 150 TCP connections in my Resource Monitor.
I understand updating to the newest firmware may resolve this. I understand a reformat may also fix this. Of course I have to remove the user groups and users that should not be on my PC; otherwise the reformat attempts, reset BIOS to default attempts, and System Restore attempts all fail. I understand.
What I don't understand is how to prevent that from happening in the future. I post with the goal of identifying the source of the exploit - if not the router, since there is no possible way that caused what my symptoms are (right cheetah?), what is it? I also find it difficult to believe, with how I have configured my network - contrary to assumptions previously made - that others aren't experiencing the same thing. I don't have some obscure program or settings that thousands to hundreds of thousands don't have either.
I have a syslog file that is much more in-depth but has my network data visible. I don't know if what I am reading is normal but I don't think it is. I can send it to a senior member if anyone would like to review it.
 

Attachments: Net_cmd_screen_shot.PNG
Maybe it's just Windows being...well...Windows.....

There are so many malware and security issues with it.....I can't tell you how many times Windows just out of nowhere goes FUBAR.....all the more reason to switch to Linux (or Mac, if you can afford it). I personally don't like Apple products.

Though...Win 8/8.1 with its kernel-level antivirus support built in....much more hardened...but...it's still Windows....lol...;)

If it were me, at this point...I would just wipe everything, and start over and be done with it...

Maybe it's just Windows being Windows - How is this helpful or productive?

There are so many security/malware issues...I can't tell you how many times it's gone FUBAR - Really? If this were true, the percentage of businesses/corporations that use Windows vs Mac would be different. How does this help again?

If it were me I would wipe and start over - Yes, I can do that now, and with a very good chance it could just happen again if I change nothing other than the firmware, since, as you say, the router could not have done this. Although the article posted earlier states you are wrong and it can.

http://www.securityfocus.com/archive/1/531046

"...
Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and most importantly the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today...."

The article also says that ASUS was asked multiple times about the exploit and only recently addressed its existence publicly, and then followed it up with a very recent patch. So for those who were saying it's been a well-known issue for some time...
1) yes, but not by any firmware that verified its resolution (unless I'm misreading); 2) ASUS released a beta patch almost 9 months after being asked about the exploit initially, which was mid-Jan 2014. 4 short weeks ago.

Buy an Apple if I can afford it! - *Quote from 2 posts up:* "Unfortunately things like this happen to the best of companies, just yesterday it was discovered Apple implemented SSL hasn't been verifying anything for the last year opening millions of devices up to man-in-the-middle attacks."*

Makes a ton of sense, I'll run right out and do that. All platforms are vulnerable. If there is a will there is a way - And I get this. Now....since I ran 6 different malware programs with updated databases that didn't identify anything, combined with all of the other things I am seeing, I come and ask for what I specifically stated in my above post: 1) identify, 2) remove, 3) prevent.
 
Progress!

This is also a symptom. My Certificate's Fingerprint Number does not match the one displayed on the page near the bottom. Will follow up once I read the articles a little bit more in depth and apply any resolutions if any are displayed.


https://www.grc.com/fingerprints.htm
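An added example, not part of this post or of GRC's page, of doing the same check locally: connect to a site, record the SHA-1 fingerprint of the certificate actually presented to this machine, and compare it with a fingerprint obtained out of band (from GRC's page, or from the same site over a network you trust). A mismatch means something between you and the site is presenting a different certificate, which is the symptom described above. The expected fingerprint in the code is a placeholder; the host name is just the one from the link. One caveat before concluding anything: large sites rotate certificates and can serve different ones from different front ends, so confirm a mismatch from a second network before treating it as interception.

```powershell
# Added example: fetch the certificate a TLS server presents to this host and
# compare its SHA-1 fingerprint with one obtained out of band.
function Get-PresentedCertThumbprint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        # The validation callback returns $true on purpose: we want to see the
        # certificate that was actually presented even when it does not chain to
        # a trusted root, because a substituted certificate is exactly what this
        # check looks for. Nothing is sent over the connection after the handshake.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint   # SHA-1, uppercase hex, no separators
        }
    } finally {
        $client.Close()
    }
}

function Test-CertFingerprint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string]$ExpectedFingerprint
    )
    # Normalise "AB:CD:..." / "ab cd ..." / "abcd..." to the Thumbprint format.
    $expected = ($ExpectedFingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $seen = Get-PresentedCertThumbprint -HostName $HostName
    [pscustomobject]@{
        Host     = $HostName
        Expected = $expected
        Seen     = $seen.Thumbprint
        Issuer   = $seen.Issuer
        NotAfter = $seen.NotAfter
        Match    = ($seen.Thumbprint -eq $expected)
    }
}

# Placeholder fingerprint: replace it with the value read from GRC's page or
# recorded from the same site over a network you trust.
$expectedForExample = '00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
$result = Test-CertFingerprint -HostName 'www.grc.com' -ExpectedFingerprint $expectedForExample
$result | Format-List
if (-not $result.Match) {
    Write-Warning "Fingerprint mismatch for $($result.Host): the certificate presented to this machine is not the expected one. Issuer seen: $($result.Issuer)"
}
```

The Issuer field is the first thing to look at on a mismatch: an interception proxy normally has to sign with its own CA, so an unfamiliar issuer alongside a fingerprint that changes when you move to another network is the pattern that distinguishes interception from ordinary certificate rotation.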
 