Think my AC 1900P (ac68) router compromised

David1973

New Around Here
I had a bunch of computers inside my home that had malware installed. I could do a fresh install of Windows 10, and right after connecting to my router (AC 1900P, using Merlin's latest firmware) it seems that after just minutes my PC has been infected again.

The malware is creating folders and files that shouldn't exist on a clean Windows 10 PC. I've Google searched some of the files and folders and it was talking about a network worm.

I don't know how to solve this if it is indeed the router causing these infections. I have tried clearing the NVRAM, reinstalling the firmware, and disabling every service that could potentially be exploited within the router.

I'm just at a loss. I did notice, and I don't know if this is relevant, that I disabled the JFFS, and when I look at the Tools section I see that there is an ever-increasing amount of data written to it.

I set it to format the JFFS on next boot, but there is always a small amount of data that grows in size.

I'm mentally at my end here. Could someone help me out and let me know if this is normal router behavior?

Also, I noticed my iPhones are all using the BOOTP protocol, and that's something I set up.

Thanks for reading,

David
 

Have you authorized AiProtection on your router, activated all its settings and done a scan from AiProtection to make sure all the settings are green? This may not eradicate your problem(s), but it will block infected devices from communicating with known bad sites. You may still need to repeat the clean installs if a device was able to call home and pick up another load of crap.

Also reset the router to factory defaults, erase NVRAM, change the router's password and maybe even its DHCP subnet. Do not restore the settings from a backup file. Do this while the router is disconnected from the Internet.
 
I set it to format the JFFS on next boot, but there is always a small amount of data that grows in size.
That's normal. /jffs is used to store copies of the syslog and the client information used in the network map, both of which will grow noticeably immediately after being cleared down.
 
I had a bunch of computers inside my home that had malware installed. I could do a fresh install of Windows 10, and right after connecting to my router (AC 1900P, using Merlin's latest firmware) it seems that after just minutes my PC has been infected again.
If your PC is being re-infected when you reconnect it to your network, then it is more likely that the infection is coming from one (or more) of the other computers on your network. You need to disconnect them all from your network and only reconnect each one after it has been disinfected in offline mode; otherwise you're just playing whack-a-mole with the virus.

Also, check your router configuration (Administration > System) to ensure that SSH and web access are not enabled from the WAN.
 
Set your AP in isolation mode; then hosts will no longer speak to each other. What's telling you of this "infection"? Defender??? He he.... Win 10 is full of security risks, but this one should be watched out for. Injection is easy if you're on the same segment ;)

Windows 10 WiFi Sense Contact Sharing

By default, Windows 10 will share your wifi credentials with Outlook, Skype, and Facebook contacts, presumably to make wifi and hotspot sharing easier. This makes it possible for any of these contacts to hop onto your wifi network, if in proximity, without authorization. While not necessarily a software vulnerability, this feature can lead to compromises, and should be remediated through the following steps:

Change the wifi network name/SSID to include the terms "_nomap_optout", prior to upgrading to Windows 10
Post-upgrade, change your Windows privacy settings to disable Wi-Fi Sense sharing.
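The two router-side checks raised in this thread, the earlier reply's "make sure SSH and web access are not enabled from the WAN" (Administration > System) and this post's "set your AP in isolation mode", both come down to a handful of nvram values that can be audited from an SSH session on the router instead of clicking through the web UI. The script below is an added example, not code from the thread or from Asuswrt-Merlin. It assumes the nvram key names sshd_enable, misc_http_x, wl0_ap_isolate and wl1_ap_isolate, and the value meanings given in the comments, which you should confirm against your own firmware build; the sample nvram lines it runs against off the router are constructed for the example.

```shell
#!/bin/sh
# Audit an Asuswrt-Merlin router for the settings discussed in this thread:
# SSH / web admin reachable from the WAN, and wireless AP isolation.
# Input: "key=value" lines in the format `nvram show` prints, on stdin.
# Exit status: 0 when nothing is WAN-exposed and both radios isolate clients,
# 1 when at least one WARN line was printed.
#
# Assumption: the keys sshd_enable, misc_http_x, wl0_ap_isolate and
# wl1_ap_isolate, and the value meanings below, are taken from the
# Asuswrt-Merlin nvram layout; verify them on your firmware build.
audit_nvram() {
    rc=0
    while IFS='=' read -r key val; do
        case "$key" in
            sshd_enable)
                # assumed: 0 = off, 1 = LAN + WAN, 2 = LAN only
                case "$val" in
                    0|"") echo "ok   sshd_enable=$val: SSH disabled" ;;
                    2)    echo "ok   sshd_enable=2: SSH on LAN only" ;;
                    1)    echo "WARN sshd_enable=1: SSH reachable from WAN"; rc=1 ;;
                    *)    echo "WARN sshd_enable=$val: unknown value"; rc=1 ;;
                esac ;;
            misc_http_x)
                # assumed: 1 = web admin reachable from the WAN side
                if [ "$val" = "1" ]; then
                    echo "WARN misc_http_x=1: web admin reachable from WAN"; rc=1
                else
                    echo "ok   misc_http_x=$val: web admin on LAN only"
                fi ;;
            wl0_ap_isolate|wl1_ap_isolate)
                # assumed: 1 = clients on that radio cannot reach each other
                if [ "$val" = "1" ]; then
                    echo "ok   $key=1: wireless clients isolated"
                else
                    echo "WARN $key=$val: wireless clients can reach each other"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample (not captured from a real router): SSH still open to the
# WAN and AP isolation off on the first radio, which is what the audit
# should flag.
sample_nvram() {
    printf '%s\n' \
        'sshd_enable=1' \
        'misc_http_x=0' \
        'wl0_ap_isolate=0' \
        'wl1_ap_isolate=1' \
        'lan_ipaddr=192.168.1.1'
}

if command -v nvram >/dev/null 2>&1; then
    # On the router itself: audit the live configuration.
    nvram show 2>/dev/null | audit_nvram \
        || echo "-> fix the WARN lines above before reconnecting clients"
else
    # Anywhere else: run against the constructed sample to see the output.
    sample_nvram | audit_nvram \
        || echo "-> fix the WARN lines above before reconnecting clients"
fi
```

Run it on the router after a factory reset to confirm the reset actually cleared the setting rather than trusting the web page; run it again after saving changes, since a non-zero exit is the simplest thing to check from a script before you let the other machines back onto the network.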
 
OK, I did a factory reset by logging in to the router and pressing Restore Defaults, let that load up, and then immediately cleared the NVRAM using the WPS hold-down (30/30/30). To my shock and horror, I boot into the router after creating a fresh username and password, and I have done all the hardening with Trend Micro and disabling the stuff in the USB section and whatnot, but although I turned port forwarding off, they were enabled and pointing at 192.168.1.41 UDP 3074 > 3074. I wrote it down fast, so I think that's how it went.

I go onto my mom's old iPad, which she has never synced to any computer ever, and it shows it's going to sync to the computer called PC. That's what I named my computer, PC.

I then realize my nephew's Surface Pro 2 has been taken over by a hypervisor malware, and it even has a little eject button at the bottom of the screen to eject the Surface Pro 2.

There are tons of PowerShell scripts everywhere and Hyper-V this and that.

I don't know what to do. All computers are infected, but what's worse is that when I was trying to isolate it all, people in my house just wanted the WiFi back on and got upset with me because they can't fathom the damage that has been done.

I really am at a loss.

I got the router connected as fast as I could using a Linux Mint boot disk, and I think I got the router secured down. But I really don't know.

Has anyone heard of such a malware infestation?

Like I said, everyone just wants to get their pics back and get on Facebook, and they don't know or care about what's going on.


Thanks,

David
 
If your router is locked down, I would move to the next step. Disconnect your computer from the network and reinstall Windows. Then unplug everyone else and reboot the router. Once rebooted, hook up only your computer, update Windows, and download and install Norton Security and run LiveUpdate until it has no more updates. You may get a 30-day free trial. Once that is done you should be OK to connect the others again. Then Norton will tell you what computer is trying to play with your system and you can block it, or you can use the firewall in it to stop all traffic from the other computers. The router should be able to handle itself as long as you have set it up right.

Just take your time and you will be fine. I would repeat this with the other computers as well.
 
but although I turned port forwarding off, they were enabled and pointing at 192.168.1.41 UDP 3074 > 3074.
That is the standard port for Xbox Live, which it will open using UPnP. Normal behaviour.

I then realize my nephew's Surface Pro 2 has been taken over by a hypervisor malware, and it even has a little eject button at the bottom of the screen to eject the Surface Pro 2.
Are you sure it's malware? How are you checking this? Maybe he has just enabled the Hyper-V feature in Windows.
 
That is the standard port for Xbox Live, which it will open using UPnP. Normal behaviour.

Are you sure it's malware? How are you checking this? Maybe he has just enabled the Hyper-V feature in Windows.
Try downloading NPE.exe from Norton (not sure if it is available in the trial version, though). Google it. You must be connected to run it! It runs in "Safe" mode. It should tell you if you have malware. You should run it on each PC in your network.
 
Try creating a new network with an isolated AP, format each device, and then connect each one to the new network. Try activating the Trend Micro security in the router; it might help as well.
 
When people tell me they have Norton, I say that's your first problem ;) I remember when Norton was good in 2006.
 
When people tell me they have Norton, I say that's your first problem ;) I remember when Norton was good in 2006.

Norton Antivirus in the 2002-2006 era was actually total garbage. They had to rewrite it almost from the ground up to fix it, current Norton Security software is actually pretty good. It's what I use at home.
 
Norton Antivirus in the 2002-2006 era was actually total garbage. They had to rewrite it almost from the ground up to fix it, current Norton Security software is actually pretty good. It's what I use at home.
I totally agree with Merlin!
I used it back in the '90s on a corporate level and it was trash on DOS machines.
We could only rely on McAfee back then, which at least removed viruses.
Today Norton is top-notch, along with Malwarebytes.
 
Highly recommend going with Malwarebytes Premium... Make sure your firewall in Windows 10 is enabled and hardened before you connect it to your network.
 
Norton Antivirus in the 2002-2006 era was actually total garbage. They had to rewrite it almost from the ground up to fix it, current Norton Security software is actually pretty good. It's what I use at home.
I just switched to Bitdefender. I made the decision for two main reasons. 1. Every time when performing an "update" in Norton, the update window would just sit at installing (or "Fixing", I think it was called). But when I would right-click the Norton icon in the task tray, it would refresh itself to complete. Always hated that....

And 2, they started promoting other Norton items directly through the Norton notifications within the program (same reason I am dropping back to Windows 7). I still get emails about their damned router, 3 "final chance" emails so far and counting.....

Bitdefender seems pretty good so far. Same dumbed-down interface as Norton, but the distribution and online portal are cleaner than Norton's. Easier for me to manage, since I use a multi-PC license for the extended family as well.
 
