Hey all - Long-time lurker, but I've been ground into submission..
Backstory - home network with 20+ devices (IP cams, kids' game systems, dad's game systems, Synology NAS) behind an R7000 running DD-WRT - all running perfectly for 1 1/2 years, no problems. About a month ago oddities started to arise - a couple of my grey-market China cams reverted to their native tongue, odd traffic / wireless disconnects occasionally (who checks after the movie?) which I ignored at the time - regrettably.
Fast forward to a week ago - Synology compromised and 2FA locked (haven't even started with it, she sits cold) - R7000 has been hard-bricked and no hope of even the recovery console; most of the house computers are in some state of Win-doze reinstall from scratch, and I watched it all happen powerless - they (whoever) hit all in a two-night attack - the worst part being after compromising the R7000 the second time, they allowed it to continue with the parameters I had set - so while I was assessing the damage to the computers etc., they were going at the Synology... FML. The real kicker - I had pulled the hard line and unplugged the R7000 and the sister AP wireless in my shop figuring I could breathe and catch my breath; turns out they had made their breach via my / wife's / son's Androids - all of which are currently sitting on the counter with the batteries pulled (next to my Minix U1 which I can only assume was nailed as well but is of low priority).
Windows reinstalls were turned rabid before I could get to the point of getting antivirus installed - in fact I am typing this running hardwired on my old beater laptop and a live CD burn of Kali. It's surreal.
So yesterday following the death of the R7000 I headed out and grabbed both an AC-3100 and an AC-5100 (which is still boxed) as I wanted backup "in case" and the vendor has a great return policy; I had yet to deduce the problem being the damn cell phones and installed the RT-AC3100 unhooked, configured her all right with the latest firmware via my Kali-live powered laptop and checking the MD5 every step of the way. It's worth mentioning that I am on a static IP; the traffic ACK-SYNing the unit seemed heavy but it seemed to be doing fine and dropping packets like it should; I enjoyed a little research time on my phone and crashed out thinking it was over..
So this morning - no net, 3100 has a single LED and is unresponsive.. thankfully there wasn't anything left running on the inside for them to chew on. Took a firmware restore to get it back up - to which I saw very odd traffic - what I assume is the DNS rebinding attack described here -
Regardless, I have spent the better part of the day trying to discern if it is my clients that are still infected, something else internal that is causing the issue, or perhaps the firmware I reloaded (threw on the newest Merlin thinking it might help?) - anyways, it only occurred to me earlier while rebuilding one of my machines that the phones could possibly be the culprit - and pulling the batteries on everything Android seems to have quieted the airways (at least from what I can see with the Kali wireless sniffer?) but the issue persists even with a full lockdown on the 3100 - specified admin ports, IPs, and SSL; DNS check... and I've attached what I see below within minutes of logging on with either the Kali live machine or my one Win10 laptop that I've rebuilt. At this point I'm considering cobbling together a pfSense machine out of some old hardware in the garage - but figured I would come see what the expert community has to say first. It's been a long couple of days so please go easy, my brain is craving sleep horribly.
Wow... was kicked from the forum site the second I posted the boot log. Will try again, but I'm hoping there is something in there. Some testing in the meantime - on my Win10 laptop I installed TinyWall; it appears I make multiple connections on port 443 to specific IPs when I hit web URLs... and I mean a lot... even disconnected from the LAN and I get 50+ port connections.. yet the machine shows clean and clear besides the usual "srvhosts"... ?
Boot