[VERY IMPORTANT] Asus routers are compromised.

To give you a partial answer: if no extra features are used (such as a USB drive, for example) then the defaults should be secure enough.

I am using a USB drive to record 'bandwidth monitoring' data - nothing else.

Reading RMerlin's post I have checked that ftp is disabled by default (I am running 39_0-em on an RT-N66U) so it sounds like everything should be fine.
 
i have a strong feeling Asus is going to shut down this thread or send their employees to screw it up by justifying (nothing is safe around the internet) or (We're Not the Only Ones)
:D
 
Asusgate

ASUSGATE

Hackers publish thousands of Asus router data

(Image caption: Supposedly also affected: Asus RT-AC66U. © Asus)

12,937 IP addresses, 6,535 full file lists and 3,131 sets of login data: hackers publish sensitive information from numerous Asus RT routers.

Under the title "ASUSGATE", a reference to the Watergate scandal, hackers have published thousands of IP addresses that lead to vulnerable routers of the Asus brand. More specifically, it is the RT series, which according to the hackers is affected by two critical vulnerabilities. The router's default settings allowed anonymous login to the FTP server. Anyone using the AiCloud media server function may even have granted hackers access to their PC, because the login data is stored in plain text in a file that can easily be downloaded. The vulnerabilities were discovered in the summer of 2013; Asus responded with a patch, albeit late. But the hackers now claim that the firmware upgrade has not closed the gaps.

As proof, they publish the IP addresses of 12,937 Asus routers whose FTP and/or AiCloud access could be entered. In addition, they publish 6,535 complete and 3,605 partially complete lists of files that can be accessed through the gaps. There is also the AiCloud login data from 3,131 Asus routers.


ASUSGATE is signed as the work of the Brothers Grim, Chuk Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor and Duke Igthorn. According to the original report on the security holes, which refers to the security researcher Kyle Lovett, the following Asus router models are affected:

- RT-AC66R
- RT-AC66U
- RT-N66R
- RT-N66U
- RT-AC56U
- RT-N56R
- RT-N56U
- RT-N14U
- RT-N16
- RT-N16R

If you use one of these models, we strongly advise you to change your AiCloud password. In addition, you should consider whether you need the function at all, and switch it on and off as necessary. Also check the Asus support page for an update for your router.

http://www.pcwelt.de/news/Hacker_ve...77.html?r=663650515168080&lid=305510&pm_ln=15
 
i have a strong feeling Asus is going to shut down this thread or send their employees to screw it up by justifying (nothing is safe around the internet) or (We're Not the Only Ones)
:D


No, this is not Asus' forum. They have no control over the content here.
 
i think the reason why l&ld says this thread is getting overblown is that, if one reads the original post, it's written there that ftp was configured with no account being required for access. That means he had anonymous access enabled.

This is overblown for the following reason:

1) the only issue there is that asuswrt had an insecure default setting (ftp enabled by default)

2) this can be resolved by anyone simply by disabling or reconfiguring their ftp access

3) the matter of the default ftp setting being too permissive has already been fixed by asus in a recent firmware update released a few weeks ago.

No need to get into a 4+ pages debate and having people launching personal attacks against one another over this. The bottom line is, asus left a default setting to an unsafe value, and they have already addressed the issue.

thank you!
 
To give you a partial answer: if no extra features are used (such as a USB drive, for example) then the defaults should be secure enough.

And if you are to use the USB ports on the RT-N66U for file sharing within your OWN network... How would you go about securing your own network?

We have an RT-N66U with 3.0.0.4.374.39 firmware and with FTP disabled, AiCloud disabled, AES WPA encryption but using the USB ports on the router with storage for file sharing, and I got that file ...

WARNING_YOU_ARE_VULNERABLE.txt on the USB Storage.

What would be recommended in these cases?

Thanks.-
 
We have an RT-N66U with 3.0.0.4.374.39 firmware and with FTP disabled, AiCloud disabled, AES WPA encryption but using the USB ports on the router with storage for file sharing, and I got that file ...

WARNING_YOU_ARE_VULNERABLE.txt on the USB Storage.

What would be recommended in these cases?

Thanks.-

Run a remote portscan, you'll see what's open. If nothing is open, then it means the vector of attack was probably through wifi.
 
Now, after scanning with ShieldsUP! I got a report saying: "All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet."

But on the ShieldsUP! Ports Report we got: 21 FTP OPEN! FTP servers have many known security vulnerabilities and the payoff from exploiting an insecure FTP server can be significant. This system's open FTP port is inviting intruders to examine your system more closely.

We have Enable Port Forwarding -> No on the Router's WAN - Virtual Server / Port Forwarding

Any help would be appreciated
 
i have a strong feeling Asus is going to shut down this thread or send their employees to screw it up by justifying (nothing is safe around the internet) or (We're Not the Only Ones)
:D

The only two persons here who have any say as to what thread stays up and what thread goes down are Tim (who will always have the final say), and myself (on the Asus-Wireless sub-forums, and subject to Tim's final decision).

Personally, as long nobody posts detailed instructions on how to EXPLOIT a security hole (this is very different from pointing out at a hole and saying how to close it), and the thread doesn't devolve into an insult fest, I have no intention of "shutting it down".
 
Moving this to the general Asus Wireless sub-forum, as this is definitely not specifically related to Asuswrt-Merlin.
 
And if you are to use the USB ports on the RT-N66U for file sharing within your OWN network... How would you go about securing your own network?

We have an RT-N66U with 3.0.0.4.374.39 firmware and with FTP disabled, AiCloud disabled, AES WPA encryption but using the USB ports on the router with storage for file sharing, and I got that file ...

WARNING_YOU_ARE_VULNERABLE.txt on the USB Storage.

What would be recommended in these cases?

Thanks.-

hmmm - like you I have an RT-N66U with FTP disabled, AiCloud disabled, AES WPA encryption and in my case only use the USB drive to log the bandwidth monitoring data usage in case the router reboots. In my case I am running 39_0-em but doubt that makes a difference.

I ran a ShieldsUP scan and all ports were shown as stealth - so that sounds promising - but I guess I will double check to see if the file is there.
 
Merging this post into the existing thread (which was moved to the general Asus Wireless sub-forum).
 
Now, after scanning with ShieldsUP! I got a report saying: "All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet."

But on the ShieldsUP! Ports Report we got: 21 FTP OPEN! FTP servers have many known security vulnerabilities and the payoff from exploiting an insecure FTP server can be significant. This system's open FTP port is inviting intruders to examine your system more closely.

We have Enable Port Forwarding -> No on the Router's WAN - Virtual Server / Port Forwarding

Any help would be appreciated

Unless you really need FTP, either completely disable it, or make sure it's only enabled for sharing using user accounts (and change your router's password to be safe). This can be done under USB -> Servers Center -> FTP tab.
 
Unless you really need FTP, either completely disable it, or make sure it's only enabled for sharing using user accounts (and change your router's password to be safe). This can be done under USB -> Servers Center -> FTP tab.

VIOLA!! ... Leave it up to Merlin and he will have the answer ... fantastique.

Thanks to RMerlin's firmware version and help, our RT-N66U system got this statement from ShieldsUP!:

"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

Thank you, that did it, everything is Stealth and passed. (image: passed.gif)
 
I have tested my RT-N66U using ShieldsUP and have the 5 ports closed but can't get them to stealth out. They are 135, 137, 138, 139 and 445.

Software is 374.36 beta1-sdk5.

If someone knows how to get these ports to stealth I would appreciate your words of wisdom.

Thanks.


Bob.
 
I have tested my RT-N66U using ShieldsUP and have the 5 ports closed but can't get them to stealth out. They are 135, 137, 138, 139 and 445.

Software is 374.36 beta1-sdk5.

If someone knows how to get these ports to stealth I would appreciate your words of wisdom.

There are a lot of routers with NAS features, and NAS units from Synology, QNAP, Netgear, WD and more, on networks with 445 open.

And this can be just as scary as an open FTP. A lot of NAS units can be accessed directly through SMB - find them with Shodan, and just run \\<ip> in Windows. Many will have no password.

Some ISPs block outgoing SMB. For my ISP I need to use a general VPN service to access SMB shares. But I can access SMB shares on NAS units that are connected to the same ISP.

In most cases UPnP is at fault. People believe SMB shares are only for their internal local network, and have no idea that their router has been configured in a way where these are available through the internet. I would guess that it is the NAS that sends the UPnP commands to the router. Many will have SMB shares without a password (since it's just for the local network... right...).

So the open FTPs and AiClouds are just a small part of the NAS solutions that can be accessed. Shodan and similar services are scary... manufacturers need to re-think how these units are designed and the technology used.

Disable UPnP. If something needs an open port, set it up manually and have more control.
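To see what UPnP has actually opened on your own router before you disable it, the following is an added example (not code from the thread or from Asus): a small audit that lists the gateway's port mappings and flags any that forward a LAN-only service (the FTP, NetBIOS and SMB ports named above) to the WAN. The live query assumes the `miniupnpc` Python binding is installed and a UPnP gateway is reachable; the sample mapping table is constructed so the classification can be exercised offline.

```python
# Added example: audit UPnP port mappings for LAN-only services exposed to the WAN.

# Constructed sample in the tuple layout miniupnpc's getgenericportmapping() returns:
# (ext_port, proto, (int_host, int_port), description, enabled, remote_host, lease_seconds)
SAMPLE_MAPPINGS = [
    (445,   "TCP", ("192.168.1.50", 445),   "NAS smb",        "1", "", 0),
    (21,    "TCP", ("192.168.1.50", 21),    "NAS ftp",        "1", "", 0),
    (51413, "TCP", ("192.168.1.20", 51413), "torrent client", "1", "", 0),
    (139,   "TCP", ("192.168.1.50", 139),   "NAS netbios",    "0", "", 0),  # disabled
]

# Services that belong on the LAN only; the thread discusses all three being exposed.
LAN_ONLY_PORTS = {21: "FTP", 139: "NetBIOS session", 445: "SMB"}


def risky_mappings(mappings):
    """Return the enabled mappings that publish a LAN-only service to the Internet.

    Each result records the external port, the internal host/port that would
    receive the traffic, the service name and the mapping's own description so
    the owner can recognise which device created it (often the NAS itself).
    """
    flagged = []
    for ext_port, proto, (int_host, int_port), desc, enabled, _remote, _lease in mappings:
        if str(enabled) != "1":          # a disabled mapping does not forward traffic
            continue
        service = LAN_ONLY_PORTS.get(int_port)
        if service is None:
            continue
        flagged.append({
            "external_port": ext_port,
            "proto": proto,
            "internal_host": int_host,
            "internal_port": int_port,
            "service": service,
            "description": desc,
        })
    return flagged


def fetch_upnp_mappings():
    """Query the live Internet Gateway Device via miniupnpc (assumption: pip install miniupnpc).

    Returns the raw mapping tuples, or an empty list when no gateway answers.
    """
    import miniupnpc  # imported lazily so the offline audit works without it

    upnp = miniupnpc.UPnP()
    upnp.discoverdelay = 200                 # milliseconds to wait for SSDP replies
    if upnp.discover() == 0:
        return []
    upnp.selectigd()
    mappings = []
    index = 0
    while True:
        entry = upnp.getgenericportmapping(index)
        if entry is None:                    # end of the mapping table
            break
        mappings.append(entry)
        index += 1
    return mappings


def report(mappings):
    """Human-readable summary of the audit."""
    lines = []
    for m in risky_mappings(mappings):
        lines.append(f"WAN {m['proto']}/{m['external_port']} -> {m['internal_host']}:"
                     f"{m['internal_port']} ({m['service']}) opened by '{m['description']}'")
    return "\n".join(lines) if lines else "no LAN-only services exposed via UPnP"


if __name__ == "__main__":
    try:
        live = fetch_upnp_mappings()
    except Exception as exc:                 # no gateway, no miniupnpc module, etc.
        print(f"live query unavailable ({exc}); auditing constructed sample instead")
        live = SAMPLE_MAPPINGS
    print(report(live))
```

Anything the report lists is a mapping you did not create by hand; per the advice above, the fix is to disable UPnP on the router and re-create only the forwards you actually need, manually.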
 
I think the reason why L&LD says this thread is getting overblown is that, if one reads the original post, it's written there that FTP was configured with no account being required for access. That means he had Anonymous access enabled.

This is overblown for the following reason:

1) The only issue there is that Asuswrt had an insecure default setting (FTP enabled by default)

2) This can be resolved by anyone simply by disabling or reconfiguring their FTP access

3) The matter of the default FTP setting being too permissive has already been fixed by Asus in a recent firmware update released a few weeks ago.

No need to get into a 4+ pages debate and having people launching personal attacks against one another over this. The bottom line is, Asus left a default setting to an unsafe value, and they have already addressed the issue.

I don't think it's overblown, at least when also looking on the AiCloud-issue.

There will continue to be open routers for a long long time. And there will be routers where the passwords from the AiCloud hacks will work. In some cases, these passwords will also be used by the VPN-service that is enabled on the router, giving many a "nice way" to "be someone else on the internet".

A part of this is that Asus was told about the open FTP issue last summer. They didn't fix it until 3-4 weeks ago. And it still ain't in a firmware that you get by checking for new firmware in the UI.

I believe we need an automatic update solution for routers now. Most users will never update their router. Having the router do it automatically can be a solution. And if you for some reason don't want this feature, you can disable it.

There is also a quite good possibility that there will be "info" out on more routers from the same group that released the asusgate-datasets....
 
I believe we need an automatic update solution for routers now. Most users will never update their router. Having the router do it automatically can be a solution. And if you for some reason don't want this feature, you can disable it.

As mentioned before: that's not gonna happen, for a lot of reasons.

1) Some updates require a factory default reset.
2) The router architecture cannot ensure that an update won't require a manual router reboot. You need a device with dual firmware storage for that kind of feature - this is why business class products will sport an active and a stored firmware version. Those are the only devices that are safe to be used in an automated update environment, as the firmware gets written to a partition that is separate from the live one.
3) Randomly disrupting someone's internet connection through an automated firmware update is a bad idea

The best that could be done with these routers would be email notification when new firmwares are available.
 
I have tested my RT-N66U using ShieldsUP and have the 5 ports closed but can't get them to stealth out. They are 135, 137, 138, 139 and 445.

Software is 374.36 beta1-sdk5.

If someone knows how to get these ports to stealth I would appreciate your words of wisdom.

That means your ISP is blocking traffic on those ports before they even reach your router, so there's nothing you can change about it.

Closed is just as secure as stealth, there's nothing to worry about.
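The "run a remote portscan" advice earlier in the thread and the closed-versus-stealth distinction above both come down to how a port answers a TCP connection attempt. The following is an added example (not code from the thread or from Asus) that checks your own router's public address for the ports discussed here and labels each one the way ShieldsUP does: `open` when the handshake completes, `closed` when the host answers with a TCP reset (connection refused), and `stealth` when nothing comes back before the timeout, which is what an upstream ISP block or a silently dropping firewall looks like. The target address and port list are assumptions; run it from outside your LAN (or against `127.0.0.1` to see `open` and `closed` on your own machine).

```python
# Added example: classify TCP port exposure the way ShieldsUP reports it.
import socket
import sys

# Ports discussed in the thread: 21 (FTP) plus the Windows networking ports the
# poster saw reported as "closed" (135/137/138/139/445), which ISPs commonly
# block before they reach the router.
THREAD_PORTS = (21, 135, 137, 138, 139, 445)


def probe_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'error' for one TCP port.

    open    - the TCP handshake completed; a service accepted the connection.
    closed  - the host replied with a RST (connection refused): the port is
              reachable but nothing listens there. Harmless, as the thread says.
    stealth - no reply at all within the timeout: the SYN was silently dropped
              by a firewall or the ISP. Scanners call this "stealth"/"filtered".
    error   - the probe could not be sent (e.g. no route to the host).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:           # alias of TimeoutError on Python 3.10+
        return "stealth"
    except OSError:
        return "error"
    finally:
        sock.close()


def probe_ports(host, ports=THREAD_PORTS, timeout=2.0):
    """Probe each port once and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def exposed_ports(results):
    """The ports a router owner must act on: only the 'open' ones need attention."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    # Assumption: the first argument is your own router's WAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(target)
    for port, state in results.items():
        print(f"{port:>5}  {state}")
    exposed = exposed_ports(results)
    print("needs attention:", exposed if exposed else "none (closed and stealth are both fine)")
```

A `closed` result means the packet reached something that answered with a reset, so the service is not listening; a `stealth` result means nobody answered at all. Neither lets an outsider talk to FTP or SMB, which is why the reply above treats them as equivalent; only port 21 showing `open` on the WAN side would call for the FTP changes RMerlin describes.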
 