[VERY IMPORTANT] Asus routers are compromised.

To be clear, this was a scan of the WAN IP and the results are confirmed by grc.com's "Shields Up".

Your scan shows some printer-related ports. Do you have any printers in your LAN? If the answer is "yes", most probably the ports are opened by them using UPnP. Try to disable UPnP using the router's GUI.
 
Those other ports should not be open from the WAN side, so I don't know why they would register as open on your network. That's why I thought you had run the scan from the LAN side.
 
Your scan shows some printer-related ports. Do you have any printers in your LAN? If the answer is "yes", most probably the ports are opened by them using UPnP. Try to disable UPnP using the router's GUI.

The System Log -> Forward page would confirm if these ports were opened through UPnP.
 
Just so the folks know, I heard back from Asus. As mentioned before, things are a bit slow at the moment due to the Lunar New Year in Taiwan (it means mostly empty offices for two weeks). So, it's not that they aren't taking these issues seriously, it's just a matter of timing.

- The FTP issue, as mentioned, has already been addressed with the recent beta firmware releases. Note that you still need to manually disable FTP access if you don't do a factory default reset. The issue is NOT a security hole in the firmware, it's a poorly chosen default configuration.

- The AiCloud issue seems to be referring to the one that was resolved months ago, unless there's actually a NEW security issue there which hasn't been specified at this point.

- The Samba issue on AC56/AC68 will be addressed (things got delayed there due to the holidays). People running my firmware can already resolve the issue by updating to 374.39 or newer.

- Asus are looking into this so-called "Asusgate" (sorry, but this name is just silly, if you ask me).

- Going through more thorough security checks for the firmware is something they are already considering.

So, that pretty much sums it up for now.
 
This doesn't address the fact that 8443 is still open on the WAN port despite the UI toggle; this appears to be a bug. But it does close 515 and 9100 at any rate, if you don't need the printer daemon running.

Port 8443 would mean that you enabled WAN and HTTPS access under System -> Administration.

Ports 515 and 9100 still shouldn't be accessible over WAN. Do you have both the firewall and NAT enabled?
 
More news:

Expect new firmware releases to be available in the coming week, addressing security issues (amongst other things).
 
Port 8443 would mean that you enabled WAN and HTTPS access under System -> Administration.

Ports 515 and 9100 still shouldn't be accessible over WAN. Do you have both the firewall and NAT enabled?

The very first thing I do when I install firmware is ensure that WAN access for everything is turned off (including the UI), and this setting is correct in the UI. But 8443 still shows as open on GRC (and Nmap) scans. Firewall and NAT are enabled. 515 and 9100 I killed by the measures I indicated in my previous post: shutting down lpd and writing a setting to nvram.

BTW, AC66U and AC68U firmware was also just released by Asus, addressing security issues.
 
I don't have any disks and AiCloud seems to be disabled (I've never used it), so I should be safe?

It's quite unbelievable that one of the world's biggest computer hardware manufacturers can't properly secure their firmware.
 
I don't have any disks and AiCloud seems to be disabled (I've never used it), so I should be safe?

Correct. Just double check on the AiCloud tab that it's set to Off.
 
Not sure why I'm getting the warning sign about potentially unauthorized users logging in when the Samba share only lists my account as a user (what? other users on my home network?). While I appreciate Asus' new dedication towards security, it'd be nice if the warnings weren't ambiguous.

Oh, and thank goodness my IP address wasn't listed in that group.
 
Daily Digg on the bandwagon too.

This was one of the stories in The Daily Digg today:

"At least the hacker let you know. Dear Asus Router User: You've Been Pwned" (arstechnica.com): Hackers expose eight-month-old Asus weakness by leaving note on victims' drives.
...definitely viral, but luckily I'm unaffected.
 
Not sure why I'm getting the warning sign about potentially unauthorized users logging in when the Samba share only lists my account as a user (what? other users on my home network?). While I appreciate Asus' new dedication towards security, it'd be nice if the warnings weren't ambiguous.

Oh, and thank goodness my IP address wasn't listed in that group.

The warning may be about FTP if FTP is on and no password is set.
 
I have an RT-N56U with AiCloud not installed, a PPTP VPN in place, and a Synology NAS running the latest DSM 4.3 release. A scan on Shields Up of the first 1056 ports reveals all stealth except port 21, which is closed. I think I'm OK; is there anything else I should check?

 
I apparently posted in the wrong area

I posted a logfile I saw in my router. I was compromised by this. I have some major Windows changes now that I have been affected. It has changed Windows configurations on all and any device connected to my network. I DID NOT have AiCloud enabled; Dual WAN, DDNS, AiDisk, and UPnP were all OFF. I had Samba configured for my external drive and Norton 360 on my desktop box. I saw no warnings, nothing.

I was navigating Windows Explorer looking for some pictures and saw some interesting folders, followed by services and processes when I viewed the Task Manager. I can without a doubt say this has spread to my Windows phone, my gf's iPhone, Kindle, HP Split notebook, 2nd desktop, and possibly my DVR box. The DVR is from the ISP, so I am uncertain on that.

I would really appreciate any help on this. I have taken video, pictures and screenshots, taken file samples, and posted on multiple forums about this. This is some serious shirt. I am essentially being redirected to a VM pre-boot via a BIOS modification and am booting from a hidden X: instead of the real C:. This is not changeable via the standard cmd line to change the boot dir. I have posted in the MyDigitalLife forums for assistance as well and have not had much progress.

What information can I give you? Please read my logfile to start if anyone can help. I cannot link the logfile due to redirects in my web addresses. Just view my other posts, I only have the 1 Thread I started with that logfile as the first post.
 
FYI on Samba share issue

The reports concerning attached HDs being vulnerable to WAN-side exposure, even if FTP is turned off, are true, but it wasn't explained well in the article. The caveat to the bug is that the Asus firmware from July 13 closed that hole. I believe some were concerned by the high number of routers still running pre-July 13 firmware.

When Samba was turned on and AiCloud activated, any storage device was mounted at /smb/tmp/mnt/"drive-name". Since directory traversal on the old firmware's port 443 was trivial, an attacker could grab files through this attack vector.
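The traversal described in the post above is the kind of bug that comes from joining a document root and a request path with a plain string concatenation. The C below is an added example for this thread, not Asus firmware code and not code from any poster: it shows that vulnerable pattern beside a hardened resolver that percent-decodes the request, normalises it segment by segment and refuses any path that would climb above the root. The document root `/www`, the function names and the sample request paths are assumptions for illustration.

```c
/* Added example (not Asus firmware code): path resolution in an embedded
 * HTTP file handler, the vulnerable pattern beside a hardened one.
 * DOCROOT, the function names and the probe paths are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOCROOT "/www"      /* assumed document root of the web server */
#define MAX_SEGS 64

/* Vulnerable: the raw request path is glued onto the document root.
 * "/../../smb/tmp/mnt/usb/secret.txt" walks straight out of DOCROOT. */
int unsafe_resolve(const char *req, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s%s", DOCROOT, req);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode the request. Malformed escapes and embedded NUL bytes
 * are rejected; a NUL would silently truncate the path further down. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int h = hexval((unsigned char)in[0]), l;
            if (h < 0 || (l = hexval((unsigned char)in[1])) < 0) return -1;
            c = h * 16 + l;
            in += 2;
        }
        if (c == 0 || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened: decode first (so "%2e%2e" is seen as ".."), then walk the
 * path segment by segment. "." and empty segments are dropped, ".." pops
 * one level, and any ".." that would rise above the root rejects the
 * whole request instead of being clamped. */
int safe_resolve(const char *req, char *out, size_t outlen) {
    char dec[512];
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;

    if (url_decode(req, dec, sizeof dec) < 0 || dec[0] != '/') return -1;

    for (char *p = dec + 1; *p; ) {
        char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" or "/./": nothing to do */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;      /* attempt to leave DOCROOT */
            depth--;
        } else {
            if (depth == MAX_SEGS) return -1;
            segs[depth] = p;
            seglen[depth] = len;
            depth++;
        }
        if (!end) break;
        p = end + 1;
    }

    size_t pos = strlen(DOCROOT);
    if (pos >= outlen) return -1;
    memcpy(out, DOCROOT, pos);
    for (int i = 0; i < depth; i++) {
        if (pos + 1 + seglen[i] >= outlen) return -1;
        out[pos++] = '/';
        memcpy(out + pos, segs[i], seglen[i]);
        pos += seglen[i];
    }
    out[pos] = '\0';
    return 0;
}

int main(void) {
    /* constructed probe requests, the second two shaped like traversal attempts */
    const char *probes[] = { "/index.html",
                             "/../../smb/tmp/mnt/usb/secret.txt",
                             "/%2e%2e/%2e%2e/smb/tmp/mnt/usb/secret.txt" };
    char buf[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = safe_resolve(probes[i], buf, sizeof buf);
        printf("%-45s -> %s\n", probes[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

Two points a reviewer of such a handler would insist on. Decoding has to happen before the ".." check, otherwise a naive `strstr(req, "..")` filter is bypassed by `%2e%2e`. And lexical normalisation only controls where the string points; on a real device the handler should still run the result through `realpath()` and confirm the canonical path starts with the document root, so that a symlink under `/www` cannot lead back out to `/smb/tmp/mnt`.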
 