VERY suspicious iptables entries... please help...

[Leo Martin Lim]

Hi guys,

please anyone i need help....
this is martin... <-- has been hacked since 2018. sorry yes, it's me again... but i hope i found something useful now.

today... i just randomly print out iptables in my router (asus ax56u), and found out below....

if you take a look at logdrop_dns and logdrop_ip <--- these i never put any...
if the names suggest are real, no wonder i have never seen any trace of these hackers for these years...
i have never use iptables cli from ssh before, mostly i use ssh just to install addons via amtm.

i had blocked several ip address such as 20.x.x.x, 10.x.x.x, -->> it looked suspicious before....

this is just the route and logs, but the malware inside my computer is still there (i believe), possibly in the router too...
is there any other anomaly besides i mentioned above?

thanks....

 

[dave14305]

These are standard rules added by ASUS some time back. I have the same rules on my router firewall as well.

 

[Leo Martin Lim]

These are standard rules added by ASUS some time back. I have the same rules on my router firewall as well.

i am no expert, but for example these lines...
......
Chain OUTPUT_IP (1 references)
target prot opt source destination
logdrop_ip all -- anywhere 193.201.224.0/24
logdrop_ip all -- anywhere vriezekolk.org
logdrop_ip all -- anywhere li1019-134.members.linode.com
logdrop_ip all -- anywhere 190.115.18.28
logdrop_ip all -- anywhere 51-159-52-250.rev.poneytelecom.eu
logdrop_ip all -- anywhere 190.115.18.86
......

they are very specific ip and also the ones in drop DNS log.... they looked for specific string to drop.

i think they are very suspicious command in iptables entries....

besides, when i was looking at iptables list for the first time, the hacker distracted me by
killing my "activity monitor" abruply, thus causing macOS prompting me "ignore, report, re-run" thing.

actually, earlier, i was adding networkserviceproxy on mac firewall, there was a prompt allow or deny of "remotepairingd". i search for "remotepairingd" on web, there wasn't any reference to it. thus, hacker was goofing with me....

the hacker can see what actually displayed on my devices, guys...

 

[Yota]

has been hacked since 2018.

no wonder i have never seen any trace of these hackers for these years.

killing my "activity monitor" abruply, thus causing macOS prompting me

the hacker can see what actually displayed on my devices, guys...

When you're some bank executive holding everyone's credit card data, or some general holding the secrets of a nuclear bomb launch, I think that's the only way you're likely to have a long-lasting hacking attack. Even then the attacks won't be easily detected by you.

The fact is, these iptables rules are in everyone's router and asus added them to drop these requests, probably for some protection.

The fact is that 10.0.0.0/8 comes from your openvpn or isp, which is not part of the internet, this is a private address.

So relax, nothing to worry about here. If you are still worried just enable aiprotection and skyenet, frequently update firmware, software and system on your device. this is all.

 

[RMerlin]

i think they are very suspicious command in iptables entries....

These rules are normal. Asus adds them to block access to certain known malware C&C servers. As indicated, they were added to the firmware quite some time ago.