What's new

Was my router's username and password hacked?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

It's set to be off by default, but if you want to check, go to Administrator->System->Enable Access from WAN, change to "no" then apply. Since you are using Google DNS, you can turn on DNSSEC in LAN-> DHCP server-> Enable DNSSEC support-> yes->apply. If you are using AiProtection, you can use it to help securing your router by going to AiProtection->Network Protection->Router Security Assessment->Scan, and it should tell you want you can do to secure your router, and by clicking at each, it might redirect you to specific setting.
Thank you Wuticorn - Just what I needed ! :)
 
I guess I should consider myself lucky because up until mid-Nov I had the https gui open to the internet. I did carelessly leave ssh with password login open, and when I looked at my log last night, it was getting hammered way more than I had ever seen.

The whole discussion about not leaving these kinds of services open is interesting because most people will keep them closed because they either have no knowledge of them, or they are aware of the potential for vulnerability. Its people like myself who have some knowledge and understanding but don't dig deep enough to realize that some implementations of a secure protocol can be very weak.

Perhaps a pertinent question is if the ASUS version of https is that weak (what hole will be found next?), maybe ASUS should just remove the option to expose it to the internet?
 
Perhaps a pertinent question is if the ASUS version of https is that weak (what hole will be found next?), maybe ASUS should just remove the option to expose it to the internet?

Not everyone's "WAN" is actually the raw, unfiltered Internet. In my case for instance, if I need to test something on a router, I plug it within my LAN. Since my laptop sits on that same LAN, it means I need to enable WAN access on that device getting tested.

In a double NAT network, or when cascading routers, it might be useful to have access to the device from its WAN side.
 
Here you have one more affected router (RT-AC88) with RMerlin FW 380.62_1.
Yesterday I saw same entries in my asus router log (dropbear access). I had WebUI to WAN open, but not SSH.
In my case, I saw those entries since Jan 1.

I only had time to save output logs and upgrade to last RMerlin FW version, restore default, format JFFS.
 
Hi everyone! My RT-AC88U with stock-firmware has also been hacked, so I can confirm it has nothing to do with Merlin. I was unaware of the intrusions until last week (9/2) when my ISP contacted me about attempts to access some of their services through SSH.

It was a chock to find out that I've been having unwanted visitors for a month, starting 10/1 for what I can tell when someone logged in to dropbear on the first attempt. And I always use strong unique passwords and I'm almost 100% sure it wasn't compromised by virus or malware. I guess my misstake was to have webaccess to the WAN enabled. I thought it would be safe considering my strong password :( But I can't remember I enabled telnet or SSH, which was now open on port 2222. I also havn't been using AiCloud or AiDisk. I've been using the router-app for iPhone, not Android.

When my ISP contacted me I was running version 3.0.0.4.380.4180 released late december with the securityfix for dropbox. But I'm not really sure when I updated to that version, it could be after the initial attack 10/1. In my logfile it's seems like the router restared about 4 hours before the first login (since the date according to the log was Aug 1 which I believe means a restart). Is it possible to somehow see when the FW was updated?

I see some suspicious things in my log but luckily I can't find any execute commands like someone in this forum had. I don't know if they managed to break through to my computers, but since my anti-virus doesn't find anything I hope my files where left alone. But around 1/2 my systemdrive (SSD) crashed and I don't know if that got infected. I mean the drive really CRASHED, I can't reinstall it since it's not found by the system. I guess this is just a coincidence and has nothing to do with the attacks.

I hope everything is fine with the router now. I disconnected it from the WAN and updated to the latest FW released a couple of days ago and I also wiped the nvram.

Best regards
Håkan
 
Thanks for your post @Datamupp, that's useful information, particularly that it's confirmed that it's not Merlin-specific.

The information from your ISP is interesting as well. It possibly suggests that once the router has been compromised it starts looking for other devices it can infect on the WAN side, typical botnet behaviour.

Anyway, it looks like you've sorted it out now and I'd agree that the SSD is probably just a coincidence.

Thanks again for the info.
 
Hi everyone! My RT-AC88U with stock-firmware has also been hacked, so I can confirm it has nothing to do with Merlin. I was unaware of the intrusions until last week (9/2) when my ISP contacted me about attempts to access some of their services through SSH.

It was a chock to find out that I've been having unwanted visitors for a month, starting 10/1 for what I can tell when someone logged in to dropbear on the first attempt. And I always use strong unique passwords and I'm almost 100% sure it wasn't compromised by virus or malware. I guess my misstake was to have webaccess to the WAN enabled. I thought it would be safe considering my strong password :( But I can't remember I enabled telnet or SSH, which was now open on port 2222. I also havn't been using AiCloud or AiDisk. I've been using the router-app for iPhone, not Android.

When my ISP contacted me I was running version 3.0.0.4.380.4180 released late december with the securityfix for dropbox. But I'm not really sure when I updated to that version, it could be after the initial attack 10/1. In my logfile it's seems like the router restared about 4 hours before the first login (since the date according to the log was Aug 1 which I believe means a restart). Is it possible to somehow see when the FW was updated?

I see some suspicious things in my log but luckily I can't find any execute commands like someone in this forum had. I don't know if they managed to break through to my computers, but since my anti-virus doesn't find anything I hope my files where left alone. But around 1/2 my systemdrive (SSD) crashed and I don't know if that got infected. I mean the drive really CRASHED, I can't reinstall it since it's not found by the system. I guess this is just a coincidence and has nothing to do with the attacks.
That confirms our hypothesis. I was hoping you didn't factory reset the router yet, so that we might be able to report this directly to Asus, since none of the others, who have been hacked, used stock firmware.

For your SSD, I doubt that it is related to this attack.

Did you save your system log before doing NVRAM wipe?
 
That confirms our hypothesis. I was hoping you didn't factory reset the router yet, so that we might be able to report this directly to Asus, since none of the others, who have been hacked, used stock firmware.

For your SSD, I doubt that it is related to this attack.

Did you save your system log before doing NVRAM wipe?

Well, I actually didn't pressed the "factory reset" button before I wiped the NVRAM but all my settings where gone so I guess it's like the same thing. But I did save the system log though. I also have a little part of the logfile my ISP sent me. Are you interested in something special in the log? I'm not very experienced in telnet/ssl/linux etc so I don't understand everything in the log. But I've learned a lot this week :) Last week I had no idea what BusyBox, Dropbear, Klogd, NVRAM, jffs etc was :)
 
hopefully you have changed default username and password. as the default user is admin.

As you noticed I never changed the default username. I thought a strong password was good enough. But after the reset I've changed both username and password and of course turned off access from WAN :)
 
Did this ever get solved? I've a couple of other points to raise, if not. They may or may not be related.

I've seen a number of posts suggesting that closing off access from the outside internet should make you safe. Netgear had a big vulnerability in December, where a web page with an embedded hyperlink of the form http://192.168.1.1/cgi-bin/blah-blah could execute code. This was used to take over the router. ASUS may have been vulnerable to this at some point in the past. At one time, you could enable Telnet on an ASUS with the following: http://192.168.1.1/telnetd.cgi?enable=1. Perhaps those who have been hacked clicked on an URL (metaphorically) like http://192.168.1.1/ssh.cgi?enable_to_outside_world=1

Totally different idea: I may have been hit by something related on my Ubuntu WEB server. About a month ago, I failed to ssh to it. My only open services on that box were ssh and http. I discovered that someone had moved my sshd from port 22 to port 2222. I could find no other changes on the box. I wiped the box and rebuilt it, so I don't have the data. It is *probably* unrelated, but since it moved ssh from 22 to 2222 and that's what happened here, I thought I'd mention it.
 
Again - don't expose ports/services...

Seriously - deep is the rabbit hole here... and there's a few GitHub gists on how to how to update/manage devices remotely...
 
Hello,

if you care about your routers safety PLEASE DO NOT open WAN port for the remote access, even the newest Merlin fw is exposed to the exploit, also the stock firmware. And it applies to the all ASUS/Merlin/other forks, not only for the ASUS routers (for example customized R7000). They are all hackable.

Use VPN or at least not the default port for scanners not to see you so easily.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top