No, because nobody tested it on the stock firmware. And without any network capture or other additional info, it won't help tracking down the issue.
No, because nobody tested it on the stock firmware. And without any network capture or other additional info, it won't help tracking down the issue.
So you're the one here to address then...
So you're the one here to address then...
No, because as stated here, without any network trace, there's no way to track it down.
So, I'll just repeat what I've been saying for years: do NOT open the httpd to the WAN.
From an overall security perspective that is a sound advice. Something like "don't have a door in your house: Burglars might come through".
Something is bothering me about this: the absence of any failed login attemtps on the 'door'. In all cases the password was 'guessed' right in one go. And to be sure: I never login from outside my home besides encrypted through work (which is a bank a has network security from here till eternity...)
There must be something else to trigger this/enable this and my gut feeling is that it is something in the router that is exploitable...
sfx2000
Part of the Furniture
Interesting - what device (and rev) and firmware in use here?
Looks like someone is trying to do a ROP attack and failing because they're hitting a bad address... (which causes the ARM to crash with a fatal exception) - in other words, they're already in..
sfx2000
Part of the Furniture
The password probably wasn't guessed - they smashed the webserver directly - perhaps a buffer overflow...
I warned Linksys about a similar issue on SmartWiFi, where the Guest Network is open, and a captive portal in place, and it was fairly trivial to smash it and get root on the box..
win465
Regular Contributor
Is there a way to check if it's open?
My RT-AC68U has Merlin's 380.65_alpha3, and I use Asus Android App, SSH, and HTTPS. None of it open from WAN, though. I do not use AIcloud, DDNS. Looked via SSH on netstat -l, and it is listening on port 22, but not on port 2222. There are no evidence in syslog of SSH logon from outside since I booted the router a week ago, but that could of course be wiped before I looked at it.
So, exploitable could just as well be on some client on LAN which runs some undiscovered bot-virus.
I see this, for example
- what are all these MiniUpnpD listening with HTTP on various ports? Firmware version check? The last one was within 1 hour of reboot, and none seen for 5 days now.
(rebooted router from Web interface after upgrade from 380.64 to 380.65_alpha3)
Aug 1 02:00:30 kernel: nf_conntrack_rtsp v0.6.21 loading
Aug 1 02:00:30 kernel: nf_nat_rtsp v0.6.21 loading
Aug 1 02:00:31 rc_service: hotplug 666:notify_rc restart_nasapps
Aug 1 02:00:31 iTunes: daemon is stopped
Aug 1 02:00:31 FTP Server: daemon is stopped
Aug 1 02:00:31 miniupnpd[731]: HTTP listening on port 37077
Aug 1 02:00:31 miniupnpd[731]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:31 Samba Server: smb daemon is stopped
Aug 1 02:00:31 kernel: gro disabled
Aug 1 02:00:32 Timemachine: daemon is stopped
Aug 1 02:00:32 miniupnpd[731]: shutting down MiniUPnPd
Aug 1 02:00:32 kernel: gro enabled with interval 2
Aug 1 02:00:35 Samba Server: daemon is started
Aug 1 02:00:35 rc_service: udhcpc 545:notify_rc start_upnp
Aug 1 02:00:35 rc_service: waitting "stop_upnp" via udhcpc ...
Aug 1 02:00:35 miniupnpd[763]: HTTP listening on port 41182
Aug 1 02:00:35 miniupnpd[763]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:35 miniupnpd[763]: shutting down MiniUPnPd
Aug 1 02:00:37 miniupnpd[770]: HTTP listening on port 34631
Aug 1 02:00:37 miniupnpd[770]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:38 ntp: start NTP update
Dec 29 00:05:19 rc_service: ntp 767:notify_rc restart_upnp
Dec 29 00:05:19 miniupnpd[770]: shutting down MiniUPnPd
Dec 29 00:05:20 kernel: * Make sure sizeof(struct sw_struct)=160 is consistent
Dec 29 00:05:20 dnsmasq-dhcp[450]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx
Dec 29 00:05:20 dnsmasq-dhcp[450]: DHCPOFFER(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:20 miniupnpd[788]: HTTP listening on port 53996
Dec 29 00:05:20 miniupnpd[788]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 29 00:05:20 rc_service: ntp 767:notify_rc restart_diskmon
Dec 29 00:05:20 disk_monitor: Finish
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPOFFER(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPREQUEST(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPACK(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx D-link-extender
Dec 29 00:05:22 kernel: IDPfw: TrendMicro forward module ver-1.0.34
Dec 29 00:05:22 kernel: IDPfw: Apply module param dev_wan=eth0
Dec 29 00:05:22 kernel: IDPfw: Apply module param sess_num=30000
Dec 29 00:05:22 kernel: IDPfw: Init chrdev /dev/idpfw with major 191
Dec 29 00:05:22 kernel: IDPfw: IDPfw is ready
Dec 29 00:05:22 kernel: sizeof forward param = 160
Dec 29 00:05:23 disk monitor: be idle
Dec 29 00:05:30 rc_service: udhcpc 545:notify_rc start_firewall
Dec 29 00:05:30 dhcp client: bound 192.168.ccc.2 via 192.168.ccc.1 during 3600 seconds. <-- outer router
Dec 29 00:05:31 miniupnpd[788]: shutting down MiniUPnPd
Dec 29 00:05:32 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Dec 29 00:05:33 miniupnpd[1141]: HTTP listening on port 43254
Dec 29 00:05:33 miniupnpd[1141]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 29 00:05:42 crond[458]: time disparity of 742985 minutes detected
Dec 29 00:05:48 dnsmasq-dhcp[450]: DHCPREQUEST(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
sfx2000
Part of the Furniture
Absolutely - esp. now...
netware5
Very Senior Member
Just to support previous posts about Do not open anything except OpenVPN from WAN side. My configuration has only two ports open from WAN side and these are the ports of two OpenVPN servers. Everything other (https, ssh, etc.) is open only from LAN side. That is the solution.
win465
Regular Contributor
How would I know if something is open?
sfx2000
Part of the Furniture
If one is doing OpenVPN client, one doesn't need those ports open either...
Nice :-( Haven't got logs from earlier this year (that's what happens when you go along with new firmwares)
Where would one search for other traces?
My RT-AC68U has Merlin's 380.64 running. Hardware revision A1/A2 (board revision is 0x1100, hardware version 170)
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 1595.80
processor : 1
BogoMIPS : 1599.07
Features : swp half thumb fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc09
CPU revision : 0
Hardware : Northstar Prototype
Revision : 0000
Serial : 0000000000000000
Wutikorn
Senior Member
Administration-> System-> SSH Daemon -> make sure it's not LAN+WAN(if SSH port is 2222, it's likely that you have been hacked with the same attacker as me), Administration-> System-> Web Interface -> Enable Web Access from WAN -> No -> apply If you do have AiProtection, go to network protection, router security assessment, scan, and then try to fix everything(turning off UPnP, FTP, change default password etc)
Did you have Web Access from WAN enabled? What about Asus Router app? What is/was your SSH port with WAN+LAN? What was the firmware version when you first saw SSH setting changes?
I think we just have to wait until someone with stock firmware started knowing they have this problem, but most of them won't need to pay attention to SSH port or SSH setting or even System Log, so it will take some weeks before they realise if they got affected.So you're the one here to address then...
win465
Regular Contributor
Thanks for the help!
Why? The problem is here. It's real. Question here is: Are the Merlin changes the catalyst for the hacks or not. And you're waiting for non-Merlin users to provide you with an answer to that...
I think Merlin should do some code analysis/investigations together with Asus. If it turns out to be a generic Asus exploit they're in trouble. As are we (already). Since WE are the tweaking kind, these issues might even go passed normal Asus users and continue unnoticed for a long time.
So...What is this community going to do? I don't know about you, but I am reporting it to Asus with priority. Don't want to damage the reps of Merlin, John or HGGomes and their customisations but I do think this requires serious attention/investigations.
Verstuurd vanaf mijn SM-G935F met Tapatalk
swetoast
Guest
As RMerlin stated the http deamon isnt like apache its not built to be open towards todays internet where things get exploited fast same goes for the stockfirmware although my guess is that asus doesnt give a shirt.
and as for SSH well its just plain dumb to have it open so listen to RMerlin when he says something and if you dont have the logs to and the network trace to prove something then you dont have nothing its as simple as that.
and Merlin firware is not a catalyst is rather the savior cause atleast RMerlin tries to have stuff running on later version rather then ancient.
and as for SSH well its just plain dumb to have it open so listen to RMerlin when he says something and if you dont have the logs to and the network trace to prove something then you dont have nothing its as simple as that.
and Merlin firware is not a catalyst is rather the savior cause atleast RMerlin tries to have stuff running on later version rather then ancient.
I did not even have SSH or Telnet enabled. Not even on LAN side (!). And do not disregard the multiple reports saying 'you should have traces and logs'. I have logs, but I use the router as an 'enabler' and not as a toy and do not run traces to whomever just for fun.
And if only asking the question whether or not the mods in the firmware can enable this is already considered an unacceptable insult...wow. Please back off with this attitude of admiration.
We all are thankful for the firmware, but that doesn't put the firmware above all suspicion. It needs to be considered from a problem-solving point of view. THAT is how professionals (yes, I am in IT) would work.
Last edited:
Similar threads
Similar threads
Similar threads
-
-
-
AX88U Pro (3004.388.5) suddenly rebooted mid-day. Last manual reboot was a few days ago.
- Started by theirongiant
- Replies: 0
-
-
Latest (Oct 2024) "best" recommended router for Merlin?
- Started by sthornington
- Replies: 19
-
-
Asus RT-AX58U v2 Merlin: Route all traffic to Pi-hole (running directly on router itself)
- Started by hamensman
- Replies: 12
-
-
Latest threads
-
-
XT8 Packet Loss Wired Mesh - Using as Access Points Only
- Started by spyerx
- Replies: 1
-
Asus BQ16 Little help required.
- Started by Reinforcer
- Replies: 1
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!