Has someone already reported this issue to Asus?
No, because nobody tested it on the stock firmware. And without any network capture or other additional info, it won't help track down the issue.
So you're the one here to address then...
No, because as stated here, without any network trace, there's no way to track it down.
So, I'll just repeat what I've been saying for years: do NOT open the httpd to the WAN.
No, all shown logins are accounted for. Although they could have altered the logs as well.
Update:
First 'entry' was on Dec 31, same time, 03.00 at night. Second on Jan 1.
Earlier in December the router had apparently suffered some crashes with below latest error/reboot log. No idea if it is related though...
Something is bothering me about this: the absence of any failed login attempts on the 'door'. In all cases the password was 'guessed' right in one go. And to be sure: I never log in from outside my home besides encrypted through work (which is a bank and has network security from here till eternity...)
Is there a way to check if it's open?
There must be something else to trigger this/enable this and my gut feeling is that it is something in the router that is exploitable...
How would I know if something is open?
Just to support the previous posts about "do not open anything except OpenVPN from the WAN side": my configuration has only two ports open from the WAN side and these are the ports of two OpenVPN servers. Everything else (https, ssh, etc.) is open only from the LAN side. That is the solution.
Interesting - what device (and rev) and firmware in use here?
Looks like someone is trying to do a ROP attack and failing because they're hitting a bad address (which causes the ARM to crash with a fatal exception) - in other words, they're already in...
Administration -> System -> SSH Daemon -> make sure it's not LAN+WAN (if the SSH port is 2222, it's likely that you have been hacked by the same attacker as me). Administration -> System -> Web Interface -> Enable Web Access from WAN -> No -> Apply. If you do have AiProtection, go to Network Protection, Router Security Assessment, Scan, and then try to fix everything (turning off UPnP, FTP, changing the default password, etc.)
Well, WTF - SSH with WAN+LAN on my 87U - when did that happen? I sure did NOT set it up that way. Fortunately I have the RT-AC87U on port 2 of my cable modem - there's nothing actually connected to it except my iPhone, because I use it mostly for guest access.
Thanks for the help!
Did you have Web Access from WAN enabled? What about the Asus Router app? What is/was your SSH port with WAN+LAN? What was the firmware version when you first saw the SSH setting changes?
I think we just have to wait until someone with stock firmware starts noticing they have this problem, but most of them won't pay attention to the SSH port, the SSH setting or even the System Log, so it will take some weeks before they realise they have been affected.
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 5 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 10 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: Detect abnormal logins at 15 times. The newest one was from 185.159.37.125.
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: Detect abnormal logins at 20 times. The newest one was from 185.159.37.125.
Jan 4 01:10:41 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: Detect abnormal logins at 25 times. The newest one was from 185.159.37.125.
Jan 4 01:10:43 HTTP login: login 'airlive' failed from 185.159.37.125:80
Jan 4 01:10:46 HTTP login: login 'airlive' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: Detect abnormal logins at 30 times. The newest one was from 185.159.37.125.
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: Detect abnormal logins at 35 times. The newest one was from 185.159.37.125.
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: Detect abnormal logins at 40 times. The newest one was from 185.159.37.125.
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: Detect abnormal logins at 45 times. The newest one was from 185.159.37.125.
Jan 4 01:10:48 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: Detect abnormal logins at 50 times. The newest one was from 185.159.37.125.
Jan 4 01:10:52 HTTP login: login 'mts' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'mts' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'telecomadmin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'telecomadmin' failed from 185.159.37.125:80
Jan 4 01:10:55 HTTP login: login 'mgts' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: Detect abnormal logins at 55 times. The newest one was from 185.159.37.125.
Jan 4 01:10:58 HTTP login: login 'mgts' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: Detect abnormal logins at 60 times. The newest one was from 185.159.37.125.
Jan 4 01:10:58 HTTP login: login 'kyivstar' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'kyivstar' failed from 185.159.37.125:80
Jan 4 01:11:11 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'telekom' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: Detect abnormal logins at 65 times. The newest one was from 185.159.37.125.
Jan 4 01:11:14 HTTP login: login 'telekom' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'superadmin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'superadmin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: Detect abnormal logins at 70 times. The newest one was from 185.159.37.125.
Jan 4 01:11:18 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:21 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: Detect abnormal logins at 75 times. The newest one was from 185.159.37.125.
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'engineer' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'engineer' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: Detect abnormal logins at 80 times. The newest one was from 185.159.37.125.
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: Detect abnormal logins at 85 times. The newest one was from 185.159.37.125.
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:27 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:30 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: Detect abnormal logins at 90 times. The newest one was from 185.159.37.125.
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: Detect abnormal logins at 95 times. The newest one was from 185.159.37.125.
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: Detect abnormal logins at 105 times. The newest one was from 185.159.37.125.
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
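The log above shows one source trying a dictionary of ISP and vendor default usernames against the login page in a little over a minute. As an added example that is not part of the original post, and not code from Asus or from the Merlin firmware, here is a small Python script that parses lines in that format, groups failures by source address, flags a brute-force burst, and records whether the source is a public address, which is the quickest way to confirm from a log alone that the login page was reachable from the WAN at that moment. The sample lines are partly copied from the post above and partly constructed (the 192.168.1.23 lines), and the 5-failures-in-60-seconds threshold is an assumption, not the firmware's real counter window.

```python
"""Summarise Asuswrt 'HTTP login ... failed' syslog lines by source address.

Added example for this thread: it is not code from the forum, from Asus or
from the Merlin firmware. Only the line format is taken from the log posted
above; the sample data (partly copied from that post, partly constructed),
the threshold and the window are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One failed-login line as the router's httpd writes it to syslog. Syslog carries
# no year, and the day may be space padded ("Jan  4"), hence the \s+ in the stamp.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) HTTP login: "
    r"login '(?P<user>[^']*)' failed from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)

# Sample input. The 185.159.37.125 lines are copied from the post above; the
# two 192.168.1.23 lines are constructed to stand for a typo by a LAN user.
SAMPLE_LOG = """\
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 5 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:43 HTTP login: login 'airlive' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'telecomadmin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'engineer' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 09:15:02 HTTP login: login 'admin' failed from 192.168.1.23:80
Jan 4 09:15:09 HTTP login: login 'admin' failed from 192.168.1.23:80
"""


def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for each failed-login line.

    Lines in any other format (the router's own 'Detect abnormal logins'
    summaries, unrelated syslog entries) are skipped, not treated as errors.
    """
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        # Pin the missing year to a leap year so a 'Feb 29' entry still parses.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def summarize(lines, threshold=5, window_seconds=60):
    """Group failures by source IP and flag brute-force sources.

    A source is flagged when at least `threshold` failures fall inside any
    sliding window of `window_seconds` (5/60 is an assumed default).
    `public_source` is the detail that matters for this thread: a failure
    logged from a non-private address means the login page was reachable
    from the WAN at that moment, whatever the GUI setting says now.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        flagged = False
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        report[ip] = {
            "failures": len(events),
            "usernames": sorted({u for _, u in events}),
            "first": times[0],
            "last": times[-1],
            "brute_force": flagged,
            "public_source": not ipaddress.ip_address(ip).is_private,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        span = (info["last"] - info["first"]).total_seconds()
        print(f"{ip}: {info['failures']} failures, {len(info['usernames'])} usernames "
              f"in {span:.0f}s, public={info['public_source']}, brute_force={info['brute_force']}")
```

To use it on a real router, export the System Log (or copy /tmp/syslog.log over SSH from the LAN side) and feed its lines to summarize() in place of SAMPLE_LOG. It only tells you what the httpd logged; it does not replace the network capture RMerlin asks for, and it says nothing about logins that succeeded without a preceding failure, which is exactly the case described earlier in the thread.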
I did not even have SSH or Telnet enabled. Not even on the LAN side (!). And do not disregard the multiple reports saying 'you should have traces and logs'. I have logs, but I use the router as an 'enabler' and not as a toy, and do not run traces to whomever just for fun.
As RMerlin stated, the http daemon isn't like Apache; it's not built to be open towards today's internet, where things get exploited fast. The same goes for the stock firmware, although my guess is that Asus doesn't give a shirt.
And as for SSH, well, it's just plain dumb to have it open, so listen to RMerlin when he says something, and if you don't have the logs and the network trace to prove something, then you don't have anything. It's as simple as that.
And Merlin firmware is not a catalyst; it is rather the saviour, because at least RMerlin tries to have stuff running on later versions rather than ancient ones.