Menu
What's new
By:
Filters Better Search

Was my router's username and password hacked?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Yep, noticed that one also. Not a Linux guy though...can't find the location through SSH
 
ColinTaylor said:
Issue the ps command again. Is it still there and using the same port? If so, try going to https://www.grc.com/shieldsup and testing port 16161.
Click to expand...
Yep... and it's open :-(

Port
transpixel.gif

Status Protocol and Application
transpixel.gif

16161
transpixel.gif

OPEN! Unknown Protocol for this port
Unknown Application for this port
 
eddiez said:
10849 admin_ed 1136 S dropbear -p 192.168.1.1:22 -a -j -k
Click to expand...
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'

Code: 
-j        Disable local port forwarding
-k        Disable remote port forwarding
-a        Allow connections to forwarded ports from any host
 
john9527 said:
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'

Code: 
-j        Disable local port forwarding
-k        Disable remote port forwarding
-a        Allow connections to forwarded ports from any host
Click to expand...
Bug or was it consciously altered?
 
john9527 said:
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'
Click to expand...

Strange .... I've just checked my router (logged in remotely through OpenVPN). I also have both '-a' and '-j -k'. My Router was freshly updated to 380.64 just few days ago. I never detected any signs of infection yet. Here is the screenshot:
 

Attachments

  • Router processes.jpg
    Router processes.jpg
    107.5 KB · Views: 792
john9527 said:
Just to clairify.....I think setting the conflicting options is a bug in the ASUS firmware.....not in dropbear.
Click to expand...
I'v asked about the attribute interpretation sequence. Easier than going through the documentation...

I've been removing the 16161 port from IPtables (iptables -D INPUT -p tcp --dport 16161 -j ACCEPT), but guess what...every time after waiting a bit the IPtables entry to accept 16161 connections (ACCEPT tcp -- anywhere anywhere tcp dpt:16161) reappears again. Even when not saving the IPtables (service iptables_save)

There might be more alterations present.
 
john9527 said:
Just to clairify.....I think setting the conflicting options is a bug in the ASUS firmware.....not in dropbear.
Click to expand...

I fully agree with you. Could you check in the code base since which version it appeared? Then most probably it spread in Merlin's FW and your fork.
 
netware5 said:
I fully agree with you. Could you check in the code base since which version it appeared? Then most probably it spread in Merlin's FW and your fork.
Click to expand...
ColinTaylor said:
Looks like the change came in with the 4th April 2016 merge with Asus GPL 380_2697?
Click to expand...

My fork is OK.....just wrote a patch for Merlin. Looks like it came in with 380.59 (Colin got it)
 
You must log in or register to reply here.

Similar threads

A
CloudFlare Proxied DNS, can't login to Asus router
Replies
10
Views
394
Crimliar
Crimliar
R
Prevent SSH Disconnect / Timeout around ~ 105-116 seconds from last activity on terminal session
Replies
7
Views
1K
ColinTaylor
C
C
Port Forwarding and Firewall - not working as I expect
Replies
4
Views
933
chrisisbd
C
eibgrad
Clarification and Discussion on Recent 388.8 Changes
2
Replies
25
Views
2K
eibgrad
eibgrad
GShlomi
Sharing my DualWan with port forwarding and DDNS experience
Replies
0
Views
435
GShlomi
GShlomi
Similar threads
Thread starter Title Forum Replies Date
TheLyppardMan Flash Drive was getting pretty hot Asuswrt-Merlin 38
H add_wlc_event_tbl(1040): client table was full Asuswrt-Merlin 0
theirongiant AX88U Pro (3004.388.5) suddenly rebooted mid-day. Last manual reboot was a few days ago. Asuswrt-Merlin 0
R Solved RT-AX86U Pro log repeats "WAN_Connection: WAN was restored" while red light keeps on and no Internet connection? Asuswrt-Merlin 24
E Unable to add GT-AX11000 as an AiMesh node to GT-BE98 PRO router Asuswrt-Merlin 0
L Why can't I associate my router with my iOS account in the app? Asuswrt-Merlin 7
A Duckdns on Asus merlin router Asuswrt-Merlin 1
P Accessing remotly Server While Using VPN on Asus Router with Merlin Firmware Asuswrt-Merlin 9
H Astrill router applet problem. Asuswrt-Merlin 0
sthornington Latest (Oct 2024) "best" recommended router for Merlin? Asuswrt-Merlin 19

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 879 (members: 26, guests: 853)
Top