Me no crazy, yes?Was just thinking.
The WAN exploit did give admin rights to the person who just logged in.
That means that he/she could have run "nvram show" ... and get the admin password for the router?
So I think it's time to change that one too...
sfx2000
Part of the Furniture
Remoting in via VPN is the best option - and it's fairly easy to set up a jump box to facilitate access inside if one doesn't want to run a PC full time..
OpenVPN usually is pretty mindful about security - the risk for them is probably not directly in their code, but platform and integration since the code itself is independent of OS...
sfx2000
Part of the Furniture
Just also want to go on record here that while the Asuswrt-RMerlin community noticed this potential risk first, I don't believe this was introduced by any changes that were added/changed - Rmerlin has been ahead of the factory firmware with finding and implementing fixes...
It's more about how advanced users are watching things more closely, and how they're using the device compared to the 'typical' user that just plugs it in, sets up the wifi, and goes about their business...
This is a good thing - if folks weren't watching, this issue could have gone unnoticed for a long time...
It's more about how advanced users are watching things more closely, and how they're using the device compared to the 'typical' user that just plugs it in, sets up the wifi, and goes about their business...
This is a good thing - if folks weren't watching, this issue could have gone unnoticed for a long time...
sfx2000
Part of the Furniture
I agree... see my comment above.
The community here observed it first - and it shows the power of the 3rd party user group...
Dropbear is a red herring - it's secure in and of itself - what people are seeing is after the fact...
Wutikorn
Senior Member
Agree, baidu is not a good website, for some reason, my Chinese IP camera was connecting to baidu.com thousands of times a month, I'm considering to throw that thing away. But for now, I have baidu in blacklist. I should also put hao123.com too. I'm curious why you put kapook.com to blacklist? Are there many things for entertainments there? Is it dangerous or just annoying? Btw, I live in the same province as you.
I also doubt that RMerlin will be the cause of this. I also think that if I am running AsusWRT stock firmware, I wouldn't care whatsoever is in the changelog, or care if SSH setting has been changed, or even care opening WebUI.
thelonelycoder
Part of the Furniture
Change who sees the nvram entries or change the pw store location?Was just thinking.
The WAN exploit did give admin rights to the person who just logged in.
That means that he/she could have run "nvram show" ... and get the admin password for the router?
So I think it's time to change that one too...
The root of the problem is the apparent unsafe WebUI exposure to WAN.
This needs to be fixed, not where the pw is stored.
Remember this is the root user account, if that one does not have the privileges to read the pw then.., IDK.
Wutikorn
Senior Member
The attacker, in my case, had access to my admin username/password as logged when they accessed SSH through WAN. There was no failed attempt at all, and username I use is not default "admin" either.Was just thinking.
The WAN exploit did give admin rights to the person who just logged in.
That means that he/she could have run "nvram show" ... and get the admin password for the router?
So I think it's time to change that one too...
My main concern is that there is an vulnerability in the default Asus login, enabling either bypassing it or disabling it completely. Too much coincidence that 4 users with not simple 123admin usernames and likewise passwords are hacked this way...
The vulnerability is implied with opening HTTP WAN access to the router GUI.
One successful remote login of yourself is enough to have your credentials being sniffed and stored for malicious use.
To be sniffed would require another breach somewhere on the network or when logging on through an unsecured hotspot. Possible, of course. But without that...
Wutikorn
Senior Member
I think one of the other three said that HTTP was never used. I also have not login to my router from WAN through HTTP, but in any case, I will just use OpenVPN.
If they had disable it or bypass it, would they get our credential? In our cases, they got our credentials, not sure if it before being able to access router or after, by getting info from NVRAM, as when they access WAN SSH without making failing to login.
Do you want any logs or extra information from eddiez? He may have some useful information as he has not yet done factory reset. In any case, thanks for constantly improving both security and usability of firmware.
sfx2000
Part of the Furniture
Thinking outside the box - but maybe testing from the WAN side if the WebGUI is exposed - NMAP's scripting engine can do a walk thru the HTTP document tree, and this might point out other pages that are worthy of review...
The web gui log has not registered any failed or illogical login attempts (correct or incorrect ones). So they must have used the WAN exposure to enter, bypassing the login, after which they enabled SSH and by made sure the iptables rule cannot be deleted (easily) (ash).
Or they just removed traces of brute force but left other traces still there...Sloppy so unlikely.
Looking at the timings, it does seem a planned activity. Exactly on the hour at night 03.00.30 / 04.00.30.
Yes.
The only way to track this down is through a network trace. System Logs won't help in any way, sorry.
john9527
Part of the Furniture
Just wanted to open a discussion on something that's been nagging at me in case I'm missing something. In one of the early reports of this
http://www.snbforums.com/threads/was-my-routers-username-and-password-hacked.36602/#post-299090
the syslog shows a dropbear 'Child connection' immediately followed by the restart of the httpd services. Notice there is no 'Password auth' message from dropbear. Without logging in, how did they initiate the restart?
http://www.snbforums.com/threads/was-my-routers-username-and-password-hacked.36602/#post-299090
the syslog shows a dropbear 'Child connection' immediately followed by the restart of the httpd services. Notice there is no 'Password auth' message from dropbear. Without logging in, how did they initiate the restart?
I'm starting to be unable to see the wood for the trees.
Would it help if we try to re-establish the common patterns? I'm happy to collate the data. I get the impression there are only less than 6 or so people who realise they've been hacked, and I'm wondering if a questionnaire to them would help?
For example,
1. Which firmware version?
2. In the last 12 months, have your settings:
a. Allowed web access from WAN?
b. Allowed SSH access from WAN?
c. Allowed SSH password login?
3. Do you ever login to your router using an Android device?
4. Did you see a change of SSH port number and if so what to?
5. What other change to your settings did you see?
Are there any other pertinent questions? And would this be a wasted effort given such a small affected population?
If there's merit in this, I'd be happy to tidy up the questionnaire, whilst keeping it focussed on relevant questions, and then those hacked could PM me or reply direct to the forum, and it'd be a sort of taking-stock exercise.
So, if, and only if, this is worthwhile, are there any pertinent questions I've overlooked?
Would it help if we try to re-establish the common patterns? I'm happy to collate the data. I get the impression there are only less than 6 or so people who realise they've been hacked, and I'm wondering if a questionnaire to them would help?
For example,
1. Which firmware version?
2. In the last 12 months, have your settings:
a. Allowed web access from WAN?
b. Allowed SSH access from WAN?
c. Allowed SSH password login?
3. Do you ever login to your router using an Android device?
4. Did you see a change of SSH port number and if so what to?
5. What other change to your settings did you see?
Are there any other pertinent questions? And would this be a wasted effort given such a small affected population?
If there's merit in this, I'd be happy to tidy up the questionnaire, whilst keeping it focussed on relevant questions, and then those hacked could PM me or reply direct to the forum, and it'd be a sort of taking-stock exercise.
So, if, and only if, this is worthwhile, are there any pertinent questions I've overlooked?
Last edited:
Similar threads
Similar threads
Similar threads
-
-
-
AX88U Pro (3004.388.5) suddenly rebooted mid-day. Last manual reboot was a few days ago.
- Started by theirongiant
- Replies: 0
-
Why can't I associate my router with my iOS account in the app?
- Started by lenovomen
- Replies: 7
-
-
Accessing remotly Server While Using VPN on Asus Router with Merlin Firmware
- Started by psimaker
- Replies: 9
-
-
Latest (Oct 2024) "best" recommended router for Merlin?
- Started by sthornington
- Replies: 19
-