Was my router's username and password hacked?


Wutikorn

Senior Member
I found out that the SSH setting was changed by something or someone else. It was changed from LAN only to LAN+WAN, and the SSH port was changed to 2222 instead of 22. At first, I thought I might have done it when surfing around the router's WebUI, so I changed the setting back to LAN and port 22. However, within 6 hours, my setting had been changed again to LAN+WAN with port 2222. Then I realised that it was no longer normal, so I went to the system log to find more information. I found several of these logs:

dropbear[18810]: Password auth succeeded for 'My account name' from 37.8.101.9:50693 (this is one of 12 in the last 3 days)

I searched for a few of those IPs' locations, and they are from different countries such as Taiwan, Iran, Malaysia, etc. If I understand the log correctly, they know my router's username/password and log in to my router through SSH. So they hacked my router password? If that is the case, I think the problem is from having Web Access from WAN enabled. I now have it off and I changed my router's password. However, since they may have changed several settings or even put malicious code in through SSH, is a factory reset recommended? Other than having Web Access from WAN disabled and using a better password, is there anything else I should do to prevent this next time? Could this problem come from having infected devices inside the LAN? Could guests in the guest network have done this?

Router/firmware: Asus AC68U running AsusWRT Merlin 380.65 alpha 3.

Thanks in advance!

Edit: Sorry for creating a third thread about the similar issue, I didn't see the others at first. Here are links to the first two threads by ColinTaylor before mine was created: first, second.
 
Another one?
I see a trend here, access from WAN enabled --> Not a good idea.
Use a VPN to connect to your router, no ssh or webUI should be exposed to the WAN side.

Reset your router, reinstall fw, check your USB devices for malicious code.
 
Another one?
I see a trend here, access from WAN enabled --> Not a good idea.
Use a VPN to connect to your router, no ssh or webUI should be exposed to the WAN side.

Reset your router, reinstall fw, check your USB devices for malicious code.
Yes, this is worrying. 3 different reports in 3 days. Here and here.

The logs from the first link definitely suggest that it's an automated attack. Perhaps a botnet? That log also appeared to show the attacker starting up a 2nd dropbear server in background. Presumably for another way back in if the owner disables WAN access.

Again, the fact that in each case the attacker got in on the first attempt makes me think that the credentials have been stolen from malware on the LAN side.

I would a) run anti-malware and anti-virus scans on all your devices, and b) factory reset the router and wipe the jffs partition. Set up the router from scratch manually.

@Wutikorn Did you only have HTTP access to the web enabled, or did you have SSH as well?
 
I found out that the SSH setting was changed by something or someone else. It was changed from LAN only to LAN+WAN, and the SSH port was changed to 2222 instead of 22. At first, I thought I might have done it when surfing around the router's WebUI, so I changed the setting back to LAN and port 22. However, within 6 hours, my setting had been changed again to LAN+WAN with port 2222. Then I realised that it was no longer normal, so I went to the system log to find more information. I found several of these logs:

dropbear[18810]: Password auth succeeded for 'My account name' from 37.8.101.9:50693 (this is one of 12 in the last 3 days)

I searched for a few of those IPs' locations, and they are from different countries such as Taiwan, Iran, Malaysia, etc. If I understand the log correctly, they know my router's username/password and log in to my router through SSH. So they hacked my router password? If that is the case, I think the problem is from having Web Access from WAN enabled. I now have it off and I changed my router's password. However, since they may have changed several settings or even put malicious code in through SSH, is a factory reset recommended? Other than having Web Access from WAN disabled and using a better password, is there anything else I should do to prevent this next time? Could this problem come from having infected devices inside the LAN? Could guests in the guest network have done this?

Router/firmware: Asus AC68U running AsusWRT Merlin 380.65 alpha 3.

Thanks in advance!

This is exactly what happened to me, except that I already had SSH enabled on both LAN and WAN sides. They changed the port to 2222. It cannot be a coincidence at this point, but I think they discovered a weak spot on some part of the router defense here... BTW, I secured my router as suggested (disabling access from the WAN side for both webUI and SSH) and did a fw flash and a settings restore from scratch.

Now all seems fine, but I'm concerned anyhow
 
Thanks for all suggestions. I will factory reset router, re-flash it and won't enable those access.
Yes, this is worrying. 3 different reports in 3 days. Here and here.
Thanks for links, that's a lot for 3 days.

Again, the fact that in each case the attacker got in on the first attempt makes me think that the credentials have been stolen from malware on the LAN side.

I would a) run anti-malware and anti-virus scans on all your devices, and b) factory reset the router and wipe the jffs partition. Set up the router from scratch manually.
That's interesting. I just know that it reports if the password is wrong, and there is no report of a bad attempt, so I will check my PCs and phones right away.


Did you only have HTTP access to the web enabled, or did you have SSH as well?
I have both HTTPS and HTTP enabled. I never used HTTP though. In Asus Router app, I also set it to HTTPS. SSH was set to LAN only.

Another one?
I see a trend here, access from WAN enabled --> Not a good idea.
Use a VPN to connect to your router, no ssh or webUI should be exposed to the WAN side.
Reset your router, reinstall fw, check your USB devices for malicious code.
I normally use VPN to connect to my router, but I had WAN access for Asus Router app.
 
This is exactly what happened to me, except that I already had SSH enabled on both LAN and WAN sides. They changed the port to 2222. It cannot be a coincidence at this point, but I think they discovered a weak spot on some part of the router defense here... BTW, I secured my router as suggested (disabling access from the WAN side for both webUI and SSH) and did a fw flash and a settings restore from scratch.
My attack also started 31st Dec 16. Just curious if you have any IoT device or PCs you suspect to be the cause?
Two links to test the router's security:
http://routersecurity.org/
https://www.grc.com/shieldsup
I'll test my AC87U (Merlin) router against them, but there are more links.
I tried GRC ShieldsUP, everything is fine, but I will try routersecurity.org to see how well it goes. Let me know if you find other links that are better at testing.
 
My first guess would be a vulnerability in the httpd server. Folks, don't expose the web interface to the WAN - that httpd daemon is hardly hardened compared to a real web server like Apache. Use a VPN if you need remote access.
 
I don't know if this could be helpful, but I analyzed the syslog again and I found that the first access was made just after something strange had happened; see the log below:

Code:
Dec 30 08:51:18 dropbear[29944]: Child connection from 80.184.82.29:56478
Dec 30 08:51:19 rc_service: httpd 587:notify_rc restart_time;restart_httpd;restart_upnp
Dec 30 08:51:19 syslogd started: BusyBox v1.20.2
Dec 30 08:51:19 kernel: klogd started: BusyBox v1.20.2 (2016-12-16 12:26:27 EST)
Dec 30 08:51:20 dropbear[29968]: Running in background
Dec 30 08:51:20 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Dec 30 08:51:21 custom script: Running /jffs/scripts/firewall-start (args: ppp0)
Dec 30 08:51:21 RT-AC88U: start httpd - SSL
Dec 30 08:51:21 RT-AC88U: start httpd
Dec 30 08:51:21 miniupnpd[30017]: HTTP listening on port 41383
Dec 30 08:51:21 miniupnpd[30017]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 30 08:51:21 hour monitor: daemon is starting
Dec 30 08:51:22 Firewall: [Complete] 12757 IPs currently banned.
Dec 30 08:51:28 dropbear[30095]: Child connection from 46.20.215.170:52354
Dec 30 08:51:33 dropbear[30095]: Password auth succeeded for 'admin' from 46.20.215.170:52354
Dec 30 08:52:15 dropbear[30267]: Running in background
Dec 30 08:52:57 syslogd started: BusyBox v1.20.2
Dec 30 08:52:57 kernel: klogd started: BusyBox v1.20.2 (2016-12-16 12:26:27 EST)
Dec 30 08:52:57 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Dec 30 08:52:57 custom script: Running /jffs/scripts/firewall-start (args: ppp0)
Dec 30 08:52:57 RT-AC88U: start httpd - SSL
Dec 30 08:52:57 RT-AC88U: start httpd
Dec 30 08:52:57 kernel: DROP IN=ppp0 OUT= MAC= SRC=184.173.25.74 DST=87.7.63.108 LEN=63 TOS=0x00 PREC=0x00 TTL=116 ID=14869 PROTO=UDP SPT=55261 DPT=4672 LEN=43
Dec 30 08:52:57 miniupnpd[30449]: HTTP listening on port 42535
Dec 30 08:52:57 miniupnpd[30449]: Listening for NAT-PMP/PCP traffic on port 5351

At 08:51:19 some services were restarted on their own (at least it seems so); just before, there had been some connection attempts from remote IPs (the last one at 08:51:18). Then at 08:51:28 came the first malicious login, at the first attempt. I strongly suspect they used a weak spot in this procedure, either to get some services restarted, or to use this restart to log into the router.

If someone needs the full log, I still have it saved for further inspection.
 
The 08:51:19 service restart was initiated by the httpd server. This specific list of services restart is done by the Administration -> System page, presumably where one went to enable WAN access to the SSH server (and probably more).
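One way to triage a syslog excerpt like the one above for the sequence discussed in this thread (an httpd-initiated service restart, then a first-try password login from a non-private address, then a second dropbear instance started in the background). This is an added Python example, not code from the thread or from Asuswrt-Merlin; the year 2016, the 60-second correlation window and the 192.168.1.10 LAN login line are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Patterns for the dropbear and rc_service lines that appear in the thread's syslog excerpts.
TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) "
AUTH_RE = re.compile(TS + r"dropbear\[(\d+)\]: Password auth succeeded for '([^']+)' from ([\d.]+):(\d+)")
RESTART_RE = re.compile(TS + r"rc_service: httpd \d+:notify_rc (.*)$")
BG_RE = re.compile(TS + r"dropbear\[(\d+)\]: Running in background")

def parse_ts(stamp, year):
    # syslog stamps carry no year; the logs in this thread are from late December 2016 (assumed)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

# Lines copied from the log posted above, plus one constructed LAN login (192.168.1.10)
# to show that logins from private addresses are ignored.
SAMPLE = """\
Dec 30 08:51:18 dropbear[29944]: Child connection from 80.184.82.29:56478
Dec 30 08:51:19 rc_service: httpd 587:notify_rc restart_time;restart_httpd;restart_upnp
Dec 30 08:51:20 dropbear[29968]: Running in background
Dec 30 08:51:21 RT-AC88U: start httpd - SSL
Dec 30 08:51:28 dropbear[30095]: Child connection from 46.20.215.170:52354
Dec 30 08:51:33 dropbear[30095]: Password auth succeeded for 'admin' from 46.20.215.170:52354
Dec 30 08:52:15 dropbear[30267]: Running in background
Dec 30 09:10:00 dropbear[30300]: Password auth succeeded for 'admin' from 192.168.1.10:51000
""".splitlines()

def audit(lines, year=2016, window=60):
    """Flag every successful password login from a non-private address, noting any
    httpd-triggered service restart in the `window` seconds before it and any extra
    dropbear instance started in the `window` seconds after it."""
    logins, restarts, backgrounds = [], [], []
    for line in lines:
        if m := AUTH_RE.match(line):
            logins.append((parse_ts(m[1], year), m[3], m[4]))
        elif m := RESTART_RE.match(line):
            restarts.append((parse_ts(m[1], year), m[2]))
        elif m := BG_RE.match(line):
            backgrounds.append((parse_ts(m[1], year), int(m[2])))
    findings = []
    for ts, user, ip in logins:
        if ip_address(ip).is_private:
            continue  # expected on a LAN-only SSH setting
        before = [svc for t, svc in restarts if 0 <= (ts - t).total_seconds() <= window]
        after = [pid for t, pid in backgrounds if 0 < (t - ts).total_seconds() <= window]
        findings.append({"time": ts.isoformat(), "user": user, "src": ip,
                         "httpd_restart_before": before, "new_dropbear_after": after})
    return findings
```

Running `audit(SAMPLE)` reports the 08:51:33 login from 46.20.215.170 together with the restart_httpd notify 14 seconds earlier and the new dropbear PID 30267 started 42 seconds later, while the LAN login is skipped.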
 
I wonder how many of these people seeing attacks have been using the Android App to manage their routers.
 
I have installed the Android app on my phone (LG G4), but I use it sporadically: do I have to be afraid?

If it requires you to use " Enable Web Access from WAN " I would be VERY afraid.

Turn off UPNP, telnet , ssh and don't allow access from the web.

The experts have given advice in this thread.
 
Code:
Dec 31 20:35:08 kernel: klogd started: BusyBox v1.25.1 (2016-12-28 03:38:06 EST)
Dec 31 20:35:10 RT-AC68U: start httpd - SSL
Dec 31 20:35:10 RT-AC68U: start httpd
Dec 31 20:35:10 miniupnpd[18806]: HTTP listening on port 35006
Dec 31 20:35:10 miniupnpd[18806]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 31 20:35:10 miniupnpd[18806]: shutting down MiniUPnPd
Dec 31 20:35:10 miniupnpd[18808]: HTTP listening on port 54856
Dec 31 20:35:10 miniupnpd[18808]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 31 20:35:11 hour monitor: daemon is starting
Dec 31 20:35:22 dropbear[18810]: Password auth succeeded for 'RoyalDol' from 37.8.101.9:50693
The last line is the first login. Does it have anything to do with UPnP, or likely just httpd? How vulnerable is UPnP in most cases? I have two IP cameras, so it's easier with UPnP enabled, but if it is too vulnerable, I will manually set up port forwarding.
 
Can't we remove the "ssh from wan" option from the web interface in some way?

In my opinion @Xentrk, the only reason why we who are using custom FW are being attacked is because we actually check our syslogs once in a while, compared to the normal end-user who might just set up the router and leave it there.
 
In my opinion @Xentrk, the only reason why we who are using custom FW are being attacked is because we actually check our syslogs once in a while, compared to the normal end-user who might just set up the router and leave it there.
That's the case. Normal users won't be accessing SSH or even the router's WebUI every few days. The main reason I started to suspect something is that I was unable to use SSH on my router, as they had changed the SSH port to 2222. If they had not changed the port, but only changed it to LAN+WAN, I would not have known for a much longer time. But if they attacked through Web Access from WAN, most normal users should have it off.

So, it appears as if a pattern is happening here. Perhaps the Android app? Is there a formal channel one should use to report back to ASUS? I wonder about their response, since we are not using factory FW.
I think we need to sum up our information first to find out what happened. I do see a few things that could lead to this: Asus Router app, Web Access from WAN, UPnP, AiCloud. I wonder which of these @matthew_eli and @pattiri had on before the attack. I'm not sure how to tag a user.

Edit: I just tagged the other two users.
 