Was my router's username and password hacked?


EDIT: I just tested the Android app, and it will only enable WAN access if you enable "Remote Connection", at which point it will show you a popup asking you to confirm, warning you that it will change various settings, including AiCloud and access from WAN. So, the app itself won't do it automatically, only if a user specifically asks for it.
 
Are you guys saying that the Android app will change the Access from WAN option to enable it? If it's true, then this is utter garbage.

Can someone confirm this? It's been nearly a year since I've last played with that app.
It has been a long time since I used it, but I don't think it will enable Access from WAN without permission. Only if we want to use the app from outside the LAN will it ask us to enable Web Access from WAN, and it may modify our setting after we have agreed.
 
That's the case. Normal users won't be accessing SSH or even the router's WebUI every few days. The main reason I started to suspect is that I was unable to use SSH on my router, as they had changed the SSH port to 2222. If they had not changed the port, but only changed it to LAN+WAN, I would not have known for a much longer time. But if they attacked through Web Access from WAN, most normal users should have it off.


I think we need to sum up our information first to find out what happened. I do see a few things that could lead to this: Asus Router app, Web Access from WAN, UPnP, AiCloud. I wonder which of these @matthew_eli and @pattiri had on before the attack. I'm not sure how to tag a user.

Edit: I just tagged the other two users.

I was using;

Asus DDNS enabled, Asus Router App enabled (was connecting via HTTPS), Access from WAN was enabled for both HTTP and HTTPS, UPnP was disabled, AiCloud was enabled (Cloud Disk and Smart Access is enabled), SSH was disabled, Telnet was enabled.

The first time I observed this was 26 Dec 2016. I saw logs on 27 Dec and became a member of SNBForums to ask about these logs, but I was at work and I couldn't create a post. I don't know why, but possibly it's because of the proxy that my company uses. Whatever, later I changed my password and cleared the logs.

After 1 or 2 days, I saw logs that said login failed, so I thought all was OK, but last Saturday I saw someone logged in again and I created my post.

Currently my configs are;

Asus DDNS enabled, Asus Router App (connecting via HTTPS), Access from WAN enabled for HTTPS, UPnP disabled, AiCloud enabled (Cloud Disk and Smart Access is enabled) SSH is enabled only for LAN, Telnet disabled. btw, my WAN IP address and DDNS settings are still same.

Since Saturday, I haven't seen any login attempts, still monitoring. If I see anything I will format JFFS, configure the router manually from factory defaults, ask my ISP to change my IP address and change my DDNS host name.
 
Hmm, glad I load my own SSL cert, only run HTTPS, disabled keyboard auth on SSH and have it set to LAN only.
 
...

Currently my configs are;

Asus DDNS enabled, Asus Router App (connecting via HTTPS), Access from WAN enabled for HTTPS, UPnP disabled, AiCloud enabled (Cloud Disk and Smart Access is enabled), SSH is enabled only for LAN, Telnet disabled. btw, my WAN IP address and DDNS settings are still same.

Since Saturday, I haven't seen any login attempts, still monitoring. If I see anything I will format JFFS, configure the router manually from factory defaults, ask my ISP to change my IP address and change my DDNS host name.

You probably want to disable all WAN access -- configure and use a VPN as an alternative -- until this is sorted out.
 
Yes, they got me too: Only open WAN access is web access. no SSH or telnet to WAN, DDNS enabled, AiCloud enabled, router app enabled
This must be the door. Running 380.64 on AC68. Will close the door...

Jan 3 04:00:30 dropbear[11773]: Password auth succeeded for 'admin_xxxxx' from 37.76.197.8:52785

IP Address: 37.76.197.8
Country: Palestinian Territories
Region: West Bank
City: Hebron
ISP: Mada ALArab LTD
Organization: Segment-Cronos
Latitude: 31.5333
Longitude: 35.1000
 
Yes, they got me too: Only open WAN access is web access. no SSH or telnet to WAN, DDNS enabled, AiCloud enabled, router app enabled
This must be the door. Running 380.64 on AC68. Will close the door...

Jan 3 04:00:30 dropbear[11773]: Password auth succeeded for 'admin_xxxxx' from 37.76.197.8:52785
Since they accessed it through SSH, they can do almost everything. So don't forget to reflash the firmware, reset to defaults, and wipe the JFFS partition if you have one.
 
You probably want to disable all WAN access -- configure and use a VPN as an alternative -- until this is sorted out.
People should disable all WAN access NOT till this is sorted out but FOREVER. None of these services have any business being open to the internet. Specifically HTTP (even if it's HTTPS only), SSL, and *gags* telnet.

I was digging through stuff all morning to try and find out why this is happening and if I am at risk. Only to find out it's dumb-dumbs opening stupid services to the internet.
 
People should disable all WAN access NOT till this is sorted out but FOREVER. None of these services have any business being open to the internet. Specifically HTTP (even if it's HTTPS only), SSL, and *gags* telnet.

I was digging through stuff all morning to try and find out why this is happening and if I am at risk. Only to find out it's dumb-dumbs opening stupid services to the internet.
I did not have SSH enabled at all and still they could connect and change port to 2222...So WTF is happening here?
 
I have SSH and WebUI access set to LAN only. I do use the Asus app but I have not enabled remote connection and it still works fine for me. I just use it to check my router out while home and being too lazy to get up and go to my laptop.

I have not enabled any of the other Asus sharing stuff or applications. I just searched through my syslog but didn't see anything unusual besides my logins from home or via VPN.
 
I did not have SSH enabled at all and still they could connect and change port to 2222...So WTF is happening here?
Since you have Web Access from WAN on, and the attacker got our credentials somehow, probably through a vulnerability, the attacker can use the credentials to log in to the WebUI from the WAN, enable SSH, do some bad stuff and disable SSH (or leave it on). So the problem here is not SSH, but how the attacker got our credentials. However, without Web Access from WAN, the attacker shouldn't be able to turn WAN SSH on.
 
I did not have SSH enabled at all and still they could connect and change port to 2222...So WTF is happening here?
"Only open WAN access is web access." SSH can be enabled, and SSH port can be changed from WebUI (and later reverted).
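The posts above describe the same path on every affected router: a credentialed WebUI login from the WAN, SSH switched on (sometimes moved to port 2222), then a dropbear password login from a public address, which is the only trace most of the posters found in their syslog. The following triage script is an added example for this thread, not code from SNBForums or from Asus/Asuswrt-Merlin. It parses dropbear lines in the format of the one quoted earlier and flags password logins from globally routable addresses. The log excerpt is constructed: only the 04:00:30 line is the one actually posted, the other lines are invented to exercise the failed-attempt and LAN cases, and the "Bad password attempt" and "Child connection" prefixes are dropbear's wording as I recall it, so adjust `KINDS` if your firmware build logs differently.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog excerpt, modelled on the dropbear line quoted in the
# thread.  Only the 04:00:30 line was actually posted; the rest are invented here
# to show a failed attempt before the success and ordinary LAN logins.
SAMPLE_LOG = """\
Jan 3 03:58:01 dropbear[11770]: Child connection from 37.76.197.8:52780
Jan 3 03:58:05 dropbear[11770]: Bad password attempt for 'admin_xxxxx' from 37.76.197.8:52780
Jan 3 04:00:30 dropbear[11773]: Password auth succeeded for 'admin_xxxxx' from 37.76.197.8:52785
Jan 3 09:12:44 dropbear[11901]: Password auth succeeded for 'admin_xxxxx' from 192.168.1.20:49152
Jan 3 09:13:10 dropbear[11905]: Pubkey auth succeeded for 'admin_xxxxx' with key sha1!! a1:b2:c3 from 192.168.1.20:49160
"""

# syslog timestamp, dropbear pid, free-text message, then the peer "ip:port" at the end.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dropbear\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)
USER_RE = re.compile(r"for '(?P<user>[^']+)'")

# Message prefixes (assumed dropbear wording) mapped to event kinds.
KINDS = (
    ("Password auth succeeded", "password_success"),
    ("Pubkey auth succeeded", "pubkey_success"),
    ("Bad password attempt", "password_failure"),
    ("Child connection", "connect"),
)


def parse_dropbear(log_text):
    """Turn dropbear syslog lines into event dicts; lines from other daemons are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        kind = next((k for prefix, k in KINDS if msg.startswith(prefix)), "other")
        um = USER_RE.search(msg)
        ip = ipaddress.ip_address(m.group("ip"))
        events.append({
            "ts": m.group("ts"),
            "ip": str(ip),
            # RFC 1918, loopback and link-local peers are LAN; a globally routable
            # peer means the connection came in over the WAN side.
            "wan": ip.is_global,
            "user": um.group("user") if um else None,
            "kind": kind,
            "port": int(m.group("port")),
        })
    return events


def wan_password_logins(log_text):
    """Successful password logins from public addresses: the signal the posters found."""
    return [e for e in parse_dropbear(log_text)
            if e["kind"] == "password_success" and e["wan"]]


def summarize_by_ip(log_text):
    """Per peer address: WAN or LAN, number of bad-password attempts, and whether
    any login (password or key) eventually succeeded."""
    summary = defaultdict(lambda: {"wan": False, "failures": 0, "success": False, "users": set()})
    for e in parse_dropbear(log_text):
        s = summary[e["ip"]]
        s["wan"] = e["wan"]
        if e["kind"] == "password_failure":
            s["failures"] += 1
        elif e["kind"] in ("password_success", "pubkey_success"):
            s["success"] = True
        if e["user"]:
            s["users"].add(e["user"])
    return dict(summary)


if __name__ == "__main__":
    for e in wan_password_logins(SAMPLE_LOG):
        print(f"WAN password login: {e['ts']} user={e['user']} from {e['ip']}:{e['port']}")
    for ip, s in summarize_by_ip(SAMPLE_LOG).items():
        print(ip, "WAN" if s["wan"] else "LAN", s["failures"], "failures, success:", s["success"])
```

Feed it `cat /tmp/syslog.log` (or whatever your firmware writes) on stdin by swapping `SAMPLE_LOG` for `sys.stdin.read()`. Two caveats the thread itself raises: an attacker with SSH can edit the log, so an empty result proves nothing, and a successful login from a LAN address is only reassuring if the router's own VPN or a compromised LAN host is not the source.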
 
@eddiez , @Wutikorn , @matthew_eli , @pattiri Do you see anything suspicious in the logs just before the dropbear messages?
No, only the logs in post 17 of this blog that I see. But a few hours before that, there was nothing, only VPN logs. Note that I changed the default log level and log message level to one level higher than the defaults.

Edit: In post 17 of this blog, it's the first SSH login from WAN, and I see nothing suspicious.
 
Yes we know that :rolleyes:. I'm asking about what happens before the SSH access. Were there any signs of them logging in through http.
No, all shown logins are accounted for. Although they could have altered the logs as well.

Update:

First 'entry' was on Dec 31, same time, 03:00 at night. Second on Jan 1.

Earlier in December the router had apparently suffered some crashes, with the latest error/reboot log below. No idea if it is related though...

http://pastebin.com/5M0igFJ1
 