Was my router's username and password hacked?

Has someone already reported this issue to Asus?

No, because nobody tested it on the stock firmware. And without any network capture or other additional info, it won't help track down the issue.
 
So you're the one here to address then... :D

No, because as stated here, without any network trace, there's no way to track it down.

So, I'll just repeat what I've been saying for years: do NOT open the httpd to the WAN.
 
No, because as stated here, without any network trace, there's no way to track it down.

So, I'll just repeat what I've been saying for years: do NOT open the httpd to the WAN.

From an overall security perspective that is sound advice. Something like "don't have a door in your house: burglars might come through".
Something is bothering me about this: the absence of any failed login attempts on the 'door'. In all cases the password was 'guessed' right in one go. And to be sure: I never log in from outside my home except encrypted through work (which is a bank and has network security from here till eternity...)

There must be something else to trigger this/enable this and my gut feeling is that it is something in the router that is exploitable...
 
No, all shown logins are accounted for. Although they could have altered the logs as well.

Update:

First 'entry' was on Dec 31, same time, 03.00 at night. Second on Jan 1.

Earlier in December the router had apparently suffered some crashes, with the latest error/reboot log below. No idea if it is related though...

Interesting - what device (and rev) and firmware in use here?

Looks like someone is trying to do a ROP attack and failing because they're hitting a bad address... (which causes the ARM to crash with a fatal exception) - in other words, they're already in..
 
Something is bothering me about this: the absence of any failed login attempts on the 'door'. In all cases the password was 'guessed' right in one go. And to be sure: I never log in from outside my home except encrypted through work (which is a bank and has network security from here till eternity...)

The password probably wasn't guessed - they smashed the webserver directly - perhaps a buffer overflow...

I warned Linksys about a similar issue on SmartWiFi, where the Guest Network is open, and a captive portal in place, and it was fairly trivial to smash it and get root on the box..
 
No, because as stated here, without any network trace, there's no way to track it down.

So, I'll just repeat what I've been saying for years: do NOT open the httpd to the WAN.
Is there a way to check if it's open?
 
There must be something else to trigger this/enable this and my gut feeling is that it is something in the router that is exploitable...

My RT-AC68U has Merlin's 380.65_alpha3, and I use the Asus Android app, SSH, and HTTPS. None of it open from WAN, though. I do not use AiCloud or DDNS. Looked via SSH at netstat -l, and it is listening on port 22, but not on port 2222. There is no evidence in syslog of an SSH logon from outside since I booted the router a week ago, but that could of course have been wiped before I looked at it.

So, exploitable could just as well be on some client on LAN which runs some undiscovered bot-virus.

I see this, for example
- what are all these MiniUpnpD listening with HTTP on various ports? Firmware version check? The last one was within 1 hour of reboot, and none seen for 5 days now.

(rebooted router from Web interface after upgrade from 380.64 to 380.65_alpha3)
Aug 1 02:00:30 kernel: nf_conntrack_rtsp v0.6.21 loading
Aug 1 02:00:30 kernel: nf_nat_rtsp v0.6.21 loading
Aug 1 02:00:31 rc_service: hotplug 666:notify_rc restart_nasapps
Aug 1 02:00:31 iTunes: daemon is stopped
Aug 1 02:00:31 FTP Server: daemon is stopped
Aug 1 02:00:31 miniupnpd[731]: HTTP listening on port 37077
Aug 1 02:00:31 miniupnpd[731]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:31 Samba Server: smb daemon is stopped
Aug 1 02:00:31 kernel: gro disabled
Aug 1 02:00:32 Timemachine: daemon is stopped
Aug 1 02:00:32 miniupnpd[731]: shutting down MiniUPnPd
Aug 1 02:00:32 kernel: gro enabled with interval 2
Aug 1 02:00:35 Samba Server: daemon is started
Aug 1 02:00:35 rc_service: udhcpc 545:notify_rc start_upnp
Aug 1 02:00:35 rc_service: waitting "stop_upnp" via udhcpc ...
Aug 1 02:00:35 miniupnpd[763]: HTTP listening on port 41182
Aug 1 02:00:35 miniupnpd[763]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:35 miniupnpd[763]: shutting down MiniUPnPd
Aug 1 02:00:37 miniupnpd[770]: HTTP listening on port 34631
Aug 1 02:00:37 miniupnpd[770]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 1 02:00:38 ntp: start NTP update
Dec 29 00:05:19 rc_service: ntp 767:notify_rc restart_upnp
Dec 29 00:05:19 miniupnpd[770]: shutting down MiniUPnPd
Dec 29 00:05:20 kernel: * Make sure sizeof(struct sw_struct)=160 is consistent
Dec 29 00:05:20 dnsmasq-dhcp[450]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx
Dec 29 00:05:20 dnsmasq-dhcp[450]: DHCPOFFER(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:20 miniupnpd[788]: HTTP listening on port 53996
Dec 29 00:05:20 miniupnpd[788]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 29 00:05:20 rc_service: ntp 767:notify_rc restart_diskmon
Dec 29 00:05:20 disk_monitor: Finish
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPOFFER(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPREQUEST(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
Dec 29 00:05:21 dnsmasq-dhcp[450]: DHCPACK(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx D-link-extender
Dec 29 00:05:22 kernel: IDPfw: TrendMicro forward module ver-1.0.34
Dec 29 00:05:22 kernel: IDPfw: Apply module param dev_wan=eth0
Dec 29 00:05:22 kernel: IDPfw: Apply module param sess_num=30000
Dec 29 00:05:22 kernel: IDPfw: Init chrdev /dev/idpfw with major 191
Dec 29 00:05:22 kernel: IDPfw: IDPfw is ready
Dec 29 00:05:22 kernel: sizeof forward param = 160
Dec 29 00:05:23 disk monitor: be idle
Dec 29 00:05:30 rc_service: udhcpc 545:notify_rc start_firewall
Dec 29 00:05:30 dhcp client: bound 192.168.ccc.2 via 192.168.ccc.1 during 3600 seconds. <-- outer router
Dec 29 00:05:31 miniupnpd[788]: shutting down MiniUPnPd
Dec 29 00:05:32 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Dec 29 00:05:33 miniupnpd[1141]: HTTP listening on port 43254
Dec 29 00:05:33 miniupnpd[1141]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 29 00:05:42 crond[458]: time disparity of 742985 minutes detected
Dec 29 00:05:48 dnsmasq-dhcp[450]: DHCPREQUEST(br0) 192.168.1.nnn xx:xx:xx:xx:xx:xx
 
Just to support previous posts about not opening anything except OpenVPN from the WAN side. My configuration has only two ports open from the WAN side and these are the ports of two OpenVPN servers. Everything else (https, ssh, etc.) is open only from the LAN side. That is the solution.
 
Just to support previous posts about not opening anything except OpenVPN from the WAN side. My configuration has only two ports open from the WAN side and these are the ports of two OpenVPN servers. Everything else (https, ssh, etc.) is open only from the LAN side. That is the solution.
How would I know if something is open?
 
Just to support previous posts about not opening anything except OpenVPN from the WAN side. My configuration has only two ports open from the WAN side and these are the ports of two OpenVPN servers. Everything else (https, ssh, etc.) is open only from the LAN side. That is the solution.

If one is doing OpenVPN client, one doesn't need those ports open either...
 
Interesting - what device (and rev) and firmware in use here?

Looks like someone is trying to do a ROP attack and failing because they're hitting a bad address... (which causes the ARM to crash with a fatal exception) - in other words, they're already in..

Nice :-( Haven't got logs from earlier this year (that's what happens when you go along with new firmware versions).

Where would one search for other traces?

My RT-AC68U has Merlin's 380.64 running. Hardware revision A1/A2 (board revision is 0x1100, hardware version 170)

Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 1595.80

processor : 1
BogoMIPS : 1599.07

Features : swp half thumb fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc09
CPU revision : 0

Hardware : Northstar Prototype
Revision : 0000
Serial : 0000000000000000
 
Well, WTF - SSH with WAN+LAN on my 87U - when did that happen? I sure did NOT set it up that way. Fortunately have the RT-AC87U on port 2 of my cable modem - there's nothing actually connected to it except my iPhone because I use it mostly for guest access.
 
How would I know if something is open?
Administration -> System -> SSH Daemon -> make sure it's not LAN+WAN (if the SSH port is 2222, it's likely that you have been hacked by the same attacker as me). Administration -> System -> Web Interface -> Enable Web Access from WAN -> No -> Apply. If you do have AiProtection, go to Network Protection -> Router Security Assessment -> Scan, and then try to fix everything (turning off UPnP and FTP, changing the default password, etc.).

Well, WTF - SSH with WAN+LAN on my 87U - when did that happen? I sure did NOT set it up that way. Fortunately have the RT-AC87U on port 2 of my cable modem - there's nothing actually connected to it except my iPhone because I use it mostly for guest access.
Did you have Web Access from WAN enabled? What about Asus Router app? What is/was your SSH port with WAN+LAN? What was the firmware version when you first saw SSH setting changes?

So you're the one here to address then... :D
I think we just have to wait until someone with stock firmware starts noticing they have this problem, but most of them won't pay attention to the SSH port, the SSH setting or even the System Log, so it will take some weeks before they realise they have been affected.
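The click path above (SSH Daemon not LAN+WAN, Web Access from WAN set to No) corresponds to a few nvram settings that can also be read from the router's own shell, which is handy when you want to record the state before touching anything. The function below is an added example, not code from the thread or from the Asuswrt-Merlin project: it reads "name=value" lines in the format `nvram show` prints and reports which admin services are configured as reachable from the WAN. The variable names and value meanings it relies on (sshd_enable, sshd_port, misc_http_x, misc_httpport_x) are assumptions about the firmware, so confirm them on your own unit with `nvram show 2>/dev/null | grep -i -e ssh -e misc_http` before trusting the output.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin.
# Reads "name=value" lines (the format `nvram show` prints) on stdin and
# reports which administrative services are configured to be reachable
# from the WAN side.
#
# Assumed nvram semantics (verify on your firmware):
#   sshd_enable      0 = off, 1 = LAN+WAN, 2 = LAN only
#   sshd_port        SSH listen port
#   misc_http_x      1 = "Enable Web Access from WAN" is on
#   misc_httpport_x  HTTP port used for that WAN access
#
# On the router itself:  nvram show 2>/dev/null | audit_wan_settings
audit_wan_settings() {
    awk -F= '
        $1 == "sshd_enable"     { ssh = $2 }
        $1 == "sshd_port"       { sshport = $2 }
        $1 == "misc_http_x"     { webwan = $2 }
        $1 == "misc_httpport_x" { webport = $2 }
        END {
            findings = 0
            if (ssh == "1") {
                printf "WARN ssh reachable from WAN on port %s\n", sshport
                findings++
                # 2222 is the port several posters in this thread found
                # set after their routers were compromised.
                if (sshport == "2222")
                    print "NOTE ssh port is 2222, the value reported in this thread after compromise"
            }
            if (webwan == "1") {
                printf "WARN web UI reachable from WAN on port %s\n", webport
                findings++
            }
            if (findings == 0) print "OK no admin service exposed to WAN"
        }'
}

# Constructed sample input (not from a real router) showing the exposed case.
printf 'sshd_enable=1\nsshd_port=2222\nmisc_http_x=1\nmisc_httpport_x=8080\n' | audit_wan_settings
```

This reports configured intent; the `netstat -l` check mentioned earlier in the thread shows what is actually listening, and the two should agree. A listener or a setting you never enabled (SSH on LAN+WAN, the port changed to 2222) is exactly the kind of evidence to save with the system log before rebooting or re-flashing, since the logs will not survive that.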
 
Administration -> System -> SSH Daemon -> make sure it's not LAN+WAN (if the SSH port is 2222, it's likely that you have been hacked by the same attacker as me). Administration -> System -> Web Interface -> Enable Web Access from WAN -> No -> Apply. If you do have AiProtection, go to Network Protection -> Router Security Assessment -> Scan, and then try to fix everything (turning off UPnP and FTP, changing the default password, etc.).


Did you have Web Access from WAN enabled? What about Asus Router app? What is/was your SSH port with WAN+LAN? What was the firmware version when you first saw SSH setting changes?

I think we just have to wait until someone with stock firmware starts noticing they have this problem, but most of them won't pay attention to the SSH port, the SSH setting or even the System Log, so it will take some weeks before they realise they have been affected.
Thanks for the help!
 
I think we just have to wait until someone with stock firmware starts noticing they have this problem, but most of them won't pay attention to the SSH port, the SSH setting or even the System Log, so it will take some weeks before they realise they have been affected.

Why? The problem is here. It's real. Question here is: Are the Merlin changes the catalyst for the hacks or not. And you're waiting for non-Merlin users to provide you with an answer to that...

I think Merlin should do some code analysis/investigation together with Asus. If it turns out to be a generic Asus exploit they're in trouble. As are we (already). Since WE are the tweaking kind, these issues might even go past normal Asus users and continue unnoticed for a long time.

So...What is this community going to do? I don't know about you, but I am reporting it to Asus with priority. Don't want to damage the reps of Merlin, John or HGGomes and their customisations but I do think this requires serious attention/investigations.

Sent from my SM-G935F using Tapatalk
 
As RMerlin stated, the http daemon isn't like Apache; it's not built to be open towards today's internet where things get exploited fast. The same goes for the stock firmware, although my guess is that Asus doesn't give a shirt.

And as for SSH, well, it's just plain dumb to have it open, so listen to RMerlin when he says something, and if you don't have the logs and the network trace to prove something then you don't have anything; it's as simple as that.

And Merlin firmware is not a catalyst; it's rather the saviour, because at least RMerlin tries to have stuff running on later versions rather than ancient ones.
 
I think it's a brute force attack...
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 5 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 10 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: Detect abnormal logins at 15 times. The newest one was from 185.159.37.125.
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'root' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: Detect abnormal logins at 20 times. The newest one was from 185.159.37.125.
Jan 4 01:10:41 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:41 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:42 HTTP login: Detect abnormal logins at 25 times. The newest one was from 185.159.37.125.
Jan 4 01:10:43 HTTP login: login 'airlive' failed from 185.159.37.125:80
Jan 4 01:10:46 HTTP login: login 'airlive' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: Detect abnormal logins at 30 times. The newest one was from 185.159.37.125.
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: Detect abnormal logins at 35 times. The newest one was from 185.159.37.125.
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: Detect abnormal logins at 40 times. The newest one was from 185.159.37.125.
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:48 HTTP login: Detect abnormal logins at 45 times. The newest one was from 185.159.37.125.
Jan 4 01:10:48 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'super' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: Detect abnormal logins at 50 times. The newest one was from 185.159.37.125.
Jan 4 01:10:52 HTTP login: login 'mts' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'mts' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'telecomadmin' failed from 185.159.37.125:80
Jan 4 01:10:52 HTTP login: login 'telecomadmin' failed from 185.159.37.125:80
Jan 4 01:10:55 HTTP login: login 'mgts' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: Detect abnormal logins at 55 times. The newest one was from 185.159.37.125.
Jan 4 01:10:58 HTTP login: login 'mgts' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: Detect abnormal logins at 60 times. The newest one was from 185.159.37.125.
Jan 4 01:10:58 HTTP login: login 'kyivstar' failed from 185.159.37.125:80
Jan 4 01:10:58 HTTP login: login 'kyivstar' failed from 185.159.37.125:80
Jan 4 01:11:11 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'telekom' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: Detect abnormal logins at 65 times. The newest one was from 185.159.37.125.
Jan 4 01:11:14 HTTP login: login 'telekom' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'superadmin' failed from 185.159.37.125:80
Jan 4 01:11:14 HTTP login: login 'superadmin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:15 HTTP login: Detect abnormal logins at 70 times. The newest one was from 185.159.37.125.
Jan 4 01:11:18 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:21 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: Detect abnormal logins at 75 times. The newest one was from 185.159.37.125.
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'engineer' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: login 'engineer' failed from 185.159.37.125:80
Jan 4 01:11:24 HTTP login: Detect abnormal logins at 80 times. The newest one was from 185.159.37.125.
Jan 4 01:11:24 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:25 HTTP login: Detect abnormal logins at 85 times. The newest one was from 185.159.37.125.
Jan 4 01:11:25 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:27 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:30 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: Detect abnormal logins at 90 times. The newest one was from 185.159.37.125.
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: Detect abnormal logins at 95 times. The newest one was from 185.159.37.125.
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:31 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: Detect abnormal logins at 105 times. The newest one was from 185.159.37.125.
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:11:32 HTTP login: login 'admin' failed from 185.159.37.125:80
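A log like the one above is easier to judge when it is summarised per source address: how many attempts, how many different usernames were tried, and over what time span. The function below is an added example (not code from the thread or from the firmware) that reads syslog lines in the format shown above from stdin and prints one line per source that crossed a threshold of failed attempts. The sample input is constructed from a few of the lines above plus one line for a second address in the 192.0.2.0/24 documentation range; the syslog path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises Asuswrt "HTTP login:
# login 'USER' failed from IP:PORT" syslog lines per source address.
# Usage on the router (syslog path is an assumption for this firmware):
#   summarize_failed_logins 20 < /tmp/syslog.log
summarize_failed_logins() {
    threshold="${1:-10}"
    awk -v thr="$threshold" '
        # Only per-attempt lines; the "Detect abnormal logins" summary
        # lines written by the router itself are skipped.
        /HTTP login: login .* failed from / {
            split($0, q, "\047")        # q[2] is the username between the quotes
            user = q[2]
            split($NF, h, ":")          # last field is IP:port of the source
            ip = h[1]
            attempts[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; nusers[ip]++ }
            if (!(ip in first)) first[ip] = $3   # $3 is the HH:MM:SS timestamp
            last[ip] = $3
        }
        END {
            for (ip in attempts)
                if (attempts[ip] >= thr)
                    printf "%s attempts=%d distinct_users=%d first=%s last=%s\n",
                           ip, attempts[ip], nusers[ip], first[ip], last[ip]
        }' | sort
}

# Constructed sample: lines taken from the log above plus one line for a
# second, documentation-range address that stays below the threshold.
sample_log() {
    cat <<'EOF'
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:39 HTTP login: login 'admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: Detect abnormal logins at 5 times. The newest one was from 185.159.37.125.
Jan 4 01:10:40 HTTP login: login 'Admin' failed from 185.159.37.125:80
Jan 4 01:10:40 HTTP login: login '' failed from 185.159.37.125:80
Jan 4 01:10:47 HTTP login: login 'support' failed from 185.159.37.125:80
Jan 4 01:12:00 HTTP login: login 'admin' failed from 192.0.2.10:80
EOF
}

sample_log | summarize_failed_logins 3
```

The distinct-user count is the useful signal here: one source working through admin, root, support, super and a list of ISP default accounts in under two minutes is an automated scan of default credentials, not someone who knows anything about this router. Blocking that one address changes little; the fix the thread keeps repeating, not exposing httpd or SSH to the WAN at all, removes the whole class.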
 
As RMerlin stated, the http daemon isn't like Apache; it's not built to be open towards today's internet where things get exploited fast. The same goes for the stock firmware, although my guess is that Asus doesn't give a shirt.

And as for SSH, well, it's just plain dumb to have it open, so listen to RMerlin when he says something, and if you don't have the logs and the network trace to prove something then you don't have anything; it's as simple as that.

And Merlin firmware is not a catalyst; it's rather the saviour, because at least RMerlin tries to have stuff running on later versions rather than ancient ones.
I did not even have SSH or Telnet enabled. Not even on the LAN side (!). And do not disregard the multiple reports by saying 'you should have traces and logs'. I have logs, but I use the router as an 'enabler' and not as a toy, and I do not run traces to whomever just for fun.

And if only asking the question whether or not the mods in the firmware can enable this is already considered an unacceptable insult...wow. Please back off with this attitude of admiration.

We all are thankful for the firmware, but that doesn't put the firmware above all suspicion. It needs to be considered from a problem-solving point of view. THAT is how professionals (yes, I am in IT) would work.
 