What's new

Was my router's username and password hacked?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Yep, noticed that one also. Not a Linux guy though...can't find the location through SSH
 
Issue the ps command again. Is it still there and using the same port? If so, try going to https://www.grc.com/shieldsup and testing port 16161.
Yep... and it's open :-(

Port
transpixel.gif

Status Protocol and Application
transpixel.gif

16161
transpixel.gif

OPEN! Unknown Protocol for this port
Unknown Application for this port
 
10849 admin_ed 1136 S dropbear -p 192.168.1.1:22 -a -j -k
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'

Code:
-j        Disable local port forwarding
-k        Disable remote port forwarding
-a        Allow connections to forwarded ports from any host
 
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'

Code:
-j        Disable local port forwarding
-k        Disable remote port forwarding
-a        Allow connections to forwarded ports from any host
Bug or was it consciously altered?
 
This is sort of interesting (and I think I see the bug) with the options '-a -j -k' it should be '-a' or '-j -k'

Strange .... I've just checked my router (logged in remotely through OpenVPN). I also have both '-a' and '-j -k'. My Router was freshly updated to 380.64 just few days ago. I never detected any signs of infection yet. Here is the screenshot:
 

Attachments

  • Router processes.jpg
    Router processes.jpg
    107.5 KB · Views: 793
Just to clairify.....I think setting the conflicting options is a bug in the ASUS firmware.....not in dropbear.
I'v asked about the attribute interpretation sequence. Easier than going through the documentation...

I've been removing the 16161 port from IPtables (iptables -D INPUT -p tcp --dport 16161 -j ACCEPT), but guess what...every time after waiting a bit the IPtables entry to accept 16161 connections (ACCEPT tcp -- anywhere anywhere tcp dpt:16161) reappears again. Even when not saving the IPtables (service iptables_save)

There might be more alterations present.
 
Just to clairify.....I think setting the conflicting options is a bug in the ASUS firmware.....not in dropbear.

I fully agree with you. Could you check in the code base since which version it appeared? Then most probably it spread in Merlin's FW and your fork.
 
I fully agree with you. Could you check in the code base since which version it appeared? Then most probably it spread in Merlin's FW and your fork.
Looks like the change came in with the 4th April 2016 merge with Asus GPL 380_2697?

My fork is OK.....just wrote a patch for Merlin. Looks like it came in with 380.59 (Colin got it)
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top