Was my router's username and password hacked?

[Nullity]

The attacker, in my case, had access to my admin username/password as logged when they accessed SSH through WAN. There was no failed attempt at all, and username I use is not default "admin" either.

You changed the admin username? I thought the admin username was kinda hard-wired.

Is the admin username non-existant on your device?

 

[eddiez]

I'm starting to be unable to see the wood for the trees.

Would it help if we try to re-establish the common patterns? I'm happy to collate the data. I get the impression there are only less than 6 or so people who realise they've been hacked, and I'm wondering if a questionnaire to them would help?

For example,

1. Which firmware version?
2. In the last 12 months, have your settings:
a. Allowed web access from WAN?
b. Allowed SSH access from WAN?
c. Allowed SSH password login?
3. Do you ever login to your router using an Android device?
4. Did you see a change of SSH port number and if so what to?
5. What other change to your settings did you see?

Are there any other pertinent questions? And would this be a wasted effort given such a small affected population?

I can make my logs available. Password info is outdated now of course. Logs include errors from ROP and SSH activities. If there's any other log info not displayed through the web UI , please point them out to me (Linux n00b) and I'll make them available for investigation.

Also, I could re-establish the SSH connection on port 16161 to use as honey pot if someone helps me out in setting the traces.

Just let me know if this would help... Someone must sacrifice for the greater good

Verstuurd vanaf mijn SM-G935F met Tapatalk

 

[Wutikorn]

And would this be a wasted effort given such a small affected population?

Yeah, I believe not many people will have WebUI opened to WAN, but 4 reports in a week are not that small in population. However, if you have sum all questions up, we would be happy to answer it if any want it.

Just wanted to open a discussion on something that's been nagging at me in case I'm missing something. In one of the early reports of this
http://www.snbforums.com/threads/was-my-routers-username-and-password-hacked.36602/#post-299090
the syslog shows a dropbear 'Child connection' immediately followed by the restart of the httpd services. Notice there is no 'Password auth' message from dropbear. Without logging in, how did they initiate the restart?

They manage to restart the service before authentication takes place?

 

[eddiez]

You changed the admin username? I thought the admin username was kinda hard-wired.

Is the admin username non-existant on your device?

Never used default admin name as well

Verstuurd vanaf mijn SM-G935F met Tapatalk

 

[Wutikorn]

You changed the admin username? I thought the admin username was kinda hard-wired.

Is the admin username non-existent on your device?

I didn't use default admin username. In fact, my username also has capitalized characters which the attacker has that info too as seen from my logs.

 

[martinr]

You changed the admin username? I thought the admin username was kinda hard-wired.

Is the admin username non-existant on your device?

I also changed the admin username from when I first got the router 2.5 years ago.

 

[RMerlin]

Without logging in, how did they initiate the restart?

The series of services restarted is identical to what is found on the Advanced_System_Content.asp page. That implies a separate web connection most likely, which changed and applied changes on that specific page.

 

[john9527]

The series of services restarted is identical to what is found on the Advanced_System_Content.asp page. That implies a separate web connection most likely, which changed and applied changes on that specific page.

But that would imply an attack vector that allows them to either bypass httpd password authorization or get the password via some other means. And if they could do that, why do the initial dropbear connect unless it facilitates one of those attacks? This one is still nagging at me.

 

[sfx2000]

But that would imply an attack vector that allows them to either bypass httpd password authorization or get the password via some other means. And if they could do that, why do the initial dropbear connect unless it facilitates one of those attacks? This one is still nagging at me.

My best guess would be that Dropbear gives them an interactive shell that they can do whatever is needed... not uncommon.

 

[john9527]

My best guess would be that Dropbear gives them an interactive shell that they can do whatever is needed... not uncommon.

But then we are back to my original 'nag'.....why no password auth for dropbear?

 

[dilantin22]

I saw something similar by eddiez in the SNB ASUSWRT subforum. Quick question, is this hack/exploit mainly seen in Merlin/non-stock ASUSWRT builds or is there a chance it's in factory firmware also? I'm running the latest 3.0.0.4.380_4180 on an AC66

Just asking so I can be better informed. I'm a security novice, but trying to follow some of this in the thread. I've been checking my settings and I think I've been following most of your suggestions since day one. Let me know if there is more things I can check for. I apologize if this is the wrong thread since it's in the Merlin subforum.

Spoiler: My security checklist to keep attack surface as small as possible

1. username/password are completely different. I don't use "admin" as username.
2. In Administration>Enable telnet "NO"
3. In Administration>Enable web access from WAN "NO"
4. In WAN>Internet Connection tab> Enable WAN "Yes"
5. In WAN>Internet Connection tab> Enable NAT "Yes"
6. In WAN>Internet Connection tab> Enable UPnP "NO"
7. AiCloud and any services like that have been disabled since day 1. DDNS disabled too.
8. I used ShieldsUP and I didn't find any open ports, even on 22, 2222, or the 16161. Everything was "stealth"
9. I used Fing on iOS to scan for services directly on the asus router and only thing I saw open was ports 53, 80, 515 (printer spooler lpd) and 9100 (jetdirect - HP JetDirect card). My printer is not attached via usb. Only via WiFi.
10. I have used the Asus router app on iOS, but I logged into it via 192.168.x.x. Never remotely.
11. No IoT devices like cameras, sensors, thermostats, etc on my network.

 

[eddiez]

I saw something similar by eddiez in the SNB ASUSWRT subforum. Quick question, is this hack/exploit mainly seen in Merlin/non-stock ASUSWRT builds or is there a chance it's in factory firmware also? I'm running the latest 3.0.0.4.380_4180 on an AC66

Just asking so I can be better informed. I'm a security novice, but trying to follow some of this in the thread. I've been checking my settings and I think I've been following most of your suggestions since day one. Let me know if there is more things I can check for. I apologize if this is the wrong thread since it's in the Merlin subforum.

Spoiler: My security checklist to keep attack surface as small as possible

1. username/password are completely different. I don't use "admin" as username.
2. In Administration>Enable telnet "NO"
3. In Administration>Enable web access from WAN "NO"
4. In WAN>Internet Connection tab> Enable WAN "Yes"
5. In WAN>Internet Connection tab> Enable NAT "Yes"
6. In WAN>Internet Connection tab> Enable UPnP "NO"
7. AiCloud and any services like that have been disabled since day 1. DDNS disabled too.
8. I used ShieldsUP and I didn't find any open ports, even on 22, 2222, or the 16161. Everything was "stealth"
9. I used Fing on iOS to scan for services directly on the asus router and only thing I saw open was ports 53, 80, 515 (printer spooler lpd) and 9100 (jetdirect - HP JetDirect card). My printer is not attached via usb. Only via WiFi.
10. I have used the Asus router app on iOS, but I logged into it via 192.168.x.x. Never remotely.
11. No IoT devices like cameras, sensors, thermostats, etc on my network.

We don't know yet. Is has been observed 4 times now, all with non-stock builds. But that might be the tip of the proverbial iceberg since we tend to check these logs and stuff a bit more than the average consumer who checks in twice year to adjust his parental settings.

 

[eddiez]

As for my case, I did not have SSH enabled in web gui. Did have WAN web access open though. So I assume that's the point of entry, unless there was an open SSH without me knowing/seeing it.

 

[dilantin22]

As for my case, I did not have SSH enabled in web gui. Did have WAN web access open though. So I assume that's the point of entry, unless there was an open SSH without me knowing/seeing it.

Thanks for the info. I guess I'll keep a close eye in this thread for anything new. I hope you all figure it out soon. Glad to be apart of such an advanced community even as the newb I am.

 

[wedwabbit]

Indirectly related.

I have ssh access via the WAN enabled but have disabled password login (I use keys). I've also enabled brute force protection and changed the default login name from 'admin'. I then use port forwards etc. aas a SOCKS5 proxy and others.

Is this considered safe? Should I look at setting up a VPN server? I'm much more familiar with ssh.

Another question. Is dropbear considered safe enough? Should I be using openssh-server (via Entware) instead?

Thanks

Edit: I have disabled telnet and web access from WAN.

 

[RMerlin]

But then we are back to my original 'nag'.....why no password auth for dropbear?

If they accessed the Advanced_System page, it means they could either change the password to anything they wanted, or retrieve the existing password, and use that to login over SSH to gain a shell access, and do what they wanted to do.

My guess is that the web exploit is allowing them to bypass authentication at the webui level, or to retrieve the stored login credentials.

 

[sfx2000]

If they accessed the Advanced_System page, it means they could either change the password to anything they wanted, or retrieve the existing password, and use that to login over SSH to gain a shell access, and do what they wanted to do.

My guess is that the web exploit is allowing them to bypass authentication at the webui level, or to retrieve the stored login credentials.

It's not the advanced system page... that's the target that they're aiming for, but to get there - they have to smash the webserver... (or find another way in...)

Do I get a t-shirt for this?

 

[RMerlin]

It's not the advanced system page... that's the target that they're aiming for, but to get there - they have to smash the webserver...

And that's what I wrote in the last sentence you quoted from my post.

 

[tomsk]

And that's what I wrote in the last sentence you quoted from my post.

Does that mean you get the t-shirt?

 

[RMerlin]

Does that mean you get the t-shirt?

It was -10C here today, too cold to wear t-shirts.