Xentrk
Part of the Furniture
Hi @Wutikorn
The reason kapok.com is on the blacklist is the sites I support are a children's home for 30 orphans along with a grade school. It is the leadership team who asked me to blacklist it. I guess the kids were spending a lot of time on the site. They deemed the content not appropriate for them. Maybe it is because some of the girly pictures on the site show too much cleavage? 555
Regarding Baidu, even though it has been blacklisted for awhile now, it ranks as the top site being blacklisted on the OpenDNS stats page at the school. This tells me there may be malware on the clients that keep trying to talk to baidu. I have seen the teachers download freeware from the site. I cleaned up the school workstations but can't do anything about their personal clients. I am researching installing the Netflow plug-in from entware called "ipcad" to pull data. Then using something like Solarwinds Free Netflow Traffic Analyzer to see the offending clients, then work with them to remove any malicious software.
Glad to know you are in the same province. I see others in the forum from Land of Smiles as well. Maybe we need to have a snbforums gathering sometime soon?
Last edited:
380.64_1 was uploaded to Mediafire, and published on the update server. I backported Asus's security fixes from 4180 (now that I was able to fix the webui pages those fixes were breaking), as well as the additional fixes I mentioned previously in this thread. Note that I have no idea if all of these fixes will address the security issues reported here, since I have no information as to which security hole was exploited here.
Use the Check button on the FW update page to be taken directly to the download location.
Use the Check button on the FW update page to be taken directly to the download location.
Thanks. Will leave the hacked box now and update.
Understandably, there's so much gone on in this thread that you've forgotten the answer!
http://www.snbforums.com/threads/wa...-and-password-hacked.36602/page-6#post-299662
Wutikorn
Senior Member
Kapok blacklist now makes sense to me. Baidu troubled me badly, its apps are, most of the time, not malware, but PUP, which can avoid detection by most antivirus. So now I have both McAfee(use it as it costs less than $20 a year for unlimited devices, and not too bad detection rate) and Malwarebytes to help when users do not know how to uncheck for extra apps when installing software. I haven't seen other Thai yet except you. At least this vulnerability allow me to know someone in Thailand is also running Merlin firmware, I tried to spread my experience, but many people don't have supported firmware as AC68U is too expensive here, and AC56U is not imported to Thailand.
I think it should be in the system log as well. However, that is different case than what we faced. What that case was showing is that the attacker was trying to use known default user/pass sets to login to the router, but that won't get him/her into my router as I don't use default username or password.
This hack did get non-default login/passwords right, it seems. So that would also grant access to the UI of the router. But apparently that was not the intention of the hack.
ColinTaylor
Part of the Furniture
As I previously stated, what @bmi saw is not the same attack we are discussing here.
Xentrk
Part of the Furniture
A web search of "defcon 18 - craig heffner - how to hack millions of routers" will give you a link to a pdf and videos of a 35 minute presentation on this topic. It is a 2010 presentation and one would hope that manufacturers have plugged the DNS Rebinding security flaw by now. At the end, there are some tips to secure the router, which have all been written in the forum. One of the suggestions it to block incoming traffic from ISP ranges by creating a firewall rule. For example:
iptables -A INPUT -i eth0 -d 172.69.0.0/16 -j DROP
One would need to find out the IP block ranges used by their ISP for this to work. Is something like this recommended if we have all external connections turned off? Does the built in firewall take care of this?
iptables -A INPUT -i eth0 -d 172.69.0.0/16 -j DROP
One would need to find out the IP block ranges used by their ISP for this to work. Is something like this recommended if we have all external connections turned off? Does the built in firewall take care of this?
ColinTaylor
Part of the Furniture
No need. By default the router drops all unsolicited incoming packets..
dnsmasq fixed that a few years ago. Routers like Asuswrt are fine, however there are a number of manufacturers out there still running prehistoric versions of dnsmasq, and which are possibly still vulnerable.
Related to this perhaps?
https://w00tsec.blogspot.nl/2014/07/hacking-asus-rt-ac66u-and-preparing-for.html
May or may not be relevant.
A couple of weeks ago I noticed that the various lights on the router were pretty much constantly on. I do not believe this was normal. This occurs with only 1 PC not doing anything in particular and an Ooma VOIP box. I do not use the default user/psw. I really don't know about the settings under discussion being available to the web. But I believe I at least had it setup to allow a telnet connection.
A few days ago I tried to log into the router via the LAN. I kept getting back problem - try later messages. Tried several times. Then I was able to log in. My thought was "who knows why". However, when I tried to access it again, I was once again rejected. Many tries have not gotten me in. I was intending to install 380.6x at the time. My take on this was that maybe someone had taken over my router and was using it for spam or DDOS uses. I have seen information that this was a fairly wide spread activity in small local net connected devices (e.g., cameras and household devices). Either changing the user/psw or simply using all of the router resources could keep me out. I have not specifically noticed problems using the router. Sometimes there are rather long times for a web site to respond; but that is not unique.
As a result I want to clean everything out and do a fresh install of 380.64 to try to resolve this.
A couple of weeks ago I noticed that the various lights on the router were pretty much constantly on. I do not believe this was normal. This occurs with only 1 PC not doing anything in particular and an Ooma VOIP box. I do not use the default user/psw. I really don't know about the settings under discussion being available to the web. But I believe I at least had it setup to allow a telnet connection.
A few days ago I tried to log into the router via the LAN. I kept getting back problem - try later messages. Tried several times. Then I was able to log in. My thought was "who knows why". However, when I tried to access it again, I was once again rejected. Many tries have not gotten me in. I was intending to install 380.6x at the time. My take on this was that maybe someone had taken over my router and was using it for spam or DDOS uses. I have seen information that this was a fairly wide spread activity in small local net connected devices (e.g., cameras and household devices). Either changing the user/psw or simply using all of the router resources could keep me out. I have not specifically noticed problems using the router. Sometimes there are rather long times for a web site to respond; but that is not unique.
As a result I want to clean everything out and do a fresh install of 380.64 to try to resolve this.
blbeczech82
Occasional Visitor
Good post. One can learn a lot
Quite a recent verdict: https://www.ftc.gov/news-events/pre...rges-insecure-home-routers-cloud-services-put
sfx2000
Part of the Furniture
I took a look at RMerlin's current git repo - some good changes there that could help...
What I can say is that the http server itself is pretty brittle - I was able to break into an older non-RT-AC68 series one time - it was a one off, but during that session I was able to spelunk around inside the other nodes that were attached.
I've said this a couple of times earlier - and others have as well - do not expose the WebGUI to the WAN, folks are looking at it for other potential issues, but it's a big chunk of code that does a lot of different things, and it does it, by nature of configuring the device, with elevated privileges...
@RMerlin - saw your checkin here... I think this is a good change... but that's assuming 63 chari in ISO-Latin or UTF-8
Normally hostname is limited to 64 bytes for posix, the FQDN can be longer at 255 bytes - so dnsmasq should be able to handle it, but there's other items that might not...
What I can say is that the http server itself is pretty brittle - I was able to break into an older non-RT-AC68 series one time - it was a one off, but during that session I was able to spelunk around inside the other nodes that were attached.
I've said this a couple of times earlier - and others have as well - do not expose the WebGUI to the WAN, folks are looking at it for other potential issues, but it's a big chunk of code that does a lot of different things, and it does it, by nature of configuring the device, with elevated privileges...
@RMerlin - saw your checkin here... I think this is a good change... but that's assuming 63 chari in ISO-Latin or UTF-8
Normally hostname is limited to 64 bytes for posix, the FQDN can be longer at 255 bytes - so dnsmasq should be able to handle it, but there's other items that might not...
BTW
Try the AiCloud for a change. An even bigger door.
Similar threads
Similar threads
Similar threads
-
-
-
AX88U Pro (3004.388.5) suddenly rebooted mid-day. Last manual reboot was a few days ago.
- Started by theirongiant
- Replies: 0
-
Unable to add GT-AX11000 as an AiMesh node to GT-BE98 PRO router
- Started by emwgee
- Replies: 0
-
Why can't I associate my router with my iOS account in the app?
- Started by lenovomen
- Replies: 7
-
-
Accessing remotly Server While Using VPN on Asus Router with Merlin Firmware
- Started by psimaker
- Replies: 9
-
-
Latest (Oct 2024) "best" recommended router for Merlin?
- Started by sthornington
- Replies: 19