Was my router's username and password hacked?

I think this is a good change...

Actually, it's not. sizeof (char *) == 4... That commit is wrong.

but that's assuming 63 chars in ISO-Latin or UTF-8

That's not what this commit is for. That commit is merely to ensure that you don't overrun the 64-byte buffer on copy, something Asus failed to do, as they were blindly taking the hostname from dnsmasq's lease file and copying it to a static-sized buffer. Truncating a hostname to 63 characters (who the hell has a hostname THAT long anyway?) is perfectly fine, especially since this is strictly for display purposes on the webui.

Also, it's strictly a hostname, it's not a FQDN.
 
I once again checked log after intrusion:

Jan 5 12:12:26 dropbear[31873]: Password auth succeeded for 'username' from 46.32.205.52:34440
Jan 5 12:12:28 dropbear[31873]: User username executing '/sbin/ifconfig'
Jan 5 12:12:31 dropbear[31873]: User username executing 'cat /proc/meminfo'
Jan 5 12:12:32 dropbear[31873]: User username executing '2>/dev/null sh -c 'cat /lib/libdl.so* || cat /lib/librt.so* || cat /bin/cat || cat /sbin/ifconfig''
Jan 5 12:12:34 dropbear[31873]: User username executing 'cat /proc/version'
Jan 5 12:12:36 dropbear[31873]: User username executing 'uptime'
Jan 5 12:12:37 dropbear[31873]: User username executing '1>/dev/null 2>/dev/null /sbin/iptables -L -n && echo 1 || echo 0'
Jan 5 12:12:39 dropbear[31873]: User username executing '(python -V 2>/dev/null && echo python && python -V) || (/usr/local/bin/python -V 2>/dev/null && echo /usr/local/bin/python && /usr/local/bin/python -V)'
Jan 5 12:12:40 dropbear[31873]: Exit (username): Exited normally
Jan 5 12:17:43 dropbear[32694]: Password auth succeeded for 'username' from 197.50.148.112:56460
Jan 5 12:18:01 dropbear[32694]: Exit (username): Exited normally


They tried to do some operations with python, which is not installed on routers usually (the truth is that on my AC87U it was installed).
Anyway, this leads me to the opinion that it was a generic attack on Linux machines, not just wrt.
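As an added defender-side example (not from any poster in this thread), here is a small Python parser that rebuilds each dropbear session from lines like the ones above and flags password logins that arrived from outside the LAN. The sample log is constructed (the first two sessions mirror the quoted lines, the third is an invented key-based LAN login for contrast) and the LAN ranges are assumed to be the RFC 1918 blocks.

```python
import re
import ipaddress

# Constructed sample: the first two sessions mirror the dropbear lines quoted
# above; the third is an invented key-based login from the LAN, for contrast.
SAMPLE_LOG = """\
Jan 5 12:12:26 dropbear[31873]: Password auth succeeded for 'username' from 46.32.205.52:34440
Jan 5 12:12:28 dropbear[31873]: User username executing '/sbin/ifconfig'
Jan 5 12:12:31 dropbear[31873]: User username executing 'cat /proc/meminfo'
Jan 5 12:12:32 dropbear[31873]: User username executing '2>/dev/null sh -c 'cat /bin/cat''
Jan 5 12:12:40 dropbear[31873]: Exit (username): Exited normally
Jan 5 12:17:43 dropbear[32694]: Password auth succeeded for 'username' from 197.50.148.112:56460
Jan 5 12:18:01 dropbear[32694]: Exit (username): Exited normally
Jan 5 13:00:00 dropbear[40001]: Pubkey auth succeeded for 'admin' with key sha1!! 00:11 from 192.168.1.10:50000
Jan 5 13:00:05 dropbear[40001]: User admin executing 'uptime'
Jan 5 13:00:10 dropbear[40001]: Exit (admin): Exited normally
"""
AUTH = re.compile(r"dropbear\[(\d+)\]: (Password|Pubkey) auth succeeded for '([^']+)'.* from ([\d.]+):\d+")
EXEC = re.compile(r"dropbear\[(\d+)\]: User \S+ executing '(.*)'$")  # greedy: keeps nested quotes
EXIT = re.compile(r"dropbear\[(\d+)\]: Exit \(\S+\): (.*)$")
# Assumed LAN ranges (RFC 1918); adjust to the subnets the router actually serves.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sessions(log_text):
    """Group dropbear lines by PID into one record per SSH session."""
    sessions = {}
    for line in log_text.splitlines():
        m = AUTH.search(line)
        if m:
            pid, method, user, src = m.groups()
            sessions[int(pid)] = {"user": user, "method": method.lower(),
                                  "src": src, "commands": [], "exit": None}
            continue
        m = EXEC.search(line)
        if m and int(m.group(1)) in sessions:
            sessions[int(m.group(1))]["commands"].append(m.group(2))
            continue
        m = EXIT.search(line)
        if m and int(m.group(1)) in sessions:
            sessions[int(m.group(1))]["exit"] = m.group(2)
    return sessions


def flag_sessions(sessions, lan_nets=LAN_NETS):
    """PIDs of password logins from outside the LAN, the pattern seen in the thread."""
    flagged = []
    for pid, s in sorted(sessions.items()):
        addr = ipaddress.ip_address(s["src"])
        if s["method"] == "password" and not any(addr in n for n in lan_nets):
            flagged.append(pid)
    return flagged
```

Run it over a real /tmp/syslog.log and every flagged PID is a WAN-side password login whose command list you can review line by line.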
 
...
They tried to do some operations with python, which is not installed on routers usually (the truth is that on my AC87U it was installed).
Anyway, this leads me to the opinion that it was a generic attack on Linux machines, not just wrt.

Yeah, but most have said that the non-standard httpd was the exploited service, which isn't found in generic Linux installs, unless they exploited some code that was inherited from the upstream httpd (lighttpd?).

It'd be rather embarrassing if some generic web-scraper was able to steal the username/passwords without needing to exploit the httpd beforehand...
 
Maybe I missed the answer, but I would like to know this too: is that safe (enough)?

Yeah. The problem in this thread seems to be that people exposed the httpd GUI to the WAN.
 
Indirectly related.

I have ssh access via the WAN enabled but have disabled password login (I use keys). I've also enabled brute force protection and changed the default login name from 'admin'. I then use port forwards etc. as a SOCKS5 proxy and others.

Is this considered safe? Should I look at setting up a VPN server? I'm much more familiar with ssh.

Another question. Is dropbear considered safe enough? Should I be using openssh-server (via Entware) instead?

Thanks :)

Edit: I have disabled telnet and web access from WAN.
No. It's rather stupid to allow any access to your router from a remote source unless it is through the VPN. There should be no need to access SSH or the web interface from anywhere other than the network it is routing.

I'm sorry. The insane stupidity of opening SSH and HTTP/HTTPS to the WAN interface on the router makes me throw up a little.
 
And in general?

(I see several smart people recommending turning off all WAN access, so also key only?)

One should never state that things are invulnerable, but limiting services exposed to the WAN is always a smart idea, especially for services that run on the very box that protects the network - that's what makes this potential bug very scary - as once they're in, they have a level of trusted access to the entire LAN...

That's why the black hats are going hard at routers and gateways these days - desktops are getting much better about security - yes, even Windows for that matter.
 
They tried to do some operations with python, which is not installed on routers usually (the truth is that on my AC87U it was installed).
Anyway, this leads me to the opinion that it was a generic attack on Linux machines, not just wrt.

This looks like reconnaissance rather than an outright attack. The python -V looks like just a version (or testing for existence of Python). Looks to me like the use case is "What are you running" and "Where can you go".
 
Just a bit of data as an FYI.....I turned on dropped packet logging for about two hours and got the following (pity those that have telnet exposed)...
[Attached image: droplog.png]
 
Just a bit of data as an FYI.....I turned on dropped packet logging for about two hours and got the following (pity those that have telnet exposed)...

It is much more fun if you configure the OpenVPN server to listen on TCP 443. This is my configuration as I am a road warrior traveling a lot in countries that try to filter Internet, so sometimes the OpenVPN on TCP 443 is the only possible configuration. I have about 20+ of these every day:

Jan 9 17:25:56 openvpn[408]: 184.105.247.194:27056 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1594 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 9 17:25:56 openvpn[408]: 184.105.247.194:27056 Connection reset, restarting [0]
Jan 9 17:25:56 openvpn[408]: 184.105.247.194:27056 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
I've started seeing what looks like attacks on OpenVPN. The following is just a small portion of what appeared to be a 3-minute continuous attack. Are there any known issues with OpenVPN?

Jan 12 18:59:30 openvpn[1141]: TCP connection established with [AF_INET]208.100.26.229:35769
Jan 12 18:59:30 openvpn[1141]: 208.100.26.229:35769 TCP connection established with [AF_INET]208.100.26.229:438
Jan 12 18:59:30 openvpn[1141]: 208.100.26.229:438 WARNING: Bad encapsulated packet length from peer (32768), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 12 18:59:30 openvpn[1141]: 208.100.26.229:438 Connection reset, restarting [0]
Jan 12 18:59:30 openvpn[1141]: 208.100.26.229:438 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jan 12 18:59:35 openvpn[1141]: 208.100.26.229:35769 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 12 18:59:35 openvpn[1141]: 208.100.26.229:35769 Connection reset, restarting [0]
Jan 12 18:59:35 openvpn[1141]: 208.100.26.229:35769 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
Are there any known issues with OpenVPN?

None that I know of. Note that if you have OpenVPN listening to a well-known port (such as 443), you will get a bunch of bogus connection attempts from worms trying to exploit the service that usually sits on that port.

This is just normal background Internet noise.
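An added example (not from any poster here) that backs up the "background noise" reading: in TCP mode OpenVPN reads a 2-byte big-endian length prefix from every peer, so the rejected length in these warnings is just the first two bytes a non-OpenVPN client sent, and decoding them shows what the scanner was actually speaking. The sample lines are constructed from the three warnings quoted above; the HTTP/TLS byte-prefix tables are my own classification, not anything OpenVPN does.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the three warning lines quoted in the thread.
SAMPLE_LOG = """\
Jan 9 17:25:56 openvpn[408]: 184.105.247.194:27056 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1594 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 12 18:59:30 openvpn[1141]: 208.100.26.229:438 WARNING: Bad encapsulated packet length from peer (32768), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 12 18:59:35 openvpn[1141]: 208.100.26.229:35769 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
"""

BAD_LEN = re.compile(r"openvpn\[\d+\]: ([\d.]+):\d+ WARNING: Bad encapsulated packet length from peer \((\d+)\)")

# First two bytes of common plaintext HTTP requests; a scanner that thinks it
# found a web server on 443 sends these without any TLS handshake.
HTTP_PREFIXES = {b"GE": "HTTP GET", b"PO": "HTTP POST", b"HE": "HTTP HEAD",
                 b"OP": "HTTP OPTIONS", b"PU": "HTTP PUT"}


def classify_length(length):
    """Read the rejected 16-bit length back as the two bytes the peer actually sent."""
    first, second = divmod(length, 256)  # big-endian prefix -> (high byte, low byte)
    # TLS record: content type 0x14-0x17 followed by major version 0x03
    if 0x14 <= first <= 0x17 and second == 0x03:
        return "TLS record header (an HTTPS client, not an OpenVPN client)"
    name = HTTP_PREFIXES.get(bytes([first, second]))
    if name:
        return "%s request (plain HTTP aimed at the VPN port)" % name
    return "unrecognised bytes %02x %02x" % (first, second)


def summarise(log_text):
    """Map each peer address to what its bad-length probes look like."""
    peers = defaultdict(list)
    for line in log_text.splitlines():
        m = BAD_LEN.search(line)
        if m:
            peers[m.group(1)].append(classify_length(int(m.group(2))))
    return dict(peers)
```

For the quoted lines this yields a TLS ClientHello (5635 = 0x16 0x03), a plain "GET" (18245 = 0x47 0x45) and one unrecognised probe, i.e. port-443 scanners talking HTTPS/HTTP at a socket that only understands OpenVPN.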
 
Hi Guys,

I run 380.64 on AC5300 and Merlin for the last 2 years, but I'm a newb on networking logs. Can someone list exactly where everything is that should be off? Besides setting up SSID, passwords and changing DNS to google plus specifying channels, that's all I do. Where exactly do I turn off all this access to WAN? Or are they off by default in 380.64?

Help an idiot out...please give pathways where to turn off each option - I read 12 pages and can't find it.

Thanks !
 
Hi Guys,

I run 380.64 on AC5300 and Merlin for the last 2 years, but I'm a newb on networking logs. Can someone list exactly where everything is that should be off? Besides setting up SSID, passwords and changing DNS to google plus specifying channels, that's all I do. Where exactly do I turn off all this access to WAN? Or are they off by default in 380.64?

Help an idiot out...please give pathways where to turn off each option - I read 12 pages and can't find it.

Thanks !
It's set to be off by default, but if you want to check, go to Administrator->System->Enable Access from WAN, change to "no" then apply. Since you are using Google DNS, you can turn on DNSSEC in LAN-> DHCP server-> Enable DNSSEC support-> yes->apply. If you are using AiProtection, you can use it to help secure your router by going to AiProtection->Network Protection->Router Security Assessment->Scan, and it should tell you what you can do to secure your router, and by clicking at each, it might redirect you to the specific setting.
 
None that I know of. Note that if you have OpenVPN listening to a well-known port (such as 443), you will get a bunch of bogus connection attempts from worms trying to exploit the service that usually sits on that port.

yep - and if one does UDP - then the noise goes away...

Port Scanners love TCP, they do not like to spend time looking for UDP...
 
Just a bit of data as an FYI.....I turned on dropped packet logging for about two hours and got the following (pity those that have telnet exposed)...

I wish I were so lucky ;)

Maybe it's the network I'm on...

Remember - NAT is an absolute firewall for inbound traffic if no ports are open to the WAN...
 
