RT-AC68U: No internet, suspect sys log, and persistent unauthorized client

Discussion in 'Networking & Security' started by fatryan, Mar 28, 2019.

  1. fatryan

    fatryan [H]ard|Gawd

    Feb 19, 2004
    To start, I don't know much about networking, so please dumb your responses down for me ha ha

    I have an RT-AC68U router connected to CM1000 modem and 250Mbps service.

    BACKGROUND INFO (feel free to skim, as its wordy)
    The hardware is somewhat new (6-9 months); I installed it when I moved in (my fiance's house) to replace the crappy 2-in-1 modem provided by Comcast. When I installed the new hardware, I did NOT change the SSIDs or passwords. My fiance had previous had roommates, one of which later moved a couple doors down, and they would obviously still know these credentials.

    I discovered a few weeks ago that several devices had been accessing the networks without authorization. Some were quite obvious, in that they literally were named after her old roommate (Stephanie_AppleTV or some shit). Others were not so obvious. So I set out to discover all the devices by matching MAC addresses on all devices in our house to that in the Asus client list. One device in particular that I could not match was coming up as "Hon Hei" from Foxconn, but I initially mistook it for the moca adapter for my DirecTV.

    After disconnecting DirecTV, I noticed the "Hon Hei" device was still showing up in the 5GHz client list (should have been LAN anyway if it was moca). That's when I realized you can hover over the Foxconn icon in the Asus UI and it gives you a model number. A quick Google turned up a streaming device by Netgear similar to a Roku. We own no such devices. The only streaming devices we own are Chromecasts, all of which had already been accounted for by MAC address in the client lists. Additionally, this device was using GBs of data up & down. Traffic analysis was showing usage was heavy with Netflix, Amazon video, and general http/https, but there was also Sony Playstation network (which neither of us have).

    So on that, I changed the passwords of both networks and turned on some security settings in the router. One setting I turned on was the WAN remote access, which I'm guessing is likely the cause of the problem I have now.

    So last night my fiance texts me that the internet is down. I run through the usual diagnostics via text. She says Comcast has an outage, so I think nothing of it. This morning it's still out with no outage listed. So I manage to get into the router (takes multiple tries), and I see all this in the sys log. Note the odd dates and mention of BusyBox? in particular. I'm probably going to embarrass myself here, but I remember hearing the name BusyBox from the days of rooting phones lol. So did someone get into my router?

    Sys Log (Drive link due to size):

    Also, I noticed there were 3 ports forwarded on the router. I know not to forward ports, though I don't know if this was done automatically by the WAN settings.

    I've already factory reset the router, but I didn't have time to reset it back up. My fiance is working from home today too unfortunately. She's just using our Verizon hotspot for internet access until I can get it back up and running.

    So does this look like my router was compromised? I def won't be using that WAN setting in the future anyway, as I'm building a custom surveillance PC that will need VPN for remote access. So I'll be utilizing the router's built-in VPN service this time around.
  2. Biznatch

    Biznatch 2[H]4U

    Nov 16, 2009
    Never turn on remote access from WAN.... That should only be allowed from the internal network (or vpn). But those logs show on 2 interfaces, so that's not coming from the outside or it would only be the WAN interface.

    There was some kind of vulnerability recently with a bunch of routers, but it was a pretty specific list. You can check to see if your model is included on that list, then see if there are steps required to remove.

    BUT, I would just flash it with DD-WRT and call it a day. I have the same router at home, and that was the first thing I did when I opened it. I've run dd-wrt for years on quite a few different devices and it's always been MUCH more stable than any buggy/insecure garbage released from OEM.
  3. fatryan

    fatryan [H]ard|Gawd

    Feb 19, 2004
    Well hindsight is 20/20. Like I said, I don't know much about networking, so I'd assumed a juggernaut like Asus wouldn't be foolish enough to offer their own remote access to their routers without providing some kind of security. Clearly I was way wrong on that.

    Can you please explain what you mean by "...But those logs show on 2 interfaces, so that's not coming from the outside or it would only be the WAN interface."

    IIRC, doesn't DD-WRT void the warranty? Not sure what the warranty even is on these, but given that it's Asus it might actually be decent. Also, is DD-WRT beginner friendly, cause again, I really don't know much about this stuff. I absolutely love the layout of the Asus UI. But if it's got security vulnerabilities as you say, that concerns me a lot.
  4. tporter

    tporter [H]Lite

    Mar 7, 2013
    Eth1/2 should be the wireless 2.4/5ghz radios and those entries are wireless clients constantly connecting and disconnecting... either they have poor signal strength or it's the recent Asus firmware bug where wireless clients can somehow connect enough to get dhcp. Not sure the details on the bug since I use and swear by tomato firmware on Asus devices.
  5. Ultima99

    Ultima99 [H]ardness Supreme

    Jul 31, 2004
    I'm curious to know what the outcome of this was. Still having issues?
  6. TheSlySyl

    TheSlySyl n00b

    May 30, 2018
    If you haven't flashed MERLIN firmware, i suggest doing that. Made my RT-AC68u far, far more stable and generally awesome.