To start, I don't know much about networking, so please dumb your responses down for me ha ha
I have an RT-AC68U router connected to CM1000 modem and 250Mbps service.
BACKGROUND INFO (feel free to skim, as it's wordy)
The hardware is somewhat new (6-9 months); I installed it when I moved in (my fiance's house) to replace the crappy 2-in-1 modem provided by Comcast. When I installed the new hardware, I did NOT change the SSIDs or passwords. My fiance had previously had roommates, one of whom later moved a couple doors down, and they would obviously still know these credentials.
I discovered a few weeks ago that several devices had been accessing the networks without authorization. Some were quite obvious, in that they literally were named after her old roommate (Stephanie_AppleTV or some shit). Others were not so obvious. So I set out to discover all the devices by matching MAC addresses on all devices in our house to those in the Asus client list. One device in particular that I could not match was coming up as "Hon Hei" from Foxconn, but I initially mistook it for the moca adapter for my DirecTV.
After disconnecting DirecTV, I noticed the "Hon Hei" device was still showing up in the 5GHz client list (should have been LAN anyway if it was moca). That's when I realized you can hover over the Foxconn icon in the Asus UI and it gives you a model number. A quick Google turned up a streaming device by Netgear similar to a Roku. We own no such devices. The only streaming devices we own are Chromecasts, all of which had already been accounted for by MAC address in the client lists. Additionally, this device was using GBs of data up & down. Traffic analysis was showing usage was heavy with Netflix, Amazon video, and general http/https, but there was also Sony Playstation network (which neither of us have).
So on that, I changed the passwords of both networks and turned on some security settings in the router. One setting I turned on was the WAN remote access, which I'm guessing is likely the cause of the problem I have now.
/BACKGROUND INFO
So last night my fiance texts me that the internet is down. I run through the usual diagnostics via text. She says Comcast has an outage, so I think nothing of it. This morning it's still out with no outage listed. So I manage to get into the router (takes multiple tries), and I see all this in the sys log. Note the odd dates and mention of BusyBox? in particular. I'm probably going to embarrass myself here, but I remember hearing the name BusyBox from the days of rooting phones lol. So did someone get into my router?
Sys Log (Drive link due to size):
Also, I noticed there were 3 ports forwarded on the router. I know not to forward ports, though I don't know if this was done automatically by the WAN settings.
I've already factory reset the router, but I didn't have time to set it back up. My fiance is working from home today too unfortunately. She's just using our Verizon hotspot for internet access until I can get it back up and running.
So does this look like my router was compromised? I def won't be using that WAN setting in the future anyway, as I'm building a custom surveillance PC that will need VPN for remote access. So I'll be utilizing the router's built-in VPN service this time around.
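The MAC-matching the post describes doing by hand (compare every device physically in the house against the router's client list, then look at the vendor prefix of whatever is left over) can be scripted. This is an added example, not from the original post or from Asus; the client list, inventory and OUI table are all constructed, and the OUI prefixes are hypothetical placeholders rather than real registry entries.

```python
# Added example (not from the original post): reconcile a router's wireless
# client list against an inventory of the household's devices and report
# whatever is unaccounted for, with a vendor guess from the MAC's OUI.
# All data is constructed; OUI_VENDORS is a hypothetical stand-in for a real
# IEEE OUI lookup, not actual registry entries.

# Constructed client list as a router UI might export it: MAC,name,band.
CLIENT_LIST = """\
AA:BB:CC:11:22:33,Living-Room-Chromecast,5GHz
AA:BB:CC:44:55:66,Bedroom-Chromecast,2.4GHz
DE:AD:BE:EF:00:01,Stephanie_AppleTV,5GHz
01:23:45:AB:CD:EF,,5GHz
"""

# Constructed inventory of devices physically in the house (mixed separators on purpose).
KNOWN_MACS = {"aa:bb:cc:11:22:33", "AA-BB-CC-44-55-66"}

# Hypothetical OUI -> vendor table (placeholder prefixes, not real OUIs).
OUI_VENDORS = {"aa:bb:cc": "Example Cast Vendor",
               "de:ad:be": "Example TV Vendor",
               "01:23:45": "Example Streaming-Box Vendor"}

def normalize(mac: str) -> str:
    """Lower-case, colon-separated form so UI and label entries compare equal."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vendor_for(mac: str) -> str:
    """Look up the first three octets (the OUI) in the vendor table."""
    return OUI_VENDORS.get(normalize(mac)[:8], "unknown vendor")

def find_unknown(client_csv: str, known: set) -> list:
    """Return (mac, name, band, vendor) for clients not in the inventory."""
    known_norm = {normalize(k) for k in known}
    unknown = []
    for line in client_csv.splitlines():
        if not line.strip():
            continue
        raw_mac, name, band = line.split(",")
        mac = normalize(raw_mac)
        if mac not in known_norm:
            unknown.append((mac, name or "(no hostname)", band, vendor_for(mac)))
    return unknown

if __name__ == "__main__":
    for mac, name, band, vendor in find_unknown(CLIENT_LIST, KNOWN_MACS):
        print(f"UNKNOWN {mac} {name} on {band}: {vendor}")
```

A device that shows up here with no hostname and a vendor you don't own is the kind of entry worth chasing down before changing the Wi-Fi passphrase.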