Asus RT-AC66U DNS hacking

Discussion in 'Routers' started by Mpuk7, Mar 11, 2018.

  1. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Hi all,
    I'm hoping I might be able to get advice on this please.
    I have an Asus RT-AC66U I bought 2nd hand in January and twice now I have discovered the DNS has been manually added after I set it as automatic.
    The router logs indicate something happening at around 5am when I would have been fast asleep.
    I've looked into various DNS changer type hacks and run scans for malware etc. No PCs would be on at that time, possibly mobile phones if anything.
    I have the latest stock Asus firmware installed, a long complex password on the router as well as default user id changed. Web access is allowed and I use the Asus android app. I can't figure out where this is happening or if this is a new security exploit even?
    The new fake DNS is different both times but still the same provider in the Netherlands.
    I can supply router logs or the IP if interested.
    I tried Asus support but they were immensely useless and sent a standard unhelpful reply. I'm thinking about going to Merlin instead now. Does that work with the Android app at all, or is there an alternative?
     
    Last edited: Mar 11, 2018
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,494
    Location:
    UK
    If you post a link to the complete syslog we can have a look.
     
  4. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Hi ColinTaylor,
    No worries, have attached the file to this post.
    I edited out IP addresses for my own connection but to confirm the two changes seemed to have been on:
    Feb 24th @ 0524hrs
    March 11th @ 0458hrs
    Please also ignore the failed logins showing for around 9am today (11th) as that was me using the incorrect case for the username in a panic to restore it to automatic DNS before any damage occurred.
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,494
    Location:
    UK
    Unfortunately there aren't any messages regarding DNS in the log :(. Looks like they're being suppressed. Are there any options on the router to increase the logging level?

    Regarding the events on the 24th and 11th; it looks like they were caused by your WAN connection going down. My guess is that your ISP did some maintenance at that time. That shouldn't change your router's DNS settings though.

    To clarify; you're saying that "WAN - Internet Connection" > "Connect to DNS Server automatically" was previously set to "Yes" but was changed to "No"? What were the new DNS IP addresses?
     
    Mpuk7 likes this.
  6. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,225
    Location:
    United States
    It looks like you were actually hacked on Feb 15 and Mar 7, and they came back later to cause trouble.
    My best assessment is that this may be an exploit of CVE-2018-5721, but I can't find an official ASUS OEM release for the AC66 that contains the fix. Merlin release 380.69 does pick up the fix, and I'd recommend you update to that release to rule things out. I would do a factory reset and reconfigure manually, make sure you do not have WAN access enabled, and change your router password.
     
    Mpuk7 likes this.
  7. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Many thanks both, the last time it was set to 185.117.75.242 and 8.8.8.8 in the DNS; this time it was a different IP. I did report that initial IP to the abuse e-mail and Action Fraud in the UK. When I tested making that my primary DNS and tried pinging www.ebay.co.uk, for example, it came back with IPs in the same range, so I dread to think what sites were being redirected by it.
    I have attached a screenshot of the DNS settings as shown this morning. The new primary DNS was set to 185.183.96.174 with 8.8.8.8 again for secondary, as I think is normal for DNS hacks?
    That would make sense about the connection going down to maintenance by the ISP.
    Thanks for the info on CVE-2018-5721 john9527 and the hack dates, I'll transition over to Merlin asap.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,494
    Location:
    UK
    Same thing reported here and here (unless that's you as well).

    I take it you are in the UK. Who is your ISP?
     
    Mpuk7 likes this.
  9. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    The second one was me, interesting reading the first one. Yes, in the UK with Virginmedia.
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,089
    Location:
    Canada
    Disable that. Every few months Asus fixes newly discovered security exploits related to the built-in web server. That code is simply not reliable enough to be exposed to the Internet.
     
    loftshed and Mpuk7 like this.
  11. coxhaus

    coxhaus Very Senior Member

    Joined:
    Oct 7, 2010
    Messages:
    1,991
    Location:
    texas
    I don't know how you guys do ACL access lists, but you need to block all DNS access except to the ones you want. That way, if you are hacked, their DNS will fail immediately because it is blocked by the firewall, and none of your machines will be compromised. The only cure for a bad DNS is to reinstall all devices.
     
    Mpuk7 likes this.
  12. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Many thanks RMerlin, am I safe to enable web access with your firmware as it looks like a much better option than the Asus stock one or is web access too risky generally?
     
  13. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Good point. I did consider means of blocking any IPs owned by that one company or something, as it seems to direct websites to IPs owned by Host Sailor Ltd.
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,494
    Location:
    UK
    Asuswrt doesn't have ACLs, it's a consumer device.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,089
    Location:
    Canada
    No, it's the same httpd code as Asus. While I might have fixed a few extra buffer overrun issues, the whole code is still not something I would trust in the open. I recommend using a VPN tunnel for remote management.
     
    Mpuk7 likes this.
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,089
    Location:
    Canada
    Could be done manually through iptables most likely, a bit similar to how DNSFilter works, except instead of rerouting, you'd just be allowing outbound connections to port 53 of your desired DNS, followed by a rule dropping all outbound port 53 access.
     
    Mpuk7 likes this.
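    The DNS egress allow-list that coxhaus (post 11) and RMerlin (post 16) describe, written out as an added example rather than anything posted in this thread or shipped in Asuswrt or Asuswrt-Merlin. It generates the iptables commands so they can be reviewed before being run. Assumptions not taken from the thread: the LAN bridge is br0, the dedicated chain is called DNS_EGRESS, the resolver list (1.1.1.1 and 9.9.9.9 by default) is chosen by the administrator, and the script runs under the router's busybox sh as root.

```shell
#!/bin/sh
# Added example: permit outbound DNS (udp/tcp 53) only to an explicit list of
# resolvers and drop everything else, as described in the thread above.
# Assumptions (not from the thread): LAN bridge br0, chain name DNS_EGRESS,
# busybox sh, iptables present. Nothing here is Asuswrt's own code.

CHAIN="DNS_EGRESS"

# dns_egress_rules LAN_IF "ip ip ..." -> prints the iptables commands, one per line.
# Returns 1 (and prints nothing) if no resolvers are given, so an empty list can
# never turn into a rule set that drops all DNS.
dns_egress_rules() {
    lan_if="$1"
    resolvers="$2"
    [ -n "$resolvers" ] || { echo "dns_egress_rules: no resolvers given" >&2; return 1; }

    # Dedicated chain: create it if missing, then flush so the script can be re-run.
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"

    # Allow-list first. Both transports: large answers and retries fall back to TCP.
    for r in $resolvers; do
        for proto in udp tcp; do
            printf 'iptables -A %s -p %s -d %s --dport 53 -j ACCEPT\n' "$CHAIN" "$proto" "$r"
        done
    done
    # Last rules in the chain: log, then drop, any port-53 traffic to another server.
    # A hijacked DNS setting therefore fails closed and shows up in the syslog.
    printf 'iptables -A %s -j LOG --log-prefix "DNS_EGRESS drop: "\n' "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"

    # Hook the chain in twice. FORWARD covers LAN clients talking to resolvers
    # directly; OUTPUT covers the router's own dnsmasq forwarding to whatever its
    # WAN DNS setting says (the setting that was changed in this thread).
    # -I puts the jump ahead of the firmware's own ACCEPT rules; the -D first
    # removes an earlier copy so repeated runs do not stack duplicate jumps.
    for proto in udp tcp; do
        printf 'iptables -D FORWARD -i %s -p %s --dport 53 -j %s 2>/dev/null\n' "$lan_if" "$proto" "$CHAIN"
        printf 'iptables -I FORWARD -i %s -p %s --dport 53 -j %s\n' "$lan_if" "$proto" "$CHAIN"
        printf 'iptables -D OUTPUT -p %s --dport 53 -j %s 2>/dev/null\n' "$proto" "$CHAIN"
        printf 'iptables -I OUTPUT -p %s --dport 53 -j %s\n' "$proto" "$CHAIN"
    done
}

# dns_egress_apply LAN_IF "ip ip ..." -> executes the generated rules (root + iptables).
dns_egress_apply() {
    dns_egress_rules "$1" "$2" | sh
}

# Stand-alone use: print the rule set for review; pipe through sh, or call
# dns_egress_apply, once you are happy with it.
dns_egress_rules "${LAN_IF:-br0}" "${DNS_RESOLVERS:-1.1.1.1 9.9.9.9}"
```

    Because the OUTPUT hook also constrains the router's own dnsmasq, the allow-list has to contain the resolvers the router actually forwards to: either set them manually on the WAN page or include the ISP-assigned ones. If the DNS setting is changed again, the router's lookups fail instead of silently going to the rogue server, and the LOG rule leaves a trace of the attempted destination in the syslog.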
  17. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    That's great, thanks. I'll get the VPN option set up.
     
  18. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Sorry, can I just ask on the best VPN to use as I can see PPTP and OpenVPN and would like to set up with the built in VPN on my Android phone. Is there a guide for the best and most secure setup that anyone can suggest at all please?
     
  19. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,494
    Location:
    UK
    100% OpenVPN. PPTP is regarded as insecure nowadays.
     
    Mpuk7 likes this.
  20. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Sorry just before I transition over to Merlin, am I ok to do the factory reset via the router web interface or does it need to be the reset button?
     
  21. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,225
    Location:
    United States
    The factory reset is done after the new firmware is loaded. My favorite reset method is via the WPS button.
    Hold in the WPS button while powering on the router. After about 10 secs the power led will start a 'fast' blink. Release the WPS button and the router will reboot having been reset.
     
    Mpuk7 likes this.