USB Exploit on Asus, Linksys, and other Brand Routers

Discussion in 'PC Hardware' started by J0hnBlaze, Feb 23, 2014.

  1. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    #1 J0hnBlaze, Feb 23, 2014
    Last edited: Feb 23, 2014
    Hey All,

    I previously posted on Daz's Loader troubleshooting thread about this issue. There has been a relatively quiet news release regarding ASUS routers, Linksys, and other lesser-known brand-name routers that were hacked via an exploit in the USB port. I have a text file with the logs. Check your router model and see if you were affected. I am running the Merlin build for the ASUS RT-N66R and was affected by this. Maybe this will help you all, but some funny prick at midnight decided to release this. The Merlin build I was running was 3.0.0.4.374_35_4. I had DHCP disabled, UPnP disabled, no DLNA, no media streaming. I had a Samba setup with a 2TB Seagate Backup Plus drive that was affected. IP filters were for MAC addresses only, and the DHCP pool was set to a range of only 10 IP addresses: 8 for my devices and 2 open for additional allocation if/when I needed to add one and if/when settings accidentally re-instated DHCP. Hope this helps some of you. *note* It may be a gross overestimation that you are affected by the same thing I was o_O j/k j/k

    Jan 1 00:00:09 syslogd started: BusyBox v1.20.2
    Jan 1 00:00:09 kernel: klogd started: BusyBox v1.20.2 (2013-11-30 18:02:35 EST)
    Jan 1 00:00:09 kernel: Linux version 2.6.22.19 (root@asus) (gcc version 4.2.4) #1 Sat Nov 30 18:05:26 EST 2013
    Jan 1 00:00:09 kernel: CPU revision is: 00019749
    Jan 1 00:00:09 kernel: Determined physical RAM map:
    Jan 1 00:00:09 kernel: memory: 07fff000 @ 00000000 (usable)
    Jan 1 00:00:09 kernel: memory: 08000000 @ 87fff000 (usable)
    Jan 1 00:00:09 kernel: Built 1 zonelists. Total pages: 585216
    Jan 1 00:00:09 kernel: Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
    Jan 1 00:00:09 kernel: Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
    Jan 1 00:00:09 kernel: Primary data cache 32kB, 4-way, linesize 32 bytes.
    Jan 1 00:00:09 kernel: Synthesized TLB refill handler (20 instructions).
    Jan 1 00:00:09 syslog: module ledtrig-usbdev not found in modules.dep
    Jan 1 00:00:09 syslog: module leds-usb not found in modules.dep
    Jan 1 00:00:09 kernel: Synthesized TLB load handler fastpath (32 instructions).
    Jan 1 00:00:09 kernel: Synthesized TLB store handler fastpath (32 instructions).
    Jan 1 00:00:09 kernel: Synthesized TLB modify handler fastpath (31 instructions).
    Jan 1 00:00:09 kernel: PID hash table entries: 2048 (order: 11, 8192 bytes)
    Jan 1 00:00:09 kernel: CPU: BCM5300 rev 1 pkg 0 at 600 MHz
    Jan 1 00:00:09 kernel: Using 300.000 MHz high precision timer.
    Jan 1 00:00:09 kernel: console [ttyS0] enabled
    Jan 1 00:00:09 kernel: Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
    Jan 1 00:00:09 kernel: Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
    Jan 1 00:00:09 kernel: Memory: 238608k/131068k available (2564k kernel code, 22616k reserved, 515k data, 196k init, 131072k highmem)
    Jan 1 00:00:09 kernel: Mount-cache hash table entries: 512
    Jan 1 00:00:09 kernel: NET: Registered protocol family 16
    Jan 1 00:00:09 kernel: PCI: Initializing host
    Jan 1 00:00:09 kernel: PCI: Reset RC
    Jan 1 00:00:09 kernel: PCI: Initializing host
    Jan 1 00:00:09 kernel: PCI: Reset RC
    Jan 1 00:00:09 kernel: PCI: Fixing up bus 0
    Jan 1 00:00:09 kernel: PCI/PCIe coreunit 0 is set to bus 1.
    Jan 1 00:00:09 kernel: PCI: Fixing up bridge
    Jan 1 00:00:09 kernel: PCI: Fixing up bridge
    Jan 1 00:00:09 kernel: PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
    Jan 1 00:00:10 kernel: PCI: Fixing up bus 1
    Jan 1 00:00:10 kernel: PCI/PCIe coreunit 1 is set to bus 2.
    Jan 1 00:00:10 kernel: PCI: Fixing up bridge
    Jan 1 00:00:10 kernel: PCI: Fixing up bridge
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:00.1 (0004 -> 0006)
    Jan 1 00:00:10 kernel: PCI: Fixing up bus 2
    Jan 1 00:00:10 kernel: NET: Registered protocol family 2
    Jan 1 00:00:10 kernel: Time: MIPS clocksource has been installed.
    Jan 1 00:00:10 kernel: IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
    Jan 1 00:00:10 kernel: TCP established hash table entries: 16384 (order: 5, 131072 bytes)
    Jan 1 00:00:10 kernel: TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
    Jan 1 00:00:10 kernel: TCP: Hash tables configured (established 16384 bind 16384)
    Jan 1 00:00:10 kernel: TCP reno registered
    Jan 1 00:00:10 kernel: highmem bounce pool size: 64 pages
    Jan 1 00:00:10 kernel: squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
    Jan 1 00:00:10 kernel: io scheduler noop registered (default)
    Jan 1 00:00:10 kernel: HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
    Jan 1 00:00:10 kernel: N_HDLC line discipline registered.
    Jan 1 00:00:10 kernel: Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
    Jan 1 00:00:10 kernel: serial8250: ttyS0 at MMIO 0xb8000300 (irq = 8) is a 16550A
    Jan 1 00:00:10 kernel: serial8250: ttyS1 at MMIO 0xb8000400 (irq = 8) is a 16550A
    Jan 1 00:00:10 kernel: PPP generic driver version 2.4.2
    Jan 1 00:00:10 kernel: MPPE/MPPC encryption/compression module registered
    Jan 1 00:00:10 kernel: NET: Registered protocol family 24
    Jan 1 00:00:10 kernel: PPPoL2TP kernel driver, V0.18.3
    Jan 1 00:00:10 kernel: PPTP driver version 0.8.5
    Jan 1 00:00:10 kernel: Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
    Jan 1 00:00:10 kernel: Amd/Fujitsu Extended Query Table at 0x0040
    Jan 1 00:00:10 kernel: Physically mapped flash: CFI does not contain boot bank location. Assuming top.
    Jan 1 00:00:10 kernel: number of CFI chips: 1
    Jan 1 00:00:10 kernel: cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
    Jan 1 00:00:10 kernel: Flash device: 0x2000000 at 0x1c000000
    Jan 1 00:00:10 kernel: Creating 5 MTD partitions on "Physically mapped flash":
    Jan 1 00:00:10 kernel: 0x00000000-0x00040000 : "pmon"
    Jan 1 00:00:10 kernel: 0x00040000-0x01fe0000 : "linux"
    Jan 1 00:00:10 kernel: 0x00174b0c-0x019e0000 : "rootfs"
    Jan 1 00:00:10 kernel: 0x01fe0000-0x02000000 : "nvram"
    Jan 1 00:00:10 kernel: 0x019e0000-0x01fe0000 : "jffs2"
    Jan 1 00:00:10 kernel: Found an serial flash with 0 0KB blocks; total size 0MB
    Jan 1 00:00:10 kernel: sflash: found no supported devices
    Jan 1 00:00:10 kernel: dev_nvram_init: _nvram_init
    Jan 1 00:00:10 kernel: _nvram_init: allocat size= 65536
    Jan 1 00:00:10 kernel: sdhci: Secure Digital Host Controller Interface driver
    Jan 1 00:00:10 kernel: sdhci: Copyright(c) Pierre Ossman
    Jan 1 00:00:10 kernel: u32 classifier
    Jan 1 00:00:10 kernel: OLD policer on
    Jan 1 00:00:10 kernel: Netfilter messages via NETLINK v0.30.
    Jan 1 00:00:10 kernel: nf_conntrack version 0.5.0 (2048 buckets, 16384 max)
    Jan 1 00:00:10 kernel: ipt_time loading
    Jan 1 00:00:10 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
    Jan 1 00:00:10 kernel: net/ipv4/netfilter/tomato_ct.c [Nov 30 2013 18:04:45]
    Jan 1 00:00:10 kernel: ipt_account 0.1.21 : Piotr Gasidlo <quaker@barbara.eu.org>, h**pcode.google.com/p/ipt-account/
    Jan 1 00:00:10 kernel: NET: Registered protocol family 1
    Jan 1 00:00:10 kernel: NET: Registered protocol family 10
    Jan 1 00:00:10 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    Jan 1 00:00:10 kernel: NET: Registered protocol family 17
    Jan 1 00:00:10 kernel: 802.1Q VLAN Support v1.8 Ben Greear greearb@candelatechDOTcommm
    Jan 1 00:00:10 kernel: All bugs added by David S. Miller davem@redhat****dotcommm
    Jan 1 00:00:10 kernel: VFS: Mounted root (squashfs filesystem) readonly.
    Jan 1 00:00:10 kernel: Freeing unused kernel memory: 196k freed
    Jan 1 00:00:10 kernel: Warning: unable to open an initial console.
    Jan 1 00:00:10 kernel: ctf: module license 'Proprietary' taints kernel.
    Jan 1 00:00:10 kernel: et_module_init: passivemode set to 0x0
    Jan 1 00:00:10 kernel: et_module_init: et_txq_thresh set to 0x400
    Jan 1 00:00:10 kernel: bcm_robo_enable_switch: EEE is disabled
    Jan 1 00:00:10 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:01:01.0 (0000 -> 0002)
    Jan 1 00:00:10 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:01.0 (0000 -> 0002)
    Jan 1 00:00:10 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: Algorithmics/MIPS FPU Emulator v1.5
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usbfs
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver hub
    Jan 1 00:00:10 kernel: usbcore: registered new device driver usb
    Jan 1 00:00:10 kernel: SCSI subsystem initialized
    Jan 1 00:00:10 kernel: Initializing USB Mass Storage driver...
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usb-storage
    Jan 1 00:00:10 kernel: USB Mass Storage support registered.
    Jan 1 00:00:10 kernel: ufsd: driver (8.6 U86_r187446_b122, LBD=ON, acl, ioctl, rwm, ws, sd) loaded at c0208000
    Jan 1 00:00:10 kernel: NTFS (with native replay) support included
    Jan 1 00:00:10 kernel: optimized: speed
    Jan 1 00:00:10 kernel: Build_for__asus_n66u_2011-10-27_U86_r187446_b122
    Jan 1 00:00:10 kernel: ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Host Controller
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: new USB bus registered, assigned bus number 1
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Fastpath: New EHCI driver starting
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: USB 0.0 started, EHCI 1.00
    Jan 1 00:00:10 kernel: usb usb1: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 1-0:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 1-0:1.0: 2 ports detected
    Jan 1 00:00:10 kernel: ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: OHCI Host Controller
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
    Jan 1 00:00:10 kernel: usb usb2: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 2-0:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 2-0:1.0: 2 ports detected
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usblp
    Jan 1 00:00:10 kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver asix
    Jan 1 00:00:10 kernel: usb 1-1: new high speed USB device using ehci_hcd and address 2
    Jan 1 00:00:10 kernel: usb 1-1: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 1-1:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 1-1:1.0: 4 ports detected
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver cdc_ether
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver net1080
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver rndis_host
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver zaurus
    Jan 1 00:00:11 kernel: usb 1-1.4: new high speed USB device using ehci_hcd and address 3
    Jan 1 00:00:11 kernel: usb 1-1.4: configuration #1 chosen from 1 choice
    Jan 1 00:00:11 kernel: scsi0 : SCSI emulation for USB Mass Storage devices
    Jan 1 00:00:12 kernel: br0: starting userspace STP failed, staring kernel STP
    Jan 1 00:00:12 kernel: vlan1: dev_set_promiscuity(master, 1)
    Jan 1 00:00:12 kernel: device eth0 entered promiscuous mode
    Jan 1 00:00:12 kernel: device vlan1 entered promiscuous mode
    Jan 1 00:00:13 kernel: scsi 0:0:0:0: Direct-Access Multi Flash Reader 1.00 PQ: 0 ANSI: 0
    Jan 1 00:00:13 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
    Jan 1 00:00:13 kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
    Jan 1 00:00:13 kernel: device eth1 entered promiscuous mode
    Jan 1 00:00:14 kernel: device eth2 entered promiscuous mode
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering listening state
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering listening state
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering listening state
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering learning state
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering learning state
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering learning state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering forwarding state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering forwarding state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering forwarding state
    Jan 1 00:00:14 stop_nat_rules: apply the redirect_rules!
    Jan 1 00:00:14 dnsmasq[301]: started, version 2.67 cachesize 1500
    Jan 1 00:00:14 dnsmasq[301]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Jan 1 00:00:14 dnsmasq[301]: warning: interface ppp1* does not currently exist
    Jan 1 00:00:14 dnsmasq[301]: asynchronous logging enabled, queue limit is 5 messages
    Jan 1 00:00:14 dnsmasq-dhcp[301]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Jan 1 00:00:14 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:14 WAN Connection: ISP's DHCP did not function properly.
    Jan 1 00:00:14 RT-N66R: start httpd
    Jan 1 00:00:14 crond[315]: crond: crond (busybox 1.20.2) started, log level 8
    Jan 1 00:00:15 disk monitor: be idle
    Jan 1 00:00:15 Samba Server: daemon is started
    Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.62#53
    Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.61#53
    Jan 1 00:00:16 stop_nat_rules: apply the redirect_rules!
    Jan 1 00:00:16 dnsmasq[301]: exiting on receipt of SIGTERM
    Jan 1 00:00:16 dnsmasq[369]: started, version 2.67 cachesize 1500
    Jan 1 00:00:16 dnsmasq[369]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Jan 1 00:00:16 dnsmasq[369]: warning: interface ppp1* does not currently exist
    Jan 1 00:00:16 dnsmasq[369]: asynchronous logging enabled, queue limit is 5 messages
    Jan 1 00:00:16 dnsmasq-dhcp[369]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Jan 1 00:00:16 dnsmasq[369]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.62#53
    Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.61#53
    Jan 1 00:00:17 kernel: nf_conntrack_rtsp v0.6.21 loading
    Jan 1 00:00:17 kernel: nf_nat_rtsp v0.6.21 loading
    Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc stop_upnp
    Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc start_upnp
    Jan 1 00:00:17 rc_service: waitting "stop_upnp" via udhcpc ...
    Jan 1 00:00:18 kernel: device eth1 left promiscuous mode
    Jan 1 00:00:18 kernel: br0: port 2(eth1) entering disabled state
    Jan 1 00:00:18 kernel: device eth2 left promiscuous mode
    Jan 1 00:00:18 kernel: br0: port 3(eth2) entering disabled state
    Jan 1 00:00:19 WAN Connection: WAN was restored.
    Jan 1 00:00:21 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:21 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:22 kernel: device eth1 entered promiscuous mode
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering listening state
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering learning state
    Jan 1 00:00:22 kernel: br0: topology change detected, propagating
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering forwarding state
    Jan 1 00:00:23 kernel: device eth2 entered promiscuous mode
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering listening state
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering learning state
    Jan 1 00:00:23 kernel: br0: topology change detected, propagating
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering forwarding state
    Jan 1 00:00:28 rc_service: udhcpc 351:notify_rc stop_ntpc
    Jan 1 00:00:28 rc_service: waitting "start_upnp" via udhcpc ...
    Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
    Jan 1 00:00:28 miniupnpd[487]: Listening for NAT-PMP traffic on port 5351
    Jan 1 00:00:29 rc_service: udhcpc 351:notify_rc start_ntpc
    Jan 1 00:00:29 rc_service: waitting "stop_ntpc" via udhcpc ...
    Jan 1 00:00:30 dhcp client: bound 67.253.165.215 via 67.253.160.1 during 81593 seconds.
    Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_upnp
    Feb 22 16:10:15 miniupnpd[497]: HTTP listening on port 56982
    Feb 22 16:10:15 miniupnpd[497]: Listening for NAT-PMP traffic on port 5351
    Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_diskmon
    Feb 22 16:10:15 disk monitor: be idle
    Feb 22 16:10:46 crond[315]: time disparity of 1654090 minutes detected
    Feb 22 16:11:05 nmbd[344]: [2014/02/22 16:11:05, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
    Feb 22 16:11:05 nmbd[344]: Samba name server RT-N66R is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.1
    Feb 22 16:12:42 kernel: device eth1 left promiscuous mode
    Feb 22 16:12:42 kernel: br0: port 2(eth1) entering disabled state
    Feb 22 16:12:42 kernel: device eth2 left promiscuous mode
    Feb 22 16:12:42 kernel: br0: port 3(eth2) entering disabled state
    Feb 22 16:12:45 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:12:45 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:12:45 kernel: device eth1 entered promiscuous mode
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering listening state
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering learning state
    Feb 22 16:12:45 kernel: br0: topology change detected, propagating
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering forwarding state
    Feb 22 16:12:46 kernel: device eth2 entered promiscuous mode
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering listening state
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering learning state
    Feb 22 16:12:46 kernel: br0: topology change detected, propagating
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering forwarding state
    Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.33.125 70:18:8b:2d:2b:4b
    Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPNAK(br0) 192.168.33.125 70:18:8b:2d:2b:4b wrong network
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:13:02 rc_service: httpd 312:notify_rc start_autodet
    Feb 22 16:13:02 kernel: autodet uses obsolete (PF_INET,SOCK_PACKET)
    Feb 22 16:14:00 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
    Feb 22 16:14:00 dnsmasq[369]: exiting on receipt of SIGTERM
    Feb 22 16:14:00 dnsmasq[578]: started, version 2.67 cachesize 1500
    Feb 22 16:14:00 dnsmasq[578]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Feb 22 16:14:00 dnsmasq[578]: warning: interface ppp1* does not currently exist
    Feb 22 16:14:00 dnsmasq[578]: asynchronous logging enabled, queue limit is 5 messages
    Feb 22 16:14:00 dnsmasq-dhcp[578]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Feb 22 16:14:00 dnsmasq[578]: read /etc/hosts - 5 addresses
    Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.62#53
    Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.61#53
    Feb 22 16:14:02 rc_service: httpd 312:notify_rc restart_wireless
    Feb 22 16:14:03 kernel: device eth1 left promiscuous mode
    Feb 22 16:14:03 kernel: br0: port 2(eth1) entering disabled state
    Feb 22 16:14:03 kernel: device eth2 left promiscuous mode
    Feb 22 16:14:03 kernel: br0: port 3(eth2) entering disabled state
    Feb 22 16:14:06 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:14:06 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:14:07 kernel: device eth1 entered promiscuous mode
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering listening state
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering learning state
    Feb 22 16:14:07 kernel: br0: topology change detected, propagating
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering forwarding state
    Feb 22 16:14:08 kernel: device eth2 entered promiscuous mode
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering listening state
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering learning state
    Feb 22 16:14:08 kernel: br0: topology change detected, propagating
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering forwarding state
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
    Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
    Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
    Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
     
  2. Ming_the_Merciless

    Ming_the_Merciless MDL Member

    Feb 7, 2014
    138
    49
    10
    I posted the TechSpot link in the other thread. I have reread the article a number of times. Don't get me wrong, I am not attempting to downplay the issue, but it appears that so far, hackers have only managed to place a benign text file on the router's USB-connected drive.

    No evidence a hacker has read directories/folders or files.
    No evidence a hacker has deleted any files.
    No evidence a hacker has uploaded an infected program.

    This may explain why Asus was downplaying the issue. Again, it's not acceptable, but possibly it is not harmful either.
     
  3. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    #3 J0hnBlaze, Feb 23, 2014
    Last edited: Feb 23, 2014
    (OP)
    RE: Evidence

    I'll post some text files in the post itself. I don't know if these are malicious or give details that should not be publicly visible. Posting in a few minutes. I also set up my camera and recorded logging into my machine and booting from BIOS, etc., which would provide more valuable data than I can offer regurgitating what I have observed. I don't write code in any language, so it's all Greek to me except for the logical concept of what the line is telling the file, program, or whatever to look at or go to. It could be my ignorance and it's all normal, or, as it sometimes does, common sense prevails. However, I am leaning towards the latter only because of all I have witnessed vs. posted. Hopefully these files provide some more insight! If you PM me, I am available to chat via TeamSpeak/Skype/ooVoo/whatever if you're interested in specific files vs. forum conversations. I'm eager to find a resolution to this myself.

    I appreciate the feedback

    I'm not sure how it can be called benign, as it's affected my HP Split, which is solely a wireless device with no LAN port. My phone has not touched any PC and is also affected, I believe via Bluetooth, due to the hidden folders specifically labeled Bluetooth that were not there prior to the affliction.
     
  4. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    RE: Evidence

    I'm going to PM you with the syslog.txt file that I pulled off my other box. It's similar to the original log posted from the router, with the exception that I think it's showing the (purely for reference purposes) benign file attaching itself to my main desktop, and it contains a lot of local data, for example IP addresses, comp names, shares, etc. As I dig through other files, at least you will have that to view. Obviously, feel free to post any non-sensitive and pertinent information you may find in that file.

    If anyone feels as though they are fully protected and wants to use LogMeIn (if this is against forum code I apologize in advance and will edit the statement out) to access this box, I would be willing to have you poke around and view the files (in safe mode w/ networking, of course). I clearly made this account recently and have not posted much at all until now. I am intelligent enough to read and discover most things on my own without begging for someone to hold my hand, and astute enough to catch my mistakes when proofing. That being said, I am also humble enough to know when I'm out of my league. This is without a doubt the latter.
     
  5. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #5 speedingcheetah, Feb 23, 2014
    Last edited: Feb 23, 2014
    Did you have Samba set up as open or share with account? If you did not have it secured with an account, anyone can access your files.

    Also, I see nothing in that log file that isn't normal. Although, I suggest you change your "Workgroup" name to something other than the default on your router and all devices.
     
  6. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #6 speedingcheetah, Feb 23, 2014
    Last edited: Feb 23, 2014
    So....all connected to your network...wired or WiFi makes no difference.. How do you think your phone is affected?....just because there are folders called Bluetooth on your computer means nothing....if your computer has a Bluetooth adapter, those folders are normal.
     
  7. CaptainKirk1966

    CaptainKirk1966 Former MDL Guru

    Oct 31, 2009
    2,549
    1,377
    90
    #7 CaptainKirk1966, Feb 23, 2014
    Last edited: Feb 23, 2014
    Yes, although not yet reported, they could just as easily place an infected exe file that would do bad things if a curious user saw it and opened it.

    I guess I still don't understand the OP's problem: his machine seems seriously compromised, and he is connecting it with a not-so-serious router vulnerability.

    Also, is the router in promiscuous mode, letting somebody sniff passwords? (edit - from what I have read elsewhere, promiscuous mode seems normal on the interface device connected to the internet)
     
  8. leebo_28

    leebo_28 MDL Senior Member

    Jun 12, 2011
    465
    172
    10
    This says different; also, the DHCP range was set to full through setup..
    Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
    Jan 1 00:00:28 miniupnpd[487]: Listening for NAT-PMP traffic on port 5351

    Nothing but a router restart happened on Feb 22nd, up to the point you gave us anyway.
     
  9. Ming_the_Merciless

    Ming_the_Merciless MDL Member

    Feb 7, 2014
    138
    49
    10
    The beauty of MDL is the sharing of information, especially when it comes to solving hardware/software issues. I know I am limited in understanding the router logs and am glad to see others' input.

    OP - two items here concern me.
    1) You haven't claimed to have found the .txt file the hackers have placed on affected drives. Do you have it?
    2) As already noted, this issue doesn't appear to have anything to do with Bluetooth.

    While I don't doubt the OP is having a serious problem, in the interest of accuracy, I am not yet convinced the OP's problems are related to the Asus router hack. Just my opinion at the moment.
     
  10. leebo_28

    leebo_28 MDL Senior Member

    Jun 12, 2011
    465
    172
    10
    Agreed.. Too many discrepancies in what's being shown and what is being said..my .02
     
  11. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #11 speedingcheetah, Feb 23, 2014
    Last edited: Feb 26, 2014
    Same user has already made a fuss over on smallnetbuilder... very rude and offensive.


    hxxp://forums.smallnetbuilder.com/showthread.php?t=15659
    (His created thread)

    hxxp://forums.smallnetbuilder.com/showthread.php?t=15272&page=10
    (he posted to another thread about this...scroll down a bit to find his posts and flaming replies...)

    EDIT: His flaming posts were removed and his created thread locked by a mod.
     
  12. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,104
    24,378
    340
    As always, you can distort the links by inserting spaces or using hxxp:// so the forum software will let you post them :D.
     
  13. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    Forgot about that...edited my post
     
  14. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,104
    24,378
    340
  15. Mutagen

    Mutagen MDL Addicted

    Feb 18, 2013
    580
    123
    30
    OP seems to be fairly well behaved here. If Asus has issued a patch, why not apply it and be done with it?

    OP - how about a short description of your problem? (Did I miss it?)
    Up/Down load speed slow.
    Dropped connections.
    Router needs to be reset often.
     
  16. CaptainKirk1966

    CaptainKirk1966 Former MDL Guru

    Oct 31, 2009
    2,549
    1,377
    90
    #16 CaptainKirk1966, Feb 23, 2014
    Last edited: Feb 23, 2014
    OP posted some long notes in Daz loader thread yesterday. It seemed mostly technobabble to me, but then again I am not any sort of computer security expert. It seems that Daz loader will not work on his system, and he is trying to warn others who may not be able to get the loader to work that they may have the same problem as him, whatever that is.

    btw: @speedingcheetah, I saw your post on the other site, and wanted to say that Daz loader downloaded from here at MDL contains no malware. Somebody elsewhere could certainly package malware in something they call Daz Loader.

     
  17. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0

    Yes...that is what I was meaning to say....I have used Windows Loader back when I was on Win 7 with no issues, but there are plenty of "fake" versions of it...but now I can't use it since I use Win 8.1 now.
     
  18. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    Facts and Continued Data

    I am respectful to those who give it. In this forum the people stick to facts and keep the primary focus on the problem. Please don't bring the drama here.

    Working at the moment; will update in my next post with full scope when I get home: Initial and Continued Problem/Symptoms, Data Gathered, Troubleshooting Attempts, and Steps Taken To Remedy.

    I thought I would go to the forum where the firmware was made and work from there, since that is what I believed to be the issue or root cause that allowed whatever is affecting all the devices on my network. However, Merlin stated it was not the firmware, so I am moving on.
     
  19. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    Sorry for the delay in a follow up post to bring some clarification of symptoms and data. I am organizing all of this now and it will be available within the hour.

    Briefly though, I have confirmed inexplicable oddities with a support tech with LogMeIn Rescue, and the ISP is now having their research team look into the matter. Not helpful for clearing anything up, I know, but it validates my concerns. I didn't want the thread locked before I had a chance to reply.

    Thank You
     
  20. urie

    urie Moderator
    Staff Member

    May 21, 2007
    9,039
    3,388
    300
    By all means make your report when the support tech with LogMeIn Rescue and the ISP get back to you. Then that may help other members, but make it brief; we do not need another two or three pages of your interpretation considering no one else on this forum has your actual problem.