USB Exploit on Asus, Linksys, and other Brand Routers

Discussion in 'PC Hardware' started by J0hnBlaze, Feb 23, 2014.

  1. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    #1 J0hnBlaze, Feb 23, 2014
    Last edited: Feb 23, 2014
    Hey All,

    I previously posted on Daz's Loader troubleshooting thread about this issue. There has been a relatively quiet news release regarding ASUS Routers, Linksys, and other lesser known brand name routers that were hacked via an exploit in the USB port. I have a text file with the logs. Check your router model and see if you were affected. I am running the Merlin Build for the ASUS RT-N66R and was affected by this. Maybe this will help you all but some funny prick at midnight decided to release this: The Merlin build I was running was 3.0.0.4.374_35_4 I had DHCP disabled uPnP disabled, no dlna, no media streaming. I had a SAMBA setup with a 2TB Seagate Backup Plus drive that was affected. IP filters were for mac addresses only and the DHCP pool was set to a range of only 10 ip address 8 for my devices and 2 open for additional allocation if/when I needed to add and if/when settings accidently re-instated DHCP. Hope this helps some of you. *note* It may be a gross over estimation that you are affected by the same thing I was o_O j/k j/k

    Jan 1 00:00:09 syslogd started: BusyBox v1.20.2
    Jan 1 00:00:09 kernel: klogd started: BusyBox v1.20.2 (2013-11-30 18:02:35 EST)
    Jan 1 00:00:09 kernel: Linux version 2.6.22.19 (root@asus) (gcc version 4.2.4) #1 Sat Nov 30 18:05:26 EST 2013
    Jan 1 00:00:09 kernel: CPU revision is: 00019749
    Jan 1 00:00:09 kernel: Determined physical RAM map:
    Jan 1 00:00:09 kernel: memory: 07fff000 @ 00000000 (usable)
    Jan 1 00:00:09 kernel: memory: 08000000 @ 87fff000 (usable)
    Jan 1 00:00:09 kernel: Built 1 zonelists. Total pages: 585216
    Jan 1 00:00:09 kernel: Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
    Jan 1 00:00:09 kernel: Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
    Jan 1 00:00:09 kernel: Primary data cache 32kB, 4-way, linesize 32 bytes.
    Jan 1 00:00:09 kernel: Synthesized TLB refill handler (20 instructions).
    Jan 1 00:00:09 syslog: module ledtrig-usbdev not found in modules.dep
    Jan 1 00:00:09 syslog: module leds-usb not found in modules.dep
    Jan 1 00:00:09 kernel: Synthesized TLB load handler fastpath (32 instructions).
    Jan 1 00:00:09 kernel: Synthesized TLB store handler fastpath (32 instructions).
    Jan 1 00:00:09 kernel: Synthesized TLB modify handler fastpath (31 instructions).
    Jan 1 00:00:09 kernel: PID hash table entries: 2048 (order: 11, 8192 bytes)
    Jan 1 00:00:09 kernel: CPU: BCM5300 rev 1 pkg 0 at 600 MHz
    Jan 1 00:00:09 kernel: Using 300.000 MHz high precision timer.
    Jan 1 00:00:09 kernel: console [ttyS0] enabled
    Jan 1 00:00:09 kernel: Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
    Jan 1 00:00:09 kernel: Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
    Jan 1 00:00:09 kernel: Memory: 238608k/131068k available (2564k kernel code, 22616k reserved, 515k data, 196k init, 131072k highmem)
    Jan 1 00:00:09 kernel: Mount-cache hash table entries: 512
    Jan 1 00:00:09 kernel: NET: Registered protocol family 16
    Jan 1 00:00:09 kernel: PCI: Initializing host
    Jan 1 00:00:09 kernel: PCI: Reset RC
    Jan 1 00:00:09 kernel: PCI: Initializing host
    Jan 1 00:00:09 kernel: PCI: Reset RC
    Jan 1 00:00:09 kernel: PCI: Fixing up bus 0
    Jan 1 00:00:09 kernel: PCI/PCIe coreunit 0 is set to bus 1.
    Jan 1 00:00:09 kernel: PCI: Fixing up bridge
    Jan 1 00:00:09 kernel: PCI: Fixing up bridge
    Jan 1 00:00:09 kernel: PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
    Jan 1 00:00:10 kernel: PCI: Fixing up bus 1
    Jan 1 00:00:10 kernel: PCI/PCIe coreunit 1 is set to bus 2.
    Jan 1 00:00:10 kernel: PCI: Fixing up bridge
    Jan 1 00:00:10 kernel: PCI: Fixing up bridge
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:00.1 (0004 -> 0006)
    Jan 1 00:00:10 kernel: PCI: Fixing up bus 2
    Jan 1 00:00:10 kernel: NET: Registered protocol family 2
    Jan 1 00:00:10 kernel: Time: MIPS clocksource has been installed.
    Jan 1 00:00:10 kernel: IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
    Jan 1 00:00:10 kernel: TCP established hash table entries: 16384 (order: 5, 131072 bytes)
    Jan 1 00:00:10 kernel: TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
    Jan 1 00:00:10 kernel: TCP: Hash tables configured (established 16384 bind 16384)
    Jan 1 00:00:10 kernel: TCP reno registered
    Jan 1 00:00:10 kernel: highmem bounce pool size: 64 pages
    Jan 1 00:00:10 kernel: squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
    Jan 1 00:00:10 kernel: io scheduler noop registered (default)
    Jan 1 00:00:10 kernel: HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
    Jan 1 00:00:10 kernel: N_HDLC line discipline registered.
    Jan 1 00:00:10 kernel: Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
    Jan 1 00:00:10 kernel: serial8250: ttyS0 at MMIO 0xb8000300 (irq = 8) is a 16550A
    Jan 1 00:00:10 kernel: serial8250: ttyS1 at MMIO 0xb8000400 (irq = 8) is a 16550A
    Jan 1 00:00:10 kernel: PPP generic driver version 2.4.2
    Jan 1 00:00:10 kernel: MPPE/MPPC encryption/compression module registered
    Jan 1 00:00:10 kernel: NET: Registered protocol family 24
    Jan 1 00:00:10 kernel: PPPoL2TP kernel driver, V0.18.3
    Jan 1 00:00:10 kernel: PPTP driver version 0.8.5
    Jan 1 00:00:10 kernel: Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
    Jan 1 00:00:10 kernel: Amd/Fujitsu Extended Query Table at 0x0040
    Jan 1 00:00:10 kernel: Physically mapped flash: CFI does not contain boot bank location. Assuming top.
    Jan 1 00:00:10 kernel: number of CFI chips: 1
    Jan 1 00:00:10 kernel: cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
    Jan 1 00:00:10 kernel: Flash device: 0x2000000 at 0x1c000000
    Jan 1 00:00:10 kernel: Creating 5 MTD partitions on "Physically mapped flash":
    Jan 1 00:00:10 kernel: 0x00000000-0x00040000 : "pmon"
    Jan 1 00:00:10 kernel: 0x00040000-0x01fe0000 : "linux"
    Jan 1 00:00:10 kernel: 0x00174b0c-0x019e0000 : "rootfs"
    Jan 1 00:00:10 kernel: 0x01fe0000-0x02000000 : "nvram"
    Jan 1 00:00:10 kernel: 0x019e0000-0x01fe0000 : "jffs2"
    Jan 1 00:00:10 kernel: Found an serial flash with 0 0KB blocks; total size 0MB
    Jan 1 00:00:10 kernel: sflash: found no supported devices
    Jan 1 00:00:10 kernel: dev_nvram_init: _nvram_init
    Jan 1 00:00:10 kernel: _nvram_init: allocat size= 65536
    Jan 1 00:00:10 kernel: sdhci: Secure Digital Host Controller Interface driver
    Jan 1 00:00:10 kernel: sdhci: Copyright(c) Pierre Ossman
    Jan 1 00:00:10 kernel: u32 classifier
    Jan 1 00:00:10 kernel: OLD policer on
    Jan 1 00:00:10 kernel: Netfilter messages via NETLINK v0.30.
    Jan 1 00:00:10 kernel: nf_conntrack version 0.5.0 (2048 buckets, 16384 max)
    Jan 1 00:00:10 kernel: ipt_time loading
    Jan 1 00:00:10 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
    Jan 1 00:00:10 kernel: net/ipv4/netfilter/tomato_ct.c [Nov 30 2013 18:04:45]
    Jan 1 00:00:10 kernel: ipt_account 0.1.21 : Piotr Gasidlo <quaker@barbara.eu.org>, h**pcode.google.com/p/ipt-account/
    Jan 1 00:00:10 kernel: NET: Registered protocol family 1
    Jan 1 00:00:10 kernel: NET: Registered protocol family 10
    Jan 1 00:00:10 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    Jan 1 00:00:10 kernel: NET: Registered protocol family 17
    Jan 1 00:00:10 kernel: 802.1Q VLAN Support v1.8 Ben Greear greearb@candelatechDOTcommm
    Jan 1 00:00:10 kernel: All bugs added by David S. Miller davem@redhat****dotcommm
    Jan 1 00:00:10 kernel: VFS: Mounted root (squashfs filesystem) readonly.
    Jan 1 00:00:10 kernel: Freeing unused kernel memory: 196k freed
    Jan 1 00:00:10 kernel: Warning: unable to open an initial console.
    Jan 1 00:00:10 kernel: ctf: module license 'Proprietary' taints kernel.
    Jan 1 00:00:10 kernel: et_module_init: passivemode set to 0x0
    Jan 1 00:00:10 kernel: et_module_init: et_txq_thresh set to 0x400
    Jan 1 00:00:10 kernel: bcm_robo_enable_switch: EEE is disabled
    Jan 1 00:00:10 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:01:01.0 (0000 -> 0002)
    Jan 1 00:00:10 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: PCI: Enabling device 0000:02:01.0 (0000 -> 0002)
    Jan 1 00:00:10 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:10 kernel: Algorithmics/MIPS FPU Emulator v1.5
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usbfs
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver hub
    Jan 1 00:00:10 kernel: usbcore: registered new device driver usb
    Jan 1 00:00:10 kernel: SCSI subsystem initialized
    Jan 1 00:00:10 kernel: Initializing USB Mass Storage driver...
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usb-storage
    Jan 1 00:00:10 kernel: USB Mass Storage support registered.
    Jan 1 00:00:10 kernel: ufsd: driver (8.6 U86_r187446_b122, LBD=ON, acl, ioctl, rwm, ws, sd) loaded at c0208000
    Jan 1 00:00:10 kernel: NTFS (with native replay) support included
    Jan 1 00:00:10 kernel: optimized: speed
    Jan 1 00:00:10 kernel: Build_for__asus_n66u_2011-10-27_U86_r187446_b122
    Jan 1 00:00:10 kernel: ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Host Controller
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: new USB bus registered, assigned bus number 1
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: EHCI Fastpath: New EHCI driver starting
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
    Jan 1 00:00:10 kernel: ehci_hcd 0000:00:04.1: USB 0.0 started, EHCI 1.00
    Jan 1 00:00:10 kernel: usb usb1: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 1-0:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 1-0:1.0: 2 ports detected
    Jan 1 00:00:10 kernel: ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: OHCI Host Controller
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
    Jan 1 00:00:10 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
    Jan 1 00:00:10 kernel: usb usb2: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 2-0:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 2-0:1.0: 2 ports detected
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver usblp
    Jan 1 00:00:10 kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
    Jan 1 00:00:10 kernel: usbcore: registered new interface driver asix
    Jan 1 00:00:10 kernel: usb 1-1: new high speed USB device using ehci_hcd and address 2
    Jan 1 00:00:10 kernel: usb 1-1: configuration #1 chosen from 1 choice
    Jan 1 00:00:10 kernel: hub 1-1:1.0: USB hub found
    Jan 1 00:00:10 kernel: hub 1-1:1.0: 4 ports detected
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver cdc_ether
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver net1080
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver rndis_host
    Jan 1 00:00:11 kernel: usbcore: registered new interface driver zaurus
    Jan 1 00:00:11 kernel: usb 1-1.4: new high speed USB device using ehci_hcd and address 3
    Jan 1 00:00:11 kernel: usb 1-1.4: configuration #1 chosen from 1 choice
    Jan 1 00:00:11 kernel: scsi0 : SCSI emulation for USB Mass Storage devices
    Jan 1 00:00:12 kernel: br0: starting userspace STP failed, staring kernel STP
    Jan 1 00:00:12 kernel: vlan1: dev_set_promiscuity(master, 1)
    Jan 1 00:00:12 kernel: device eth0 entered promiscuous mode
    Jan 1 00:00:12 kernel: device vlan1 entered promiscuous mode
    Jan 1 00:00:13 kernel: scsi 0:0:0:0: Direct-Access Multi Flash Reader 1.00 PQ: 0 ANSI: 0
    Jan 1 00:00:13 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
    Jan 1 00:00:13 kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
    Jan 1 00:00:13 kernel: device eth1 entered promiscuous mode
    Jan 1 00:00:14 kernel: device eth2 entered promiscuous mode
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering listening state
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering listening state
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering listening state
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering learning state
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering learning state
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering learning state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 3(eth2) entering forwarding state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 2(eth1) entering forwarding state
    Jan 1 00:00:14 kernel: br0: topology change detected, propagating
    Jan 1 00:00:14 kernel: br0: port 1(vlan1) entering forwarding state
    Jan 1 00:00:14 stop_nat_rules: apply the redirect_rules!
    Jan 1 00:00:14 dnsmasq[301]: started, version 2.67 cachesize 1500
    Jan 1 00:00:14 dnsmasq[301]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Jan 1 00:00:14 dnsmasq[301]: warning: interface ppp1* does not currently exist
    Jan 1 00:00:14 dnsmasq[301]: asynchronous logging enabled, queue limit is 5 messages
    Jan 1 00:00:14 dnsmasq-dhcp[301]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Jan 1 00:00:14 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:14 WAN Connection: ISP's DHCP did not function properly.
    Jan 1 00:00:14 RT-N66R: start httpd
    Jan 1 00:00:14 crond[315]: crond: crond (busybox 1.20.2) started, log level 8
    Jan 1 00:00:15 disk monitor: be idle
    Jan 1 00:00:15 Samba Server: daemon is started
    Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[301]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.62#53
    Jan 1 00:00:16 dnsmasq[301]: using nameserver 209.18.47.61#53
    Jan 1 00:00:16 stop_nat_rules: apply the redirect_rules!
    Jan 1 00:00:16 dnsmasq[301]: exiting on receipt of SIGTERM
    Jan 1 00:00:16 dnsmasq[369]: started, version 2.67 cachesize 1500
    Jan 1 00:00:16 dnsmasq[369]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Jan 1 00:00:16 dnsmasq[369]: warning: interface ppp1* does not currently exist
    Jan 1 00:00:16 dnsmasq[369]: asynchronous logging enabled, queue limit is 5 messages
    Jan 1 00:00:16 dnsmasq-dhcp[369]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Jan 1 00:00:16 dnsmasq[369]: read /etc/hosts - 5 addresses
    Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.62#53
    Jan 1 00:00:16 dnsmasq[369]: using nameserver 209.18.47.61#53
    Jan 1 00:00:17 kernel: nf_conntrack_rtsp v0.6.21 loading
    Jan 1 00:00:17 kernel: nf_nat_rtsp v0.6.21 loading
    Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc stop_upnp
    Jan 1 00:00:17 rc_service: udhcpc 351:notify_rc start_upnp
    Jan 1 00:00:17 rc_service: waitting "stop_upnp" via udhcpc ...
    Jan 1 00:00:18 kernel: device eth1 left promiscuous mode
    Jan 1 00:00:18 kernel: br0: port 2(eth1) entering disabled state
    Jan 1 00:00:18 kernel: device eth2 left promiscuous mode
    Jan 1 00:00:18 kernel: br0: port 3(eth2) entering disabled state
    Jan 1 00:00:19 WAN Connection: WAN was restored.
    Jan 1 00:00:21 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:21 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Jan 1 00:00:22 kernel: device eth1 entered promiscuous mode
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering listening state
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering learning state
    Jan 1 00:00:22 kernel: br0: topology change detected, propagating
    Jan 1 00:00:22 kernel: br0: port 2(eth1) entering forwarding state
    Jan 1 00:00:23 kernel: device eth2 entered promiscuous mode
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering listening state
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering learning state
    Jan 1 00:00:23 kernel: br0: topology change detected, propagating
    Jan 1 00:00:23 kernel: br0: port 3(eth2) entering forwarding state
    Jan 1 00:00:28 rc_service: udhcpc 351:notify_rc stop_ntpc
    Jan 1 00:00:28 rc_service: waitting "start_upnp" via udhcpc ...
    Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
    Jan 1 00:00:28 miniupnpd[487]: Listening for NAT-PMP traffic on port 5351
    Jan 1 00:00:29 rc_service: udhcpc 351:notify_rc start_ntpc
    Jan 1 00:00:29 rc_service: waitting "stop_ntpc" via udhcpc ...
    Jan 1 00:00:30 dhcp client: bound 67.253.165.215 via 67.253.160.1 during 81593 seconds.
    Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_upnp
    Feb 22 16:10:15 miniupnpd[497]: HTTP listening on port 56982
    Feb 22 16:10:15 miniupnpd[497]: Listening for NAT-PMP traffic on port 5351
    Feb 22 16:10:15 rc_service: ntp 488:notify_rc restart_diskmon
    Feb 22 16:10:15 disk monitor: be idle
    Feb 22 16:10:46 crond[315]: time disparity of 1654090 minutes detected
    Feb 22 16:11:05 nmbd[344]: [2014/02/22 16:11:05, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
    Feb 22 16:11:05 nmbd[344]: Samba name server RT-N66R is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.1
    Feb 22 16:12:42 kernel: device eth1 left promiscuous mode
    Feb 22 16:12:42 kernel: br0: port 2(eth1) entering disabled state
    Feb 22 16:12:42 kernel: device eth2 left promiscuous mode
    Feb 22 16:12:42 kernel: br0: port 3(eth2) entering disabled state
    Feb 22 16:12:45 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:12:45 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:12:45 kernel: device eth1 entered promiscuous mode
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering listening state
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering learning state
    Feb 22 16:12:45 kernel: br0: topology change detected, propagating
    Feb 22 16:12:45 kernel: br0: port 2(eth1) entering forwarding state
    Feb 22 16:12:46 kernel: device eth2 entered promiscuous mode
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering listening state
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering learning state
    Feb 22 16:12:46 kernel: br0: topology change detected, propagating
    Feb 22 16:12:46 kernel: br0: port 3(eth2) entering forwarding state
    Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.33.125 70:18:8b:2d:2b:4b
    Feb 22 16:12:54 dnsmasq-dhcp[369]: DHCPNAK(br0) 192.168.33.125 70:18:8b:2d:2b:4b wrong network
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:12:56 dnsmasq-dhcp[369]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:13:02 rc_service: httpd 312:notify_rc start_autodet
    Feb 22 16:13:02 kernel: autodet uses obsolete (PF_INET,SOCK_PACKET)
    Feb 22 16:14:00 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
    Feb 22 16:14:00 dnsmasq[369]: exiting on receipt of SIGTERM
    Feb 22 16:14:00 dnsmasq[578]: started, version 2.67 cachesize 1500
    Feb 22 16:14:00 dnsmasq[578]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth
    Feb 22 16:14:00 dnsmasq[578]: warning: interface ppp1* does not currently exist
    Feb 22 16:14:00 dnsmasq[578]: asynchronous logging enabled, queue limit is 5 messages
    Feb 22 16:14:00 dnsmasq-dhcp[578]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
    Feb 22 16:14:00 dnsmasq[578]: read /etc/hosts - 5 addresses
    Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.62#53
    Feb 22 16:14:00 dnsmasq[578]: using nameserver 209.18.47.61#53
    Feb 22 16:14:02 rc_service: httpd 312:notify_rc restart_wireless
    Feb 22 16:14:03 kernel: device eth1 left promiscuous mode
    Feb 22 16:14:03 kernel: br0: port 2(eth1) entering disabled state
    Feb 22 16:14:03 kernel: device eth2 left promiscuous mode
    Feb 22 16:14:03 kernel: br0: port 3(eth2) entering disabled state
    Feb 22 16:14:06 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:14:06 kernel: eth2: Broadcom BCM4331 802.11 Wireless Controller 6.30.102.9 (r366174)
    Feb 22 16:14:07 kernel: device eth1 entered promiscuous mode
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering listening state
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering learning state
    Feb 22 16:14:07 kernel: br0: topology change detected, propagating
    Feb 22 16:14:07 kernel: br0: port 2(eth1) entering forwarding state
    Feb 22 16:14:08 kernel: device eth2 entered promiscuous mode
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering listening state
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering learning state
    Feb 22 16:14:08 kernel: br0: topology change detected, propagating
    Feb 22 16:14:08 kernel: br0: port 3(eth2) entering forwarding state
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPDISCOVER(br0) 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPOFFER(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPREQUEST(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 16:15:04 dnsmasq-dhcp[578]: DHCPACK(br0) 192.168.1.50 70:18:8b:2d:2b:4b
    Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
    Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
    Feb 22 18:08:05 smbd[659]: [2014/02/22 18:08:05, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(55)
    Feb 22 18:08:05 smbd[659]: smb_pwd_check_ntlmv1: incorrect password length (74)
     
  2. Ming_the_Merciless

    Ming_the_Merciless MDL Member

    Feb 7, 2014
    139
    48
    10
    I posted the TechSpot link in the other thread. I have reread the article a number of times. Don't get me wrong, I am not attempting to downplay the issue, but it appears that so far, hackers have only managed to place a benign text file on the router's usb connected drive.

    No evidence a hacker has read directories/folders or files.
    No evidence a hacker has deleted any files.
    No evidence a hacker has uploaded an infected program.

    This may explain why Asus was down playing the issue. Again, it's not acceptable, but possibly it is not harmful either.
     
  3. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    #3 J0hnBlaze, Feb 23, 2014
    Last edited: Feb 23, 2014
    (OP)
    RE: Evidence



    I'll post some text files in the post itself. I don't know if these are malicious or give details that should not be publicly visible. Posting in a few minutes. I also setup my camera and recorded logging into my machine and booting from bios etc that would provide more valuable data than I can offer regurgitating what I have observed. I don't write code in any language so its all greek to me except for the logical concept of what the line is telling the file, program, or whatever to look at or go to. It could be my ignorance and its all normal or as it sometimes does, common sense prevails. However I am leaning towards the later only because of all I have witnessed vs posted. Hopefully these files provide some more insight! IF you pm me I am available to chat via teamspeak/Skype/oovoo/whatever if you're interested in specific files vs forum conversations. Im eager to find a resolution to this myself.

    I appreciate the feedback

    I'm not sure how it can be called benign as its affected my HP Split which is solely a wireless device with no lan port. My phone, has not touched any pc and is also affected. I believe via Bluetooth due to the hidden folders specificially labeled Bluetooth that were not there prior to the affliction.
     
  4. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    RE: Evidence

    I'm going to PM you with the syslog.txt file that I pulled off my other box. Its similar to the original log posted from the router with the exception I think its showing the (purely for reference purpose) benign file attaching itself to my main desktop and it contains a lot of local data for example ip addresses comp names and shares etc. As I dig through other files at least you will have that to view. Obviously, feel free to post any non-sensitive and pertinent information you may find in that file.

    If anyone feels as though they are fully protected and wants to use Logmein (if this is against forum code I apologize in advance and will edit the statement out) to access this box, I would be willing to have you poke around and view the files (in safe mode w/networking of course) I clearly made this account recently and have not posted much at all until now. I am intelligent enough to read and discover most things on my own without begging for someone to hold my hand and astute enough to catch my mistakes when proofing. That being said I am also humble enough to know when I'm out of my league. This is without a doubt the later.
     
  5. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #5 speedingcheetah, Feb 23, 2014
    Last edited: Feb 23, 2014
    Did u have Samba setup as open or share with account? If you did not have it secured with an account, anyone can access your files.

    Also, I see nothing in that log file that isn't normal. Although, I suggest you change your "Workgroup" name to something other than default on you router and all devices.
     
  6. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #6 speedingcheetah, Feb 23, 2014
    Last edited: Feb 23, 2014
    So....all connect to your network...wired or wifi makes no difference.. How do you think your phone is affected?....just because there are folders called Bluetooth on your computer means nothing....if your computer has a Bluetooth adapter those folders are normal.
     
  7. CaptainKirk1966

    CaptainKirk1966 Former MDL Guru

    Oct 31, 2009
    1,901
    908
    60
    #7 CaptainKirk1966, Feb 23, 2014
    Last edited: Feb 23, 2014
    Yes, although not yet reported they could just as easily place an infected exe file, that would do bad things if a curious user saw it and opened it.

    I guess I still don't understand the OP's problem, his machine seems seriously compromised, and he is connecting it with a not so serious router vulnerability.

    Also, is the router in promiscuous mode, letting somebody sniff passwords? (edit - from what I have read elsewhere, promiscuous mode seems normal on the interface device connected to the internet)
     
  8. leebo_28

    leebo_28 MDL Senior Member

    Jun 12, 2011
    457
    169
    10
    This says different, also DHCP range was set to full through setup..
    Jan 1 00:00:28 miniupnpd[487]: HTTP listening on port 37515
    Jan 1 00:00:28 miniupnpd[487]: Listening for NAT-PMP traffic on port 5351

    nothing but a router restart happened on feb 22nd , up to the point you gave us anyway.
     
  9. Ming_the_Merciless

    Ming_the_Merciless MDL Member

    Feb 7, 2014
    139
    48
    10
    The beauty of MDL is the sharing of information, especially when it comes to solving hardware/software issues. I know I am limited in understanding the router logs and am glad to see others input.

    OP - two items here concern me.
    1) You haven't claimed to have found the .txt file the hackers have placed on affected drives. Do you have it?
    2) As already noted, this issue doesn't appear to have anything to do with Bluetooth.

    While I don't doubt the OP is having a serious problem, in the interest of accuracy, I am not yet convinced the OP's problems are related to the Asus router hack. Just my opinion at the moment.
     
  10. leebo_28

    leebo_28 MDL Senior Member

    Jun 12, 2011
    457
    169
    10
    Agreed.. Too many discrepancies in what's being shown , and what is being said..my .02
     
  11. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    #11 speedingcheetah, Feb 23, 2014
    Last edited: Feb 26, 2014
    Same user has already made a fuss over on smallnetbuilder... very rude and offensive.


    hxxp://forums.smallnetbuilder.com/showthread.php?t=15659
    (His created thread)

    hxxp://forums.smallnetbuilder.com/showthread.php?t=15272&page=10
    (he posted to another thread about this...scroll down a bit to find his posts and flaming replies...)

    EDIT: His flaming posts were removed and his created thread locked by a mod.
     
  12. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    14,678
    18,890
    340
    As always, you can distort the links by inserting spaces or using hxxp:// so the Forums soft will let you post them :D.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0
    forgot about that...edited my post
     
  14. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    14,678
    18,890
    340
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Mutagen

    Mutagen MDL Addicted

    Feb 18, 2013
    580
    123
    30
    OP seems to be fairly well behaved here. If Asus has issued a patch, why not apply it and be done with it?

    OP - how about a short description of your problem? (Did I miss it?)
    Up/Down load speed slow.
    Dropped connections.
    Router needs to be reset often.
     
  16. CaptainKirk1966

    CaptainKirk1966 Former MDL Guru

    Oct 31, 2009
    1,901
    908
    60
    #16 CaptainKirk1966, Feb 23, 2014
    Last edited: Feb 23, 2014
    OP posted some long notes in Daz loader thread yesterday. It seemed mostly technobabble to me, but then again I am not any sort of computer security expert. It seems that Daz loader will not work on his system, and he is trying to warn others who may not be able to get the loader to work that they may have the same problem as him, whatever that is.

    btw: @speedingcheetah, I saw your post on other site, and wanted to say that Daz loader downloaded from here at MDL contains no malware. Somebody elsewhere could certainly package malware in something they call Daz Loader

     
  17. speedingcheetah

    speedingcheetah MDL Novice

    Aug 11, 2012
    9
    2
    0

    Yes...that is what i was meaning to say....I have used Windows Loader back when I was on win 7 with no isssues, but there are plenty of "fake" versions of it...but now I can't use it since I use Win 8.1 now.
     
  18. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    Facts and Contiued Data

    I am respectful to those who give it. In this forum the people stick to facts and keep the primary focus on the problem. Please don't bring the drama here.

    Working at the moment will update in my next post with full scope when I get home: Initial and Continued Problem/Symptoms, Data gathered, Troubleshooting Attempts and Steps Taken To Remedy.

    I thought I would go to the forum of where the firmware was made and work from there since that is what I believed to be the issue or root cause that allowed whatever is affecting all the devices on my network. However Merlin stated it was not the firmware so I am moving on.
     
  19. J0hnBlaze

    J0hnBlaze MDL Novice

    Feb 4, 2014
    17
    0
    0
    Sorry for the delay in a follow up post to bring some clarification of symptoms and data. I am organizing all of this now and it will be available within the hour.

    Briefly though, I have confirmed inexplicable oddities with a support tech with Logmein Rescue and the ISP is now having their research team look into the matter. Not helpful for clearing anything up I know but, it validates my concerns. I didn't want the thread locked before I had a chance to reply.

    Thank You
     
  20. urie

    urie Moderator
    Staff Member

    May 21, 2007
    8,692
    3,046
    300
    By all means make your report when support tech with Logmein Rescue and the ISP get back to you. Then that may help other members but make it brief we do not need another two or three pages of your interpretation considering no one else on this forum has your actual problem.