Looking for insight on network setup after possible router compromise.

I’ll give the facts of what’s happening and what I’m hoping to achieve.

My setup: ISP modem is in bridge mode; they (ISP) have provided a static IP to me for years, and even when I moved it has stayed the same.

So the connection is passed off to my router (ASUS RT-AC5300) for handling. I have had everything set up the way I liked for years: static local IPs for my NAS, main computer, and my dedicated server (old PC repurposed) I use to host games online to play with people once in a while, all the ports and port forwarding, etc.

Unfortunately I believe my network was compromised (which doesn’t actually surprise me, as I had RDP attacks in the past that were flagged when I had to use RDP to connect to my home system from out of town). Now, to be fair, last month we had rapid power surges and the router got turned off and on repeatedly, within about 3 seconds with each surge, for a good 5 to 6 minutes before I got it unplugged. But I still feel it’s compromised by an attacker who gained access.

I went to log into my router as I noticed my main computer had network activity. It wasn’t suspicious, just weird, as it was for a server company I used to rent dedicated systems from and it kinda looks like their DNS is being used. What I was met with was the router login screen, and my credentials wouldn’t work (yes, I rebooted the network). My username and password wouldn’t let me log in. Which is why I believe someone else managed to get in through my ISP IP and did who knows what, and then changed my login information.

- The Plan -

So everything is now unplugged till I can handle it tonight.

It sucks having to start from scratch again, but times have changed and maybe someone more up to date on things could help me make sure I set everything up more securely and am still able to game online and, once in a blue moon, host a few games on my other system.

I’m gonna put Asuswrt-Merlin on my RT-AC5300 to try out. I heard it can block attacks from known bad actors by a list using ipset.

Also heard its VPN function can be assigned to devices / groups instead of putting the whole router into that VPN mode.

I just need to know the best way to set it up to prevent anyone outside of the local network from getting access to the GUI / login page. To keep it locked down, but yet easy to host game servers.

Also, when I do have to open a port for a game or something, what options do I have to ensure no one listening for open ports can take advantage of a game port being opened?

7 minutes ago, Elochai said:


Are you sure the router wasn't just reset to factory because of the power surge? Anyway, Asuswrt-Merlin sounds like a good idea.

CPU: Ryzen 5800X3D | Motherboard: Gigabyte B550 Elite V2 | RAM: G.Skill Aegis 2x16gb 3200 @3600mhz | PSU: EVGA SuperNova 750 G3 | Monitor: LG 27GL850-B , Samsung C27HG70 | 
GPU: Red Devil RX 7900XT | Sound: Odac + Fiio E09K | Case: Fractal Design R6 TG Blackout |Storage: MP510 960gb and 860 Evo 500gb | Cooling: CPU: Noctua NH-D15 with one fan

FS in Denmark/EU:

Asus Dual GTX 1060 3GB. Used maximum 4 months total. Looks like new. Card never opened. Give me a price. 


Just now, DoctorNick said:

Are you sure the router wasn't just reset to factory because of the power surge? Anyway, Asuswrt-Merlin sounds like a good idea.

Yes, that dawned on me as well, so I tried the factory username and password on the bottom of the router with no luck.

1 minute ago, Elochai said:

Yes, that dawned on me as well, so I tried the factory username and password on the bottom of the router with no luck.

I see. Alright, if you can't log in, then it might be hard to flash the router. It could also be bricked somehow (not compromised), but because we don't know that, you might just have to get a new router.

31 minutes ago, DoctorNick said:

I see. Alright, if you can't log in, then it might be hard to flash the router. It could also be bricked somehow (not compromised), but because we don't know that, you might just have to get a new router.

It’s not bricked, everything works. I’m feeling it’s compromised. My guess is someone brute forced access through my static IP till they gained access to the router. They did whatever it was they wanted to do (I don’t know, as I can’t get logged in to see what malicious activity they did) and locked me out. Could have been like this for a month or more now. How many people log into their routers often, once set up and running as planned?

So I know without a doubt that I can plug it back in and factory reset it. The only reason it’s not running is so whatever the attacker did to it isn’t being done to me (snooping, botnet, worm, or whatever else was the purpose). What I need to do, and what I would like, is input on setting it up to avoid these attacks from making it to the login screen while still having the functionality to host dedicated games once in a while.

As I said, not the first time I’ve been attacked; I had multiple Remote Desktop attacks in the past, and the IP I got from my ISP has been with me for years and years. My guess is they attack the ISP range till they get into a few systems. Only this one wasn’t an RDP attack but one directly geared at access to my full network.

Yes, it sucks I’ve got to factory reset; I’ve got to redo all the settings when I wake up this evening after I get some sleep from my night shift. But that’s it, things happen. The main thing now is setting up a whole new network with safeguards to stop these attacks while still being able to enjoy my network. That’s the whole reason for the post: in the 15 years since I was more hands-on with networking, things have changed and I want people’s input on the steps to take and the best approach / what to do within Asuswrt-Merlin and even firewall settings in Windows if needed, to get the results I’m looking for in keeping my network locked down tight and only opened for dedicated gaming servers with no access beyond that. No way for someone outside this network to ever get into the router by its login GUI or even shell access.

31 minutes ago, Elochai said:


I understand. I'm sure you can get help here with whatever you need, but I may not be the right guy. My experience with this stuff is pretty limited. I would however get a new static IP from your ISP. Maybe you can try rescue mode. Found this forum post: https://www.snbforums.com/threads/rt-ac5300-hacked-with-a-persistent-hack-how-do-i-go-about-nuking-the-flash-and-starting-over.76117/

Which leads to this guide:

https://www.asus.com/support/faq/1000814/

You can get firmware restoration program here: 

https://www.asus.com/supportonly/rt-ac5300/helpdesk_download?model2Name=RT-AC5300

Latest firmware here: https://www.asus.com/supportonly/rt-ac5300/helpdesk_bios?model2Name=RT-AC5300

After you've flashed the new firmware, you should be able to access the router interface. Then you can flash Merlin. You might also be able to flash Merlin directly from rescue mode.

4 hours ago, DoctorNick said:


Thanks, I’m gonna just fully reset it. Won’t need to do restoration mode at all. It’ll be out-of-the-box new when I go at it. As for my ISP, no point in even asking them.

I’d just like to know what settings I should use and enable for the best results in keeping my network safe within Asuswrt-Merlin, and if I open ports to my game server, or any open port for that matter, how do I ensure those ports can only be used for the application needed and not as back doors?
