5

Has my ASUS router been hacked or just glitchy?

When I tried to login to 'router.asus.com' it would redirect to "[censored just in case].us-west-2.compute.amazonaws.com/find/device.html" and it said that I would have to connect to the router directly through WiFi or Ethernet instead of through a repeater? (This was after I disabled my VPN)

I tried resetting it multiple times, but I couldn't seem to login after the initial (re)setup process after copying and pasting my new randomly generated password.

Now, I am aware that WPA2 is vulnerable to brute-forcing, but even if they could brute force my WiFi password, I thought the ASUS login password couldn't be brute-forced? I remember disabling WPS, so how did they get in (if this was a hack)?

Also - why would a hacker disable the router login screen - wouldn't that just make the owners aware that something might be wrong?

UPDATE: okay so after spending two hours trying to figure it out, it seems like the altered state only happens after a specific Windows machine (normally connected to the router) logs in. After spending two hours trying to reset it multiple times, it seemed to stay fixed. Then the next day maybe twenty hours later, I realized that the login screen was disabled again.

Does anyone have a shop they could recommend to check to see if my router firmware was modified?

Mark
user3272992
  • I imagine the site is just trying to work out what IP address your router is at. At first glance, seems like legitimate traffic. What happens if you go to the IP address directly? – Chris Murray Jun 16 '15 at 10:15
  • Going to the IP address directly prompts me to a login window - not the ASUS login, but a pop-up that looks like it came from Google Chrome. Do you think you can check the AmazonAWS information to see if it is legitimate? Btw, could a hacked router hack my computer even in Google Chrome? – user3272992 Jun 16 '15 at 20:49
  • Update: When using Chrome and Safari on Mac to try to login, after the login fails, it shows a page that says "401 Unauthorized [line break] authorization required" and what's interesting is that the page is pink. – user3272992 Jun 16 '15 at 21:20
  • What's really bothering me is that it doesn't seem to be fixed (including not being able to login with the updated password each time) after I hit the 'reset' button on the router. I didn't think malware could survive a reset? – user3272992 Jun 16 '15 at 23:08

3 Answers

2

Your router is just glitchy.

"router.asus.com" returns a 301 redirect to "ec2-54-202-251-7.us-west-2.compute.amazonaws.com/find/router.html" (at least for me; it may redirect to other Amazon datacenters for people in other locations), a website hosted on Amazon's cloud.

The website itself appears to attempt to find your router's IP address by making connections to 50-some-odd domains such as "rt-n10pv2" or "findasus.local", and counting on the router's DNS resolver to intercept the request. This is rather fragile, as any change to the default DNS settings can break it.

Mark
2

Here is what finally worked for me and I was having the same response when I tried logging in. Instead of logging into the default router GUI 192.168.1.1 or entering http://router.asus.com try using one of these addresses: http://www.asusnetwork.net/ or https://www.asusnetwork.net:8443 There are a couple other alternatives but I don't have a good enough reputation to post more links, sorry.

JScot
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/66042) – Vilican Dec 20 '15 at 18:12
  • @Vilican, the links are not meant to be references to the answer posted elsewhere. They are the essential part of the answer. The addresses are possible alternative ways to log into the router's GUI. – JScot Dec 22 '15 at 03:43
  • Sorry, I picked the wrong reason. There is, for example, the question "Has my ASUS router been hacked or just glitchy?". This does not answer it. – Vilican Dec 22 '15 at 10:58
0

Some ASUS devices had a DNS entry that resolves asusnetwork.net to the device configuration and error pages (see this answer for more info). Without an internet connection, that's what you see. It used to look something like this:

enter image description here

When you have an internet connection, it bypasses that and uses your ISP's DNS to access whatever is at asusnetwork.net. ASUS used to own that domain, but they don't anymore. This was taken advantage of, and it now redirects to malicious sites like this one:

enter image description here

Therefore, if you lost internet, you'd get to the ASUS error page, and when you regained internet and reloaded the page (or your device reloads the page automatically when regaining connectivity), it'd take you to malware sites. More details on this vulnerability here. ASUS released a firmware update that makes it redirect you to router.asus.com instead, which is (as of right now) legit, and it looks something like this:

enter image description here

They probably should have also included with that update an entry in the block list for the old domain that's now malicious, but you can do that yourself too. So if you have this issue, the solution should be to get the firmware update (available on ASUS's site). As far as the Amazonaws page, I think that one is legit.

derpface
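The answers above turn on where the router-related hostnames actually resolve: to the router itself (its resolver intercepted the lookup) or to a host on the internet. The following is an added example, not code from any of the posts or from ASUS. It classifies DNS answers for the names mentioned on this page. The function names are hypothetical, the gateway address 192.168.1.1 is the default quoted in the second answer, and 203.0.113.10 is a documentation address used as constructed sample data.

```python
import ipaddress
import socket

# Names taken from the page. Per the answers, ASUS firmware answers these from
# the router's own DNS resolver; asusnetwork.net is no longer owned by ASUS.
LAPSED = {"asusnetwork.net", "www.asusnetwork.net"}
NAMES = ["router.asus.com", "findasus.local", *sorted(LAPSED)]
# Ranges treated as "on the LAN" (RFC 1918, link-local, IPv6 ULA/link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

def resolve_live(names):
    """Resolve each name with the system resolver (needs network access)."""
    out = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
            out[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[name] = []
    return out

def classify(addresses, gateway):
    """Say where a name's answers point: router, other LAN host, or internet."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if all(ip == ipaddress.ip_address(gateway) for ip in ips):
        return "router"
    if all(any(ip in net for net in LAN_NETS) for ip in ips):
        return "lan-other"
    return "internet"

def audit(resolutions, gateway):
    """Return (name, verdict, note) rows for a {name: [addresses]} mapping."""
    rows = []
    for name, addresses in resolutions.items():
        verdict, note = classify(addresses, gateway), ""
        if verdict == "internet" and name in LAPSED:
            note = "lapsed domain answered from the internet: update firmware, block it"
        elif verdict == "lan-other":
            note = "answered by a LAN host that is not the gateway: check DNS settings"
        rows.append((name, verdict, note))
    return rows

# Constructed sample: only one name is still intercepted by the router.
SAMPLE = {"router.asus.com": ["203.0.113.10"], "findasus.local": [],
          "asusnetwork.net": ["203.0.113.10"], "www.asusnetwork.net": ["192.168.1.1"]}

if __name__ == "__main__":
    for row in audit(SAMPLE, gateway="192.168.1.1"):
        print(*row, sep="\t")
```

To check a real network, pass `resolve_live(NAMES)` and your own gateway address to `audit` instead of the sample mapping.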