Router hacked, joined botnet, sent 4TB over a few days

xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 24

Posted: Fri Mar 24, 2017 7:09    Post subject: Router hacked, joined botnet, sent 4TB over a few days
At least that's what seems to have happened. I've since reset it and got a very secure password. I regret not getting a backup of the config beforehand to see what could be gleaned. But now I have YAMon keeping an eye on things, and after the reset, data flow has been normal.

Which leads me to conclude that it was the router, as opposed to a device on my network. I haven't changed the wifi password, and all connected devices are accounted for, all traffic, normal.

The days while it was happening, I'd noticed a sluggish connection and rebooted a couple of times thinking that was all it needed. But after this eerily similar story popped up in my feed, I had a look at my ISP's usage meter (which was normal when I'd checked a week earlier) only to see this:



So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.

Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?
thekk
DD-WRT User


Joined: 09 May 2016
Posts: 58

Posted: Fri Mar 24, 2017 11:57    Post subject:
Of course it's not just stock firmware being hacked.
On custom firmwares that open up all possible functions, hackers have more possibilities to act, too.
And a "hack" is often not what most people think, like scenes in the movie Firewall where a hack is just hitting buttons as fast as you can and you're "in".

Too bad that you reset your router. It would have been better to watch over your router, saving proof and footprints like running processes, open connections, logs etc.

In the current situation, you will not find out what happened.

In your case, and this is the case in most cases, I guess that one of your computers is infected with a trojan, because that's the simplest way to get into a network and get a router password.

Maybe the router wasn't infected and one of your computers is the member of a botnet, IF it was the result of a botnet. Some programs, like torrent clients or other file-sharing tools, act in the background.

My last word applies to the statistic that you posted. An upload of 400 to 600 gigabytes per month is really a lot for one user. It is even a lot for maybe 5 users.
Either you upload files regularly or you posted the wrong statistic.

If I had a botnet and would infect a custom router with dd-wrt or openwrt, I would install a vlan interface that doesn't affect the traffic counter. That's not so hard and the signs for a regular user aren't so bright.
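thekk's point about preserving evidence before a reset can be scripted. What follows is an added example, not code from the thread or from the DD-WRT project: a BusyBox-compatible shell script that snapshots the volatile state of a DD-WRT router (open connections, processes, conntrack table, interface byte counters, firewall rules, nvram, kernel and system log) into a timestamped directory with a manifest. The command list (`netstat -tunap`, `nvram show`, `/var/log/messages` and the rest) is what I would expect on a DD-WRT build and is an assumption; a tool that is missing is recorded in the manifest rather than aborting the capture, so the same script also runs on an ordinary Linux box for testing. Copy the directory off the router (scp or a USB stick) before power-cycling, since /tmp is RAM.

```shell
#!/bin/sh
# Volatile-state capture for a DD-WRT (BusyBox) router suspected of compromise.
# Added example, not from the thread. Run it over telnet/SSH BEFORE a reset or
# reboot: everything below lives in RAM and is gone afterwards.
# Assumptions: BusyBox netstat/ps/ifconfig, DD-WRT's `nvram` and `iptables`
# exist on the router; anything missing is noted in the manifest, not fatal.

# capture_router_state [outdir] -> prints the directory holding the evidence
capture_router_state() {
    out="${1:-/tmp/triage-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$out" || return 1
    manifest="$out/manifest.txt"
    printf 'captured_at=%s\nhost=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(hostname 2>/dev/null || echo unknown)" > "$manifest"

    # Most volatile first (connections, processes), then config and logs.
    # Format: name|command. stdin is /dev/null so no command eats the list.
    while IFS='|' read -r name cmd; do
        if [ -z "$name" ]; then continue; fi
        tool="${cmd%% *}"
        if command -v "$tool" >/dev/null 2>&1; then
            rc=0
            sh -c "$cmd" > "$out/$name.txt" 2>&1 < /dev/null || rc=$?
            # a non-zero rc is evidence too (e.g. a file that should exist but doesn't)
            printf '%s|%s|captured rc=%s\n' "$name" "$cmd" "$rc" >> "$manifest"
        else
            printf '%s|%s|tool-missing\n' "$name" "$cmd" >> "$manifest"
        fi
    done <<EOF
connections|netstat -tunap
processes|ps
conntrack|cat /proc/net/nf_conntrack
ifcounters|cat /proc/net/dev
interfaces|ifconfig -a
arp|cat /proc/net/arp
firewall|iptables -L -n -v --line-numbers
nat|iptables -t nat -L -n -v --line-numbers
nvram|nvram show
dmesg|dmesg
syslog|cat /var/log/messages
EOF

    # Hash every file so later tampering with the copy can be detected.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$out" && sha256sum ./*.txt) > "$out/SHA256SUMS" || true
    fi
    printf '%s\n' "$out"
}

# captured_count DIR -> number of items that produced an output file
captured_count() {
    grep -c '|captured' "$1/manifest.txt"
}

# Usage on the router:  . ./triage.sh; dir=$(capture_router_state); tar czf "$dir.tgz" "$dir"
```

The manifest records, per item, whether the tool existed and what exit status it gave, so a reviewer later knows the difference between "no conntrack entries" and "conntrack could not be read". Order matters: connections and processes are taken first because they change fastest, nvram and logs last.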
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Fri Mar 24, 2017 12:40    Post subject:
Things you can do to slow down an attack on your router:

1. Use a nondescript username and a long (12 characters or more) nondescript password

2. Disable "Enable info Site" on Administration/Management/Web Access

3. On the Security tab check every item on "Impede WAN DoS/Bruteforce"

4. There are of course known vulnerabilities on older builds (heartbleed etc.) so use a recent build

5. Do not use "Remote Access" on the Administration/Management tab

If you stick to these settings it is highly unlikely that your router can be hacked (but not impossible)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 24

Posted: Fri Mar 24, 2017 19:10    Post subject:
Ok, I just disabled the Info Site and ticked all the boxes under the Bruteforce area and now I can't log in.

It won't let me log in to the web interface or telnet. Is there some obvious reason why?

Wish I had backed up before doing that...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Fri Mar 24, 2017 20:21    Post subject:
Hmm, that is really odd. I have no problem logging in, telnetting or SSHing to my routers, and I have all the boxes on Impede WAN DoS/Bruteforce ticked.

You did not change anything else?

You are connecting from the LAN or WLAN?

What build are you using?

xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 24

Posted: Sun Mar 26, 2017 6:20    Post subject:
It must be a bug then. After I reset, I'll narrow down the cause and make a report (where does one do that, by the way?).

v3.0-r31205M (Kong), just changed those 2 settings and became locked out, with wrong pass on both web and telnet.

Nothing a reset can't fix, though not looking forward to reconfiguring YAMon. I had painstakingly named all the devices. Not sure I can export those now that it's not running (and can't be started without telnet, afaik).

Ho hum.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Sun Mar 26, 2017 11:06    Post subject:
Bug reports can be filed here: http://svn.dd-wrt.com/
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

Posted: Sun Mar 26, 2017 11:17    Post subject: Re: Router hacked, joined botnet, sent 4TB over a few days
xichael wrote:

    So, I suppose, it's not just stock firmware coming under attack these days. I had never enabled Remote Access, so the Web-GUI and Telnet shouldn't have been accessible from outside the LAN.

    Anyone have any ideas how this hack could've happened? Are there any known vulnerabilities with this v3.0-r31205M Kong release? Anything I can do to make sure it doesn't happen again?

No known issues and I do extensive security tests and have tools that find potential security issues in the code.

From your comment it sounds like you did not have a good password set before this happened. Let me tell you it is much easier to be hit by a drive by attack from inside your lan, than for someone to hack into the router from wan side, which is nearly impossible, especially if you have not exposed any services to the wan side.

The way this happens: you go to a bad website, and that website comes with code that tries to open a connection to your router from your client that has the browser open, from the lan side. If you have set an obvious password then this is easy, and the attacker can run commands on the router, pull in additional software, etc.

Thus make sure to always set proper passwords, to use isolated guest networks for computers you do not trust as much etc., this way they cannot contact your router or lan from the inside.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
xichael
DD-WRT Novice


Joined: 21 Jun 2007
Posts: 24

Posted: Mon Mar 27, 2017 6:43    Post subject:
Very weird stuff here. I was finally able to log in when I tried the old password on a whim. Pretty sure this was the pre-reset pass, so I'm having trouble understanding how it could still be around, or how switching those settings could've caused it to revert. I had been logging in with the new password up till then.

Anyway, I've set an extra-super-secure password now. Hopefully this is the end of the weirdness.

Thanks for the insight, Kong. It does sound more likely that it came from within the LAN. We have almost 20 devices regularly connecting here, not counting guests (who I should really put on a guest network). As long as it was just a one-time drive-by thing and not an ongoing compromised system, I'll be tentatively happy.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6445
Location: UK, London, just across the river..

Posted: Mon Mar 27, 2017 8:12    Post subject:
If you are not running a pppoe ISP connection, you can limit
access to the router GUI (port 80) via iptables and allow only a particular MAC address to access it...

# each -I inserts at the top of INPUT, so run the REJECT line first...
iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
# ...and the ACCEPT for your admin machine's MAC second, so it ends up above the REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Before applying, make sure: you save all your current settings in a file, you do have telnet/ssh access to the router, the reset button is enabled, and the mac address is spelled correctly (capital letters), otherwise you can lock yourself out.

p.s. you have to save those lines in Administration>Commands>paste and save in firewall script

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
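The MAC-restricted rules above are easy to get subtly wrong (rule order, a mistyped address), and the warning about locking yourself out is real. What follows is an added example, not code from the thread or from DD-WRT: a small POSIX/BusyBox shell helper that validates each MAC, emits the iptables lines in the order that works with `-I`, and optionally wraps them in a timed rollback so that, if the first login from the admin machine fails, the rules remove themselves. The port, the `br0` interface and the iptables `mac` match are taken from the post; the rollback mechanism (a backgrounded `sleep` followed by the matching `iptables -D` lines) is my addition and an assumption about what the router's shell supports.

```shell
#!/bin/sh
# Generate a DD-WRT firewall-script snippet that restricts the web GUI on br0
# to a whitelist of MAC addresses, with a lock-out safeguard.
# Added example, not from the thread. Assumptions: the GUI listens on TCP 80 on
# the LAN bridge br0 (as in the post) and iptables has the `mac` match.

# is_valid_mac AA:BB:CC:DD:EE:FF -> 0 if six colon-separated hex octets
is_valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# normalize_mac -> upper-case form (the post recommends capital letters)
normalize_mac() {
    printf '%s' "$1" | tr 'abcdef' 'ABCDEF'
}

# gui_lockdown_rules PORT MAC [MAC...] -> iptables commands on stdout.
# Each `-I` inserts at the top of INPUT, so REJECT is printed first and the
# ACCEPT lines after it; run in this order the ACCEPTs end up above the
# REJECT, which is what the post relies on. A malformed MAC aborts with no
# output at all, so a typo can never yield a REJECT without its ACCEPT.
gui_lockdown_rules() {
    port="$1"; shift
    [ $# -ge 1 ] || return 1
    for m in "$@"; do
        is_valid_mac "$m" || { echo "refusing: bad MAC '$m'" >&2; return 1; }
    done
    printf 'iptables -I INPUT -i br0 -p tcp --dport %s -j REJECT\n' "$port"
    for m in "$@"; do
        printf 'iptables -I INPUT -i br0 -p tcp --dport %s -m mac --mac-source %s -j ACCEPT\n' \
            "$port" "$(normalize_mac "$m")"
    done
}

# gui_lockdown_script PORT ROLLBACK_SECS MAC... -> the rules plus, when
# ROLLBACK_SECS > 0, a background job that deletes them again after that many
# seconds unless you `kill $!` it. Apply with ROLLBACK_SECS set, log in from
# the whitelisted machine, kill the job; only then paste the ROLLBACK_SECS=0
# version into Administration > Commands > Save Firewall.
gui_lockdown_script() {
    port="$1"; secs="$2"; shift 2
    rules=$(gui_lockdown_rules "$port" "$@") || return 1
    printf '%s\n' "$rules"
    if [ "$secs" -gt 0 ]; then
        # same rule specs with -D remove exactly the rules inserted above
        undo=$(printf '%s\n' "$rules" | sed 's/^iptables -I /iptables -D /' | tr '\n' ';')
        printf '( sleep %s; %s ) &\n' "$secs" "$undo"
        printf 'echo "GUI lock-down active; run: kill $! within %s s to keep it"\n' "$secs"
    fi
}

# Usage (on the admin machine, output goes to the router over ssh):
#   gui_lockdown_script 80 300 'AA:BB:CC:DD:EE:FF' | ssh root@192.168.1.1 sh
```

The validation is deliberately strict: one bad address and nothing is printed, because a partial rule set (REJECT present, ACCEPT missing) is exactly the lock-out the post warns about. The rollback job is the same idea as a timed `iptables` restore on a remote server: you have N seconds to prove you can still log in, and if you cannot, the router undoes the change on its own.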
cassie123eee
DD-WRT Novice


Joined: 27 Mar 2017
Posts: 1

Posted: Mon Mar 27, 2017 8:19    Post subject: password protection
Try Password Manager, it can help to give you a solution to your password, works with iOS, Windows, and Android password and file managers. It is free and awesome!