Without knowing how the passwords were compromised, secure-erase any local computers or, at the very least, run scans.
I would back up everything, start over, then scan the images later offline or maybe in a sandbox or VM such as VirtualBox.
I have too many local devices connected, is the issue, but you're right. Having root-level access on the router has potentially deep consequences.
Posted: Sat Nov 19, 2022 10:10
Yep, untrusted devices and IoTs you should put on their own VLANs (bridged), so separate the "harmful traffic". In your case, an x86 system, you may need a proper managed VLAN-capable switch and maybe an x86 license (not that expensive)... and of course good internet hygiene... plus a complex password for GUI access, as well as GUI access limited to specific clients only (MAC-based via iptables rules). SSH access is also limited to keyfile login only and the key is password-protected (itself), so no option is left for SSH login with the GUI password. That's my basic security... kind of. As well, use a dedicated browser in private mode (let's say Pale Moon) only for the DD-WRT GUI and nothing else... and definitely no Avahi (mDNS) for local discovery.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Last edited by Alozaros on Sat Nov 19, 2022 13:27; edited 2 times in total
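Added example (not from this thread or the DD-WRT project): a DD-WRT custom firewall script implementing the MAC-based GUI restriction Alozaros describes above. It assumes the LAN bridge is br0, the GUI listens on ports 80 and 443, and the allowed MACs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not DD-WRT's own code. Restricts the web GUI on the LAN
# bridge to an allow-list of client MACs. Assumptions: LAN bridge is br0,
# GUI on 80/443, MAC addresses below are constructed placeholders.
LAN_IF="br0"
GUI_PORTS="80 443"
ALLOWED_MACS="AA:BB:CC:00:00:01 AA:BB:CC:00:00:02"

# Print the iptables commands that implement the policy, one per line.
# -I inserts at the top of INPUT, so the DROP is emitted first and every
# ACCEPT is inserted above it: the chain ends up as ACCEPT(s) then DROP.
gui_allow_rules() {
  for port in $GUI_PORTS; do
    echo "iptables -I INPUT -i $LAN_IF -p tcp --dport $port -j DROP"
    for mac in $ALLOWED_MACS; do
      echo "iptables -I INPUT -i $LAN_IF -p tcp --dport $port -m mac --mac-source $mac -j ACCEPT"
    done
  done
}

# Number of rules that would be installed (sanity check before applying).
gui_rule_count() {
  gui_allow_rules | wc -l | tr -d ' '
}

# Apply the rules; refuses to run unless iptables exists and we are root
# (i.e. when pasted into the DD-WRT firewall script on the router).
apply_gui_rules() {
  if ! command -v iptables >/dev/null 2>&1 || [ "$(id -u)" != "0" ]; then
    echo "not root or no iptables; printing rules instead" >&2
    gui_allow_rules
    return 0
  fi
  gui_allow_rules | while read -r cmd; do $cmd; done
}

# Default invocation is a dry run; pass "apply" to install the rules.
if [ "${1:-}" = "apply" ]; then apply_gui_rules; else gui_allow_rules; fi
```

MAC matching only works for clients on the same Layer 2 segment, and this does not replace disabling remote (WAN) management, which was the actual exposure in this thread.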
Were you surfing the internet with the same browser that you use to access the DD-WRT webUI? Were you storing your DD-WRT webUI password in the in-browser password manager? How much do you like your p0rn and w4r3z? Thankfully, there is no evidence that we're aware of that DD-WRT "phones home" or broadcasts a fingerprint.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
My password was literally 6 consecutive numbers. There is no mystery about how that password was cracked. I simply relied on "no remote access", which is something I forgot to set when I upgraded the firmware, because it defaults to on (which, again, makes sense for people who manage DD-WRT clients remotely and need to erase the NVRAM or do firmware upgrades).
I do, of course, save it in the password managers of my various browsers and computers, but they shouldn't be on any cloud servers.
I imagine over the past several months some bots scanning for open devices found mine and cracked the password (again, not difficult to crack) and installed their stupid bitcoin miner.
I've upgraded the firmware, changed my password from 6 consecutive numbers, and changed the appropriate security settings.
No more login attempts detected in syslog.
What's wrong with Avahi?
_________________
Google is Spyware
It's not the default on other builds?! If it were the default everywhere, that would be one thing, but since it is not, it would be good to put an alert right at the beginning with a prompt to change the password.
I know this is my fuckup, but I'm certainly not the first person to fall victim to this. The remote management setting is buried deep, and it is IMPERATIVE that this is turned off if it's not needed.
_________________
Google is Spyware