Posted: Tue Aug 12, 2025 21:12 Post subject: Is it possible my Netgear R7000 has been hacked?
Despite using DD-WRT firmware since Kong builds, is it possible my R7000 is hacked?
- Reboots seem to be doubling up,
- dmesg shows me getting hit every second on WAN port lan2.
- my ISP has reduced my download speed,
and I do not recognize this entry in Netstat.
I know it is a routing protocol, just never noticed the "bold" entries.
raw 0 0 ::%89700:58::%1995208896:* 58 1778/radvd
The incoming firewall log shows lots of connect attempts , but all seem to be are dropped or rejected.
If I want to start from scratch, from what I read these are the steps...
1) Load factory settings by holding in reset button for at least 7 seconds (Or should I use the DD-WRT Administration/Factory Reset function?)
2) Restart
3) Select the DD-WRT v3.0-r62036 std (08/08/25) factory-to-dd-wrt.chk file.
4) Upload file, and wait for restart to complete.
5) Re-enter all settings saving as I go along, then Reboot.
Joined: 08 May 2018 Posts: 16557 Location: Texas, USA
Posted: Wed Aug 13, 2025 0:17 Post subject:
If DD-WRT is already on the router, you don't use the factory-to-ddwrt.chk file. You use the netgear-r7000-webflash.bin file. If it's already on the latest DD-WRT version. all you need to do is do a reset either by button, webUI (factory defaults), or 'nvram erase && reboot' via telnet / ssh.
That is what I have been doing for the last 10 years, however with my ISP throttling my speed, and others indicating I might be hacked, I thought going back to factory and starting over might clear out some fragments.
I am already happily running build 62036, and can't see anything in syslog, dmesg and firewall logs.
The consensus on another site is that the router is too old. I don't believe that.
I am getting 948Mbps WAN to LAN , and the same LAN port to LAN port.
The only thing that I noticed, is when rebooting it seems to do it 2X before network access is restored.
Looking through dmesg on bootup I see these messages of ports going in and out of promiscuous mode.
I simply changed a DNS server IP, and did "Save and Apply" and it rebooted twice.
I assume this is completely normal, but somehow my ISP is throttling my WAN speed on my router, but their modem when I connect a PC directly to it, maintains 940Mbps.
[ 12.544010] device br0 entered promiscuous mode
[ 12.601213] device vlan1 entered promiscuous mode
[ 12.605990] device eth0 entered promiscuous mode
[ 13.008794] device eth1 entered promiscuous mode
[ 13.403883] device eth2 entered promiscuous mode
[ 13.418628] br0: port 3(eth2) entered forwarding state
[ 13.424057] br0: port 3(eth2) entered forwarding state
[ 13.429441] br0: port 2(eth1) entered forwarding state
[ 13.434858] br0: port 2(eth1) entered forwarding state
[ 13.440267] br0: port 1(vlan1) entered forwarding state
[ 13.445679] br0: port 1(vlan1) entered forwarding state
[ 13.450959] device br0 left promiscuous mode
[ 13.460370] device br0 entered promiscuous mode
[ 13.477069] device br0 left promiscuous mode
[ 13.653915] device eth0 left promiscuous mode
[ 13.659521] br0: port 1(vlan1) entered disabled state
[ 13.680732] device eth0 entered promiscuous mode
[ 13.685674] br0: port 1(vlan1) entered forwarding state
[ 13.690956] br0: port 1(vlan1) entered forwarding state
[ 13.756983] b53_robo_cpu_port_upd, pdesc[8].cpu=1
[ 13.761821] bcm_robo_config_vlan_fun vid=1, vlan->members=0x3e, vlan->untag=0x1e
[ 13.769357] bcm_robo_config_vlan_fun ports=1 2 3 4 5t
[ 13.774538] bcm_robo_config_vlan_fun vid=2, vlan->members=0x21, vlan->untag=0x1
[ 13.781959] bcm_robo_config_vlan_fun ports=0 5t
[ 14.092584] device vlan2 entered promiscuous mode
[ 18.140249] device vlan2 left promiscuous mode
I presume you are not using CTF / CTF+FA under Shortcut Forwarding Engine. And there have been mixed reports on recent builds regarding presence or whether it's functional or not.
Yes, I am using CTF / CTF+FA
This line shows up in syslog 6x
Aug 12 21:36:06.922 Bedrock user.info : [ctf] : fast path (CTF) forwarding successfully started
I checked syslog and with every restart/reboot it restarts 2X.
Joined: 18 Mar 2014 Posts: 13869 Location: Netherlands
Posted: Wed Aug 13, 2025 5:10 Post subject:
linksman wrote:
The consensus on another site is that the router is too old. I don't believe that.
I am getting 948Mbps WAN to LAN , and the same LAN port to LAN port.
It is not about how old the router is it is about the software and DDWRT is up to date, running on Kernel 4.4. which is still supported as SLTS release.
I too am testing at 940+Mbps on the R7000 , on the WAN side using online test servers, and the same over the LAN ports using iPerf3.
My problem is when switching my provider's modem to Bridge mode, I test at 940Mbps for the first few minutes, then the WAN DHCP lease renews and I drop to 240Mbps. But the "unbridged" side stays at 940Mbps+.
This happens with 2 different routers, one R7000 DD-WRT and one factory firmware D-LInk router, so I know it is not my equipment.
I've convinced my provider to replace the modem...but I think it is time to switch.
