Persistent backdoor was my nickname on college
this post was submitted on 29 May 2025
255 points (98.9% liked)
Technology
70995 readers
4397 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
At least one of the named routers (RT-AC3100) is supported by OpenWRT, which generally has a better security track record than stock firmware.
Kinda tricky to tell what exactly I'm supposed to check.
I run an ASUS RT-AX86S
To check if the settings have been compromised:
Log into the router under http://192.168.1.1/
Advanced Settings/Administration
System tab
Service section
Enable SSH should be set to OFF
Wouldn't a factory reset also "fix" it then?
Yes, except if they alter the factory image. In this case a new factory image has to be flashed before factory reset.
I haven't tried on my ASUS router, yet. But there might be a serial port in one of the RJ45 sockets, as on my old netgear. Plug in your PC there and run the manufacturer's flash utility.
This trick worked for me when a normal factory reset didn't help getting back acces to the WebUI.
Nobody is going to install this on my TP-Link. The back door is factory.
Oh wow, the router allows Admin and SSH on the WAN port? That seems like a massive problem to start with.
WAN should allow nothing except established.
It's off by default, but it allows you to turn it on in the advanced settings. Seems like a good compromise, especially since it lets you whitelist clients.
If you were using the router as a secondary network, like for IoT or homelab, it would kind of make sense to allow SSH or other logins from WAN, as long as the WAN was also your network and not the open internet.
Took a while to find a list of router models, I doubt this is an exclusive list, but at least bleeping computer has a list at all.
The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models.
Is there any way to test for this?
From the article:
The only way for router users to determine whether their devices are infected is by checking the SSH settings in the configuration panel. Infected routers will show that the device can be logged into by SSH over port 53282 using a digital certificate with a truncated key of
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...
To remove the backdoor, infected users should remove the key and the port setting.
People can also determine if they’ve been targeted if system logs indicate that they have been accessed through the IP addresses 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, or 111.90.146[.]237.
Those "backdoors" are called RJ-45 jacks. That's where the bits get in and out.
You have to fill them with both ends of a cable or the bits leak on the floor
My ports are on the front of the router. No backdoors for me, checkmate Atheists.
Is the RT-AX58U affected?