Is my router hacked?

Discussion in 'Tomato Firmware' started by haazee, May 30, 2013.

  1. haazee

    haazee Reformed Router Member

    I've used Shibby Build (tomato-K26USB-1.28.RT-MIPSR2-102-AIO.trx) on an Asus RT-N16 until yesterday.
    Yesterday morning I saw that the WAN was too busy (the WAN LED blinked very fast), but all of my machines were powered off.
    The WAN was set to connect on demand, but after disconnecting, it never tried to reconnect to the ISP (it worked some days ago).
    Another weird thing: an entry in the log.
    Normally, when pppd starts, it writes two lines to /var/log/messages, something like this:

    pppd[497]: Open UDP <my wan IP>:26178 -> <DNS1 IP>:53
    pppd[497]: Open UDP <my wan IP>:26178 -> <DNS2 IP>:53

    Since yesterday, instead of these I have found only one line every time I start a pppoe connection:

    pppd[1819]: Open ICMP <my wan IP> ->

    If that is not enough, I've found a new process, which is unknown to me (I had never seen it in ps's output):

    2300 root 1392 D listen br0

    I don't know what it can be, but it keeps open (among others) the /lib/
    Yes, I'm a little bit paranoid, but I fear that in this case not groundlessly…
    Could you help me? Am I really hacked/cracked?
    Or what else could it be?

    If my router is broken, how can I clean it up? OK, I will reset the nvram and reinstall Tomato. Is that enough?
    Is it possible that the boot loader, or something else, needs to be cleaned? If yes… how?
    So… I've used build 102, because the later versions (including 108 - I've never tested build 109) boot in 15-20 minutes(!!!) on my router. :(

    A newer thing: I unplugged the WAN cable, switched on the router, and tried to access the web GUI from a Linux machine, but it doesn't work either... The web server stopped working on SSL. (Previously I had set it to use SSL.)
    I logged in via ssh, executed the command "netstat -lntpu" and saw: httpd doesn't listen on port 443...
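The post's triage boils down to two questions about `netstat -lntpu` output: is anything listening that is not one of the router's known daemons, and is the expected listener (httpd on 443) actually there? The script below is an added example written for this thread; it is not code from the original post, from Tomato or from Shibby. It assumes the busybox-style column layout shown in the constructed `SAMPLE_NETSTAT` (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name); the program names in the allowlist, the port numbers and the `listen` entry in the sample are all constructed for illustration and are not values from the thread.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntpu` output, modelled on busybox netstat.
# Assumption: the real router's column layout matches this; the program
# names, PIDs and ports here are made up for the example.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      612/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      540/dropbear
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      2300/listen
udp        0      0 0.0.0.0:53              0.0.0.0:*                           520/dnsmasq'

# Print "proto port program" for every listening socket whose program name
# is not in the allowlist.  $1: space-separated allowlist; netstat text on stdin.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      # Last field is PID/program; field 4 is the local address:port.
      split($NF, pp, "/"); prog = pp[2]
      m = split($4, addr, ":"); port = addr[m]
      if (!(prog in ok)) print $1 " " port " " prog
    }'
}

# Exit 0 if some program listens on the given proto/port, 1 otherwise.
# $1: proto (tcp|udp), $2: port; netstat text on stdin.
port_is_listening() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto { m = split($4, addr, ":"); if (addr[m] == port) found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Stand-alone run against the constructed sample.  On the router, feed the
# live command instead:  netstat -lntpu | unexpected_listeners 'httpd dropbear dnsmasq pppd'
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 'httpd dropbear dnsmasq'
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_listening tcp 443; then
  echo "httpd is serving 443"
else
  echo "nothing listens on tcp/443 (expected httpd when SSL is enabled)"
fi
```

The allowlist is the important input: build it from a known-good router (same firmware build, fresh nvram) rather than from the suspect box, otherwise an unknown daemon simply gets allowlisted. The check only sees sockets the kernel reports; it does not tell you why a process is there, so an unexpected entry is a reason to reflash from a trusted image, not proof of compromise on its own.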
