this post was submitted on 29 May 2025

140 points (98.6% liked)

Cybersecurity

7252 readers

132 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

140

Thousands of Asus routers are being hit with stealthy, persistent backdoors (arstechnica.com)

submitted 2 days ago by PhilipTheBucket@ponder.cat to c/cybersecurity@sh.itjust.works

12 comments fedilink hide all child comments

top 12 comments

sorted by: hot top controversial new old

[–] JoMomma@lemm.ee 25 points 2 days ago (5 children)

...and this article doesn't tell you which models or link to any resources that do? How is this helping?

[–] skabbywag02@lemm.ee 40 points 2 days ago

From article: "Recommendations

Check ASUS routers for SSH access on TCP/53282.
Review the authorized_keys file for unauthorized entries.
Block the four IPs listed above.
If compromise is suspected, perform a full factory reset and reconfigure manually."

[–] PhilipTheBucket@ponder.cat 15 points 2 days ago (1 children)

researchers from security firm GreyNoise reported Wednesday

Why sure, I would be happy to help you find literally the very first link in the article, which is in the third paragraph. Since you asked politely and all.

[–] JoMomma@lemm.ee 0 points 1 day ago (1 children)

I read all that, I just didnt believe that the end result was that we were supposed to manually check every ASUS router in order to find the vulnerable ones. Seems like it should be limited to certain models/firmwares, or am I missing something still?

[–] PhilipTheBucket@ponder.cat 2 points 1 day ago

Just read dohpaz42's comment. They literally copy and pasted for you the relevant text: How to check if you're infected already, and how to protect yourself in the future (which means apply updates).

[–] stoy@lemmy.zip 15 points 2 days ago

This affects multiple FW versions and models.

The article does tell you how to check if you are infected, and how to remove the access.

[–] joshcodes@programming.dev 7 points 2 days ago

It referenced this btw, which does have the details you're looking for. Not sure if it updated.

https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

[–] dohpaz42@lemmy.world 5 points 2 days ago (1 children)

Probably because it’s not limited to one or two specific models. Read the article:

The only way for router users to determine whether their devices are infected is by checking the SSH settings in the configuration panel. Infected routers will show that the device can be logged into by SSH over port 53282 using a digital certificate with a truncated key of

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... To remove the backdoor, infected users should remove the key and the port setting.

People can also determine if they’ve been targeted if system logs indicate that they have been accessed through the IP addresses 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, or 111.90.146[.]237. Users of any router brand should always ensure their devices receive security updates in a timely manner.

There’s your answer.

[–] thermal_shock@lemmy.world 2 points 2 days ago

Users of any router brand should always ensure their devices receive security updates in a timely manner.

I like how you're supposed to get updates from the same company that left the security holes open, or are actively monitoring them.

[–] Hello_there@fedia.io 11 points 2 days ago (2 children)

I wish the article can discuss in more detail how to do the things it's suggesting. I've looked for a few mins but there's no easy button to press to block an IP or check for ssh connections Anyone point me to where to look in Asus settings?

[–] echolalia@lemmy.ml 4 points 2 days ago

On my Asus router, the relevent SSH screen is under Administration -> System and looks like this:

My router wasn't compromised. If it was, ssh would be set to yes, and the sus key/port would be visible here. Please forgive the ultra paranoid purple boxes.

As far as IP blocking, I'm not sure it's necessary, but I followed this link. It's pretty easy to get new IPs, so if the attacker wanted to, they would do that. It's more important to update your router.

[–] ewigkaiwelo@lemmy.world 1 points 2 days ago

Maybe see if you router is supported by Openwrt and if so install it and then run an iptable to block those ip's? But I'll also wait for an answer/recommendation from an expert