whoodini
just joined
Topic Author
Posts: 3
Joined: Wed Aug 31, 2016 11:32 am

HAP AC2 goes shortly online and then it suddenly shuts down

Mon May 08, 2023 1:03 am

Hi there,

Somehow my HAP AC2 got hacked by a white-hat hacker, who, as far as I can figure, made it shut down or turn off all WAN and LANs as soon as it is done booting.
I see it booting, I see it initialising the WAN and LANs, and for a second or two the LANs are on, but then they just turn off or it shuts down (can't really tell).

The router was behind a DSL modem for almost four years. I had some drop rules on the WAN side for some common ports, I had some allow rules on the WAN side to allow known DDNS names to reach its resources, as in L2TP/IPsec & WireGuard, and some port forwards. I usually disable all services that I don't require (winbox and www were ON, the rest off). There was one user account, admin, with a password of 5 characters: one capital letter, two numbers, one lowercase letter and a sign (not the most complex of all, but it should have sufficed).

I don't mind setting it up again, even though it was not a good time to get hacked (busy in personal and professional life).
But what gets my boat floating is: what had I done wrong? I know, I know, maybe it wasn't the safest setup, but still, I need to learn what/where I failed.

Is there a way to stop the boot process and/or get hold of the startup script/configuration?

As per this thread: viewtopic.php?t=154154, there is no functional UART...

Ideas?

Thanks.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: HAP AC2 goes shortly online and then it suddenly shuts down

Mon May 08, 2023 11:12 am

Having access to any management services from the internet is a bad idea to start with. And it doesn't matter if it's winbox, ssh, WebUI or anything else.

You don't write which ROS version your device is running, but some while ago the winbox service had a serious flaw which allowed an attacker to get in pretty easily. The hole was patched quite a while ago, but if you didn't upgrade ROS, then it's still vulnerable.

OTOH, the symptoms you're describing can also point at some HW failure in development. E.g. a marginal power adapter which cannot sustain nominal output current: after the device boots up, it's probably using maximum power (it drops a bit afterwards). Similar effects could come from dried capacitors in the device itself.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: HAP AC2 goes shortly online and then it suddenly shuts down

Mon May 08, 2023 5:37 pm

Concur.

a. First check the power supply so it's removed as an issue.
b. Regardless, do not continue to the internet with said device.
USE NETINSTALL and put version 7.9 stable on it (unless it is a really old version, and then start with the latest 6 stable version, then upgrade to 7).
c. Use a basic firewall setup (default) and do not open up WAN to anything but an incoming VPN connection.
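A concrete version of steps b. and c. above, added here as an example; it is not part of anav's post nor MikroTik's own default script. It assumes ether1 is the WAN port, the LAN bridge is named bridge, a WireGuard interface wg0 listens on UDP 13231, LAN/VPN ranges of 192.168.88.0/24 and 10.10.10.0/24, and a DDNS name client.example-ddns.net for the only allowed VPN client.

```routeros
# Added example (not from the thread). Assumed names: ether1 = WAN, bridge = LAN,
# wg0 = WireGuard on UDP 13231, client.example-ddns.net = assumed DDNS name of the VPN client.
/interface wireguard add name=wg0 listen-port=13231
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge
/interface list member add list=LAN interface=wg0

# Keep only the services in use and bind them to the LAN and VPN ranges (assumed);
# nothing management-related is reachable from the WAN side at all.
/ip service disable telnet,ftp,api,api-ssl,ssh
/ip service set winbox address=192.168.88.0/24,10.10.10.0/24
/ip service set www address=192.168.88.0/24,10.10.10.0/24

# Optional tightening: only known client addresses may even reach the VPN port.
# A DNS name in an address-list is resolved by RouterOS and refreshed, so a DDNS name works.
/ip firewall address-list add list=vpn-clients address=client.example-ddns.net comment="assumed DDNS name"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 src-address-list=vpn-clients comment="WireGuard is the only thing WAN may reach"
add chain=input action=accept in-interface-list=!WAN comment="everything from the LAN and VPN side"
add chain=input action=drop in-interface-list=WAN comment="drop all other WAN input: winbox, www, ssh, ..."
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="no new WAN connections unless explicitly port-forwarded"
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade LAN out"

# Check after applying: the input chain must show the VPN accept as the only WAN-facing accept.
/ip firewall filter print where chain=input
```

Remember that a port forward on the DSL modem ("Completely exposed"/DMZ) makes the router's own WAN rules the only line of defence, which is why the drop at the end of the input chain matters.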
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: HAP AC2 goes shortly online and then it suddenly shuts down

Mon May 08, 2023 7:53 pm

my HAP AC2 got hacked by a white-hat hacker
?????

Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has.
The router was behind a DSL modem
If you did not set port forwarding in that DSL modem, there is probably no hacker involved.
Is there a way to stop the boot process and/or get hold of the startup script/configuration?
Reset the device? (Reset button procedures.)
As per this thread: viewtopic.php?t=154154, there is no functional UART...
Link to what thread?
 
whoodini
just joined
Topic Author
Posts: 3
Joined: Wed Aug 31, 2016 11:32 am

Re: HAP AC2 goes shortly online and then it suddenly shuts down

Tue May 09, 2023 12:28 am

Having access to any management services from the internet is a bad idea to start with.
Generally speaking true, BUT I had a whitelist of ~5 DDNS names/IPs. This means nothing was permitted except those 5 IPs.


You don't write which ROS version
My mistake, it had v7.7 or v7.8.


OTOH, the symptoms you're describing can also point at some HW failure in development. E.g. a marginal power adapter which cannot sustain nominal output current: after the device boots up, it's probably using maximum power (it drops a bit afterwards). Similar effects could come from dried capacitors in the device itself.
It's a HAP AC2, about 2 to 3 years old, and sits in a furnished basement room, no direct sun on it. The power supply's voltage is 24,028V without a load. I didn't open it to measure the voltage under load.
To be honest, this is not the first but rather the second time one of my devices has been hacked. I know this points out that I am clearly at fault. It was almost a year ago, same device, different location, different version of ROS (~v6.47); I had hoped that in between I had gained some experience.


a. First check the power supply so it's removed as an issue.
b. Regardless, do not continue to the internet with said device.
USE NETINSTALL and put version 7.9 stable on it (unless it is a really old version, and then start with the latest 6 stable version, then upgrade to 7).
c. Use a basic firewall setup (default) and do not open up WAN to anything but an incoming VPN connection.
Will do!


Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has.
Fine, it was a "greyish" one! :)


If you did not set port forwarding in that DSL modem, there is probably no hacker involved.
I just double-checked: there are a few VPN ports open and then...... "Completely exposed" was checked too.....


Link to what thread?
My bad, wrong link. This should be the right one: viewtopic.php?t=137262


I replaced the affected device with a spare, so I still have it and was hoping I could get into it via UART.

Thanks for the contribution!
