Help a Repeated Hacking Victim

Disclaimer: I am not a coder. It all reads like Chinese to me. This is my first day here and first post.
But I am a victim of repeated hacking. I will be moving on to router number 7 in the last 6 months.
(1 Arris G34, 2x Arris G36, 1 Gryphon AX, now 2x Opal 1200 Gli.Net).

They initially targeted features like Parental Controls, now they are moving into my security cam systems, phones and laptops.

Current setup: 2 Opal 1200, daisy-chained, running 4.7.2 firmware. One as a VPN client for IoT devices, the other no-VPN for regular stuff (I have a personal VPN on my computer), but with WPA3 security. I love the OpenWrt system. It makes me feel like I have a fighting chance, rather than having my hands tied together like with a closed system.
But, I understand not much. The terminology is alien, and people assume way too much background knowledge.

In a nutshell my question is "how many ways are there into a router, and how do I close those doors so only I can get in?"

So far for SSH entry I have (1) deleted Dropbear, (2) moved port 22 entry to a different number, (3) hopefully shut down SSH through a number of ways (a) The LuCI GUI, (b) a puny attempt at coding I got from the internet, basically to turn off SSH, close the interface, and mask SSH completely. I put that code in the "init" startup boot box thingy (in LuCI) so it goes through it every time (just in case).

For Telnet all I could do was tell the router to drop any communications to/from those ports involved. I also did that with a whole bunch of ports for various external entrypoints (e.g. Samba4) I read about online.

I also downloaded Snort. However, I have no idea how to turn it on or configure it. There seems to be no web-based way to do that.

I also blocked zero MAC IDs (00:00:00:00:00:00) on my SSID interfaces, which can be used for ARP poisoning (I am an IPv4 user. I cannot use IPv6 with VPNs). And I turned off WDS access points, choosing regular Access Points. And I randomize the MAC IDs of the SSIDs with every power restart (which happens daily).

However, they seem to have activated WPS on my routers (it normally lies dormant in Opal), which I know is a hacker's dream. I have literally no idea how to turn it off. If anyone can make a step-by-step YouTube for beginners, that would be cool. And I think they are editing my system logs now to try and cover their tracks (I try to fight back. I moved the port from 514 elsewhere, switched to TCP rather than UDP, and increased the size 10-fold to 640kb). I also just downloaded "syslog-ng" today for more in-depth log reports. But I have literally no idea how to get the logs out of it. Like, where to go or what to type where.

I also deleted the Repeater module, and shut down SMS modules, and the Cloud modules. If it has anything to do with remote entry, I want it gone.

I also create alphanumeric passwords around 30 characters long. I save them nowhere but a little book I take with me everywhere. Books cannot be hacked. I only enter the web GUI on a wire to avoid putting passwords out there over WiFi.

But I keep reading about more ways in all the time. Now there is something called JSON-RPC which I have no idea how to stop, as the module for that is a kernel one.

And I read that CLI can still happen, even without SSH. Darn. How to stop that?

Some tips you may be able to give, also:

• How to turn off promiscuous mode (in case I am being Wiresharked)?
• How to turn off WPS once it is on? There is no web-interface for that on firmware I have.

If it is code, where do I type that? (talk to me as if I am a baby, rather than assume too much knowledge). All I know is the Gli.net interfaces and that is about it. I can perhaps do SSH on Mac Terminal (but would need to switch SSH back on for that).

I am being totally hammered by hackers. That was why I got the Opals. They are 1/10th the price of other routers (like, 30 bucks each) so I could toss them easily without any financial sting.
But I want to move up to stronger ones like Flint 3, or Slate 7. Opal WiFi is too weak to get outside, and no way am I using repeaters or access points. I want 1 single access point - the router. And nothing else.

Thanks for your time reading this. Sorry it went on a bit. I am desperate.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

6 Likes

Oh, sorry. Newbie.
The source code from Gli.Net is here:
https://dl.gl-inet.com/release/router/testing/b3000/4.7.2

It is not a stable build, but it has several security features I needed (e.g. random MAC IDs for SSIDs. Sadly, the feature of a random MAC ID for the router itself does not function with Opal 1200).

It changes nothing; it's not our firmware. Copy and paste your post to the gl.inet forum.

2 Likes

Set up a router isolated from the compromised infrastructure, and quarantine all suspect devices in a guest/IoT network, then move decontaminated devices back to the sane network. Ask a friend to do that for you in an isolated/unrelated network location.

Without buying anything, try Quad9 or Cloudflare family DNS; those know a thing or two about botnet hacks. But for that archaic OpenWrt, the GL.iNet user forums are a better place to start.

Good devices are listed here (includes GL.iNet models except yours); Cudy ??3000? are the cheapest, GL.iNet are next, but any on the list is valid.

1 Like

Can't see anything related to OpenWrt.
Can't see anything being hacked, or do you just think you have been hacked!?

Telnet: OpenWrt doesn't come with telnet unless you install it manually.
SSH, Samba ports, etc.: by default the firewall blocks everything from WAN.
WPS: by default it is off in OpenWrt.
WDS: by default all are AP(s); I think most people use mesh instead, so why does it matter?
So why don't you use pure OpenWrt?

To secure (LuCI) web management access, set up tunneling of HTTP through SSH,
then you always need SSH...

Password is 30 chars long...
my SSH just uses 3 chars; come hack me if you can.

Feels like you're in a panic about something.
If there are hacking activities, most likely they are from inside your LAN,
meaning that some of your devices or your users' devices are infected,
or someone is using your LAN but doing something else.

4 Likes
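The reply above lists the stock OpenWrt defaults (no telnet, WAN input blocked by the firewall, WPS off, LuCI reachable through an SSH tunnel). The script below is an added example, not code from this thread, from OpenWrt or from GL.iNet: it flattens copies of OpenWrt's UCI config files and reports the "doors" the original poster asked about: WPS on an access point (`wps_pushbutton` in `/etc/config/wireless`), SSH not pinned to the LAN or still accepting passwords (`/etc/config/dropbear`), a `wan` zone that does not REJECT/DROP input (`/etc/config/firewall`), and the uhttpd listener that serves both LuCI and the ubus JSON-RPC endpoint (`listen_http` and `ubus_prefix` in `/etc/config/uhttpd`). The option names are the stock OpenWrt ones; the sample config files are constructed inline (the IP `192.168.1.1`, the section name `default_radio0` and the weak/hardened values are assumptions for the demo) so the script runs offline. On a router you would run `audit_dir /etc/config` instead.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or GL.iNet): audit UCI config
# files for WPS, SSH exposure, the WAN firewall policy and the uhttpd listener
# (LuCI + ubus JSON-RPC). Sample configs below are constructed, not real.

# Flatten one UCI file into one line per section: "<type> <name|-> key=value ..."
# Only single-quoted values are unquoted; values with spaces stay as-is.
uci_flatten() {
    awk -v q="'" '
        /^[ \t]*config[ \t]/ {
            if (line != "") print line
            name = $3; gsub(q, "", name)
            line = $2 " " (name == "" ? "-" : name)
            next
        }
        /^[ \t]*(option|list)[ \t]/ {
            val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
            gsub(q, "", val)
            line = line " " $2 "=" val
        }
        END { if (line != "") print line }
    ' "$1"
}

# Each check prints one line per finding and always returns 0.
check_wps() {        # WPS push-button enabled on any access point
    if uci_flatten "$1" | grep -qE '^wifi-iface .* wps_pushbutton=1( |$)'; then
        echo "wireless: WPS push-button enabled on an AP (set wps_pushbutton '0')"
    fi
}
check_dropbear() {   # SSH reachable beyond the LAN, or password logins allowed
    sec=$(uci_flatten "$1" | grep '^dropbear ' || true)
    if ! echo "$sec" | grep -qE ' Interface=lan( |$)'; then
        echo "dropbear: SSH not pinned to the lan interface (option Interface 'lan')"
    fi
    if ! echo "$sec" | grep -qE ' PasswordAuth=off( |$)'; then
        echo "dropbear: password logins allowed (PasswordAuth 'off', use SSH keys)"
    fi
}
check_firewall() {   # the wan zone must reject or drop unsolicited input
    if uci_flatten "$1" | grep -E '^zone .* name=wan( |$)' \
            | grep -qvE ' input=(REJECT|DROP)( |$)'; then
        echo "firewall: wan zone input policy is not REJECT/DROP"
    fi
}
check_uhttpd() {     # LuCI and the /ubus JSON-RPC endpoint bound to every address
    if uci_flatten "$1" | grep -qE ' listen_http=(0\.0\.0\.0|\[::\]):'; then
        echo "uhttpd: web UI/ubus listens on all addresses; only the firewall keeps it off WAN"
    fi
}
audit_dir() {
    check_wps "$1/wireless"; check_dropbear "$1/dropbear"
    check_firewall "$1/firewall"; check_uhttpd "$1/uhttpd"
}

# Constructed samples: "weak" leaves every door open, "hardened" closes them.
write_sample_configs() {   # $1 = directory, $2 = weak | hardened
    mkdir -p "$1"
    if [ "$2" = weak ]; then
        wps=1 pw=on input=ACCEPT listen='0.0.0.0:80' iface=
    else
        wps=0 pw=off input=REJECT listen='192.168.1.1:80' iface="    option Interface 'lan'"
    fi
    cat >"$1/wireless" <<EOF
config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'sae'
    option wps_pushbutton '$wps'
EOF
    cat >"$1/dropbear" <<EOF
config dropbear
    option PasswordAuth '$pw'
    option RootPasswordAuth '$pw'
    option Port '22'
$iface
EOF
    cat >"$1/firewall" <<EOF
config zone
    option name 'wan'
    option input '$input'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'wan'
EOF
    cat >"$1/uhttpd" <<EOF
config uhttpd 'main'
    list listen_http '$listen'
    option home '/www'
    option ubus_prefix '/ubus'
EOF
}

# Stand-alone demo: audit the weak sample, then the hardened one.
tmp=$(mktemp -d)
write_sample_configs "$tmp/weak" weak
write_sample_configs "$tmp/hardened" hardened
echo "== weak =="; audit_dir "$tmp/weak"
echo "== hardened (no findings expected) =="; audit_dir "$tmp/hardened"
rm -rf "$tmp"
```

On the router the findings map onto stock `uci` commands, for example `uci set wireless.default_radio0.wps_pushbutton='0' && uci commit wireless && wifi` for WPS, and `uci set dropbear.@dropbear[0].Interface='lan'` plus `PasswordAuth='off'` followed by `uci commit dropbear && /etc/init.d/dropbear restart` for SSH (section names are from the sample above; check yours with `uci show`). The uhttpd finding is a caveat rather than a fault: OpenWrt ships uhttpd bound to all addresses and relies on the `wan` zone's REJECT policy, which is why the firewall check matters more than moving ports around. With dropbear pinned to the LAN, the tunnel the reply above mentions is `ssh -L 8080:127.0.0.1:80 root@192.168.1.1`, after which LuCI is at http://127.0.0.1:8080 on the client without exposing port 80 anywhere else.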

Welcome to the OpenWrt project @Plasko
If you ever do want to flash official, secure, OpenWrt firmware, you can do so at: https://firmware-selector.openwrt.org/ Pick 24.10.1 and your current device?

  1. I would definitely disconnect WAN before the process.
  2. Turn off WIFI and use wired connection for the official install.
2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.