What's happening?!

Hello

This is not my router, but I am helping a person with it.

I also have an OpenWrt router, but this is the first time I see such crap.

Logs:

Tue May 13 12:35:01 2024 daemon.warn dnsmasq[12345]: ICMP echo request from 192.168.1.100 to 192.168.1.1
Tue May 13 12:35:02 2024 daemon.warn dnsmasq[12345]: ICMP echo request from 192.168.1.100 to 192.168.1.1
Tue May 13 12:35:03 2024 daemon.warn dnsmasq[12345]: ICMP echo request from 192.168.1.100 to 192.168.1.1
Tue May 13 12:35:04 2024 daemon.warn dnsmasq[12345]: ICMP echo request from 192.168.1.100 to 192.168.1.1
Tue May 13 12:35:05 2024 daemon.warn dnsmasq[12345]: ICMP echo request from 192.168.1.100 to 192.168.1.1
Tue May 13 12:00:00 2024 daemon.warn uhttpd[12345]: Handling 1000 requests/sec
Tue May 13 12:00:01 2024 daemon.warn uhttpd[12345]: Handling 1100 requests/sec
Tue May 13 12:00:02 2024 daemon.warn uhttpd[12345]: Handling 1200 requests/sec
Tue May 13 12:00:03 2024 daemon.warn uhttpd[12345]: Handling 1300 requests/sec
Tue May 13 12:00:04 2024 daemon.warn uhttpd[12345]: Handling 1400 requests/sec
Tue May 13 12:00:05 2024 daemon.warn uhttpd[12345]: Handling 1500 requests/sec
Tue May 13 12:00:06 2024 daemon.warn firewall: Rule 'Block_In_Not_SYN' triggered
Tue May 13 12:00:07 2024 daemon.warn firewall: Rule 'Block_FWD_Not_SYN' triggered
Tue May 13 12:00:08 2024 daemon.warn firewall: Rule 'Block_In_Not_SYN' triggered
Tue May 13 12:00:09 2024 daemon.warn firewall: Rule 'Block_FWD_Not_SYN' triggered

There is no information for us to work with here... start with this:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
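A filter for the redaction step requested in the post above, as an added example that is not part of the original thread and not OpenWrt project code. The option-name pattern (`key`, `password`, `secret`) and the replacement strings are assumptions; it handles UCI secrets, MAC addresses and public IPv4 addresses only, so IPv6 prefixes still need checking by hand.

```shell
#!/bin/sh
# Added example: gather the configs requested above and redact them before posting.
# Assumption: secrets live in UCI options whose name contains key/password/secret.

# redact: stdin -> stdout filter.
redact() {
    sed -E \
        -e "s/^([[:space:]]*option[[:space:]]+[a-z_]*(key|password|secret)[a-z_0-9]*)[[:space:]].*/\1 'REDACTED'/" \
        -e 's/([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}/XX:XX:XX:XX:XX:XX/g' |
    awk '
    # keep(): true for addresses that are safe to post (private, loopback,
    # link-local, 0.x, and 224+ which also covers netmasks like 255.255.255.0).
    function keep(ip,    o, a, b) {
        split(ip, o, "."); a = o[1] + 0; b = o[2] + 0
        return (a == 10 || a == 127 || a == 0 || a >= 224 ||
                (a == 192 && b == 168) || (a == 169 && b == 254) ||
                (a == 172 && b >= 16 && b <= 31))
    }
    {
        out = ""; rest = $0
        # Walk every dotted quad on the line and replace the non-private ones.
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(rest, RSTART, RLENGTH)
            out = out substr(rest, 1, RSTART - 1) (keep(ip) ? ip : "PUBLIC.IP.REDACTED")
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# collect: run the five commands from the post, labelled, through redact.
collect() {
    { echo '== ubus call system board =='; ubus call system board
      for f in network wireless dhcp firewall; do
          echo "== /etc/config/$f =="; cat "/etc/config/$f"
      done
    } 2>&1 | redact
}

# Only collect on a device that actually has ubus (i.e. on the router itself).
if command -v ubus >/dev/null 2>&1; then collect; fi
```

Read the output once before pasting it; a pattern-based filter cannot catch secrets stored under option names it does not know.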

Looks like your friend has a rogue device in their network.

2 Likes

Save the mtd partitions from the device; they will make for an interesting journey in forensics later.

For the log shown, reset and reinstall the router as hard as you can and quarantine all devices present on the current network.

I couldn't help but notice that you have rules that I posted here on the forum.

Just FYI, those are normal. I'm not sure about the HTTP and pings. I would verify the router's firewall settings to ensure it hasn't been accidentally exposed.

Also the rules were written for an older version of OpenWrt. What version is your friend's device running?

We'll need to see the configs as psherman suggested.

What exact hardware are we talkin' 'bout here?

1 Like