ASUS Router Hack: Are You Compromised? Fix It Now!

Posted in - Consumer Tech Advice


Hey, everyone! Welcome to another Consumer Tech Advice article. Today, we’re discussing ASUS routers getting hacked—fun times, right?

I own an ASUS router, so this might affect me too. I’ll keep this simple, even for non-tech folks. We’ll go over how to check if you’re compromised and how to fix it. That’s the key takeaway!

If you’re after the quick fix, here it is: update your router’s firmware, factory reset it and re-enter your Wi-Fi settings. Boom! Done.

However, I don’t recommend just doing that—you won’t know if hackers used your router to push malware onto other devices, like an old tablet that doesn’t get security updates anymore. Not knowing means you could still be vulnerable.

If you’re not tech-savvy, stick around—you might learn something useful for the future!

I’ll cover:

– What the attack is

– How to prepare for the fix (it’s super easy!)

– How to check if you’re hacked & fix it

– How to prevent future attacks

What the Attack Is

This botnet attack was discovered by GreyNoise, a security firm that used AI to detect it. Love when AI helps instead of stealing jobs, right?

GreyNoise found the attack in March, reported it to ASUS, and now there are fixes available from ASUS.

The attack is called “AyySSHush” (super original, right?). A botnet hack can automate a DDoS attack, steal login info through keylogging, mine crypto, and other nasty stuff.

So far, 9,000 ASUS routers are confirmed hacked, but the actual number is likely much higher.

Bad actors brute-force the router’s credentials, then exploit a legit router feature to inject their own SSH key, with access on TCP port 53282. Because they use built-in functionality, simply updating firmware or rebooting won’t fix it—you need the full remediation steps I’m about to share.

To stay undetected, hackers disable logs so you can’t track IP addresses or confirm an intrusion. They even turn off Trend Micro AiProtection, ASUS’s built-in security feature. Trend Micro, known for antivirus products, also monitors network traffic—but if hackers deactivate it, you won’t be protected.

So far, no malicious activity has been reported, but they could be preparing for a larger attack, as cybercriminals often do.

How to prepare for the fix

– Do not attempt remotely—be physically connected to your home network.

– Use a wired connection, not Wi-Fi, since you may need to factory reset, and wireless setup could disconnect mid-process.

– Prepare for at least one router, possibly more, depending on severity.

– Warn family members—your internet will go down temporarily. If you’ve got kids glued to Netflix or someone working remotely, pick a time when downtime won’t cause chaos.

– Back up your router’s advanced configurations (most users don’t need this, but ASUS has a guide).

– Need to factory reset during the process? Save your Wi-Fi name & password beforehand. One typo in your 2.4 or 5 GHz network name and devices won’t reconnect properly.

The correct fix is not just the lazy factory reset that most tech sites suggest: simply resetting the router without properly updating the firmware won’t actually remove the exploit—it could just re-enable the vulnerabilities.

How to check if you’re hacked & fix it

Step 1: Connect to Your Router

There are two main ways to do this, but it depends on your router model and firmware version:

– Old method—going to router.asus.com (which no longer works).

– New method—using your router’s IP address in your web browser.

Finding Your Router’s IP Address (Windows)

– Press the Windows Start button and type “cmd”, then open Command Prompt.

– Type “ipconfig” and hit Enter.

– Look for the Default Gateway—this is your router’s IP address (e.g., 192.168.50.1).

– Copy and paste this into your browser to access the login page.

Finding Your IP Address (Mac)

– Click the Apple menu in the top-left corner.

– Select System Settings (or System Preferences in older macOS versions).

– Click Network in the left panel.

– Select your Wi-Fi or Ethernet connection.

– Click Details next to your connected network.

– Go to the TCP/IP tab—your router’s IP address will be listed next to Router.

Step 2: Check if You’ve Been Hacked

Once logged in, don’t be overwhelmed by the interface. We’ll navigate through it step by step.

– Go to Advanced Settings on the left-hand menu.

– Select System Log—this shows logs of IP addresses that have accessed your router.

There are four key IP addresses the attackers seem to use, and the log is where you look for them.

– If you’re on Windows, hit Ctrl + F to search within the page. On Mac, use Command + F.

– Search for these 4 IP addresses (source of the bad actor attacks):

– 101.99.91.151

– 101.99.94.173

– 79.141.163.179

– 111.90.146.237

– If no results appear, good news—your router is likely safe! If results show up, you’ve most likely been hacked, and you’ll need to:

– Update to the latest firmware first—this prevents hackers from exploiting the router while it’s still vulnerable.

– Factory reset your router second—this wipes out unauthorized SSH keys and resets settings.

Why update first?

If hackers are actively attacking, factory resetting before updating firmware could leave the router exposed long enough for another breach.

Assuming you weren’t hacked, let’s continue.

Step 3: SSH Attack Check

– In Advanced Settings, go to Administration.

– At the top, click System.

– Under Service, look for Enable SSH.

– Default setting = “No” → You’re in the clear.

– If it’s set to “LAN only” = Likely safe—because this is restricted to internal traffic.

– “LAN and WAN” = Risky—this means outside devices can remotely access your router.

– If you see a long SSH public key (truncated key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…), attackers may have injected one.

– The TCP port 53282 connection is another red flag.
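If you’d rather not trust Ctrl + F alone, Steps 2 and 3 can be run as a small script over a copy of the System Log text and the values you read off the SSH settings. This is an added example, not code from GreyNoise, ASUS or this site; the function names and the sample log lines are made up for illustration, and it assumes you copied the log text and SSH settings out of the router pages yourself.

```python
import re

# Indicators copied from this article (Steps 2 and 3).
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
SUSPECT_PORT = 53282
# Key prefix exactly as truncated in Step 3; the full key is not on this page.
KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"

# A dotted quad that is not part of a longer number, so a plain text search
# for 79.141.163.179 does not wrongly fire on 179.141.163.179.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def scan_log(log_text):
    """Map each listed IP found in the log to the line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4.findall(line):
            if ip in ATTACKER_IPS:
                hits.setdefault(ip, []).append(lineno)
    return hits

def check_ssh(mode, port, keys_text):
    """mode is the Enable SSH value ("No", "LAN only" or "LAN and WAN")."""
    findings = []
    if mode == "LAN and WAN":
        findings.append("SSH is reachable from the internet (LAN and WAN)")
    if port == SUSPECT_PORT:
        findings.append("SSH port is 53282")
    for key in filter(None, (" ".join(k.split()) for k in keys_text.splitlines())):
        if key.startswith(KEY_PREFIX):
            findings.append("authorized key matches the key quoted in Step 3")
        else:
            findings.append("authorized key present: confirm you added it yourself")
    return findings

# Constructed sample input, not taken from a real router.
SAMPLE_LOG = """\
May 27 03:14:01 kernel: DROP IN=eth0 SRC=179.141.163.179 DST=192.168.50.1
May 27 03:14:07 dropbear[1234]: Password auth succeeded for 'admin' from 101.99.91.151:51544
May 27 03:15:10 dnsmasq-dhcp[233]: DHCPACK(br0) 192.168.50.23 tablet
"""

if __name__ == "__main__":
    for ip, lines in scan_log(SAMPLE_LOG).items():
        print(f"{ip} seen on log line(s) {lines}")
    for finding in check_ssh("LAN and WAN", 53282, KEY_PREFIX + "EXAMPLE-REST user@host"):
        print("WARNING:", finding)
```

A clean result from scan_log only means those four addresses are not in the log text you saved. As mentioned earlier, the attackers turn logging off, so run check_ssh as well.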

The remaining steps didn’t come from GreyNoise. Instead, ASUS gave these steps to various tech news websites and recommended that people follow them.

Step 4: Check DDNS Settings

Next, navigate to WAN on the left menu and look for DDNS at the top.

– If DDNS is set to “No” → You’re good, move to the next step.

– If it’s enabled → Disable it.

Step 5: Block Malicious IPs

Even though bad actors might rotate between botnets, blocking known attacking IPs is still a smart move to minimize risk.

How to Block IPs

– Go to Firewall (bottom left menu).

– Enable Network Services Filter → Set to Yes.

– Select Deny List and keep it User Defined.

– Leave other settings as-is (per ASUS’s recommendations).

– Enter the four malicious IP addresses under Source IP.

Why Block Source IPs? ASUS routers use Source IPs to identify incoming connections. Since hackers are trying to access your router, they are the source of the attack. Destination IPs are for outbound connections (e.g., accessing Google’s 8.8.8.8 DNS). Because hackers are trying to reach you, blocking their source IPs prevents future attempts.

Click Add (+) to enter each of the four IPs and save the settings.

Step 6: Update Your Router Firmware

Now that we’ve confirmed whether your router was hacked and blocked future intrusions, the final step is updating the firmware to patch vulnerabilities.

How to Update Firmware

– Go to Administration on the left panel.

– Select Firmware Upgrade and hit Check for Update.

– If an update is available, install it directly.

– If the automated method fails, download the firmware manually from ASUS’s website, save it to a USB drive, and install it via your router’s USB port.

Firmware updates typically take 3-5 minutes and will disconnect your network temporarily, so plan ahead.

Step 7: Final Considerations

For power users who had SSH enabled on WAN, you might wonder if it’s safe to turn it back on. Right now, ASUS hasn’t provided clear guidance, so proceed with caution—SSH over WAN is another potential entry point for attacks.

– Use strong passwords.

– Be mindful of security risks if enabling SSH on WAN.

That’s a wrap—hopefully, this helped you secure your network and learn a few useful tricks!
