A victim report
I own a ZyXEL P-660HN-T1A router connected via ADSL to a UK ISP. The router is updated to the latest manufacturer configuration. When the weather is wet, I suffer from a lot of line drops so I often have the router configuration page open in a background browser page. My service was up and down a lot 14 days ago and then worked normally. Two days ago, I suffered a couple of long disconnections after which the connection recovered.
Yesterday morning was different. I noticed that the web configuration page (left open overnight) displayed an internal error. I powered the router off and on, and it reconnected to my ISP. However, I was unable to open the configuration page or to connect via Telnet. The ADSL connection was unreliable, but I had enough time online to determine that my router was vulnerable and had been hacked.
So I hard reset the router to its base settings, reapplied a three-year-old configuration backup, sorted out the differences, checked for obvious unnecessary services and reconnected to the internet. I have a new configuration backup, but it isn't complete...
It took about six hours for my router to be hacked again. All of the time I had the configuration/status page running in the background, so I noticed two soft reboots -- just when my TV programme stopped. On the third reboot, the configuration/status page displayed the internal error again. I powered the router off and on and was locked out from web and Telnet access -- alas, I didn't try Telnet when the web server displayed an error. The web page error, I presume, was generated when the injector hack code disabled access (chmod) to the web pages. The web server continued to run until I powered the router off.
So I'm writing this via a hacked router which I have physically placed so that I can see the blinking lights. The ADSL and wireless connections drop out occasionally but it mostly works.
My understanding is that the Mirai attack code (ELF binary) is held in RAM and will not survive a hard reboot. Apologies to my ISP and anyone else affected if I'm wrong. I think that I'm not hurting anyone else, but I can't manage my router again until I perform another hard reset, etc.
Where can I find the latest injector code? As the injector code develops, I doubt that iptables drop tcp 7547 will be enough.
Oops, it happened again. I lost my ADSL connection and I'm still waiting for reconnection. Still waiting.
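The "iptables drop tcp 7547" mitigation mentioned in the post, written out as an added example (this is not the poster's code and not ZyXEL firmware). It emits the iptables rules that drop unsolicited inbound TCP 7547 on the WAN side, and includes a check that reads netstat-style output and reports whether anything is listening on that port. The WAN interface name (ppp0), the availability of iptables/grep/netstat in the router's shell, and the sample netstat listing are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate iptables rules that drop
# unsolicited inbound TCP 7547 (the port the post proposes blocking) on the WAN
# side, and check a netstat-style listing for a listener on that port.
# Assumptions (hypothetical, adjust for your device): the WAN interface is ppp0
# and the router's shell has iptables, grep and netstat available.

WAN_IF="${WAN_IF:-ppp0}"   # assumed WAN interface name

# Emit the rules rather than running them so they can be reviewed first.
# INPUT covers the router itself; FORWARD covers hosts behind it.
block_7547_rules() {
    printf '%s\n' \
        "iptables -I INPUT   -i $WAN_IF -p tcp --dport 7547 -j DROP" \
        "iptables -I FORWARD -i $WAN_IF -p tcp --dport 7547 -j DROP"
}

# Apply the rules (needs root on the router, e.g. over Telnet).
apply_block_7547() {
    block_7547_rules | sh
}

# Read netstat-style output on stdin; succeed if something listens on TCP 7547
# on any address. Lines look like:
#   tcp   0   0 0.0.0.0:7547   0.0.0.0:*   LISTEN
port_7547_listening() {
    grep -Eq '^tcp6?[[:space:]].*:7547[[:space:]].*LISTEN'
}

# Constructed sample output (not captured from a real device) for a dry run.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7547            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Usage on the router (as root): netstat -tln | port_7547_listening && apply_block_7547
```

Two caveats worth keeping in mind: a DROP rule only stops new connections to 7547 from the WAN, it does not evict code that is already running in RAM (so it belongs after the hard reset the post describes, not instead of it), and on most consumer firmware an iptables rule added from the shell is gone after the next reboot unless the firmware has a startup hook to reapply it.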