Hi everyone! My RT-AC88U with stock firmware has also been hacked, so I can confirm it has nothing to do with Merlin. I was unaware of the intrusions until last week (9/2) when my ISP contacted me about attempts to access some of their services through SSH.
It was a shock to find out that I've been having unwanted visitors for a month, starting 10/1 from what I can tell, when someone logged in to dropbear on the first attempt. And I always use strong unique passwords and I'm almost 100% sure it wasn't compromised by a virus or malware. I guess my mistake was to have web access to the WAN enabled. I thought it would be safe considering my strong password.
But I can't remember enabling telnet or SSH, which was now open on port 2222. I also haven't been using AiCloud or AiDisk. I've been using the router app for iPhone, not Android.
When my ISP contacted me I was running version 3.0.0.4.380.4180, released late December with the security fix for dropbox. But I'm not really sure when I updated to that version; it could be after the initial attack 10/1. In my log file it seems like the router restarted about 4 hours before the first login (since the date according to the log was Aug 1, which I believe means a restart). Is it possible to somehow see when the FW was updated?
I see some suspicious things in my log but luckily I can't find any execute commands like someone in this forum had. I don't know if they managed to break through to my computers, but since my anti-virus doesn't find anything I hope my files were left alone. But around 1/2 my system drive (SSD) crashed and I don't know if that got infected. I mean the drive really CRASHED, I can't reinstall it since it's not found by the system. I guess this is just a coincidence and has nothing to do with the attacks.