AC87U running Merlin 384.13.10 hacked?

docl

New Around Here
Running latest Merlin on the now unsupported AC87U.
Remote access disabled.
Running nginx, openvpn server, AIcloud, which should be the only services open from WAN.
SSH, FTP and SMB shares not open from WAN.

A week ago my internet provider had some hw issues affecting a lot of customers. At the same time I was suddenly no longer able to connect with OpenVPN, or access the webservers that are using nginx.
I did however still have access to webcams on the LAN and still got notifications from my servers, so it was nginx and OpenVPN that failed.

Did not have access to router until yesterday, and after a reboot of the fiberbox and router, nginx worked again, but vpn was still not working.
The openVPN server would not start, it kept saying "initializing" and I found out that it was because it was trying to use this custom configuration



No other router settings have been changed.

So it seems my router has been hacked, or am I wrong?

Is this a vulnerability in openVPN or the fw?


I have changed the router password and deleted the etc folder and the file that "profile" referred to (called ntp). Everything works fine, including the VPN server.
How can I know if the router fw (and maybe my servers on the LAN) has been compromised?


How do I prevent this from happening again?

Thanks for any help
 

Attachments

  • IMG-20221205-WA0001.jpg (34.6 KB)
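As an added example (not from the original post, not from any reply, and not Asuswrt-Merlin code), the check below does what the poster did by hand: it takes an OpenVPN server config that has been exported to a file and lists every directive that makes openvpn execute a script or load a plugin at start-up, then reports whether each file those lines point at exists. A custom configuration block that has been edited to add such a hook is exactly what to look for before trusting the VPN server again. It assumes the config has already been copied to a file whose path is passed as the argument; where a given Merlin release stores the custom block is deliberately not hard-coded. The sample config at the bottom is constructed, and /tmp/example-hook.sh is a hypothetical path.

```shell
#!/bin/sh
# Added example; not the poster's configuration and not Asuswrt-Merlin code.
# Reports OpenVPN directives that run an external program or load a shared
# object, and checks whether the referenced files exist on this box.
# Assumption: $1 is the path of the exported config text.

# OpenVPN directives that execute a script or load a plugin.
SCRIPT_DIRECTIVES='script-security|up|down|route-up|route-pre-down|ipchange|client-connect|client-disconnect|learn-address|tls-verify|auth-user-pass-verify|plugin'

# Print "lineno:directive ..." for each hook directive in FILE ($1).
# Lines that start with '#' or ';' (OpenVPN comments) are blanked first so a
# commented-out hook is not reported; sed keeps the line count, so the
# numbers grep prints still match the original file.
script_directive_lines() {
    sed -e 's/^[[:space:]]*[#;].*$//' "$1" |
        grep -nE "^[[:space:]]*($SCRIPT_DIRECTIVES)([[:space:]]|$)"
}

# Number of hook directives in FILE ($1); prints 0 when there are none.
count_script_directives() {
    script_directive_lines "$1" | awk 'END { print NR }'
}

# Unique absolute paths referenced on the hook lines of FILE ($1).
referenced_paths() {
    script_directive_lines "$1" | grep -oE '/[^[:space:]"]+' | sort -u
}

# Full report for FILE ($1). Returns 0 when no hooks are present and 1 when
# at least one is, so a wrapper can refuse to start the server on 1.
audit_openvpn_config() {
    cfg="$1"
    if [ "$(count_script_directives "$cfg")" -eq 0 ]; then
        echo "no script/plugin directives in $cfg"
        return 0
    fi
    echo "script/plugin directives in $cfg:"
    script_directive_lines "$cfg" | sed 's/^/  /'
    referenced_paths "$cfg" | while IFS= read -r path; do
        if [ -e "$path" ]; then
            echo "  target present: $path ($(wc -c < "$path" | tr -d ' ') bytes)"
        else
            echo "  target missing: $path"
        fi
    done
    return 1
}

# Constructed sample config (not the poster's real one): a plain server block
# plus an injected 'up' hook pointing at a hypothetical path. A hook whose
# target has been deleted is one way a server can sit at "initializing".
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# server block
proto udp
port 1194
dev tun21
push "route 192.168.1.0 255.255.255.0"
; a commented-out hook must not be reported
; down /tmp/ignored.sh
script-security 2
up /tmp/example-hook.sh
EOF

audit_openvpn_config "$SAMPLE_CFG" || echo "=> inspect those lines before re-enabling the server"
```

Run it against the exported config with `sh audit.sh /path/to/exported.conf`; the regular expression anchors each directive to the start of the line so `push "route ..."` and similar benign options are never reported. If it prints a hook you did not add yourself, treat the target file, and anything else under the same directory, as attacker-controlled rather than just deleting it.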

ColinTaylor

Part of the Furniture
This is known malware. AFAIK nobody knows the infection path, but it's probably through AiCloud or from the LAN.

I don't know how you can prevent it happening again as your router is EOL. Maybe use stock firmware as it's more recent.
 
