Home Internet routers, with different capabilities, provide a range of services such as access management, shared disk services or Wi-Fi for your laptop or iPad. Many users install these devices and don’t realize that they still retain their default passwords. Knowing this, hackers have been using this fact to load hacked software into these devices and launch various attacks on vulnerable internet hosts.
US-CERT has a long list of vulnerabilities and attack vectors for this type of hack at https://www.us-cert.gov/ncas/alerts/TA13-175A.
The bad guys have been exploring other methods to use home routers to do their dirty work.
Wordfence, creator of one of my favourite WordPress plugins for protecting WP websites, looked at a recent set of network attacks from addresses owned by Telecom Algeria. They surveyed a number of those addresses to see what was there and received responses from 3,855 IP addresses.
Out of those IPs, 1,501 are Zyxel routers that are listening on port 7547 and are running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)”.
Allegro RomPager 4.07 is an embedded web server that has a severe vulnerability. Check Point, which discovered the vulnerability in 2014, named it the Misfortune Cookie. The identifier is CVE-2014-9222.
It appears that attackers have exploited the home routers on Algeria’s state-owned telecommunications network and are using them to attack WordPress websites globally.
There are a number of other routers in the web-o-sphere that also possess this vulnerability, used by various telecoms around the world. According to Shodan, a popular network analysis tool, over 41 million home routers worldwide have port 7547 open to the public internet.
Wordfence has published an excellent web post on the topic, as well as a link to a tool to check if your router has the vulnerability on port 7547.
Here’s the link to the post: Wordfence router check
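To check a router you administer for the banner described above, the following added example (not Wordfence's tool or code from the post) reads the `Server` header on port 7547 and flags the RomPager version the post names. The function names, the sample response and the `192.168.1.1` address are assumptions made for illustration.

```python
import re
import socket

TR069_PORT = 7547            # port named in the post
FLAGGED_VERSIONS = {"4.07"}  # only version the post names; extend from vendor advisories

# Matches both "RomPager 4.07" (as quoted in the post) and "RomPager/4.07".
_ROMPAGER = re.compile(r"RomPager[/ ](\d+\.\d+)", re.IGNORECASE)

def classify_banner(banner):
    """Return (status, version) for a Server banner string."""
    m = _ROMPAGER.search(banner or "")
    if not m:
        return ("not-rompager", None)
    version = m.group(1)
    if version in FLAGGED_VERSIONS:
        return ("flagged", version)
    return ("rompager-other", version)

def server_header(raw_response):
    """Extract the Server header value from raw HTTP response bytes."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def check_router(host, port=TR069_PORT, timeout=3.0):
    """Probe one device you administer; returns (status, version)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            raw = s.recv(4096)
    except OSError:
        return ("port-closed-or-filtered", None)
    return classify_banner(server_header(raw))

# Constructed sample response, built around the banner quoted in the post.
SAMPLE = (b"HTTP/1.1 404 Not Found\r\n"
          b"Server: Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify_banner(server_header(SAMPLE)))
    # Against your own gateway (assumed address): check_router("192.168.1.1")
```

A result from inside your LAN only shows what the router answers locally; exposure to the public internet has to be tested against your public address from outside your network.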