6 years 4 weeks ago - 6 years 4 weeks ago #11529 by zveruga
Hi.
Some unknown hacker sent many, many SMS messages via my router (until the money on the account was gone). I read the configs closely and found a vulnerability in the HTTP to SMS module.
Even if the HTTP to SMS module is turned off in the web interface, the gateway allows sending SMS from a URL:
If I change the default login and password, everything is OK; the gateway answers "Authentication Failed: Need valid username and password".
It does not matter whether the module is turned on or off.
BTW: lighttpd does not check auth if the request equals "service" and the query string is "action=sendsms",
so a hacker does not need to know my login and password to the web interface to send SMS.