Just try to use the "set tracefile" bug to gain a root shell and look inside what's going on.

There was the only user at the device with a subnet 199.0.0.0/8 added as allowed one. It's rather easy then to find a proxy host within this range. Luckily, the vulnerability worked still, and in combination with the working pptp server it has become possible to find inside the OP's network an anoth...

I have the telegram account, yes.

Ok, I'm @jabberd there.

Yes, it's open. Winbox tells login incorrect when trying to connect

Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...

Yes, I tried with clear vulnerable router, this version is working and shows the admin password but not on the hijacked routers. Seems that they did something to close this exploit...

Is 8291 port open at the hijacked devices?

Yes, I got this 2.60 Beta. Entered IPs, started scan (added port 8291 also), each router listed twice, detected ROS version, total results found 7, good results - 0. In the lines with port numbers 8291 is written status Can't load main page. When trying to connect from winbox it still reports incor...

Seems that Router Scan do not help, not sure I got correct router scan... It only shows that my hijacked routers has 6.41 and 6.40.6 versions... The main problem is that one of the hijacked routers is 250 km away from me, please any other advice welcome The version should be beta, right from there:...

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for a another tool... Forgive me if I'm speaking out of school here. I don't know, but there's the default setting to automatically send out the results to the server, so it has to be configured properly first. It's just a tool th...

Both winbox and web are open, but all passwords are changed or locked. There's a tool called Router Scan, which recently got the winbox exploit implemented. I think, you'd give it a try. Probably, this tool was used by someone to hijack your devices. And if RouterOS versions aren't updated now, you...

some VPN works with previous passwords. which other services should I try? Are there open winbox/web services at these devices? For example, if there the winbox service was open before, and after the hijacking it's remaining open, you've got a chance to get the device back if there's a vulnerable R...

No, I lost access to about 10 routers, all there routers had a vulnerable versions, like described here viewtopic.php?f=2&t=132368

Are they accessible in any way? I mean any open services there.

In addition, there's a new Mirai variant available spreading over. Dropbear ssh server listens at port 62508/tcp, an instance of busybox+tcpdump+libpcap and a startup script for dropbear are in the file system.

And what is the solution?

The solution is to use the winbox email tool bug, which I had reported to the support. I don't want to share the details here, sorry.

Did it

Still nothing. What's your username there?

I have tweeted you. Please find the solution.

Please tweet me again, I haven't got anything yet.

Same problem as yours and this is the full scrip.

Can you contact me directly at Twitter/Telegram (@jabberd), please? Just before removing the NAND

The process of NAND Gate removal

OMG, I thought you're gonna contact me directly to get a hint on removing that script, but now I see you've chosen a hard(ware) way for resolution of the problem

For now I can still access with my "admin" account with limited priviledges. I can only see but can't config anything. I tried to copy script to *.txt file but it can't copy to clipboard thay why I posted screenshot here Can you contact me directly in Telegram or Twitter? (@jabberd). I ha...

I can't do anything just say RIP to this Router

You posted the screenshot from there above, so do you have any access to the router? Or you had it once and have lost finally?

In the Users section, It has another account "sys" which is set to group "full" Anyone here knows the password of "sys" account , please tell me. So I will change the group of "admin" to "full" Thanks Have you resolved your issue? If not yet, what a...

OK, I should've reported this "feature" to the support. I thought that mentioning it here was enough for things to get fixed

Any way I could avoid doing a factory reset for this?

Yes. You could use a Netwatch trick to gain full privileges and then remove the rogue user.

If you have the "router" user with full privileges, and have your "admin" set to "admin" group with reduced set of privileges (ssh, telnet, policy are disabled), you may try to log in with admin and add a netwatch up rule for 127.0.0.1 with something like this: /user se...

Any recommendation? Have you seen this before? Is there other investigation I can do? To figure out if anything has been changed I've seen this before on some devices: there was also the user "router" with full privileges (with unknown password), and "admin" with newly created &...

The gist mentioned above has been updated (e.g. listening to UDP 37008 explicitly, not all the interface traffic, and a note on Ethernet TZSP conversion).