I have a new CCR1009 that I’ve only played with for a few days. Today while working through Winbox, trying to get IPv6 working with my Comcast modem, suddenly I lost connectivity to the router. Trying to log back in fails with “wrong username or password”. The router seems to function normally otherwise.
I remember the last thing I did in Winbox was setting IPv6 discovery with /ipv6 nd set [ find default=yes ] interface=vlan100
I did not touch the password settings at all after initially setting the password. Nobody but myself uses the router.
Because I have disabled all other services on the router (webfig, SSH, telnet etc.), leaving only Winbox and MAC Winbox running on one interface, I have no way to test if I can get into the router any other way (tested both IP Winbox and MAC Winbox, both fail).
What could have happened? Can some bug do this? Does IPv6 even have anything to do with the router user/password?
Can the router get hacked within the hour or so window that I initially turned it on and did not set a password or set up firewall?
If it was accessible from the internet without a password and firewall, then it was just asking for problems. Sorry to hear you had such an experience. Even one hour is enough to be the unlucky target of a scanning script and then get targeted once the script sees that your port is open.
If it was not accessible from the internet, then it is hard to guess what happened.
I believe it is not related to your IPv6 because you already had your password set at that time. (Although you must remember to set up an IPv6 firewall once you start playing with IPv6, otherwise everything, including your internal network, will be exposed via IPv6.)
As the router says “wrong username or password”, it clearly shows that the connection was successful but access was not granted - it can’t be blocked accidentally by something else, and you can’t get in some “other way”. Something/someone had to change the username/password (or you are repeatedly entering a typo, which is not very probable but still possible…).
The first recommendation everyone will give you is - disconnect the router from the internet and your network, do a netinstall, which should completely wipe the whole storage, and set up your security before you connect the device to the network and internet.
Once you do your netinstall, make sure that you are using the correct (TILE) and a new (at least 6.40.8 bugfix or 6.42.1 current) version of RouterOS. Older versions have known vulnerabilities.
There is a detailed manual on how to do it: https://wiki.mikrotik.com/wiki/Manual:Netinstall
You might read that a config reset is enough, or that a config reset and package upgrade is enough - well… it might help, but there is no guarantee. If someone was in, there is no simple way to tell what has been changed (including some low-level system files).
I did reset and reinstall. I fully understand that I should have changed password immediately after logging in for the first time while being disconnected from WAN. But being the first MT unit I ever played with, my attention during that first hour was on the ocean of options presented to me after logging into Winbox hehe. I think the better and super easy thing for MT to implement would be forcing a password immediately upon first login.
It still stuns me that one can potentially get hacked in such a short period. After reading some other recent posts and articles, it seems MT is a “hot target” for hacking and there was apparently some huge wave of hacking back in May. It kind of scares me a little, considering the entire reason I bought this thing is to tighten the security of my network by implementing isolation and custom firewall rules, something my previous SOHO router couldn’t do. My impression was that MT is an industrial-grade router used by ISPs and hosting providers etc., and it should be considered a very secure device. But now I understand that the responsibility falls fully on the user, at least for the CCR model. Without careful configuration this thing really is an “open 24/7 free-for-all”.
It's not really that MT specifically is a “hot target”, but any internet-connected machine. If you spin up a temporary device on the Amazon EC2 system, any OS, you will see that scripts will hit it within minutes.
Some of those scripts are smart: they detect the type of system and then can use default logins and commands optimised for that type of system. So normally you ONLY connect the LAN, set some basic settings, and only then plug in your ISP cable.
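A concrete version of the “LAN first, set a password and firewall, then plug in the ISP cable” sequence that the replies above describe, as an added RouterOS script that is not from any of the posters. It assumes RouterOS 6.41 or later (for interface lists), ether1 as the WAN port, a LAN bridge named bridge1 on 192.168.88.0/24, and a placeholder password; adjust those names to your own setup.

```routeros
# Added example, not from the thread. Run from the LAN side before the WAN
# cable is connected. Assumed names: ether1 = WAN port, bridge1 = LAN bridge
# on 192.168.88.0/24, password is a placeholder to replace.

# 1. Replace the blank admin password before anything else.
/user set [find name="admin"] password="REPLACE-WITH-A-LONG-PASSPHRASE"

# 2. Interface lists so the rules below can refer to LAN and WAN by name.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge1

# 3. Keep only Winbox (and SSH) listening, and only for the LAN subnet.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# 4. MAC-Winbox/MAC-telnet and neighbor discovery on LAN interfaces only.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 5. IPv4 input chain: accept return traffic and LAN, drop everything from WAN.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface-list=LAN action=accept
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop

# 6. IPv6 firewall: without it, the router and every inside host with a global
#    address are reachable from the internet as soon as IPv6 comes up.
/ipv6 firewall filter add chain=input connection-state=established,related action=accept
/ipv6 firewall filter add chain=input protocol=icmpv6 action=accept
/ipv6 firewall filter add chain=input in-interface-list=LAN action=accept
/ipv6 firewall filter add chain=input action=drop
/ipv6 firewall filter add chain=forward connection-state=established,related action=accept
/ipv6 firewall filter add chain=forward protocol=icmpv6 action=accept
/ipv6 firewall filter add chain=forward in-interface-list=LAN action=accept
/ipv6 firewall filter add chain=forward action=drop

# 7. Review what is listening and which rules are active before plugging in ether1.
/ip service print
/ip firewall filter print
/ipv6 firewall filter print
```

The final drop rules in each chain are deliberately last; a rule added later that should be reachable from the WAN must be placed above them with place-before, or it will never match.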