Can ROS become infected?

I have at least 1 router board that is sending out traffic even though nothing is connected to it. Most of the traffic has source port 1080 (SOCKS) and many of the destination ports are 25 (SMTP).


This is causing my network to be attacked from outside and I am getting a lot of email about abuse from outside people.

Any ideas?

Thanks

David

Netinstall a fresh copy of ROS on it and see if it still does it.

RouterOS can not be infected. Unless you are running some illegally modified or cracked version, then anything could be possible, I suppose.

Heard that one before. :laughing: Even if you prohibit writing to disk, infected code can still be run from RAM. :wink:

I would love to see some actual evidence for this.

Evidence for what? That ROS can be infected or that it’s possible to run code from RAM? :wink:
Seriously normis, stop arguing that way, that's highly unprofessional. Systems (regardless of the base OS) have been hijacked that way in the past; that is not a matter of speculation.

However, you are probably right in saying that ROS hasn't been hijacked yet, but that doesn't guarantee anything.

A lot of stuff is possible in pure theory, however, until somebody has actually done it, there is no point in scaring people.

That wasn’t my intention but stating “RouterOS can not be infected.” isn’t really better. :confused:
Anyway, I hope the report from gcs was bogus.

I would put it like this:

Using all means provided by RouterOS to protect itself it is impossible to execute 3rd party malicious code on it.

Can you tell us more about what MikroTik does to minimize the possibility that it executes malicious code?
I would also say that it's unlikely that this happens, but to say it's impossible is really unprofessional.


I have been working as a security analyst for some time and have seen some crazy compromised systems.
There is no system in the world about which you can say it's 100% secure. OK, all systems can be 100% secure, but you need to unplug the power cable to get there :wink:

You can say there is no known vulnerability and that the system has multiple layers to mitigate intrusions, but then tell us more about that.

What gcs is describing sounds more like some "usual" infection used for sending spam and such stuff. I have seen a lot of compromised Linux-based boxes in my life getting abused for such activity, but during forensics it usually turned out they got hacked via known and unpatched vulnerabilities.
It's unlikely that those bad guys spend a lot of time finding a vulnerability to compromise systems with their (spam) bots, especially if the possible count of targets is very low. They are just interested in the count of infected hosts.

Some questions for gcs:

  1. Is everything really disconnected?
  2. Could it be that you configured (by accident) a SOCKS proxy which is open to the world?
  3. Are you running something inside MetaROUTER that could be compromised?

To MikroTik:
Please don't just say something like "RouterOS can not be infected." Even if this is unlikely, it's worth investigating, so you should help the user find the problem. If it's just something like an open SOCKS proxy, we're all happy. If it really is the unlikely case that someone has a 0day exploit for RouterOS and uses it just to send spam, you should be really interested in finding it as soon as possible.

I did not say it’s impossible to make. I said that it’s not likely that the OP has such problems, because nobody has done it yet.