Error while running customized default configuration script: cannot open output file (6)

Hi,

If a router has been compromised, can Netinstall provide 100% assurance that no traces of the compromise are left behind?

If the answer is “Yes”, then maybe I am having a hardware failure. If the answer is “No”, then is there anything I can do?

The facts:

A MikroTik Chateau 5G became unresponsive. I have no clue what exactly happened. I did Netinstall and I managed to log in to the router, and the first thing I did was to change the password. After rebooting the router, the password is erased, there is no config, and I am getting the following errors:

system, error, critical router was rebooted without proper shutdown, probably kernel failure



system, error, critical, unknown, unknown error while running customized default configuration script: cannot open output file (6)

Unfortunately, after rebooting the router the LTE1 interface is enabled by default. This means that this specific router was exposed to the Internet without an admin password for at least 1 hour, with a public IP address and winbox/telnet/web services working. During that 1 hour period someone else could have compromised the router even more.

The default firewall would have dropped traffic to the management services… but no config, no firewall. But the logs don’t show any access or modifications to config.

Netinstall would be a good idea, which formats the disk. Theoretically, the boot firmware could be modified somehow – which isn’t replaced by netinstall — but AFAIK there isn’t an attack vector without some management interface to replace (which there isn’t any evidence of in the logs). But after netinstall, upgrading firmware to match routeros would be a good idea.

Also, in V7 there is /system/device-mode/print, which should show “flagged” as yes if system files were modified.

One more detail… Your default configuration script clearly had an error. Attributes have changed in various V7 versions & with one bad one, the script will fail — especially wi-fi.

Also, I don’t know how you’re building your default configuration scripts, but you generally want to base any customized one on the original one for the device you are using (e.g. /system/default-configuration/…) & from the same routeros version you’re planning to deploy.

I did not upload, nor modify the default configuration script.

Most probably the issue is related to the fact that when I did the Netinstall I uploaded the routeros.npk + the container.npk and the wifiwave2.npk packages. In my desperation today I decided to remove the container and the wifiwave2 packages and the error is gone. Now the router behaves as expected.

Edit:
And, damn it, I just realized that this is not an AX model so wifiwave2.npk is not needed at all.

wifiwave2 (up to and including 7.12.1) is known to emit (spurious?) error message about default config.

Chateau 5G doesn’t require wifiwave2 package, but will surely benefit from it. I’d put it back.