CCR1009-8G-1S
Router was infected by hacker, had Socks enabled, scheduler running a script, service user account.
I’ve removed those but under FIREWALL the Bytes and Packets are staying ZERO. See attached M1.GIF
I can’t find anything out of the ordinary in the config.
I want to get firewall rules working again so I can lock down this router.
You should netinstall with a known good config. Once a router is compromised an attacker can get system level access that you cannot detect or repair from RouterOS UI.
Looks like its working, had wrong ‘address list subnet’ for chain input so was confused why I had 0 bytes on filter rule #0
If your router was compromised, netinstall it from zero. Use a known good export to restore (the backups would be easier - but there is no way to inspect what would be restored to the router), and go from there.
In other words: nuke’m from orbit - it’s the only way!