Hacked again. Changed username and password

My CCR was hacked again. This time they managed to change the username and password. The identity is now “test”.
Is there a username and password this exploit uses?

I remember with the ubnt exploit last year they changed some radios to a different username and password, but they were all the same username and password.

  • Did you update to the latest version?
  • Did you block access to your service ports, e.g. by address list or single subnet?
  • Or did you limit access to IP services (“Available from”)?
  • Did you create supout.rif and mail it to support@mikrotik.com with the above information?

Yea, I did all that. Except the last one. I don’t know what supout.rif is.

But you didn’t really answer my question.

Is there a new exploit that changes identity to test? Does it have a normal username and password it sets the device to?

Sorry, didn’t read your post well.

  • Did you change your username and password after the previous hack?

If you suspect a vulnerability, the only way to get it confirmed and fixed is to contact support with the given supout (which can be generated on the router if you still have enough credentials: https://wiki.mikrotik.com/wiki/Manual:Support_Output_File).

The best you can get on the forum is affirmation that your device being hacked is to be expected if you open services to the public, run an older version of ROS or upgraded but you didn’t change password / secure services afterwards. There are no default credentials (besides admin / no password) but the credential database could be retrieved in older releases.
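The checklist above (update, address-list or single-subnet access to service ports, “Available from” on IP services) and the point about open services in this reply, written out as a RouterOS configuration. This is an added example, not something posted in the thread; the trusted subnet 192.168.88.0/24 and the list name "management" are assumed values.

```routeros
# Added example: lock management access down to one trusted subnet.
# 192.168.88.0/24 and the list name "management" are assumed values.
/ip firewall address-list
add list=management address=192.168.88.0/24 comment="trusted admin subnet"

# Input chain (traffic to the router itself): rules are evaluated in order,
# so the accepts must come before the final drop.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept comment="allow ping"
add chain=input src-address-list=management action=accept comment="admin access"
add chain=input action=drop comment="everything else to the router is dropped"

# IP services: disable what is not used and bind the rest with "Available from"
/ip service
disable telnet,ftp,www,api,api-ssl
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24

# After a suspected compromise, look for leftovers such as a packet-sniffer
# filter, a changed identity, or an added user.
/tool sniffer print
/system identity print
/user print
```

Apply this from a session that is itself inside the trusted subnet, otherwise the final drop rule locks you out; the `print` commands are only for inspection and change nothing.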

Thanks for your response.

Yea, I changed the username and password last time we got hacked (on Father’s Day). Maybe I didn’t clear everything.

Unfortunately, this time we’ll need to reset the MT to default and rebuild since I can’t get into the device. So I won’t be able to send the supout file.

I had just upgraded the device last night to 6.42.4.

The last time it was hacked it also changed the identity to “test” but did not change the password. Are there any forum posts about this particular exploit? I am just curious.

This is it: http://forum.mikrotik.com/t/s-o-s-new-vurnelabilty-on-6-42-3-no/120528/1

Have you thought about the obvious? Maybe it’s being hacked from the inside?
An angry employee trying to cause havoc seems like the logical answer.

Angry employee: I don’t have any of those…

I found another line in my most recent backup:
/tool sniffer
set filter-ip-address=142.129.4.71/32

Looks like this must have been put in during the last hack. Someone from California or using a VPN in California.

My device has also been hacked. The device entity was changed to test.
My version is 6.42.5