I’m new to MikroTik but have little knowledge of the router configuration.
Anyhow,
on Thursday someone accessed our company router through SSH and I don’t know exactly what he did to the router or the internet connection settings, which seem fine, but he injected some kind of trojan/riskware for the users. I already blocked all kinds of access to the router from outside except from WinBox. I downloaded Malwarebytes and already had Kaspersky Endpoint Cloud Pro installed, but sadly it only shows that I have a certificate problem, and it can’t delete the source or tell me where it comes from, and the devices which don’t have antivirus get directed to this site
get your gift . life (without spaces)
I blocked the IP address in the router but I still have the problem; I don’t know what to do exactly.
I cleared and reset all of the configuration for the internet history and DNS, but nothing; only now it changed from riskware to trojan in the Malwarebytes detection, with a different IP address.
You also have IT dept issues.
Who was responsible for this disaster?
They need training badly.
You should remove the router, netinstall a fresh version of the software you wish to use, and then put a config back on which is better constructed from a function AND security perspective.
You should also consider, after ensuring all computers are clean, installing some software that helps block traffic to bad sites so that malware phoning home is blocked.
I’ve good knowledge in IT regarding networks, troubleshooting, easy router setups and stuff like that, but not too much knowledge in Cisco or MikroTik.
I’ll look up your solutions later on when the router is in front of me.
No, we don’t have it for the time being; the company (my supervisor), after the attack, wants to buy Kaspersky Endpoint Cloud Pro for all employees. I’ll check and inform you what will happen.
I’m thinking to load a configuration file; is it going to be helpful and delete the traces of what he did to us, or do I need a fresh install for everything and after that load the configuration?
Generally there are two types of exploits: most of the time the attacker alters configuration or adds some scripts which then allow them to spread malware further. The other type is such that the attacker installs malicious code into ROS. I’ve never seen any proof that this kind of attack happens, however behaviour reported by some users strongly indicates it’s possible.
It is possible to recover from the first type of exploit by cleaning up configuration or by restoring the device from a known clean backup (binary backups are next to impossible to verify though). But it does take some expertise to find and eliminate all malicious config (some of it might seem legitimate but it may not be in the particular use case). And restoring config from backup would mean the device is still vulnerable afterwards. Recovery from the second type of attack (malicious code installed in ROS) is only possible by doing netinstall (which formats flash). In both cases I’d suggest configuring the device from scratch, but taking a solid default config as base (default config on lower and mid-end devices is decent, high-end devices come without config from factory).
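As an added example (not posted by anyone in this thread), this is the RouterOS command sequence that matches the first type of cleanup described above: print the places where altered config and added scripts usually hide, then restrict management access to the LAN. The interface list name, the bridge name and the 192.168.88.0/24 subnet are assumed placeholders; for the second type (modified ROS itself) only netinstall helps, as stated.

```routeros
# Constructed example: review persistence points, then lock management to the LAN.
# Compare each print against a known-good /export before removing anything.

# --- 1. Places where altered config or added scripts usually show up ------
/system scheduler print detail      # scheduled jobs that fetch or run scripts
/system script print detail         # stored scripts (read the source= field)
/user print                         # extra, renamed or re-grouped accounts
/ip dns static print                # static entries redirecting users to a site
/ip dns print                       # upstream resolvers changed to foreign DNS
/ip firewall nat print              # dst-nat rules redirecting web traffic
/ip socks print                     # SOCKS proxy, commonly enabled by intruders
/ip proxy print                     # web proxy, same reason
/ip service print                   # which management services are reachable

# --- 2. Define the LAN and bind management services to it -----------------
# Assumed: no "LAN" interface list exists yet and the LAN interface is "bridge".
/interface list add name=LAN comment="management allowed from here"
/interface list member add list=LAN interface=bridge

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24     # assumed LAN subnet
set winbox address=192.168.88.0/24

/ip socks set enabled=no
/ip proxy set enabled=no
/ip dns set allow-remote-requests=no           # do not resolve for the WAN side
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool bandwidth-server set enabled=no

# --- 3. Input chain: only the LAN may talk to the router itself ----------
# "add" appends after existing rules; check ordering with "print" afterwards.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept comment="management from LAN only"
add chain=input action=drop comment="drops SSH/Telnet/WinBox from the WAN"
```

The print commands only display state; what looks suspicious must still be judged against how the device is meant to be used, which is the expertise point made above.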
Thank you very much for the easy explanation. I think I’ll go with restoring the last successful configuration that I made, and will edit the configuration to close all of the previous holes like SSH, Telnet etc., and will check after that. I’m a little confused because I don’t know where the virus is injected, and some employees here, their mentality is not that good, they aren’t helping; also the equipment here is not helping that much, the strongest device that I have is this MikroTik, after that nothing, only 3 Cisco switches and nothing. Is there a way that I can track which device is injected with the virus through an IP or something from MikroTik?
Because I know the IP that leads to the spyware page and blocking it in MikroTik does nothing.
With all these premises, there is little to say, a generic forum, on anything, cannot help.
You MUST hire someone who can work on all of these things, not just the MikroTik related part.
Installing something on an INFECTED computer is absolutely useless (obviously it depends).
Chat without facts, it doesn’t do any good.
If who you should hire should do your job, well, there is little to add…
Sorry, but who said it doesn’t help? I’m learning from others here what I should do, and I’m the one who’s responsible for everything related to IT here, including troubleshooting and things like that, so it’s my job. The attacker came through a MikroTik device and that’s why I’m asking what to do here to fix what happened and to avoid future attacks, which now I know how to do.