hidden/ghost script

Hello,

We did a netinstall on a router after we discovered some hidden scripts. There is no script in the System -> Scripts list, but we found some executions in the Jobs section.
After the netinstall, I enforced the firewall rules and also blocked winbox in the input and output chains (previously winbox was only blocked by the IP filter in ip->services), and all ports are blocked, except winbox and other ports but only from our office IP, both in the input and output filter chains.

But the next day I already found the hidden script executions:
[Attached image: hidden_jobs.png]
So, I am wondering if there is some zero-day exploit that installs the scripts, bypassing the firewall rules, and how can I clean the router? This is a remote router, and it is very difficult to do a 2nd netinstall in less than one week.

Probably you have a terminal session open, either from telnet, ssh or winbox. Change your admin password if you suspect unauthorized access to your router.

Hi,

When you open a terminal window in winbox, it opens a new job under scripts; when you close it, it disappears.

Markos

Thank you! I didn't know that when you open a new terminal it opens a new job.