How do I check if my Mikrotik is infected

stenlyto · April 6, 2014, 8:31am

Hello there,

Two weeks ago I fired one of my my employee
He had the passwords for all my stations. Before I decided to fire him, I changed the passwords, but by mistake I forgot two change the pas to two important routers…
yesterday I saw that the log in one of them is missing and I assume he has logged in and do some changes …
Any suggestions, where should I look for hack and thing like that…

I can do reset config, but not now… I need to go physically to the device…
I checked almost everything, noting seems to be infected… but in google you can find so much ways to do something bad…
Is there anything useful that I can do to check…
last night I disabled all the ports in the router and left it alone to the internet and tried to torch the wan interface to see if there are any connection to somewhere, there are non…
is there anything else that can be checked ?

Lakis · April 6, 2014, 11:48am

dont be hysterical
if you reboot unit, the log will be empty - unless it is set to be stored
without password and user there is no way u can log in to MT OS

stenlyto · April 6, 2014, 7:24pm

if it is rebooted NOT from command, it will say
*system,error,critical router was rebooted without proper shut down
the router gets power from UPS and other devices connected to the router on the same power have a long uptime
So the router was rebooted by command…
I know, as u know, as everybody know that if you do changes everything is going into the log, but to remove log u reboot… → in my case, because I haven’t configure the logging write!
I’m not “hysterical”, I’m just learning from my mistakes…

For me and my company its good to deliver nice and safe services to my clients… I’m always considering the unexpected!!!

So I am just asking for suggestions where to look for “infections”
answering this may help others in the time as well !

Lakis · April 6, 2014, 9:22pm

well I cant deny what u say
but if router was reboot by command /system reboot there will be in log “system info: router rebooted”

sometimes I get error like what u describe
system error critical: router was rebooted without proper shut down

this can be case by kernel panic, high cpu usage or another 100 different reasons

just put new password and check if somewhere is created VPN

stenlyto · April 7, 2014, 5:58am

That was what I was asking
any others ?
I already went there and did reset config…
Am just curious how to catch viruses done on mikrotik, cause in google you can find lots of scripts and mechanism for sending passwords and things like that…
Now I just want to make myself an algorithm of what I should check to sleep well when I have doubts for any of my devices

nick3dos · April 7, 2014, 7:12am

also check in System → Users for any stored SSH Keys and SSH Private Keys and delete anything is not yours…

TheWiFiGuy · April 7, 2014, 12:44pm

Also check System → History to see any previous logins and what commands / settings where changed.