Infected 6.38.5 Clients Upgrade fails to load

We have some 6.38.5 clients that we failed to upgrade that have been compromised. Current firmware copied directly or from the /system package screen will show the new file, but it does not install with reboot.
Log shows that after winbox access, telnet was enabled and a number of scripts added, run, and removed. A file ‘botv5.jpg’ was fetched.

Any suggestions?

Thanks

After this happens, it simply ignores the new .pkg when it’s rebooted.
I also did a /sys reset on one locally attached RB and it still will not load the firmware that is uploaded.

We had this happen yesterday as well; we are running 6.39.2 but are unsure now how to clean things up. I have disabled the ftp and ssh services for the moment. How do we tell what scripts were run while compromised?

Don’t post same issue multiple times in different sections of this forum.

Sorry, wasn’t sure if this was the right section to post this issue.

Hello,

At any rate, problems regarding infected routers have been discussed many times.

Please netinstall, change the default admin account to something else and change the password.

Validate also that you have proper firewall filters.

Regards,

Sent from Tapatalk
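The clean-up steps recommended above (netinstall, replacing the default admin account, restricting services and adding input firewall filters), plus the earlier question of how to see what scripts were run, as an added RouterOS CLI example. This is not from the forum post or from MikroTik; it assumes a trusted management subnet of 192.168.88.0/24 and a WAN interface named ether1, both placeholders to adjust.

```routeros
# Added example, not from the thread. Assumptions: management subnet is
# 192.168.88.0/24 and the upstream interface is ether1 (adjust both).

# 1. Before netinstall, record what was left behind: scripts, scheduler
#    entries and unexpected files (the thread mentions a fetched botv5.jpg).
/system script print detail
/system scheduler print detail
/file print where name~"jpg"
/log print where topics~"script"
# Remove any script or scheduler entry you did not create yourself, e.g.:
#   /system script remove [find name="<unexpected-name>"]

# 2. After a clean netinstall, replace the default admin account.
/user add name=netops group=full password="REPLACE-WITH-STRONG-PASSWORD"
/user disable admin

# 3. Disable services that are not needed; bind the rest to the management subnet.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 4. Input-chain filter: accept established traffic and management from
#    the LAN only; drop everything else arriving on the WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input src-address=192.168.88.0/24 action=accept comment="management from LAN"
add chain=input in-interface=ether1 action=drop comment="drop unsolicited WAN input"
```

Place the management rules above any existing catch-all accept in the input chain, and verify with `/ip firewall filter print` that the WAN drop rule counts hits after the change.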

This thread was the only one that came up in a Google search; the images link back here as well.

I guess your search was too precise. Had you tried “MikroTik infected”, you would have gotten much more.

Regards,


Sent from Tapatalk