Is there a way to restore config from hijacked mikrotik router?

Hello!

I have 5-7 routers that were hijacked and I lost access to them. These routers were never backed up and have a pretty big configuration. Is there a way to restore their configuration?

Thanks,
D.

No, you can only reset them completely and configure them from scratch. This time, I suggest following these guidelines to protect against hijacking of any kind:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

What about re-hijacking this?

Since I can’t imagine how you lost access to yours, it is impossible to say how to do it again :)
Possibly somebody simply guessed your password.

No, I lost access to about 10 routers. All these routers had vulnerable versions, like described here: http://forum.mikrotik.com/t/routeros-making-unaccounted-outbound-winbox-connections/117836/1

All routers that were backed up we have already restored with a reset, but a few routers are a little bit difficult to restore…

Are they accessible in any way? I mean any open services there.

If these routers have an LCD screen, it’s not locked and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.

Some VPNs work with previous passwords. Which other services should I try?

Will check; at least 2 of them have an LCD and it is not locked. Thanks.

Are there open winbox/web services on these devices? For example, if the winbox service was open before and it remains open after the hijacking, you’ve got a chance to get the device back if there’s a vulnerable RouterOS version there. The attack vector depends on the conditions that existed before. So it’s interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

Both winbox and web are open, but all passwords are changed or locked.

At least it reminds you (and others) to always make backups and/or exports…
Do you have any idea (e.g. from logs) who was the attacker? Was it 188.92.74.189 that was active first week of may?

There’s a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably, this tool was used by someone to hijack your devices. And if the RouterOS versions aren’t updated now, you have a chance.

Doesn’t Router Scan have vulnerabilities itself, or did I mistake it for another tool… Forgive me if I’m speaking out of school here.

I don’t know, but there’s a default setting to automatically send out the results to the server, so it has to be configured properly first. It’s just a tool that does its job. If you know of any vulns there, please tell us, so I won’t suggest it further.

Seems that Router Scan does not help; not sure I got the correct Router Scan… It only shows that my hijacked routers have versions 6.41 and 6.40.6… The main problem is that one of the hijacked routers is 250 km away from me. Any other advice is welcome.

The version should be the beta, right from here: http://msk1.stascorp.com/routerscan/prerelease.7z

Yes, I got this 2.60 Beta. Entered IPs, started the scan (added port 8291 also); each router is listed twice, the ROS version is detected, total results found: 7, good results: 0. The lines with port number 8291 show the status “Can’t load main page”. When trying to connect from winbox it still reports incorrect login/password…

It’s hard to tell if it’s the same version. If you tried that prerelease.7z contents, then there can be some restriction in the firewall rules or in the services. Btw, there’s no need to specify the 8291 port: RS tries to use HTTP on these ports.

It is the latest needed version, I think, because the needed exploit is listed in the help.

Yes, I tried with a clean vulnerable router; this version is working and shows the admin password, but not on the hijacked routers. Seems that they did something to close this exploit…