Hi all!
Here’s my situation.
I forgot to upgrade my router in time, so it became part of a botnet. I’ve just upgraded RouterOS and also added firewall rules for ports 80 and 8291.
But the public IP assigned to my router is on a spam list. And I found that there is traffic in the output chain to mail servers on destination port 25.
I’ve blocked that in the firewall as well, but is it possible to remove my router completely from the spam botnet? Or are the outgoing connections to port 25 caused by something else?
Thanks for any help
https://blog.mikrotik.com/security/winbox-vulnerability.html
- Use the “Export” command to see your full configuration and inspect it for any abnormalities, such as unknown SOCKS proxy settings and scripts.
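An added example of what that inspection looks like from the RouterOS terminal (this is not part of the original reply; it lists read-only commands and changes nothing). The items it checks are the ones the thread is concerned with: the SOCKS proxy, scripts and schedulers, user accounts, which management services listen on which addresses, and whether the router itself currently has SMTP connections open.

```routeros
# Added example, not from the original thread. All commands below are read-only.

# 1. Full configuration with passwords and keys masked, for your own review
#    or for posting on the forum
/export hide-sensitive

# 2. The SOCKS proxy should be disabled unless you enabled it yourself;
#    an unknown port (such as 4145 in the thread) or access list is a red flag
/ip socks print
/ip socks access print

# 3. Scripts and schedulers are the usual place for a persistent backdoor
/system script print detail
/system scheduler print detail

# 4. Accounts you did not create, or accounts with an unexpected group,
#    and who is logged in right now
/user print
/user active print

# 5. Management services and the addresses they accept connections from;
#    WinBox (8291) and www (80) should not be reachable from the WAN
/ip service print

# 6. Connections the router itself has open to TCP port 25. The output chain
#    only sees router-originated traffic, so entries here mean the router,
#    not a LAN host, is the one sending mail.
/ip firewall connection print where protocol=tcp dst-address~":25\$"

# 7. DNS servers and web proxy settings you do not recognise are also
#    worth a look while you are at it
/ip dns print
/ip proxy print
```

If step 6 shows nothing while the output-chain counters keep growing, enable logging on the drop rule for port 25 so the attempts are visible in /log print with their source process and timing.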
“/ip socks
set enabled=yes port=4145”
Is this the reason?
Yes
So just disable it and that’s all, or is something more needed? :)
Thanks
Maybe, maybe not. You may post your config here (/export hide-sensitive) for review.
Maybe. If you haven’t changed the credentials (all of them) for the router, then an attacker still has your user list. If you disable your firewall rules preventing access from the internet, they’ll log in again and set it up again.
It’s possible there are other issues that haven’t been greatly publicized yet. Perhaps you have a script that has been tampered with to reverse SSH tunnel back to a C&C server. I doubt it, but it is impossible to say.
What I’m getting at is that best practice is to wipe the router and install a fresh known-good config on it.
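An added example of the wipe-and-rebuild the reply recommends, written as RouterOS commands (this is not the poster's own config). The interface names ether1 (WAN) and bridge (LAN), the LAN subnet 192.168.88.0/24 and the user name admin2 are assumptions; the password is a placeholder. It assumes you reconnect over the console or MAC-WinBox after the reset and recreate your interfaces and addressing before the firewall section.

```routeros
# Added example, not from the original thread. Assumes ether1 = WAN,
# bridge = LAN (192.168.88.0/24); adapt names and addresses to your setup.

# 1. Wipe everything, including users, scripts and schedulers, and reboot
#    into an empty configuration (no default firewall or addresses either)
/system reset-configuration no-defaults=yes skip-backup=yes

# --- reconnect via console or MAC-WinBox on the LAN side, recreate the
#     bridge, addresses and routes, then continue ---

# 2. New account with a new password, then drop the default "admin";
#    the attacker's copy of the old user list is useless after this
/user add name=admin2 group=full password="CHANGE-ME-long-random-passphrase"
/user remove admin

# 3. Management services only answer on the LAN; everything unused is off
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service disable telnet,ftp,api,api-ssl,www-ssl

# 4. SOCKS and web proxy stay disabled
/ip socks set enabled=no
/ip proxy set enabled=no

# 5. Input chain: keep established flows, accept the LAN, drop the rest
#    from the WAN so 80 and 8291 are never exposed again
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge action=accept
add chain=input in-interface=ether1 action=drop comment="drop all other input from WAN"

# 6. The router itself has no business speaking SMTP; drop and log it so a
#    re-infection shows up in /log print under the prefix router-smtp
add chain=output protocol=tcp dst-port=25 action=drop log=yes log-prefix="router-smtp"

# 7. Stay on a patched release
/system package update check-for-updates
```

Keep the firewall rules in place even after the wipe: the reply's point is that a clean config only stays clean if the management ports are not reachable from the internet and every credential the attacker may have copied has been replaced.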