I’ve seen this before on some devices: there was also the user “router” with full privileges (with unknown password), and “admin” with newly created “admin” group with reduced privileges.
Also check the firewall: you should have a default deny rule for inbound connections on the WAN. Consider not allowing router admin access from the WAN. Don’t leave the default admin password as nothing; malware inside the network can log into the router and configure whatever it wants.
If you have the “router” user with full privileges, and have your “admin” set to the “admin” group with a reduced set of privileges (ssh, telnet, policy are disabled), you may try to log in with admin and add a netwatch up rule for 127.0.0.1 with something like this:
/user set admin group=full
So there’ll be no need to make a configuration reset.
Thank you Jabberd for your Netwatch line - it allowed me as admin to get my router to work with New Terminal and SSH login - both of which I was logged out of. I only had my router with no password on the WAN for minutes and yet got broken into - amazed how quickly that happened.
Hi
But looking at it another way
This netwatch trick is some kind of exploit
If some tech has limited privileges in the group he belongs to, he can promote the group to full access.
Hi! We found exactly the same today in a router with 6.43.2 (but it was without firewall rules for an hour).
Do you know if the “netwatch trick” can be still done to recover privileges in the admin account? We can enter with admin but there is a “router” user with full privileges and we do not know the password.
The router is in a remote location so it would be a big inconvenience to go there to fix this.
Old thread, I know, but I think it’s worth bumping.
I had the same thing happen to me. There were 2 ptty scripts in my scheduler. I had my router exposed to the WAN with the default username for only a matter of minutes but didn’t notice the script until a few days later. I deleted the scripts, the admin user, the new router user they created, and changed my password.
As has been discussed in other threads, the safest thing to do when one notices that the router has been compromised is to export the configuration (the ASCII part, using the /export command), review the config for signs of anything weird, then netinstall the router (this is the only method that really removes everything), start from factory defaults (SOHO routers have quite sensible default firewall filter settings) and adjust only what’s clearly needed.
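A small checker for that review step, added here as an example and not something from the thread or from MikroTik: it parses the text of an /export and flags the things this thread describes as signs of compromise (an unexpected user in the full group, the admin account moved out of full, scheduler entries, netwatch entries carrying an up/down script) and whether the input chain still has a drop rule for WAN traffic. The export text below is constructed to resemble the situation posters describe; the list of expected full-privilege users is an assumption you would adjust for your own router.

```python
import shlex

# Constructed sample of a RouterOS "/export" (not a real capture); it mirrors
# what posters in this thread found: admin demoted, a new "router" user in the
# full group, a scheduler entry and a netwatch entry with an up-script.
SAMPLE_EXPORT = """\
# jan/01/2019 00:00:00 by RouterOS 6.43.2
/user group
add name=admin policy=read,write,test,winbox,web,sniff,sensitive,api
/user
add group=admin name=admin
add group=full name=router
/system scheduler
add interval=1h name=ptty on-event=":global done" policy=ftp,reboot,read,write,policy,test
/tool netwatch
add host=127.0.0.1 up-script="/user set admin group=full"
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface-list=WAN
"""


def parse_export(text):
    """Yield (section, command, params) for each add/set line of an export.

    Section headers start with "/" (e.g. "/tool netwatch"); comment lines start
    with "#"; a trailing backslash continues a line. Values are key=value
    tokens, with double-quoted values allowed (shlex handles the quoting).
    """
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key] = value
        yield section, tokens[0], params


def review_export(text, expected_full_users=("admin",)):
    """Return a list of (code, detail) findings for the export text.

    expected_full_users: the user names you deliberately keep in the "full"
    group (assumed default: only "admin"). Anything else in "full" is flagged.
    """
    findings = []
    wan_drop_seen = False
    for section, _cmd, p in parse_export(text):
        if section == "/user":
            if p.get("name") in expected_full_users and p.get("group") != "full":
                # The thread's symptom: admin pushed into a reduced group.
                findings.append(("admin-group", f"{p['name']} is in group {p.get('group')}"))
            elif p.get("group") == "full" and p.get("name") not in expected_full_users:
                findings.append(("full-user", p.get("name", "?")))
        elif section == "/system scheduler":
            # Any scheduler entry deserves a look; the on-event body is the payload.
            findings.append(("scheduler", f"{p.get('name')}: {p.get('on-event', '')[:60]}"))
        elif section == "/tool netwatch" and (p.get("up-script") or p.get("down-script")):
            findings.append(("netwatch", f"{p.get('host')}: {p.get('up-script') or p.get('down-script')}"))
        elif section == "/ip firewall filter":
            # A default deny for inbound WAN traffic in the input chain.
            if (p.get("chain") == "input" and p.get("action") == "drop"
                    and (p.get("in-interface-list") in ("WAN", "!LAN") or p.get("in-interface"))):
                wan_drop_seen = True
    if not wan_drop_seen:
        findings.append(("no-wan-drop", "input chain has no drop rule for WAN traffic"))
    return findings


if __name__ == "__main__":
    for code, detail in review_export(SAMPLE_EXPORT):
        print(f"{code:12} {detail}")
```

Run it against the output of `/export` saved from the router; every hit is a line to read, not a verdict, and as the post above says, a clean-looking export is still followed by netinstall rather than trusted.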
Ok, thanks for the heads up. I noticed after I posted this a few more scripts and a few other things inside my router that I had to delete. Since this MikroTik is being used as a DMZ between the internet and my firewall, I figured I may be ok and won’t worry about the reconfiguration. But I think you’re right, I should do a thorough wipe regardless. Thanks again