Possibly infected routerboard?

Hello.
Is there any chance to reset the admin password on an RB952-ui? A second client has the same problem with his RB within a short time: the RB suddenly started sending a lot of traffic outside. With the first client we just reset the settings and uploaded new firmware, and the problem disappeared; we thought it was a coincidence. But now I want to check what happened with this device, and the client doesn't have the password.

Is there any method to reset the password or dump the settings without resetting? I don't have a backup of this device. Winbox shows firmware 6.37.3.

You can't view settings if you don't have the password. Netinstall should reset the password and everything else.
Most likely RouterBOARD is not sending anything, it is forwarding from clients internal network.

I have not seen an infected RouterOS device, so the chances are close to zero. Most likely an unprotected device (wrongly configured firewall) + an infected client PC.

All devices were unplugged from the routerboard, only the routerboard was connected, and the routerboard sent about 20 Mbps for a few hours.

If your device has no firewall, it could be used as a DNS relay, for anyone on the internet.

And what did /tool torch or /tool packet-sniffer show? What kind of traffic was that?

It's possible; the first client had a lot of traffic to the DNS port on his routerboard. And nmap shows port 53 open on the second device, and shows all ports, so I think there's no firewall. Maybe it's a good idea not to open DNS by default.

macgaiver: Second client has a lot of connections to port 443 to remote hosts.

The WAN port is protected in the default configuration, so you can have DNS open to attacks only if you made the router insecure by modifying the configuration.
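The two diagnostic questions raised in the thread (what does /tool torch or /tool packet-sniffer show, and is DNS reachable from the WAN side) can be answered from the RouterOS console. The following is an added illustration and is not code from any of the posters; it assumes the WAN interface is named `ether1`, RouterOS 6.x command syntax, and that the board is not meant to answer DNS queries from the internet.

```routeros
# Added example, not from the thread. Assumes WAN = ether1 (adjust to your board).

# 1. Live view of what leaves the WAN interface, broken down by protocol/port,
#    to distinguish the board's own traffic from forwarded client traffic.
/tool torch interface=ether1 port=any src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 2. Capture only DNS on the WAN interface; queries from random internet
#    source addresses indicate the board is acting as an open resolver.
/tool sniffer quick interface=ether1 port=53

# 3. Check whether the board answers DNS for remote hosts at all.
/ip dns print
# "allow-remote-requests: yes" with no input filter on ether1 = open relay.
# If the board does not need to serve DNS to the LAN, turn it off outright:
/ip dns set allow-remote-requests=no

# 4. Otherwise restore the default-configuration behaviour for the input chain:
#    accept replies to connections the router started, drop new inbound on WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input in-interface=ether1 connection-state=new action=drop \
    comment="drop new inbound on WAN"

# 5. Confirm the drop rule's packet counter is rising and the 20 Mbps stops.
/ip firewall filter print stats
```

Step 4 is placed after the established/related accept rule on purpose: if the drop rule came first it would also discard DNS and NTP replies the router itself requested. On a board that was really just relaying, the outbound rate on `ether1` in torch should fall to near zero within seconds of adding the drop rule.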

OK, thanks for the info. Now I'm trying to break the password by brute force. I will write if I find something.

… several months later…

Just use Netinstall and start over.

Hehe. I have time, and only a 300k dictionary; the client has given us the router, so I will try :slight_smile: