We already submitted it to support.
v7.22.2 is available, but you are using v6.48.3, released in May 2021.
The same is also occurring on our v6.49.19, so?
Nah, just fire the one in charge of securing the routers.
Just let us know if you have any insight, don't be like that.
we will do the same if it occurs ONLY at our network
Insight: your device has been compromised.
That doesn't invalidate my suggestion, just multiply it.
Which one of you responsible for those networks is MikroTik certified?
And how did you come to the conclusion that the PPPoE service was hacked? (whatever that means).
Config export before and after the compromise?
You can label comments thumbs-down but that does not change anything: they are true.
Your router has been hacked, people have added “socks” service (port 1080) and are using it to exploit your connection to send malicious traffic.
Probably admin ports are open from the outside, maybe password was weak or otherwise a security issue was exploited. Your best bet is to /export the config, reinstall the router (netinstall), set it up again using cut/paste of VALID parts of the config, and make sure you have a proper firewall that does not allow connects to winbox, webfig, telnet, ssh and api from the internet.
Replace it immediately with backup router: assuming you have one ready.
Netinstall + installation of the verified config from backup if any exists.
Who cares about the RouterOS version?
What do you expect from a device that doesn't have a firewall at all?
Whoever set it up is incompetent.
Mistakes happen, even to me, especially to me, but it's one thing to make a mistake or forget a rule, and another to have none at all.
As for the "thumbs down" sign, well, that's exactly where your network is at this moment... "down"...
Indonesia has 52 MikroTik consultants listed on the website.
I'm sure that they can sort this out.
52!
And 23 trainers.
Note: It's recommended NOT to delete the admin user,
but to assign it an impossible password and place it in a group that has no permissions. Otherwise...
How did they "hack" your router?
Simply,
they injected the admin username and password, full group, into the dialog with Radius, or into Radius itself,
and then accessed your device... because in AAA/Radius, at the very least,
it was selected that these can also be users who log in to RouterOS...
A "lot of games" can be played without a firewall configured...
Why so mean, they clearly had some firewall rules
I also don’t understand why people are so mean. The situation is clear: the router has been hacked, and it has to be recovered. It probably was because of a configuration error, but there is no need to point to “certified consultants” when the OP does not ask who could do a better job. Even certified consultants can make mistakes.
Why not?
Did I post something with the title "PPPOE Service Hacked?" Does the title imply that there's a bug with the PPPoE service and someone abused it? Maybe. Proof? None. Why post at all?
Honestly, I would have to dig much more into all the firewall rules. Also which services are open, and what permissions they have. It is highly unlikely that you have been compromised due to PPPoE, at most hijacked. PPPoE cannot itself change the network config of the router, it is just a protocol for layer 2 tunneling. Personally, based on the little information I have, I would do the following:
- Disconnect the compromised routers (if possible).
- Check them out offline and check all the possible access and firewall rules.
- Retire the v6 routers if you can and upgrade to version 7 LTS. Version 6 is “already retired” (you can use it but I wouldn’t recommend it unless you clearly have an explanation).
As a bonus, if you can afford it, try to get some training from a certified trainer. And also use some tools like NetBox or Nautobot and git to have a history of changes over the router so you can see what went wrong exactly at which time.
Let me know if you need any help.
The problem with the PPPoE service can be trivial - no limits on sessions per host / max sessions per user.
In that case, these connections may be made by compromised/faulty CPE devices, resulting in duplicated sessions, or by some error in the RADIUS server.
Also notable is L2 protection - accept 0x8863, 0x8864 / drop else.
MAC address limit on ONTs, switches, bridge firewall filters.
The gist of this whole topic?
Take your entire network offline, every single device,
and perform a netinstall on every device.
I'm not being drastic, probably, with the compromised radius-based authentication
and the madness of deleting the admin user, all the devices are compromised...
Obviously don't import the .backups,
but use the export.rsc files manually, reading what you are applying, so as to avoid surprises...
But this time, before putting them back online, set a default firewall...
even the default one is more than enough.
We do have a firewall at our border and it blocks all the forwarding ports used at the Distribution router like winbox, etc., and also all the ports we use contain an allowed address.
What I'm asking is: the pppoe service likely seems to be down and up at the same time, the dynamic queue is stuck and not removed, and this causes the dial connection to fail to establish with the server. I'm just asking, so if anyone says so, we will do as they say. Also, after posting this we shut down the network connected to our router and did some upgrades.
Then again, thank you all for replying to our post. This helps us very much, and I'm sorry for the thumbs down before.
This looks like a coordinated attack exploiting a vulnerability — possibly a CVE related to the RouterOS management interface.
Key indicators:
- Firewall rules added by non-existent "admin" user
- Ports 1080 (SOCKS), 7777, 8888 (common backdoor ports)
- Affecting multiple routers across different networks
- Started simultaneously on April 26, 2026
Immediate actions:
- Remove the suspicious firewall rules
- Check /ip/socks — if enabled, disable it immediately
- Check /system/scheduler and /system/script for malicious entries
- Check /file for any unknown files
- Change ALL passwords
- Update to latest RouterOS stable (V7)
- Restrict /ip/service to specific management IPs only
- Block ports 1080, 7777, 8888 on input chain
For V6 routers — consider upgrading to V7 ASAP since MikroTik is no longer actively patching V6.
I'd also recommend reporting this to MikroTik support directly and checking the CVE database for recent RouterOS vulnerabilities.
This is NOT a configuration issue — this is an active exploit being used in the wild.
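The checks listed in the posts above (SOCKS enabled, rules touching ports 1080/7777/8888, scheduler and script entries, management services reachable from any address, no input-chain firewall) can be run over an `/export` file before its parts are pasted back after a netinstall. This is an added example and not part of any post in the thread; it assumes a compact `/export`, in which services left at their defaults are not listed, and `SAMPLE`, `commands` and `audit` are names made up here.

```python
import re

SUSPECT_PORTS = {"1080", "7777", "8888"}          # ports named in the thread
MGMT = {"winbox", "www", "telnet", "ssh", "api"}  # www = webfig; enabled by default

SAMPLE = r"""# constructed sample, not taken from the thread
/ip firewall filter
add action=accept chain=forward dst-port=1080,7777 \
    protocol=tcp
/ip service
set telnet disabled=yes
set winbox address=192.0.2.0/24
/ip socks
set enabled=yes port=1080
/system scheduler
add interval=10m name=task1 on-event=placeholder
"""

def commands(text):
    """Yield (section, command), joining RouterOS backslash continuations."""
    section = ""
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            yield section, line

def audit(text):
    findings, locked, has_input = [], set(), False
    for section, cmd in commands(text):
        if section == "/ip socks" and "enabled=yes" in cmd:
            findings.append(("socks-enabled", cmd))
        elif section == "/ip service":
            if "disabled=yes" in cmd or re.search(r'address=(?!"")\S', cmd):
                locked.add(cmd.split()[1])
        elif section.startswith("/ip firewall"):
            has_input |= section.endswith("filter") and "chain=input" in cmd
            ports = re.findall(r"\d+", " ".join(re.findall(r"-ports?=(\S+)", cmd)))
            if SUSPECT_PORTS & set(ports):
                findings.append(("suspect-port-rule", cmd))
        elif section in ("/system scheduler", "/system script"):
            findings.append(("review-code-entry", cmd))
    # Services absent from a compact export are at defaults: enabled, any address.
    open_svcs = [("service-open-to-any", s) for s in sorted(MGMT - locked)]
    no_fw = [] if has_input else [("no-input-chain-rules", "")]
    return findings + open_svcs + no_fw

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result only means none of these specific indicators are present in the export; it does not show that the running device is clean, which is why the thread recommends netinstall.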