ROS v6.43.x Hacked using same old vulnerability

hsabrey · February 11, 2019, 10:46am

hello
today i found my RB2011 been compromised using the same vulnerability and here is the photo attached.
this time they fitch a file from the internet which i do not what it is?
mean time the version is v6.43.7
the script added a file in the mikrotik and this it’s content

/ip socks access add src-address=5.188.0.0/15 action=allow
/ip socks access add src-address=192.243.0.0/16 action=allow
/ip socks access add src-address=5.9.0.0/16 action=allow
/ip socks access add src-address=5.104.0.0/16 action=allow
/ip socks access add src-address=0.0.0.0/0 action=deny

in the attached photo you may see that this socks IPs are added more than 53000 times due to the script runs every 15 second.

R1CH · February 11, 2019, 11:05am

Netinstall the latest version with known clean config and change all passwords. Either you didn’t change passwords or you didn’t netinstall, so attackers were able to get back onto your device.

Redmor · February 11, 2019, 8:44pm

Destroy RB and buy a new one.