We’ve updated the firmware after our Routerboard was compromised. We’re still getting blacklisted. After the firmware update we unfortunately did not reset our passwords. We’ve since reset them accordingly. If we blow away the config and restore from a backup, will any of the scripts or settings that the attacker used be restored? The reason I ask about restoring from a backup is that the amount of configuration would require a few hours of work from an outside company. We understand if that is completely unnecessary, but if we can restore from a backup and not reinfect ourselves we’d prefer to do that.
If you backed up from before the compromise, then the backup is safe to use. You can also export the compromised config and manually review it before importing it on a fresh router with changed passwords.
Thank you. It looks like there were IP socks and IP proxy entries in the config when I exported it out in the terminal. We got rid of those and that appears to have fixed the issue.
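A defender-side checker for the "export and review" step suggested in the answer above, added here as an example that is not part of the original thread: it parses the text of a RouterOS `/export` and flags enabled socks/proxy services (the two entries found in this case) plus any `/system script` and `/system scheduler` entries, which is where persistence is usually parked. The sample export embedded in the block is constructed; the section names are standard RouterOS menu paths.

```python
import re
from typing import Dict, List, Tuple

# Sections where "enabled=yes" is a strong signal on a router that was
# compromised (the thread above found /ip socks and /ip proxy turned on).
SUSPECT_SERVICES = {"/ip socks", "/ip proxy"}
# Sections whose every "add" entry deserves a manual look before re-import.
REVIEW_ALL = {"/system script", "/system scheduler"}

# Constructed sample of RouterOS /export output (not from the original post).
SAMPLE_EXPORT = """\
# jan/01/2019 00:00:00 by RouterOS 6.40.1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/ip socks
set enabled=yes port=1080
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=1d name=sched1 on-event=script1 \\
    start-time=startup
/system script
add name=script1 source=":log info hello"
"""

def parse_export(text: str) -> Dict[str, List[str]]:
    """Group an export into {menu path: [command lines]}.
    Joins '\\' line continuations and skips '#' comment lines."""
    sections: Dict[str, List[str]] = {}
    current, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                  # continued on the next line
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):                 # new menu path, e.g. /ip socks
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, command, reason) tuples that need a human review."""
    findings = []
    for section, cmds in parse_export(text).items():
        for cmd in cmds:
            if section in SUSPECT_SERVICES and re.search(r"\benabled=yes\b", cmd):
                findings.append((section, cmd, "service enabled"))
            elif section in REVIEW_ALL and cmd.startswith("add"):
                findings.append((section, cmd, "review entry"))
    return findings

if __name__ == "__main__":
    for section, cmd, reason in find_suspicious(SAMPLE_EXPORT):
        print(f"{reason:16} {section}: {cmd}")
```

Run it against the real export (`/export file=...` then pull the .rsc off the router) and clear or justify every hit before importing the config onto the freshly reset device.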