Router hacked from outside

Hey Guys,

Well - my router was hacked and I just want to know what damage could have been done? I recently upgraded, and my old router by default locked itself out from the outside world (my first RB) - this one doesn't appear to have done so.
I just blocked access to 22, 23 from the net and in the last minute have had 32 failed connection attempts. I see in the log there were some successful ones.

Where should I look for damage? Can I browse the file system to see if any scripts were planted?

Can I dump certain config (such as only dhcp reservations) then restore only those, which will allow a simple factory default?

TIA!

You did your due diligence and kept backups of your working configurations, right? :wink:

Just do a reset and load your backup configuration… Don’t forget to lock it down this time.



Seriously though, if you don’t have a backup from before the hack, I wouldn’t use any configuration settings currently on the router. The work it would take to check through every setting to make sure it hasn’t been tampered with would take just as long as starting over.

First of all, why did you have no firewall on the public port? If you disable any access on the gateway interface, you will not be hackable.

I’m wondering whether and what they did on it if they got access. Besides setting up a VPN / proxy, I’m not sure what else they could do.

Do a /export compact file=filename and upload it somewhere if possible.

First thing ever is to create another admin user and set your own strong password. Then remove the default admin from the system. Then set a firewall. And only after that you can connect a device to the Internet.

Why do you want to set a different user and remove the normal admin?
What is the advantage of that?
Maybe you think the hacker would then have to “guess” the name of the admin?
No, because the name will be put in the login screen by default…

Which “login screen” ?

  • change admin name
  • turn off WWW, FTP services… all unused ones
  • move SSH access port to a nonstandard one, e.g. 60022
  • change WinBox access port to a nonstandard one…
  • block access from WAN: make filters to access the router from outside only for particular IP addresses or even MAC addresses

Then you will be more than safe.
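The list above, written out as RouterOS CLI commands, together with the /export backup mentioned earlier in the thread. This is an added example, not commands posted by anyone in the thread; the WAN interface name pppoe-out1, the management subnet 192.168.88.0/24, the user name netadmin and the port numbers are assumptions to be replaced with your own values.

```routeros
# Added example: RouterOS hardening following the steps listed above.
# Assumptions (not from the thread): WAN interface is pppoe-out1,
# management hosts live in 192.168.88.0/24, the new admin is "netadmin".

# 1. Create a new full-rights user with a strong password, then remove the
#    default "admin" account (log in as the new user first to confirm it works).
/user add name=netadmin group=full password="REPLACE-WITH-STRONG-PASSPHRASE"
/user remove admin

# 2. Turn off services that are not used.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl

# 3. Move SSH and WinBox to non-standard ports and limit them to the
#    management subnet at the service level as well.
/ip service set ssh port=60022 address=192.168.88.0/24
/ip service set winbox port=60291 address=192.168.88.0/24

# 4. Input-chain firewall: keep existing sessions, accept management only
#    from the trusted address list, drop everything else arriving on the WAN.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="hosts allowed to manage the router"
/ip firewall filter add chain=input connection-state=established,related action=accept comment="keep established sessions"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid packets"
/ip firewall filter add chain=input src-address-list=mgmt action=accept comment="management from trusted hosts only"
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop comment="drop all other input from the Internet"

# 5. Save a known-good configuration so a clean restore is possible later.
/export compact file=clean-config
```

Check the result with /ip service print and /ip firewall filter print; the rules are evaluated in the order shown, so the WAN drop must stay last.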

WebFig login screen always puts “admin” (literally) on the login screen. There’s no way to change that, I guess.
WinBox remembers your last login name, but that name is stored on your local box (laptop or PC), not the router itself.

Maybe I am confused with Ubiquiti. I know for sure that that one always puts the actual admin name on
the login screen by default. I am not sure about MikroTik.

However, it is never a good idea to put admin access on the internet side. When you need to admin from the
internet, set up a VPN.

Thanks for the feedback, sadly no backup was made. I poked around and it doesn't look like anything else was changed; I blocked SSH from the outside world.

I didn't do it, as in the past it was always part of the default config that was applied at startup. For some reason, it didn't do it for my PPPoE connection and someone (TONS of SSH attempts made) got in. I got some spambot reports from my ISP during that period, so I assume they just set up an SMTP relay and were firing off emails.

Also no default password, it's just my office with a couple of guys; I'm not worried about changing anything :slight_smile:

Ubiquiti does -not- display the username. Where are you claiming to have encountered this?
