I have a router, both have version 7.10.
I normally logged in as usual, but suddenly I have not been able to change any critical setting or open a terminal. I cannot back up or restore settings. Now I see that there is a user System and it has full rights. By default admin users have normal rights, but I cannot open the terminal, back up settings, etc.
I don't know if my router is hacked or there is a default user named System. Can anyone give me an idea?
By default there is no user System. So your router is likely hacked.
Netinstall the router and use the textual config export as a reminder of what was configured. If you only have a binary backup, then restore it after netinstall, do a configuration export and netinstall it again; after that, proceed with manual configuration.
While configuring router keep in mind that hacking attempts can come from your LAN. And don’t allow easy access to management interfaces from internet, security and ease of use are mutually completely contradictory.
Hi,
I am not able to see any Textual Config option. Can you please help me in this regard? Where can I export the existing configuration so that I can check what the user configured before the hacking? Is it also possible to get the passwords of the users?
No, it is too late for all that.
You should have saved the backup and export files BEFORE this happened…
Now, the best thing is to netinstall, remove the checkmark for “keep old configuration”, and start over from defaults.
When you still have admin access to the router you can use the /export command.
/export show-sensitive file=routername
Then you download the routername.rsc file from the router and save it.
Sorry but there is no method to recover lost access to the router and keep the configuration.
You need to apply the usual practices in IT: document what you do and make backups.
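The reply above recommends keeping a textual export (`/export show-sensitive file=...`) so you can check what was configured. As an added example that is not part of this thread and not MikroTik code, here is a small Python audit of the users and groups in such an export: it flags accounts you did not create, accounts sitting in a group that grants configuration-changing policies, and an expected admin that has been moved into a restricted group (the symptom described in the first post). The `.rsc` text below is constructed for the demo; the built-in group policy sets are simplified assumptions, and the export format handled is the usual section header followed by `add` lines, or a single-line `/user add ...`.

```python
"""Audit the users and groups in a RouterOS textual export (.rsc).

Example code written for this thread; not MikroTik's code. Assumes the
export contains '/user group' and '/user' sections with 'add' lines and
that you know which accounts you created yourself.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of "/export" output (hypothetical values).
SAMPLE_EXPORT = """\
# jan/01/2024 00:00:00 by RouterOS 7.10
# software id = DEMO-DEMO
#
/user group
add name=limited policy=read,test,!write,!policy,!ftp,!sensitive
/user
add name=admin group=limited
add name=System group=full
/ip service
set telnet disabled=yes
"""

# Real RouterOS policy names that let an account change configuration,
# manage users/groups, upload files or read secrets. A group granting any
# of these is treated as privileged here.
PRIVILEGED_POLICIES = {"write", "policy", "ftp", "sensitive"}

# key=value or key="quoted value" tokens on an 'add' line
KV_RE = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')


def _kv(args: str) -> Dict[str, str]:
    """Turn 'name=x policy="a,b"' into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(args)}


def parse_users(export_text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (users: name -> group, groups: name -> granted policies)."""
    # Simplified built-in groups (assumption): only the privileged vs.
    # non-privileged distinction matters for this audit.
    groups: Dict[str, Set[str]] = {"full": set(PRIVILEGED_POLICIES) | {"read"},
                                   "write": {"read", "write"},
                                   "read": {"read"}}
    users: Dict[str, str] = {}
    section = ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Path line: a bare section header, or 'path verb k=v ...' on one line.
            toks = line.split()
            split_at = next((i for i, t in enumerate(toks)
                             if t in ("add", "set", "remove") or "=" in t),
                            len(toks))
            section = " ".join(t.lstrip("/") for t in toks[:split_at])
            if split_at == len(toks):
                continue
            line = " ".join(toks[split_at:])
        verb, _, args = line.partition(" ")
        if verb != "add":
            continue
        fields = _kv(args)
        if section == "user group" and "name" in fields:
            # '!policy' entries are denied policies; keep only granted ones.
            granted = {p for p in fields.get("policy", "").split(",")
                       if p and not p.startswith("!")}
            groups[fields["name"]] = granted
        elif section == "user" and "name" in fields:
            users[fields["name"]] = fields.get("group", "")
    return users, groups


def audit_users(export_text: str, expected_admins: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing unusual."""
    users, groups = parse_users(export_text)
    findings: List[str] = []
    for name, group in sorted(users.items()):
        privileged = bool(groups.get(group, set()) & PRIVILEGED_POLICIES)
        if name not in expected_admins:
            findings.append(f"unexpected user '{name}' in group '{group}'")
            if privileged:
                findings.append(f"unexpected user '{name}' has privileged group '{group}'")
        elif not privileged:
            findings.append(f"expected admin '{name}' demoted to group '{group}'")
    for name in sorted(expected_admins - set(users)):
        findings.append(f"expected admin '{name}' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_EXPORT, {"admin"}):
        print(finding)
```

Run it against a fresh export after every change you make and keep the `.rsc` file off the router; once access is lost, as the replies note, there is no export to audit.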
“The “Keep old configuration” process involves downloading the configuration database from the router, reinstalling the router (including disk formatting), and uploading the configuration files back to it. However, it’s important to note that this process solely applies to the configuration itself and does not impact the files, including databases like the User Manager database, Dude database, and others.” https://help.mikrotik.com/docs/display/ROS/Netinstall#:~:text=The%20"Keep%20old,database%2C%20and%20others.
Maybe this is your last chance to regain access to your device again without losing your whole config.
This was not possible as I was restricted from Terminal access. In fact, that is how I came to know that my rights are not my rights anymore. Everything else was permitted (except SSH, TELNET, Terminal, Backup Upload and download and User Group Changing)
In general, if a system has been hacked, you can have no faith in its configuration. As you say, because you couldn’t run terminal, you couldn’t export the current (suspect) configuration.
But your problems started before you were hacked. Every time in the past that you made a change, you needed to perform an export (and/or a backup) and copy them to a computer. Unfortunately, disaster recovery requires you to pre-guess the disaster and prepare for it. I’m sorry, but I don’t think there is anything else you can do.
Yes, you can get the config again but that will include your loss of access!
So not useful to do that.
The only thing that can be useful before netinstall is to look around in the user interface to see if you can find things that were configured, and make a note of them.
After the reinstall you can do these configs again.
But do NOT copy the old settings for the firewall! They were bad. Don’t follow firewall configuration advice from Youtube videos.
Most video creators are completely clueless and do things that “make it work” but open the firewall as a result.