I want to share a very bad experience: from yesterday to today, on 4 of my routers I lost my admin rights and users. I was careful: I changed my default admin username and password and disabled services (ssh, ftp); that was yesterday. Today again: somebody deleted the password and my user, and reinstated the default admin without a password. I checked the logs, but there is no sign of any sign-in request.
Does anybody have the same experience? What would be the best way to harden?
Without details there is not much to recommend. https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
First, be sure to have latest RouterOS (long-term or stable channel, it doesn’t matter).
Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed, use a VPN or restrict access to some trusted addresses only. There are other options, e.g. port knocking.
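The reply above recommends blocking management access from the Internet and allowing it only from trusted addresses. As an added example (not from the thread and not MikroTik's own configuration), here is one way to express that in the RouterOS CLI; the WAN interface name ether1-wan, the LAN prefix and the VPN endpoint address are assumptions for illustration:

```routeros
# Added example: management reachable only from a trusted address list.
# "ether1-wan", 192.168.88.0/24 and 203.0.113.10 are assumed values.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="LAN management (assumed)"
add list=mgmt-allowed address=203.0.113.10 comment="admin VPN endpoint (assumed)"

# Disable the services that are not needed; bind the rest to trusted sources.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24,203.0.113.10
set winbox address=192.168.88.0/24,203.0.113.10

# Input chain: keep existing sessions, drop invalid, accept management only
# from the trusted list, then drop everything else arriving on the WAN.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="allow established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept src-address-list=mgmt-allowed protocol=tcp dst-port=22,8291 comment="management from trusted addresses only"
add chain=input action=drop in-interface=ether1-wan comment="drop everything else from WAN"

# Layer-2 management paths and discovery are not needed on a honeypot-grade edge.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/ip neighbor discovery-settings
set discover-interface-list=none
```

Order matters in the filter chain: the trusted-address accept rule must sit above the WAN drop rule, and the rules should be added from a LAN-side session so a mistake does not lock out the operator who is applying them.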
I have some additional facts, which are very disturbing.
While that Mikrotik router is not a very important one, I played with it at the weekend.
I limited the service access to Winbox, made a new user, and used the device as a honeypot. I waited for 1.5 days, and bang… Suddenly the router cut the connection. When I tried to log back in, I was unable to do that with my new user. I tried the default admin without a password. It was a success.
So my question is: how on Earth is it possible to do the following:
You have not noted your firmware version or provided your config.
However there is no need to do so. Your router is effed at the moment.
The correct course (and only course) of action is to wipe your config at the lowest level.
Download the latest version of firmware - 6.45.7, I believe.
USE NETINSTALL to install the downloaded firmware.
Stick with defaults and then configure your router as required.
Come back here if you need to change the firewall from defaults to get advice.
Also read the "how to secure your router" page in the MikroTik wiki.
Where did you see ROS 6.55 mentioned? The official download page ( https://mikrotik.com/download ) currently only shows 6.44.6, 6.45.7, 6.46beta59 and 7.0beta3 …
I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6 where one morning I couldn’t log in - tried the several admin user accounts and still unable to log in!
At that stage I thought I had been locked out by a hacker!!
I decided to reset, and just before doing this I tried the default login (admin + no password) and hey presto, got access to the router. So I quickly opened “users” as I wanted to create an admin user account, but on opening, all of the admin+ user accounts were missing; only the default “admin” was there. I opened the log file, which I had set to 1000 lines to disk and had about 2 weeks of log details, but it didn’t have any entry for deleting admin users, or any modifications to the router; nothing unusual listed?
I hardened security so that access to services was only granted to a select number of IPs.
The unit worked OK for a week or so until once again the admin + user accounts were missing.
I have since taken this unit off the network and purchased a CCR1009-7G-1S+ (7x GE, 1x Combo, 1x SFP+, USB).
The answer is the same: compromised unit or suspected compromise, the remedy is the same. Can you send me the unit you replaced, because there is nothing wrong with it (will pay postage), but it is cursed if used in Ireland LOL.
Hi Reinis, I have had a similar issue on my 4011 for the last year.. from time to time it just “forgets” all users and creates an “admin” user without a password. I can log in to the router without a password, everything seems normal, everything works, except I cannot do anything with the filesystem - not possible to generate a supout.rif file, not possible to export anything to disk.
I observed that it might be connected somehow with tikapp, since this kind of “lockdown” usually happens when I connect to 4011 from tablet / phone via tikapp…
And the strange thing is that when I reboot the device, everything is back to normal - admin is gone, my users are back… no more admin/no-password connection possible… very strange.
It happens sometimes once a month, sometimes every week - it depends how often I use tikapp to connect to the router.
Any ideas? [already had ticket for that, unresolved - 2019092122001626]
We have had exactly the same behaviour on a CCR1036-12G-4S for about 8 months. The system has been in 24/7 use since September 2017.
After a certain time (I would say 1 - 2 months) we have the following situation:
Users on hotspot can’t login anymore
userman page available but not accepting the login credentials
login on the router only by “admin” without password
userman database seems in a read-only mode
filesystem read only as well
Other user accounts on the router are nonexistent
Backup not possible because it can’t be written
No new graphing information during this time - we are not using the tikapp
After a reboot of the router everything works fine.
We have several different MT routers in use:
CCR1036-8G-2S+, RB4011iGS+5HacQ2HnD, CRS125-24G-1S-2HnD, CCR1009-7G-1C-1S+, CRS109-8G-1S-2HnD, 2011L, 2011LS, 1100AHx2
But only this CCR1036-12G-4S is showing that behaviour.
There are three differences to the other routers:
Dude is installed and active (but nothing configured)
hotspot is installed and is in use
userman is installed and is in use
Within the next few weeks I will migrate the config to a new CCR1036-12G-4S to find out whether it is a hardware problem or not.
Later on I will upgrade the system to the latest Long Term OS if this behaviour does not change (the system is still on 6.42.3).
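The 4011 report earlier in the thread and the CCR1036 report above describe the same signature: the configured users are gone, the default admin is back with no password, and the filesystem refuses writes (no backup, no export, no supout.rif). As an added example, not from the thread or from MikroTik, here is a RouterOS script intended to run from the scheduler that checks for those three signs and writes to the log, so a remote syslog target can raise an alert before the next login attempt fails. The user names netops and backup-admin and the probe file name are assumptions; it also assumes the default admin account was disabled after the named accounts were created.

```routeros
# Added example (not from the thread). Assumes the real management accounts
# are "netops" and "backup-admin" and that the default "admin" was disabled.
:local expected {"netops";"backup-admin"}
:local probe "integrity-probe.rsc"

# 1. Are the accounts we created still present?
:foreach u in=$expected do={
    :if ([:len [/user find name=$u]] = 0) do={
        :log error ("integrity-check: expected user " . $u . " is missing")
    }
}

# 2. Has the default admin account come back enabled?
:if ([:len [/user find name="admin" disabled=no]] > 0) do={
    :log warning "integrity-check: default admin account is enabled"
}

# 3. Can the flash still be written? Remove any old probe file, export a
#    fresh one and confirm it exists afterwards. A read-only filesystem
#    either raises an error or silently leaves no file behind.
:do {
    :if ([:len [/file find name=$probe]] > 0) do={ /file remove [find name=$probe] }
    /export file="integrity-probe"
    :if ([:len [/file find name=$probe]] = 0) do={
        :log error "integrity-check: filesystem write probe failed (export file not created)"
    } else={
        :log info "integrity-check: write probe OK"
    }
} on-error={
    :log error "integrity-check: filesystem write probe raised an error"
}
```

Save the body as a script (for example `/system script add name=user-integrity-check policy=read,write,test,ftp source=...`) and run it hourly with `/system scheduler add name=user-integrity-check interval=1h on-event=user-integrity-check`. Since the reported failure includes a flash that no longer accepts writes, the log should be shipped to a remote syslog server via `/system logging action` rather than relied on locally; the posts above note that the local log showed nothing for the events in question.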
This is happening to me with an RB1100 Dude Edition. It had been working as expected for more than a year, but last week and today it lost all users and passwords. Just the default Admin user.
I cannot find any record in the log or history, script or anything else as evidence of such a change.
I am just running in this router:
OSPF as routing protocol
The Dude.
Some Simple Queues
Some firewall rules to protect the router from attacks.
I have just found that the HDD is full… so I am going to see if the problem is related to this.
Today it’s happening to me. After about 115 days of uptime, the password became default / no password,
cannot back up, cannot make supout.rif, mikrotik disk is 40% free
CPU temp < 45° ambient temp < 29°
mikrotik version 6.47. CCR1009-7G-1C (about 3 years old). no suspicious log/access from outside
running only some firewall mangle and nat, simple queue, PPPoE server, hotspot server
No DUDE, no routing OSPF igmp, etc
After reboot everything is back to normal, but the password reverts to the one before it happened / changed / default,
and all the statistics graphing is lost except for the cpu-memory-disk graph.
Now trying to upgrade to v6.48.2, let's see what happens next…
riyadiari, something like this could happen in rare cases if the CCR flash disk is corrupted. The fix is to Netinstall the device and then upgrade RouterBOOT from within the latest RouterOS version.
We are having the same problem as riyadiari. 2 CCR1016s. Working fine, then try to log in to it, blank password. We tried rebooting; one came up with the message "kernel problem". Ran Netinstall and it has been fine for about a week. Another brand new CCR1016, same problem. We are going to replace both routers. What a shame, they are not cheap, in remote areas and running a lot of traffic. Even after a netinstall you cannot write to anything with any of the scripts. Will get them out of service and onto a bench for testing. Scary, when these things are in production.
The same things are happening with my RB. I have a 4011 routerboard with the same problems. I have an open ticket with support, number SUP-144744, awaiting a response, but so far I have not received any response.
Hi, we’ve noticed a similar issue on our router. Similarly, the issue is most often noticed when trying to log in from the mobile app. Were you able to figure out what it could be?