All - my suspicion is that on some of my Mikrotik (RB750G) routers the user file was compromised/accessed during the vulnerability window back in April/May. What I am seeing is that yesterday someone logged in with the admin credentials, created a new admin account called “adminf” and changed my admin credentials to have only “write” group privileges. The key attribute missing from the write group is the “privilege” right, so I cannot factory reset, create a backup, etc. No other changes have been made (yet) to my routers and they are all functioning normally for the moment. This could be an internal issue, but so far the log files of the routers I have checked do not go back far enough to show when, or from what source IP, the last regular admin login was.
First - has anybody else experienced this? Second, other than a truck roll to do a factory pin reset, I am looking for a way to regain full-privilege access (either by creating a new admin account, or by discovering the password that was programmed for the new “adminf” account). Any/all suggestions would be appreciated.
Thanks!
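As an added example that is not part of the original post: a small Python script that scans RouterOS-style log lines for the indicators described above (a login from an unexpected source IP, a new user account being added, an existing account being changed) and reports the last login per user from a trusted network. The log line formats, the trusted network 192.168.88.0/24, the known-user list and the sample entries are all constructed for illustration; the exact wording of real RouterOS log messages can differ by version, so the regular expressions may need adjusting against a router's actual output.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample log lines, shaped like RouterOS "system,info,account" and
# "system,info" entries. They are illustrative, not copied from a real router.
SAMPLE_LOG = """\
jun/02 08:14:03 system,info,account user admin logged in from 192.168.88.10 via winbox
jun/02 08:30:11 system,info,account user admin logged out from 192.168.88.10 via winbox
jun/14 23:41:52 system,info,account user admin logged in from 203.0.113.77 via winbox
jun/14 23:42:30 system,info user adminf added by admin
jun/14 23:43:05 system,info user admin changed by admin
jun/14 23:43:40 system,info,account user admin logged out from 203.0.113.77 via winbox
"""

# Assumed message shapes; verify against the router's own log wording.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system,info,account user (?P<user>\S+) "
    r"logged in from (?P<ip>[0-9a-fA-F.:]+) via (?P<svc>\S+)$")
ADDED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system,info user (?P<user>\S+) added by (?P<by>\S+)$")
CHANGED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system,info user (?P<user>\S+) changed by (?P<by>\S+)$")

Login = namedtuple("Login", "ts user ip svc trusted")
Event = namedtuple("Event", "ts kind user by")


def audit_log(log_text, trusted_nets):
    """Parse login events and user add/change events out of the log text.

    Returns (logins, events) in log order. A login is marked trusted when its
    source IP falls inside one of trusted_nets (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    logins, events = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            trusted = any(ip in n for n in nets)
            logins.append(Login(m["ts"], m["user"], m["ip"], m["svc"], trusted))
            continue
        m = ADDED_RE.match(line)
        if m:
            events.append(Event(m["ts"], "added", m["user"], m["by"]))
            continue
        m = CHANGED_RE.match(line)
        if m:
            events.append(Event(m["ts"], "changed", m["user"], m["by"]))
    return logins, events


def findings(log_text, known_users, trusted_nets):
    """Summarise the indicators from the post: accounts that were added but are
    not on the known list, accounts that were modified, logins from outside the
    trusted networks, and the last trusted login seen for each user."""
    logins, events = audit_log(log_text, trusted_nets)
    last_trusted_login = {}
    for login in logins:
        if login.trusted:
            last_trusted_login[login.user] = login
    return {
        "unexpected_accounts": [e.user for e in events
                                if e.kind == "added" and e.user not in known_users],
        "modified_accounts": [e.user for e in events if e.kind == "changed"],
        "untrusted_logins": [l for l in logins if not l.trusted],
        "last_trusted_login": last_trusted_login,
    }


if __name__ == "__main__":
    # Constructed inputs: the only account that should exist is "admin", and
    # management is expected only from the 192.168.88.0/24 LAN.
    result = findings(SAMPLE_LOG, known_users={"admin"},
                      trusted_nets=["192.168.88.0/24"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

The script only helps if the router's log retention still covers the window in question, which is exactly the gap the post describes; to have this kind of evidence available after the fact, the logs need to be kept somewhere other than the router's own small in-memory buffer.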