I have had a lot of devices hacked due to bad or no firewall configuration on those devices. The hostname is changed to “test”. Upon inspection, a script is added and run via the scheduler every 2 hours. Here is the script
Run the “/export” command and carefully inspect all the settings for anything you don’t recognize: scripts, scheduler entries, unknown IP addresses (in the DNS menu, for example). The attackers sometimes change the input firewall rules too.
The nice article by Avast also has some tips:
If you manage to connect, the first thing to do is to close access to an external interface.
Look to see if you have any scripts, files, usernames, PPP secrets or scheduled jobs from the IOCs at the end of this article; if so, delete them. Start with scheduler as these tasks could be re-run, leading to re-configuration of the router again.
Disable web proxy and SOCKS (if you don’t need them; otherwise check their configuration), and check the firewall rules.
In the tools menu, check the packet sniffer.
If you don’t use the PPTP server functionality, turn it off.
Check all user accounts, remove all suspicious ones, and set a strong password for the rest of them.
Now UPDATE THE FIRMWARE of the router to the latest version.
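The steps above, worked through as RouterOS v6 console commands in the order the tips give them (evidence first, close the WAN side, scheduler before anything else, then accounts, firewall and finally the upgrade). This is an added example and not part of the Avast article or of any post in this thread. It assumes the default "WAN" interface list of RouterOS 6.41+, a 192.168.88.0/24 management LAN, that "backup-nightly" is the only scheduler entry and script you created yourself, and that "admin" is the only account you want to keep; all four are placeholders to adjust.

```routeros
# Step 0: preserve evidence before changing anything. The export is what you
# diff against later; the identity check is the "test" hostname IOC from the
# first post; active sessions show whether someone is logged in right now.
/system identity print
/export verbose file=evidence-before-cleanup
/file print detail
/user active print

# Step 1: shut the door from the WAN side before the attacker reconnects.
# Management services become reachable only from the LAN (assumed 192.168.88.0/24);
# the services nobody needs are disabled outright.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24
/ip service disable [find name~"^(telnet|ftp|api)"]

# Step 2: scheduler and scripts, scheduler first, because a scheduled task
# re-applies the attacker's configuration on its next run (every 2 hours in
# the first post). "backup-nightly" stands for your own entries (assumption).
/system scheduler print detail
/system scheduler remove [find name!="backup-nightly"]
/system script print detail
/system script remove [find name!="backup-nightly"]

# Step 3: the other persistence and exfiltration channels named in the tips.
# DNS and PPP secrets are printed for inspection; proxy, SOCKS, packet sniffer
# (including its streaming mode) and the PPTP server are switched off.
/ip dns print
/ip dns static print
/ip proxy set enabled=no
/ip socks set enabled=no
/tool sniffer stop
/tool sniffer set streaming-enabled=no
/tool sniffer print
/interface pptp-server server set enabled=no
/ppp secret print

# Step 4: accounts. Remove what you do not recognise, rotate what remains.
# Keeping only "admin" is an assumption; keep your real accounts instead.
/user print detail
/user remove [find name!="admin"]
/user set admin password="replace-with-a-long-random-passphrase"

# Step 5: input firewall. Print it and look for inserted accept rules, then
# make sure unsolicited WAN traffic is dropped. New rules are appended, so
# place-before=0 (valid for the numbering of the print just above) puts them
# at the top; the accept is added first so it ends up above the drop.
/ip firewall filter print
/ip firewall filter add chain=input action=accept connection-state=established,related comment="cleanup: replies to router-originated traffic" place-before=0
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="cleanup: drop everything else from WAN" place-before=0

# Step 6: only now upgrade. "install" downloads the packages and reboots;
# afterwards export again and compare with evidence-before-cleanup.rsc, then
# run /system routerboard upgrade to refresh the bootloader as well.
/system package update check-for-updates
/system package update install
```

If the .npk disappears after upload or the upgrade never takes effect (as reported later in this thread), stop here and netinstall instead; a cleanup that the attacker's persistence survives is not a cleanup.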
Not highly likely, but technically possible, although I have not seen an example “in the wild”. There are published methods for doing that, but from what you posted, those are the “regular” hacks.
Netinstall is always the safest choice, but 90% chance that deleting all this stuff + upgrade + new password will resolve your current issue.
Seems that it is no longer functional, as I tried it, and did not see anything similar to a script. I think the domains have expired or have been seized.
Read this article for more details on the whole issue:
So, I got some routers that are “hacked” and have some stuff on them.
I try to clean them and then upgrade, but I can’t; the upgrades won’t go through. Is the only option to netinstall them?
Hello guys, is there any chance to get into a hacked device and dump the actual configuration?
I regret to tell you that one of my RB3011 routers has been hacked this week even though it has ROS 6.43.4 on it and the recommended security measures were applied (Winbox access is restricted to the LAN only).
Unfortunately the thing is that I only performed an upgrade each time, because I simply didn’t see any evidence of a changed configuration in the exported script from the older ROS version.
Therefore, it would be pretty interesting for all of us, what is behind the “scenes”.
Currently Winbox login does not work, nor ssh.
What makes you so sure it is hacked, if you say only the LAN was open and the upgrade had been done?
If you don’t have ANY access to it, maybe it’s just “dead” (broken)?
Well, this suspected branch office router was still connected via an SSTP tunnel to the “main” router, so I still had full access to the remote site via the SSTP tunnel. I just couldn’t log in to the router. All I got was the typical wrong username/password message. So I had to turn it off and use only the backup link.
Moreover, I saw in the statistics provided by my ISP that the outgoing traffic was running at a constant 80% of the uplink speed over the last few days, which is not the traffic shape expected from that branch office.
I am still wondering how this could have happened.
Thank you for help.
Hello, I do not speak English well. I want to know who can help me connect my SXT Lite 5 in station mode to an AP whose MAC a pirate has cloned. I had it resolved with the connect list, but the pirate cloned the MAC and I cannot connect. Please help.
Credentials leaked in the past using some older, now closed, vulnerability could have been used to access the device if remote access to a management service (winbox, ssh, https) was still possible from outside (via the WAN interface).
If no management access was permitted from outside but it was from inside, a malware running on one of the LAN devices may have used the previously leaked credentials to connect from there, or may have made use of some vulnerability not publicly known yet.
If the bad guys have found a way to let their software survive an upgrade, they may have used that instead of just preventing the upgrade from happening, as was reported several times recently (in those cases, when you uploaded the .npk file, it disappeared, so it wasn’t used after the reboot).
So the only solution is netinstall, but even then, leaving management access open for anything in the LAN may not be safe.
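What “not open for anything in the LAN” can look like after a netinstall: management limited to one admin workstation, with every other login attempt (from a LAN host running malware as much as from the WAN) logged. This is an added example in RouterOS v6 console syntax, not from the poster. It assumes 192.168.88.10 is the admin workstation, the default LAN and WAN interface lists of RouterOS 6.41+, and that LAN clients use the router as their DNS resolver; all three are assumptions.

```routeros
# The IP restriction on the services and the firewall rules say the same thing
# twice on purpose: if either is loosened later, the other still holds.
/ip firewall address-list add list=mgmt address=192.168.88.10 comment="admin workstation (assumed)"
/ip service set winbox address=192.168.88.10/32
/ip service set ssh address=192.168.88.10/32
/ip service disable [find name~"^(telnet|ftp|api|www)"]

# MAC-Winbox, MAC-Telnet and neighbor discovery work without any IP address,
# so a per-address restriction alone does not cover them. Close them on every
# interface; re-open on a dedicated management port if you rely on them.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# Input chain built from empty (netinstall leaves no firewall behind).
# Rules are evaluated top to bottom, so the order below is the policy.
/ip firewall filter add chain=input action=accept connection-state=established,related comment="replies to router-originated traffic"
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept protocol=icmp in-interface-list=LAN
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="LAN uses the router as resolver (assumed)"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt in-interface-list=LAN comment="ssh and winbox from the admin host only"
/ip firewall filter add chain=input action=log log-prefix="mgmt-denied " protocol=tcp dst-port=22,8291 comment="any other login attempt, LAN or WAN, is logged"
/ip firewall filter add chain=input action=drop comment="everything else"
```

With this in place a reused credential is only useful from the admin workstation, and a “mgmt-denied” line in /log from a LAN address is the early sign of the infected-LAN-host scenario described above rather than something you find out from the ISP’s traffic graph.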