Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Got hacked, think I need help with configuring routerOS

Tue Sep 04, 2018 11:54 am

Hi.
I'm no longer able to log in with winbox to my router (RB3011).
When starting Netflix they say that my traffic is being proxied or VPN'd.
So I'm starting to think I have been hacked.
Since I'm not so knowledgeable I do not really know what this means in terms of security breaches.
Anyway, I was thinking of resetting and updating my RouterOS configuration, and this is where you come in. I do not really have the skill set to make any better settings than I already have, and I would not like to get hacked again, so I wondered if you could help me.

Since I'm doing it all again I also wondered if you could help me with modifying my settings to better suit me.
The architecture is this:
RB3011 connects to a unifi ap
an ethernet connection to a computer.
perhaps an ethernet connection to a boxee box

I would like the ethernet computer and the unifi DHCP to be on the same network.
I would like the computer to be on a static IP.
I would like to have a good firewall so this hacking business does not occur again.

Extras if you would like to go beyond.
It would be nice to have a guest login for people to use when they come here to visit, access to the internet only via wifi.
above and beyond:
I would like to be able to VPN to my computer from somewhere else.

My configuration file is this, I think:
# may/27/2017 11:11:09 by RouterOS 6.35.4
# software id = E66J-P7EA
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] master-port=ether2_LAN name=ether3_UnifiAP
set [ find default-name=ether4 ] master-port=ether2_LAN name=ether4_boxee
set [ find default-name=ether5 ] master-port=ether2_LAN name=ether5_TEST
/interface vlan
add interface=ether2_LAN name=vlan11_Admin vlan-id=11
add interface=ether2_LAN name=vlan12_Users vlan-id=12
add interface=ether2_LAN name=vlan13_guests vlan-id=13
/ip pool
add name=dhcp ranges=192.168.99.21-192.168.99.250
add name=dhcp_pool2 ranges=192.168.11.21-192.168.11.250
add name=dhcp_pool3 ranges=192.168.12.21-192.168.12.250
add name=dhcp_pool4 ranges=192.168.13.21-192.168.13.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2_LAN lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan11_Admin lease-time=1h \
    name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=vlan12_Users lease-time=1h \
    name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=vlan13_guests lease-time=1h \
    name=dhcp4
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.99.1/24 interface=ether2_LAN network=192.168.99.0
add address=192.168.11.1/24 interface=vlan11_Admin network=192.168.11.0
add address=192.168.12.1/24 interface=vlan12_Users network=192.168.12.0
add address=192.168.13.1/24 interface=vlan13_guests network=192.168.13.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1_WAN
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers="195.67.199.42,195.67.199.43,195.67.160.\
    3,195.67.183.153,208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4"
/ip firewall address-list
add address=192.168.99.0/24 list="Admin Lan"
add address=198.168.12.0/24 list=Users_12vlan
add address=198.168.11.0/24 list="Admin Wifi_11vlan"
add address=192.168.13.0/24 list=guests_13vlan
add address=192.168.0.0/16 list=support
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established
add chain=input comment="Accept to related connections" connection-state=\
    related
add chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
    icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system routerboard settings
set protected-routerboot=disabled
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Got hacked, think I need help with configuring routerOS

Tue Sep 04, 2018 3:59 pm

Problem is here: RouterOS 6.35.4

Reset your RB3011 to factory default.
Update it to the latest RouterOS 6.42.7 at time of writing this.
Check for any scripts, scheduled tasks or files that look like they shouldn't be there.
Change the admin details, create a new user for yourself, give yourself admin rights and then log in with those details, make the default admin read only or remove it.
Secure the router further by removing admin from the WAN and any services you don't need (for example I don't use webfig so turn off http and https) and ensure you are firewalled.

**Then worry about your config.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Got hacked, think I need help with configuring routerOS

Thu Sep 06, 2018 6:24 pm

After all the upgrading and password changing, this would be a good start:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Close ports and services that you don't need;
lock down the ports and services you do need by allowing known IPs as the source IP.
 
JimTrentMQ
just joined
Posts: 1
Joined: Sat Sep 08, 2018 1:54 am

Re: Got hacked, think I need help with configuring routerOS

Sat Sep 08, 2018 2:06 am

We did everything mentioned last night (without seeing this forum), but we still cannot get to Netflix or Amazon Prime. My guests are very upset. We just bought a new router and plan to reconfigure tonight to try to get it working again. We have isolated it to the router since a connection directly to our ISP allows us to connect to Netflix. Any other ideas? We did have the cryptocurrency mining on our router plus another unknown script. We are not sure why going back to square one (a factory reset) did not solve the problem - we uploaded a backup file from Nov 2017. Still to no success. If there is an easy fix, please let us know.
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Sun Sep 09, 2018 8:54 pm

Hi,
Thanks for the help.
I removed the mikrotik.php that was a known sign of being hacked.
I used the howto and I tried to follow your comments Steveocee.
I'm still a little bit unsure about whether all is well with my system or not.
I still have the error message that Netflix senses that my traffic is being routed through a proxy or VPN.
So I have some follow-up questions, and I will post my settings, so if any of you could see if you see something suspicious it would be great.
To the questions:
1) First things first, I ran traceroute to see where I go when I connect to a server 30 km away. It seems that I go to the capital in my country, about 620 km away, and then back. I do not know if this is normal or not.
2) I used the default settings script when I reinstalled routerOS.
Could that script have been hacked so I'm still hacked?
3) I can see 2 directories when examining the file list. They are called pub and skins. I do not know how to access these, hence I do not know if they hide malicious code. How can I access these? Could a hacker have put something there?

Now I will post my code with row numbers.
 
   1 
  2 # sep/09/2018 12:26:43 by RouterOS 6.42.7
  3 # software id = E66J-P7EA
  4 #
  5 # model = RouterBOARD 3011UiAS
  6 # serial number = ###
  7 /interface bridge
  8 add admin-mac=### auto-mac=no comment=defconf name=bridge
  9 /interface list
 10 add comment=defconf name=WAN
 11 add comment=defconf name=LAN
 12 /interface wireless security-profiles
 13 set [ find default=yes ] supplicant-identity=MikroTik
 14 /ip pool
 15 add name=default-dhcp ranges=192.168.88.10-192.168.88.254
 16 /ip dhcp-server
 17 add address-pool=default-dhcp disabled=no interface=bridge name=defconf
 18 /interface bridge port
 19 add bridge=bridge comment=defconf interface=ether2
 20 add bridge=bridge comment=defconf interface=ether3
 21 add bridge=bridge comment=defconf interface=ether4
 22 add bridge=bridge comment=defconf interface=ether5
 23 add bridge=bridge comment=defconf interface=ether6
 24 add bridge=bridge comment=defconf interface=ether7
 25 add bridge=bridge comment=defconf interface=ether8
 26 add bridge=bridge comment=defconf interface=ether9
 27 add bridge=bridge comment=defconf interface=ether10
 28 add bridge=bridge comment=defconf interface=sfp1
 29 /ip neighbor discovery-settings
 30 set discover-interface-list=none
 31 /interface list member
 32 add comment=defconf interface=bridge list=LAN
 33 add comment=defconf interface=ether1 list=WAN
 34 /ip address
 35 add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
 36 /ip dhcp-client
 37 add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
 38 /ip dhcp-server network
 39 add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
 40 /ip dns
 41 set allow-remote-requests=yes
 42 /ip dns static
 43 add address=192.168.88.1 name=router.lan
 44 /ip firewall address-list
 45 add address=192.168.0.0/16 list=allowed_to_router
 46 add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
 47 add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
 48 add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
 49 add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
 50 add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
 51 add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
 52 add address=224.0.0.0/4 comment=Multicast list=not_in_internet
 53 add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
 54 add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
 55 add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
 56 add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
 57 add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
 58 add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
 59 add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
 60 add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
 61 /ip firewall filter
 62 add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
 63 add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
 64 add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
 65 add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
 66 add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
 67 add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
 68 add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
 69 add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
 70 add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
 71 add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
 72 add action=accept chain=input comment=" default  configuration" connection-state=established,related
 73 add action=accept chain=input src-address-list=allowed_to_router
 74 add action=drop chain=input
 75 add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
 76 add action=accept chain=forward comment="Established, Related" connection-state=established,related
 77 add action=drop chain=forward comment="Drop  invalid" connection-state=invalid log=yes log-prefix=invalid
 78 add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
 79 add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
 80 add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
 81 add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
 82 /ip firewall nat
 83 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 84 /ip service
 85 set telnet disabled=yes
 86 set ftp disabled=yes
 87 set www disabled=yes
 88 set ssh disabled=yes
 89 set api disabled=yes
 90 set winbox address=192.168.0.0/16
 91 set api-ssl disabled=yes
 92 /system clock
 93 set time-zone-name=Europe/Stockholm
 94 /system routerboard settings
 95 set silent-boot=no
 96 /system scheduler
 97 add interval=1d name=schedule_autoupdate on-event="/system package update\r\
 98     \ncheck-for-updates once\r\
 99     \n:delay 1s;\r\
100     \n:if ( [get status] = \"New version is available\") do={ install }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=04:12:50
101 /tool bandwidth-server
102 set enabled=no
103 /tool mac-server
104 set allowed-interface-list=LAN
105 /tool mac-server mac-winbox
106 set allowed-interface-list=LAN
107 

4) When following the howto to secure my MikroTik I ran into some problems.
It seems that one of the commands is wrong with version 6.42.7, so I tried something similar which I think does the same thing.
In the howto:
/user set 0 allowed-address=x.x.x.x/yy
generates an error about the syntax.
I used instead
/user set 0 address=192.168.0.0/16
User 0 is the user with admin privileges.
Could that be the same thing? I can't find any setting in my .rsc file that corresponds to this command. What should I do?

5) By removing the services I do not need, do you mean "/ip service print" and then remove the services I do not need or is it other services also?
If you mean other services also could you post the command to see those?

6) I deviated on one more thing from the howto: I used another syntax for addresses:
howto:
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
I used:
/ip firewall address-list
add address=192.168.0.0/16 list=allowed_to_router
Do you think it will be a problem?

7) Line 100 in my rsc file, should it not end with a "\r\" ? (does that mean <Return> btw?)

8) I thought my RouterOS was a hard installation to break, so I used my Windows 7 partition without a firewall for a long time during the time I was being hacked, and my Linux Mint 19 partition for a short while without a firewall. I can run some antivirus software in Windows, but I do not know how to secure the OSes more than that. Do you have any suggestions? I was thinking the routing to a VPN or proxy might reside in the OSes, if I do not find it in RouterOS. Is it bad practice to be without a firewall when I'm firewalled on my MikroTik?

Thanks

/Johannes
Last edited by Johannes33 on Fri Sep 14, 2018 12:58 pm, edited 1 time in total.
 
flynno
Member Candidate
Posts: 256
Joined: Wed Aug 27, 2014 8:11 pm

Re: Got hacked, think I need help with configuring routerOS

Mon Sep 10, 2018 5:26 pm

Hi Johannes33,

pub and skins are OK in the files; just look out for the mikrotik.php file, and also any scripts or schedulers you did not add yourself.
Go to IP > SOCKS and disable it if active.

Go to Users and delete any user you did not add, make a new user with a name other than "admin", create a strong password using long random numbers, letters etc. and save it somewhere safe on your computer.

Disable the bandwidth server.
Add firewall rules to block DNS requests from outside the network, since you have remote DNS requests allowed:

/ip firewall filter
add chain=input in-interface=ether1_WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1_WAN protocol=tcp dst-port=53 action=drop

If you need the SSH port, I changed it to 2022; you can enable it if required.
In the terminal, copy and paste the below:
/ip service disable www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable ftp
/ip service set ssh port=2022
/ip service disable ssh
/ip settings set tcp-syncookies=yes
/ip settings set rp-filter=strict
/ip ssh set strong-crypto=yes
/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."

Block all access to winbox except support address ip list

/ip firewall address-list
add address=192.168.0.0/16 list=support

These rules will add the IP of the hackers trying to access winbox to a list for 10 days, block access to winbox unless it's a support IP address,
and drop all IPs that are not support IPs from trying to access.

/ip firewall filter
# A list name containing a space must be quoted, and the add-to-list rule has to come
# before the drop for the same traffic, otherwise it is never reached.
add chain=input action=accept protocol=tcp src-address-list=support dst-port=8291 log=no comment="allow support IP winbox"
add chain=input action=add-src-to-address-list protocol=tcp src-address-list=!support address-list="winbox hacker" address-list-timeout=1w3d dst-port=8291 log=no comment="Add winbox hackers IP to list"
add chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291 log=no comment="Block all access to the winbox - except to support list"
add chain=input action=drop protocol=tcp src-address-list="winbox hacker" dst-port=8291 log=no comment="Drop winbox hackers IP to winbox 8291"
add chain=input action=drop src-address-list="winbox hacker" log=no comment="Drop winbox hackers IP address list"
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Wed Sep 12, 2018 1:52 pm

I think I need to do something.
I'm still hacked, I think.
Netflix reports me as being behind a VPN or proxy,
but when I bypass the RB3011 I do not have that problem.
As you can see from previous posts I reset the router and used the factory default script. The problem is perhaps that it was hacked before, when I was hacked.
And I did the securing.
My output from
/system default-configuration print :
 script: #| RouterMode:
                    #|  * WAN port is protected by firewall and enabled DHCP client
                    #|  * Ethernet interfaces (except WAN port ether1) are part of L>
                    #| LAN Configuration:
                    #|     IP address 192.168.88.1/24 is set on bridge (LAN port)
                    #|     DHCP Server: enabled;
                    #| WAN (gateway) Configuration:
                    #|     gateway:  ether1 ;
                    #|     ip4 firewall:  enabled;
                    #|     NAT:   enabled;
                    #|     DHCP Client: enabled;
                    #|     DNS: enabled;
                    
                    :log info Starting_defconf_script_;
                    #--------------------------------------------------------------->
                    # Apply configuration.
                    # these commands are executed after installation or configuratio>
                    #--------------------------------------------------------------->
                    :if ($action = "apply") do={
                    # wait for interfaces
                    :local count 0; 
                    :while ([/interface ethernet find] = "") do={ 
                    :if ($count = 30) do={
                    :log warning "DefConf: Unable to find ethernet interfaces";
                    /quit;
Now I need your help.
What should I do now?
How can I fix this?
I was thinking perhaps to download the script for the original settings and then reset and so on. I have not found the original script anywhere to be downloaded though.
But I don't know if it is enough. I do not know what is in the directories pub and skins. Can't it be something malicious?

Well all help appreciated I'm in a jam here.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Got hacked, think I need help with configuring routerOS

Wed Sep 12, 2018 2:31 pm

That is not the correct command to output.

/export hide-sensitive
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Got hacked, think I need help with configuring routerOS

Wed Sep 12, 2018 2:34 pm

Also, when you bypass the RB3011, you potentially get assigned another WAN IPv4 and/or IPv6 address, which would explain the difference from the Netflix side.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Got hacked, think I need help with configuring routerOS

Thu Sep 13, 2018 1:01 am

For the mikrotik.php virus, Winbox may still work if you connect via MAC address. Check IP > Web Proxy and disable it. Go to IP > Firewall, NAT and delete the redirect rule. Go to System > Scripts and delete the bad scripts. Check System > Scheduler too. Even after you secure your router with a firewall, upgrade the OS and change your password, the settings may come back. If a factory reset still doesn't get you the ability to connect via Winbox via IP, then try a NetInstall.
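As an added example for the checks in the replies above (written for this page; not MikroTik's code or any poster's), a small Python audit that parses an /export and flags the indicators mentioned: web proxy or SOCKS switched on, dstnat redirect rules, scheduler and script entries you did not create, management services with no address restriction, and an input chain with no enabled catch-all drop. The export text inside it is constructed; the RouterOS 6 service defaults and the severity labels are assumptions.

```python
"""Audit a RouterOS /export for the compromise indicators discussed in this thread.
Example code written for this page, not MikroTik's; the sample export is constructed."""
import re

# key=value pairs; values may be quoted and contain escaped quotes (\")
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumption: RouterOS 6 ships these services enabled and unrestricted (www-ssl is off).
# An export lists only changed settings, so a service absent from /ip service is at default.
DEFAULT_ENABLED_SERVICES = {"api", "api-ssl", "ftp", "ssh", "telnet", "winbox", "www"}
# An input drop rule that uses only these matchers still covers unsolicited WAN traffic.
BROAD_MATCHERS = {"chain", "action", "comment", "disabled", "log", "log-prefix",
                  "in-interface", "in-interface-list"}


def parse_export(text):
    """Parse export text into {section: [(verb, target, {key: value}), ...]}.
    RouterOS wraps long lines with a trailing backslash; the pieces are joined first."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = (buf + raw.strip()) if buf else raw.rstrip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header, e.g. "/ip firewall filter"
            current = line
            sections.setdefault(current, [])
            continue
        words = line.split()
        # "set telnet disabled=yes" -> target "telnet"; "add ..."/"set [ find ... ]" -> None
        target = words[1] if len(words) > 1 and "=" not in words[1] and words[1] != "[" else None
        args = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        sections.setdefault(current, []).append((words[0], target, args))
    return sections


def audit(sections):
    """Return [(severity, message)] findings; an empty list means nothing matched."""
    found = []
    entries = lambda path: sections.get(path, [])
    if any(a.get("enabled") == "yes" for _, _, a in entries("/ip proxy")):
        found.append(("HIGH", "web proxy enabled under /ip proxy"))
    if any(a.get("enabled") == "yes" for _, _, a in entries("/ip socks")):
        found.append(("HIGH", "SOCKS proxy enabled under /ip socks"))
    for _, _, a in entries("/ip firewall nat"):
        if a.get("chain") == "dstnat" and a.get("action") in ("redirect", "dst-nat"):
            found.append(("HIGH", "dstnat %s rule on dst-port=%s (to-ports=%s, to-addresses=%s)"
                          % (a["action"], a.get("dst-port", "any"),
                             a.get("to-ports", "-"), a.get("to-addresses", "-"))))
    for path in ("/system scheduler", "/system script"):
        for _, _, a in entries(path):
            found.append(("REVIEW", "%s entry '%s': confirm you created it" % (path, a.get("name", "?"))))
    seen = {}                               # management services by name
    for _, target, a in entries("/ip service"):
        if target:
            seen.setdefault(target, {}).update(a)
    for name in sorted(DEFAULT_ENABLED_SERVICES | set(seen)):
        a = seen.get(name, {})
        if a.get("disabled") != "yes" and "address" not in a:
            found.append(("MEDIUM", "service %s enabled with no address restriction" % name))
    catch_all = any(a.get("chain") == "input" and a.get("action") == "drop"
                    and a.get("disabled") != "yes" and set(a) <= BROAD_MATCHERS
                    for _, _, a in entries("/ip firewall filter"))
    if not catch_all:
        found.append(("HIGH", "no enabled catch-all drop rule in the input chain"))
        if any(a.get("allow-remote-requests") == "yes" for _, _, a in entries("/ip dns")):
            found.append(("MEDIUM", "allow-remote-requests=yes with an open input chain (open resolver)"))
    return found


# Constructed sample export showing the symptoms described in the thread; not a real device.
SAMPLE_EXPORT = r"""
/ip proxy
set enabled=yes port=8080
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="Accept established" connection-state=established
add action=drop chain=input comment="Drop anything else" disabled=yes
/ip firewall nat
add action=redirect chain=dstnat comment="not added by the owner" dst-port=80 \
    protocol=tcp to-ports=8080
/ip service
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.0.0/16
/system scheduler
add interval=1d name=u113 on-event="/system script run u113" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
"""
```

Feed it the text of /export hide-sensitive taken from the router; because an export lists only non-default values, a service missing from /ip service is treated as still enabled.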
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 10:32 am

Well here is where I'm right now.
system:
RouterBOARD 3011UiAS
ROS v. 6.43
Firmware v. 3.41
firmwaretype ipq8060

problem:
Can't connect to Netflix when connected to the MikroTik.
This has been the problem since I got hacked, and it persists.
Cannot use .rsc files to restore the system; I get an error: "Failed to restore system configuration file not found". I have had the same error since the hack. I only use winbox; both files I add using drag and drop and the upload button get the "file not found" error.

Tried solutions:
I did all solutions offline to not risk interference from hackers.
1) Factory reset with default settings using the reset button, and after that following the howto "https://wiki.mikrotik.com/wiki/Manual:S ... our_Router".
Did not work.
2) I did a netinstall with fresh files, updated the firmware with a file from MikroTik and went through the securing wiki.
Did not alter anything.

Comments:
So I do wonder if netinstall really wiped everything from the hackers.
I did update the firmware; should that not have deleted any remnants in the RouterBOOT section, if the hackers put something there?
If the hackers put malicious code in the alternative bootloader, could that section be hacked so it uses that even if I update the primary bootloader?
Is the "file not found" just a bug in the new RouterOS version, or is it that I did not get all of the code the hackers put there?
Could I still have something from the hackers left on my MikroTik?
Hence, can I wipe the router more profoundly than with a netinstall?
Could the default settings I use be hacked, or are they bundled with the RouterOS file that downloads when I do the netinstall?
I looked at the partitions; I only have one.

/Johannes
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 10:40 am

Johannes, what commands are you entering, when you get "file not found"?

I suggest emailing support@mikrotik.com with the RSC file, and more details about where you see the error. It might be due to an incorrectly entered command.
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 10:58 am

Hi normis.

Yes, I was considering sending an email, but I bought the HW a year ago so I did not know if my question would be accepted.

Well, about the command: I have tried two ways:
The GUI right click file and restore
and
/system backup load name=filename password="my admin login password".
I did use double quotation marks around my password otherwise it was not accepted.

I will send an email.

But still, does netinstall and updating the firmware delete all possibility that the hackers could have left something?
Could the default config be hacked or is it bundled with the ROS file that I downloaded to do the netinstall?
Last edited by Johannes33 on Fri Sep 14, 2018 11:04 am, edited 1 time in total.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 10:59 am

Yes, it will be accepted.
That is the wrong command to restore an RSC file, you are trying to restore a backup file, but you have an export file. Different things.

You need

/import file=name

in the terminal
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 11:10 am

Ok thank you for the correction.
I'm still a newbie since I did not touch the router since I set it up a year ago.
It is my home router and I do not work with routerOS on a daily basis.
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 11:29 am

> /import
file-name: test.rsc
failure: already have interface with such name

>/import file-name=test.rsc
failure: already have interface with such name

It did not work. Did I do something wrong?
Ok perhaps I need to factory reset without default settings then add the settings.
rsc is like a script file is it not? So it does not wipe the settings but adds the settings that I supply in it?

But still I would like to know:
Does netinstall and updating the firmware delete all possibility that the hackers could have left something?
Could the default config be hacked or is it bundled with the ROS file that I downloaded to do the netinstall?
Last edited by Johannes33 on Fri Sep 14, 2018 11:33 am, edited 2 times in total.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 11:31 am

Netinstall gives the option to restore config from an RSC file like you have. Try that. It will only apply the config in your file, no defaults.
 
Johannes33
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: Got hacked, think I need help with configuring routerOS

Fri Sep 14, 2018 12:07 pm

Ok.
The problem is that since I'm a newbie I do not trust my skills to do a config myself. I think all my saved .rsc files are from configs I did. I mean, I got hacked because I did not have any restriction in my config on winbox access from the WAN.
So I would like to use the default settings and build on your wiki on how to make my router secure, so I will not have this problem again.
The only thing is that I do not know if I can be confident about using the default settings as a base, since I do not know if they came bundled with the RouterOS file I downloaded or could have been subjected to hacks if they were on the RB during the time the hackers had control over it.
I'm a little worried that the default settings are compromised, since I still get the error from Netflix.
I attach my default settings if you would like to take a look.
Is there a way to download the default settings from the MikroTik homepage?
