Hello!

I have 5-7 routers that was hijacked and I lost access to it. There routers was never backuped and have pretty big configuration. Is there a way to restore it's configuration ?


Thanks,
D.

What about re-hijacking this ?

No, I lost access to about 10 routers, all there routers had a vulnerable versions, like described here viewtopic.php?f=2&t=132368

All routers that was backuped we already restored back with reset, but few routers is little bit difficult to restore...

No, I lost access to about 10 routers, all there routers had a vulnerable versions, like described here viewtopic.php?f=2&t=132368

Are they accessible in any way? I mean any open services there.

If these routers have an lcd screen and if its not locked and you have physical access, you can maybe restore a previously saved configuration via the lcd screen.

Are they accessible in any way? I mean any open services there.

some VPN works with previous passwords. which other services should I try?

If these routers have an lcd screen and if its not locked and you have physical access, you can maybe restore a previously saved configuration via the lcd screen.

Will check, at least 2 of is has an LCD and it is not locked. Thanks.

some VPN works with previous passwords. which other services should I try?

Are there open winbox/web services at these devices? For example, if there the winbox service was open before, and after the hijacking it's remaining open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. An attack vector depends on conditions there were before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

some VPN works with previous passwords. which other services should I try?

Are there open winbox/web services at these devices? For example, if there the winbox service was open before, and after the hijacking it's remaining open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. An attack vector depends on conditions there were before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

Both winbox and web are open, but all passwords are changed or locked.

At least it reminds you (and others) to always make backups and/or exports...
Do you have any idea (e.g. from logs) who was the attacker? Was it 188.92.74.189 that was active first week of may?

Both winbox and web are open, but all passwords are changed or locked.

There's a tool called Router Scan, which recently got the winbox exploit implemented. I think, you'd give it a try. Probably, this tool was used by someone to hijack your devices. And if RouterOS versions aren't updated now, you have a chance.

Both winbox and web are open, but all passwords are changed or locked.

There's a tool called Router Scan, which recently got the winbox exploit implemented. I think, you'd give these fabulous weight loss pills for women a try. Probably, this tool was used by someone to hijack your devices. And if RouterOS versions aren't updated now, you have a chance.

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for a another tool... Forgive me if I'm speaking out of school here.

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for a another tool... Forgive me if I'm speaking out of school here.

I don't know, but there's the default setting to automatically send out the results to the server, so it has to be configured properly first. It's just a tool that does its job. If you know of any vulns there, please tell us, so I won't suggest it further.

Both winbox and web are open, but all passwords are changed or locked.

There's a tool called Router Scan, which recently got the winbox exploit implemented. I think, you'd give it a try. Probably, this tool was used by someone to hijack your devices. And if RouterOS versions aren't updated now, you have a chance.

Seems that Router Scan do not help, not sure I got correct router scan... It only shows that my hijacked routers has 6.41 and 6.40.6 versions... The main problem is that one of the hijacked routers is 250 km away from me, please any other advice welcome

Seems that Router Scan do not help, not sure I got correct router scan... It only shows that my hijacked routers has 6.41 and 6.40.6 versions... The main problem is that one of the hijacked routers is 250 km away from me, please any other advice welcome

The version should be beta, right from there: http://msk1.stascorp.com/routerscan/prerelease.7z

Yes, I got this 2.60 Beta. Entered IPs, started scan (added port 8291 also), each router listed twice, detected ROS version, total results found 7, good results - 0. In the lines with port numbers 8291 is written status Can't load main page. When trying to connect from winbox it still reports incorrect login / password...

Yes, I got this 2.60 Beta. Entered IPs, started scan (added port 8291 also), each router listed twice, detected ROS version, total results found 7, good results - 0. In the lines with port numbers 8291 is written status Can't load main page. When trying to connect from winbox it still reports incorrect login / password...

It's hard to tell if it's the same version. If you tried that prerelease.7z contents, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify 8291 port: RS tries to use HTTP on these ports.

It's hard to tell if it's the same version. If you tried that prerelease.7z contents, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify 8291 port: RS tries to use HTTP on these ports.

It is latest needed version I think because the needed exploit is listed in the help.

Yes, I tried with clear vulnerable router, this version is working and shows the admin password but not on the hijacked routers. Seems that they did something to close this exploit...

Yes, I tried with clear vulnerable router, this version is working and shows the admin password but not on the hijacked routers. Seems that they did something to close this exploit...

Is 8291 port open at the hijacked devices?

Yes, I tried with clear vulnerable router, this version is working and shows the admin password but not on the hijacked routers. Seems that they did something to close this exploit...

Is 8291 port open at the hijacked devices?

Yes, it's open. Winbox tells login incorrect when trying to connect

Yes, it's open. Winbox tells login incorrect when trying to connect

Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...

Do you have Telegram/Jabber/Twitter to directly contact me?

Does this forum support personal messages? I have the telegram account, yes.

Have you tried the trick with the LCD screen?; I had success with it at a customer site once

I have the telegram account, yes.

Ok, I'm @jabberd there.

Have you tried the trick with the LCD screen?; I had success with it at a customer site once

I'm 250km from my main problem Seems that I have backup from all hijacked routers, but have no access to all.

Seems that jabberd found the way. Is is possible to use the same exploit, but hijackers limited the IP's user can log in, so it is needed to connect to hijacked router via MAC telnet, currently I',m trying to find the MAC telnet tool for windows...

Seems that jabberd found the way. Is is possible to use the same exploit, but hijackers limited the IP's user can log in, so it is needed to connect to hijacked router via MAC telnet, currently I',m trying to find the MAC telnet tool for windows...

If I were a hijacker, I'd restrict access by MAC telnet as well to protect my "business", so you might have to find out which IP address they've kept open for access, but maybe they actually haven't. Because honestly, if you paid the ransom the anonymous way they likely ask for, they could just say "thank you, stupid" and not give you anything in return, so why should they bother to keep a door open for themselves? Attempting to access the machine from every possible public IP address would likely take months, if not years, and would involve a trip to the site anyway, so better to skip this step and reconstruct the configuration. You can place another router next to the existing one and migrate customers one by one.

The hijackers are totally safe - no one will spend the effort to track down a kidnapper of "a piece of plastic". So the most efficient approach is to deny access, request the money and wait for them. If the money arrive, perfect, if they don't, well, they haven't spent that much effort so the loss is not painful. Both branches of the alghoritm continue by "do nothing", because any other action would bring only a risk of being tracked, no benefit.

Router is not something you will sell later. They even did not closed the hole they used to get in.

There was the only user at the device with a subnet 199.0.0.0/8 added as allowed one. It's rather easy then to find a proxy host within this range. Luckily, the vulnerability worked still, and in combination with the working pptp server it has become possible to find inside the OP's network an another RouterOS device, from which mac-telnet connection is possible.

Glad to hear that the attackers are less clever than I've expected.

Glad to hear that the attackers are less clever than I've expected.

Not in all cases, unfortunately, some hijacked routers are inaccessible via mac-telnet...