> No, I lost access to about 10 routers; all those routers had vulnerable versions, like described here: viewtopic.php?f=2&t=132368

Are they accessible in any way? I mean any open services there.

> Are they accessible in any way? I mean any open services there.

Some VPNs work with the previous passwords. Which other services should I try?

If these routers have an LCD screen, and it's not locked, and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.

> Some VPNs work with the previous passwords. Which other services should I try?

Are there open winbox/web services at these devices? For example, if the winbox service was open before, and after the hijacking it's still open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that were there before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

> Are there open winbox/web services at these devices? For example, if the winbox service was open before, and after the hijacking it's still open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that were there before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

Both winbox and web are open, but all passwords are changed or locked.

> Both winbox and web are open, but all passwords are changed or locked.

There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions aren't updated now, you have a chance.

> There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions aren't updated now, you have a chance.

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.

> Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.

I don't know, but there's a default setting to automatically send the results out to the server, so it has to be configured properly first. It's just a tool that does its job. If you know of any vulns there, please tell us, so I won't suggest it further.

> There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions aren't updated now, you have a chance.

Seems that Router Scan does not help; not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me, so any other advice is welcome.

> Seems that Router Scan does not help; not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me, so any other advice is welcome.

The version should be the beta, right from here: http://msk1.stascorp.com/routerscan/prerelease.7z

> Yes, I got this 2.60 Beta. Entered the IPs, started the scan (added port 8291 also); each router is listed twice, the ROS version is detected, total results found 7, good results 0. In the lines with port number 8291 the status "Can't load main page" is shown. When trying to connect from winbox it still reports incorrect login/password...

It's hard to tell if it's the same version. If you tried that prerelease.7z contents, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.

> It's hard to tell if it's the same version. If you tried that prerelease.7z contents, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.

It is the latest needed version, I think, because the needed exploit is listed in the help.

> Yes, I tried with a clear vulnerable router; this version is working and shows the admin password, but not on the hijacked routers. Seems that they did something to close this exploit...

Is port 8291 open at the hijacked devices?

> Is port 8291 open at the hijacked devices?

Yes, it's open. Winbox says the login is incorrect when trying to connect.

> Yes, it's open. Winbox says the login is incorrect when trying to connect.

Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...

> Do you have Telegram/Jabber/Twitter to directly contact me?

Does this forum support personal messages? I have a Telegram account, yes.

> I have a Telegram account, yes.

Ok, I'm @jabberd there.

> Have you tried the trick with the LCD screen? I had success with it at a customer site once.

I'm 250 km from my main problem. Seems that I have backups from all the hijacked routers, but have no access to all of them.

> Seems that jabberd found the way. It is possible to use the same exploit, but the hijackers limited the IPs a user can log in from, so it is needed to connect to the hijacked router via MAC telnet; currently I'm trying to find the MAC telnet tool for Windows...

If I were a hijacker, I'd restrict access by MAC telnet as well to protect my "business", so you might have to find out which IP address they've kept open for access, but maybe they actually haven't. Because honestly, if you paid the ransom the anonymous way they likely ask for, they could just say "thank you, stupid" and not give you anything in return, so why should they bother to keep a door open for themselves? Attempting to access the machine from every possible public IP address would likely take months, if not years, and would involve a trip to the site anyway, so better to skip this step and reconstruct the configuration. You can place another router next to the existing one and migrate customers one by one.

> Glad to hear that the attackers are less clever than I expected.

Not in all cases, unfortunately; some hijacked routers are inaccessible via MAC telnet...