
Is there a way to restore config from hijacked mikrotik router?

Posted: Fri May 18, 2018 11:57 am
by gosha
Hello!

I have 5-7 routers that were hijacked and I lost access to them. These routers were never backed up and have pretty big configurations. Is there a way to restore their configuration?


Thanks,
D.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Fri May 18, 2018 12:04 pm
by normis
No, you can only reset them completely and configure from scratch. This time, I suggest following these guidelines to protect against hijacking of any kind:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Fri May 18, 2018 12:08 pm
by gosha
What about re-hijacking this?

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Fri May 18, 2018 12:09 pm
by normis
Since I can't imagine how you lost access to yours, it is impossible to say how to do it again :)
Possibly somebody simply guessed your password.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Fri May 18, 2018 12:15 pm
by gosha
No, I lost access to about 10 routers; all these routers had vulnerable versions, like described here viewtopic.php?f=2&t=132368

All routers that were backed up we have already restored with a reset, but a few routers are a little bit difficult to restore...

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 7:09 am
by jabberd
No, I lost access to about 10 routers; all these routers had vulnerable versions, like described here viewtopic.php?f=2&t=132368
Are they accessible in any way? I mean any open services there.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 8:51 am
by networkfudge
If these routers have an LCD screen and it's not locked and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 10:03 am
by gosha
Are they accessible in any way? I mean any open services there.
Some VPN works with the previous passwords. Which other services should I try?


If these routers have an LCD screen and it's not locked and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.

Will check; at least 2 of them have an LCD and it is not locked. Thanks.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 3:12 pm
by jabberd
Some VPN works with the previous passwords. Which other services should I try?
Are there open winbox/web services on these devices? For example, if the winbox service was open before, and after the hijacking it remains open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that were there before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 3:44 pm
by gosha
Some VPN works with the previous passwords. Which other services should I try?
Are there open winbox/web services on these devices? For example, if the winbox service was open before, and after the hijacking it remains open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that were there before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.
Both winbox and web are open, but all passwords are changed or locked.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 4:09 pm
by pe1chl
At least it reminds you (and others) to always make backups and/or exports...
Do you have any idea (e.g. from logs) who was the attacker? Was it 188.92.74.189 that was active first week of may?

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 4:09 pm
by jabberd
Both winbox and web are open, but all passwords are changed or locked.
There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you could give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions haven't been updated since, you have a chance.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sat May 19, 2018 5:22 pm
by Bovens
Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 12:32 am
by jabberd
Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.
I don't know, but there's a default setting to automatically send the results out to the server, so it has to be configured properly first. It's just a tool that does its job. If you know of any vulns there, please tell us, so I won't suggest it further.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:11 am
by gosha
Both winbox and web are open, but all passwords are changed or locked.
There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you could give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions haven't been updated since, you have a chance.
Seems that Router Scan does not help; not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me, so any other advice is welcome.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:25 am
by jabberd

Seems that Router Scan does not help; not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me, so any other advice is welcome.
The version should be beta, right from there: http://msk1.stascorp.com/routerscan/prerelease.7z

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:32 am
by gosha
Yes, I got this 2.60 Beta. Entered the IPs, started the scan (added port 8291 also); each router is listed twice, the ROS version is detected, total results found 7, good results 0. In the lines with port number 8291 the status "Can't load main page" is shown. When trying to connect from winbox it still reports incorrect login/password...

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:40 am
by jabberd

Yes, I got this 2.60 Beta. Entered the IPs, started the scan (added port 8291 also); each router is listed twice, the ROS version is detected, total results found 7, good results 0. In the lines with port number 8291 the status "Can't load main page" is shown. When trying to connect from winbox it still reports incorrect login/password...
It's hard to tell if it's the same version. If you tried the prerelease.7z contents, then there may be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:43 am
by gosha
It's hard to tell if it's the same version. If you tried the prerelease.7z contents, then there may be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.
It is the latest needed version, I think, because the needed exploit is listed in the help.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 2:47 am
by gosha
Yes, I tried with a clear vulnerable router; this version is working and shows the admin password, but not on the hijacked routers. Seems that they did something to close this exploit...

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 4:54 am
by jabberd
Yes, I tried with a clear vulnerable router; this version is working and shows the admin password, but not on the hijacked routers. Seems that they did something to close this exploit...
Is port 8291 open on the hijacked devices?

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 10:05 am
by gosha
Yes, I tried with a clear vulnerable router; this version is working and shows the admin password, but not on the hijacked routers. Seems that they did something to close this exploit...
Is port 8291 open on the hijacked devices?
Yes, it's open. Winbox says the login is incorrect when trying to connect.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 12:56 pm
by jabberd

Yes, it's open. Winbox says the login is incorrect when trying to connect.
Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 1:01 pm
by gosha
Do you have Telegram/Jabber/Twitter to directly contact me?
Does this forum support personal messages? I have the telegram account, yes.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 1:04 pm
by networkfudge
Have you tried the trick with the LCD screen? I had success with it at a customer site once.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 1:07 pm
by jabberd

I have the telegram account, yes.
Ok, I'm @jabberd there.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 1:08 pm
by gosha
Have you tried the trick with the LCD screen? I had success with it at a customer site once.
I'm 250 km from my main problem :( Seems that I have backups from all the hijacked routers, but have no access to all of them.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 5:53 pm
by gosha
Seems that jabberd found the way. It is possible to use the same exploit, but the hijackers limited the IPs the user can log in from, so it is necessary to connect to the hijacked router via MAC telnet; currently I'm trying to find the MAC telnet tool for Windows...

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 9:14 pm
by sindy
Seems that jabberd found the way. It is possible to use the same exploit, but the hijackers limited the IPs the user can log in from, so it is necessary to connect to the hijacked router via MAC telnet; currently I'm trying to find the MAC telnet tool for Windows...
If I were a hijacker, I'd restrict access by MAC telnet as well to protect my "business", so you might have to find out which IP address they've kept open for access, but maybe they actually haven't. Because honestly, if you paid the ransom the anonymous way they likely ask for, they could just say "thank you, stupid" and not give you anything in return, so why should they bother to keep a door open for themselves? Attempting to access the machine from every possible public IP address would likely take months, if not years, and would involve a trip to the site anyway, so better to skip this step and reconstruct the configuration. You can place another router next to the existing one and migrate customers one by one.

The hijackers are totally safe - no one will spend the effort to track down a kidnapper of "a piece of plastic". So the most efficient approach is to deny access, request the money and wait for it. If the money arrives, perfect; if it doesn't, well, they haven't spent that much effort, so the loss is not painful. Both branches of the algorithm continue with "do nothing", because any other action would bring only a risk of being tracked, no benefit.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 9:39 pm
by gosha
A router is not something you will sell later. They did not even close the hole they used to get in.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 11:18 pm
by jabberd
There was only one user on the device, with the subnet 199.0.0.0/8 added as its allowed address. It's rather easy then to find a proxy host within this range. Luckily, the vulnerability still worked, and in combination with the working PPTP server it became possible to find another RouterOS device inside the OP's network, from which a mac-telnet connection is possible.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Sun May 20, 2018 11:29 pm
by sindy
Glad to hear that the attackers are less clever than I expected.

Re: Is there a way to restore config from hijacked mikrotik router?

Posted: Mon May 21, 2018 1:19 am
by gosha
Glad to hear that the attackers are less clever than I expected.
Not in all cases, unfortunately, some hijacked routers are inaccessible via mac-telnet...
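The thread turns on three defender-side settings: management services and user logins reachable from anywhere (the same allowed-address and mac-telnet knobs the hijackers turned against the OP), and routers that were never exported or backed up. The RouterOS snippet below is an added example written for this thread, not configuration from any poster or from MikroTik's guidelines page; the management subnet 192.168.88.0/24, interface ether2, the FTP host 192.0.2.10, its user "backup" and the CHANGE-ME secrets are placeholders, and the interface-list syntax assumes RouterOS 6.41 or later.

```routeros
# Added example (not from the thread). Placeholders: 192.168.88.0/24 = management
# subnet, ether2 = management port, 192.0.2.10 = FTP server for off-box copies.

# 1. Leave only the management services that are actually used, bound to the mgmt subnet.
/ip service disable [find name!="winbox" name!="ssh"]
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# 2. Restrict where the admin user may log in from (the same setting the attackers
#    pointed at 199.0.0.0/8 in the thread, here pointed at the mgmt subnet instead).
/user set [find name="admin"] allowed-address=192.168.88.0/24

# 3. Drop management traffic from everywhere else before it reaches the services;
#    place-before=0 puts the rule at the top of the input chain.
/ip firewall address-list add list=mgmt address=192.168.88.0/24
/ip firewall filter add chain=input protocol=tcp dst-port=8291,22 \
    src-address-list=!mgmt action=drop place-before=0 \
    comment="management only from mgmt subnet"

# 4. Limit MAC-telnet / MAC-winbox to the management port (RouterOS 6.41+ interface lists).
/interface list add name=mgmt-if
/interface list member add list=mgmt-if interface=ether2
/tool mac-server set allowed-interface-list=mgmt-if
/tool mac-server mac-winbox set allowed-interface-list=mgmt-if

# 5. Nightly human-readable export plus encrypted binary backup, copied off-box
#    so a reset or a hijack does not take the only copy with it.
/system scheduler add name=nightly-backup interval=1d start-time=03:00:00 \
    on-event="/export file=config-export; \
    /system backup save name=config-backup password=\"CHANGE-ME-PASSPHRASE\"; \
    /tool fetch upload=yes mode=ftp address=192.0.2.10 user=backup \
        password=\"CHANGE-ME\" src-path=config-export.rsc dst-path=config-export.rsc; \
    /tool fetch upload=yes mode=ftp address=192.0.2.10 user=backup \
        password=\"CHANGE-ME\" src-path=config-backup.backup dst-path=config-backup.backup"
```

Verify with `/ip service print`, `/ip firewall filter print` and `/system scheduler print` after pasting, and test the export by restoring it onto a spare unit before relying on it.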