nikaymhz
just joined
Topic Author
Posts: 6
Joined: Thu Jan 04, 2018 1:01 pm
Location: Nepal

DNS server changed automatically

Mon May 28, 2018 2:38 pm

DNS server changed automatically to
192.200.110.106
 
normis
MikroTik Support
Posts: 26385
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS server changed automatically  [SOLVED]

Mon May 28, 2018 2:39 pm

Upgrade RouterOS and make sure you protect it. Looks like somebody has accessed it:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

After upgrade, change your password and follow other steps in above link.
 
yarda
Frequent Visitor
Posts: 74
Joined: Tue May 22, 2007 4:58 pm
Location: Czech Republic - Southern Bohemia

Re: DNS server changed automatically

Mon May 28, 2018 4:13 pm

> DNS server changed automatically to
> 192.200.110.106

I have the same problem on one device, the same IP address in DNS. Maybe a bug?


 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS server changed automatically

Mon May 28, 2018 10:45 pm

More likely the same malware.
 
nikaymhz
just joined
Topic Author
Posts: 6
Joined: Thu Jan 04, 2018 1:01 pm
Location: Nepal

Re: DNS server changed automatically

Tue May 29, 2018 7:55 am

> More likely the same malware.

What malware? Name?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS server changed automatically

Tue May 29, 2018 8:21 am

Hard to say. There are several around, and since the noticeable changes in configuration may have happened later than the actual infection, you cannot even say when it happened.

According to the statement of Normis in this thread and some additional details provided elsewhere, an upgrade removes any malware because it removes any files which should not be there. So if the change has happened while you were running 6.40.8 or 6.42.2 and above, it could be malware exploiting a yet undiscovered vulnerability, or some gap in your firewall rules (the malware can also reach the router from the LAN side, so closing access to the 'Tik's management only from WAN interfaces may not be enough). A spontaneous activity of RouterOS is by far the least likely one given that only the DNS setting has changed and to a non-random value.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: DNS server changed automatically

Tue May 29, 2018 9:06 am

No malware. Vulnerability. I believe it is this one: viewtopic.php?f=21&t=133533
There were reports from several users claiming the same result: changed DNS after an unknown admin miraculously "guessed" the password and logged in remotely (for example viewtopic.php?t=134793).

However, it might be something new... hopefully not. MikroTik has already had too much bad luck this year :(
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS server changed automatically

Tue May 29, 2018 9:23 am

In my understanding, a vulnerability is a property of an operating system or application which can be exploited to gain access to a device. Whether this results in just modifying the device settings or installing some software there (malware) is a separate story. But unless @nikaymhz (in Nepal) and @yarda (in Czech) have a common enemy who knows their public IP addresses and has exploited the vulnerability manually, their boxes were most likely visited by some bot running elsewhere which is a malware itself.

All this is to say that I cannot see a reason to strictly discriminate between "vulnerability" and "malware" in this particular scenario, and that the "vulnerability" you suspect is sufficient to do anything you want with the router, from asking a ransom for admin password to installing a software which will erase the bootloader and reboot.

Only the gentlemen know what versions they ran when that happened and how they were protected at that moment. There used to be times when my ISP was leaving the Winbox port open to the world on WAN on the 'Tiks they were installing at customers, but guess what, they no longer do so.
 
normis
MikroTik Support
Posts: 26385
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS server changed automatically

Tue May 29, 2018 9:29 am

1) Vulnerability is the problem in RouterOS that allowed somebody to install files into your device, if this device had no firewall on the public (internet) interface.
2) Malware is the file that the attacker installed through the vulnerability.

If you have a firewall, or if you have upgraded your router within the last few months, you are safe.
If you see random DNS server entry changes, and are running old RouterOS, then upgrade the device to:

a) delete malware
b) close vulnerability
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: DNS server changed automatically

Sat Jul 14, 2018 6:48 pm

> No malware. Vulnerability. I believe it is this one: viewtopic.php?f=21&t=133533
> There were reports from several users claiming the same result: changed DNS after an unknown admin miraculously "guessed" the password and logged in remotely (for example viewtopic.php?t=134793).
>
> However, it might be something new... hopefully not. MikroTik has already had too much bad luck this year :(

attack.jpg
Damn! I thought I was the only one. Currently running v6.39.3 x86 RouterOS. This is the log I exported; the day of the attack was yesterday. I noticed today, when someone complained that DNS didn't work. I changed my password now; let's see if I get another attack.
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: DNS server changed automatically

Sun Jul 15, 2018 7:28 am

OK, I think it is somehow connected to The Dude. This time, I separated my user names: the one I use to log in to Winbox, and the one The Dude uses to enter the router. And yesterday, I got another attack from the Dude username.
attack2.jpg
 
Pea
Member Candidate
Posts: 233
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS server changed automatically

Sun Jul 15, 2018 9:40 am

You are running a vulnerable version, so no surprise that someone can change your settings when they can get all your usernames and passwords.
It was mentioned in this topic, upgrade, change passwords, add firewall...
viewtopic.php?f=21&t=133533
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS server changed automatically

Sun Jul 15, 2018 12:43 pm

> Damn! I thought I was the only one. Currently running v6.39.3 x86 RouterOS.

There is your problem! You should update it!
And another thing: you should fix your firewall so people cannot log in from the internet.
Allow login only from your local network or via a VPN when that is not possible.
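
A defensive check for the signs discussed in this thread (an unexpected DNS server, an old RouterOS version, management services open to any address), added here as an example; it is not part of any poster's message and not MikroTik tooling. It assumes the input is text from `/export verbose`; the sample export, its date and the expected resolver 192.0.2.53 are constructed, and the patched versions are the ones named in sindy's post above.

```python
import re

# Constructed sample in the shape of "/export verbose" output (not a real router dump).
SAMPLE_EXPORT = """\
# jul/14/2018 18:40:00 by RouterOS 6.39.3
/ip dns
set allow-remote-requests=yes servers=192.200.110.106
/ip service
set telnet address="" disabled=yes port=23
set ssh address=192.168.88.0/24 disabled=no port=22
set winbox address="" disabled=no port=8291
"""

def version_is_patched(version):
    """True for the releases the thread names as fixed: 6.40.8+ in 6.40.x, or 6.42.2 and above."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))
    return (6, 40, 8) <= v < (6, 41, 0) or v >= (6, 42, 2)

def audit_export(text, expected_dns):
    """Return findings for an exported config; expected_dns is the set of resolvers you configured."""
    findings, section = [], None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued export lines
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#.* by RouterOS (\d+(?:\.\d+)+)", line)
        if m and not version_is_patched(m.group(1)):
            findings.append(f"version {m.group(1)} is below the patched releases")
        elif line.startswith("/"):
            section = line
        elif section == "/ip dns" and line.startswith("set "):
            m = re.search(r"\bservers=(\S+)", line)
            for s in (m.group(1).strip('"').split(",") if m else []):
                if s and s not in expected_dns:
                    findings.append(f"unexpected DNS server {s}")
        elif section == "/ip service" and line.startswith("set "):
            name = line.split()[1]
            props = dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line))
            enabled = props.get("disabled", "no") != "yes"
            if enabled and props.get("address", "").strip('"') in ("", "0.0.0.0/0"):
                findings.append(f"service {name} accepts logins from any address")
    return findings

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT, {"192.0.2.53"}):
        print(finding)
```

An empty `address` on an enabled service only means RouterOS itself does not restrict the source; input-chain firewall rules may still block it, so treat that finding as a prompt to check the firewall.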
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: DNS server changed automatically

Sun Jul 15, 2018 7:12 pm

> You are running a vulnerable version, so no surprise that someone can change your settings when they can get all your usernames and passwords.
> It was mentioned in this topic, upgrade, change passwords, add firewall...
> viewtopic.php?f=21&t=133533

> > Damn! I thought I was the only one. Currently running v6.39.3 x86 RouterOS.
>
> There is your problem! You should update it!
> And another thing: you should fix your firewall so people cannot log in from the internet.
> Allow login only from your local network or via a VPN when that is not possible.

Yes, I was actually expecting the second attack. I need to know if it is somehow connected to The Dude or not. I updated ROS today; let's see if it is fixed.
 
Pea
Member Candidate
Posts: 233
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS server changed automatically

Sun Jul 15, 2018 8:25 pm

Did you change all your passwords after update?
