Community discussions

 
vstman
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Mar 27, 2010 9:05 pm

Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 7:03 pm

Just found all our routers are hacked. Hackers leaves scripts behind that allow php. Passwords compromised? Not sure how hacker got in since some routers have different passwords so???

php is a seeding thing, right?

Check your logs and work backwards to undo the hackers scripts, schedule, and firewall rules. Hacker also adds a new user called Service. Also enables SSH ports, ect.

After cleaning update to newest firmware, reboot.

Mikrotik?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 895
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 7:26 pm

If you weren't running latest RouterOS you will have been compromised by various exploits, safest way forward is netinstall (and change all passwords).
 
msatter
Forum Guru
Forum Guru
Posts: 1232
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 8:17 pm

Mikrotik has now a blog.mikrotik.com in which security matters are addressed.

When I look at the most recent posting th advise is to upgrade to v6.38.5:

- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.

An earlier posting suggest to update 6.40.8 and that the latest secure version of RouterOS.

I strongly advise to have a fixed notice on blog which linked to in every article to that notice. This notice should state for bugfixed/current/RC the minimal recommended version of RouterOS.

I also would like to see a static notification at the top in Winbox box the last minimal recommended version of RouterOS. If the router accessed by Winbox runs on a lower than recommended version of RouterOS then display that recommendation in the title of every window opened inside Winbox.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 8:38 pm

I'm really shocked by the number of admins that NEVER update firmware!
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 8:57 pm

I'm really shocked by the number of admins that NEVER update firmware!

Agree, what I also find funny is that they obviously do not log into forum regularly, if hey did, they would have known about these vulnerabilities, but as soon as they get hacked, then they can't post fast enough on the forum
MTCNA, MTCTCE, MTCRE & MTCINE
 
Sob
Forum Guru
Forum Guru
Posts: 4655
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 9:24 pm

As they say, "if it works, don't touch it, stupid!", so I'm not shocked at all. It's nice to stay up to date, but who will appreciate it? Nobody, really. But you can be sure that everybody will scream as loud as they can, when upgrade goes bad. It also depends on who's the user/admin. Someone like ISP should manage, because it's their living. But some small company not dealing primarily with networks? Unlikely.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Mikrotik Routers Compromised......please READ

Wed Jul 25, 2018 11:35 pm

I'm really shocked by the number of admins that NEVER update firmware!

Agree, what I also find funny is that they obviously do not log into forum regularly, if hey did, they would have known about these vulnerabilities, but as soon as they get hacked, then they can't post fast enough on the forum

totally agree
 
vstman
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Mar 27, 2010 9:05 pm

Re: Mikrotik Routers Compromised......please READ

Thu Jul 26, 2018 3:22 am

had 6.42.1 on them and update after I test on Office routers.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24205
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Routers Compromised......please READ  [SOLVED]

Thu Jul 26, 2018 7:55 am

Change password after upgrade. If they got your password 6-12 months ago, they still have the password in their database. This is the second wave, when they use the password. Even if you have a new version now, they still have a database of passwords!

All details were published months ago:
https://blog.mikrotik.com
No answer to your question? How to write posts

Who is online

Users browsing this forum: No registered users and 95 guests