Just found all our routers are hacked. Hackers leaves scripts behind that allow php. Passwords compromised? Not sure how hacker got in since some routers have different passwords so???

php is a seeding thing, right?

Check your logs and work backwards to undo the hackers scripts, schedule, and firewall rules. Hacker also adds a new user called Service. Also enables SSH ports, ect.

After cleaning update to newest firmware, reboot.

Mikrotik?

If you weren't running latest RouterOS you will have been compromised by various exploits, safest way forward is netinstall (and change all passwords).

Mikrotik has now a blog.mikrotik.com in which security matters are addressed.

When I look at the most recent posting th advise is to upgrade to v6.38.5:

- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.

An earlier posting suggest to update 6.40.8 and that the latest secure version of RouterOS.

I strongly advise to have a fixed notice on blog which linked to in every article to that notice. This notice should state for bugfixed/current/RC the minimal recommended version of RouterOS.

I also would like to see a static notification at the top in Winbox box the last minimal recommended version of RouterOS. If the router accessed by Winbox runs on a lower than recommended version of RouterOS then display that recommendation in the title of every window opened inside Winbox.

I'm really shocked by the number of admins that NEVER update firmware!

I'm really shocked by the number of admins that NEVER update firmware!

Agree, what I also find funny is that they obviously do not log into forum regularly, if hey did, they would have known about these vulnerabilities, but as soon as they get hacked, then they can't post fast enough on the forum

As they say, "if it works, don't touch it, stupid!", so I'm not shocked at all. It's nice to stay up to date, but who will appreciate it? Nobody, really. But you can be sure that everybody will scream as loud as they can, when upgrade goes bad. It also depends on who's the user/admin. Someone like ISP should manage, because it's their living. But some small company not dealing primarily with networks? Unlikely.

I'm really shocked by the number of admins that NEVER update firmware!

Agree, what I also find funny is that they obviously do not log into forum regularly, if hey did, they would have known about these vulnerabilities, but as soon as they get hacked, then they can't post fast enough on the forum

totally agree

had 6.42.1 on them and update after I test on Office routers.

Change password after upgrade. If they got your password 6-12 months ago, they still have the password in their database. This is the second wave, when they use the password. Even if you have a new version now, they still have a database of passwords!

All details were published months ago:
https://blog.mikrotik.com