Egate
Long time Member
Topic Author
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Mikrotik attacked. No idea how.

Sun Sep 16, 2018 11:37 am

Hi. This morning our CCR1016-12G was attacked, but I have no idea how. It has the latest firmware installed. I did this after I found the router was compromised using the socks attack. I also changed the password when I installed the firmware and disabled socks as well as all other services except winbox, for which I added a firewall rule to only accept connections from the LAN ports and IPs. I also have a rule to only accept DNS from the provider's DNS server and requests only from the LAN side.
So, to the attack. We have a 300Mb/s fiber connected to this router that was totally flooded on the download side. Upload was a few Mb/s higher, but not much. This in itself was a bit weird. I could, however, find nothing in sniffer, connection tracking or torch that indicated what was causing this kind of download speed. The LAN side was running at around 100Mb/s, indicating this was definitely to the router, but CPU was only running around 32%. It almost looked like a bandwidth test was running from the router on the WAN side, but the bandwidth server is disabled. The only discrepancy I could find was that the web proxy was enabled, which I have disabled now.
This lasted for about two hours and then stopped. Everything is running as expected now, and hopefully this was a once-off, but still, I would like to find out how and what, and prevent it from happening again. Any suggestions would be appreciated.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 12:33 pm

Anything fishy in logs?
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 12:37 pm

Your timeline is somewhat unclear.
Did you change the password when you upgraded, or today when you found out you were hacked?
If you changed it today, you may have been hacked a long time ago, and then they used the password today.

If you have management open through the internet, it's just a matter of time before you get hacked.

1. Do not use default ports.
2. Use access rules.
3. Use port knocking.
4. Use VPN (best option).

1-3 can be used together.
 
eddieb
Member
Posts: 327
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 12:46 pm

- use remote syslog to analyze what is happening
- use torch to see what is causing the amount of traffic
- use packet sniffing for detailed packet info

of course
- do not use the admin user, create your own, disable admin
- change passwords of ALL users after you think you have been compromised
- update to latest ROS to clean unwanted stuff ..
- if unsure, perform a netinstall to wipe all and start over
Last edited by eddieb on Sun Sep 16, 2018 12:51 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 12:50 pm

> - if unsure, perform a netinstall to wipe all and start over
... and don't use binary backup to restore configuration ... as you can never be sure when your router was actually compromised. Rather use ASCII configuration exports and check it thoroughly before applying.
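Checking an ASCII export "thoroughly" before re-applying it lends itself to a script. The following Python is an added example, not code from the thread or from MikroTik: it parses a constructed RouterOS `/export` sample (all names and URLs in it are made up) and flags the items this thread treats as compromise indicators: SOCKS or web proxy enabled, a service reachable from any address, and scheduler or script entries the operator does not recognise. The `KNOWN_JOBS` allowlist is an assumption standing in for the operator's own job names.

```python
import shlex
# Constructed sample of a RouterOS "/export" (not from the thread); all names are made up.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes
/ip proxy
set enabled=yes
/ip service
set winbox address=192.168.88.0/24
set ssh disabled=no
/system scheduler
add interval=1d name=spamlist on-event=update-spamlist \\
    start-time=01:00:00
add interval=1h name=auto-cfg on-event=auto-cfg start-time=startup
/system script
add name=update-spamlist source="/tool fetch url=https://example.invalid/spam.rsc"
add name=auto-cfg source="/tool fetch url=http://example.invalid/x.rsc"
"""
# Assumption: the scheduler/script names the operator created and recognises.
KNOWN_JOBS = {"spamlist", "update-spamlist"}

def parse_export(text):
    """Return (menu, verb, positionals, {key: value}) for each set/add line."""
    entries, menu, buf = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):         # export wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):        # menu path such as "/ip service"
            menu = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)  # copes with the double-quoted source= values
            positionals = [t for t in tokens[1:] if "=" not in t]
            kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((menu, tokens[0], positionals, kv))
    return entries

def audit_export(text, known_jobs=KNOWN_JOBS):
    """Flag the settings this thread treats as compromise indicators."""
    findings = []
    for menu, _verb, pos, kv in parse_export(text):
        if menu in ("/ip socks", "/ip proxy") and kv.get("enabled") == "yes":
            findings.append(f"{menu} enabled")
        elif menu == "/ip service" and pos and kv.get("disabled") != "yes" and "address" not in kv:
            findings.append(f"service {pos[0]} reachable from any address")
        elif menu in ("/system scheduler", "/system script") and kv.get("name") not in known_jobs:
            findings.append(f"unrecognised entry in {menu}: {kv.get('name')}")
    return findings
```

Run it against the export taken from the suspect router; every finding is a line to read and justify before it goes back onto the freshly netinstalled unit.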
 
Egate
Long time Member
Topic Author
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 5:01 pm

Hi

Thanks for the quick response. Nothing strange in logs. Only some OSPF error logs. Probably just a route that changed.
Found a strange script about two weeks back. Upon investigation I found it to be the socks hack, but did not find any scheduler or php file or other changes mentioned in the forum. This is when I made all the changes indicated, including the password change and OS update.
As mentioned, I did try torch and connection tracking and did not find what was creating the traffic. The only port open currently to the router is winbox, and only from the LAN port and IP. This is what is strange to me. I did expect to see something. I did, however, see the traffic was generated on the WAN port and not the LAN port, which indicated it must have been to the router.
I also have a spam list that is imported each day; I thought this might have been the problem, but this was done at 1 in the morning and the problems only started at 8.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 5:09 pm

We've worked with a number of clients that have had compromised routers. As others have suggested, the two best things you can possibly do are

1) Netinstall
2) Restore config from text

When we have done this, we have not seen any further issues with the routers.
 
Egate
Long time Member
Topic Author
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Mikrotik attacked. No idea how.

Sun Sep 16, 2018 5:31 pm

Thanks. Looks like Netinstall it is. :-)
