brianlewis
Member Candidate
Topic Author
Posts: 131
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Firewall rules not working after hacker infection

Fri Oct 26, 2018 5:39 pm

CCR1009-8G-1S

Router was infected by hacker, had Socks enabled, scheduler running a script, service user account.

I’ve removed those but under FIREWALL the Bytes and Packets are staying ZERO. See attached M1.GIF

I can’t find anything out of the ordinary in the config.

I want to get firewall rules working again so I can lock down this router.
Last edited by brianlewis on Fri Oct 26, 2018 5:51 pm, edited 1 time in total.
 
R1CH
Forum Veteran
Posts: 905
Joined: Sun Oct 01, 2006 11:44 pm

Re: Firewall rules not working after hacker infection

Fri Oct 26, 2018 5:49 pm

You should netinstall with a known good config. Once a router is compromised an attacker can get system level access that you cannot detect or repair from RouterOS UI.
 
brianlewis
Member Candidate
Topic Author
Posts: 131
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Re: Firewall rules not working after hacker infection

Fri Oct 26, 2018 5:53 pm

Looks like it's working, had wrong 'address list subnet' for chain input so was confused why I had 0 bytes on filter rule #0.
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Firewall rules not working after hacker infection

Sat Oct 27, 2018 5:03 am

If your router was compromised, netinstall it from zero. Use a known good export to restore (the backups would be easier - but there is no way to inspect what would be restored to the router), and go from there.

In other words: nuke'm from orbit - it's the only way!
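
The replies above recommend restoring from a text export because, unlike a backup, it can be read before it goes back on the router. As an added example (not posted by anyone in this thread), the Python below reads export text and flags the three items the topic author reported: SOCKS enabled, scheduler entries, and an unexpected user account. It assumes the reviewed text contains `/ip socks`, `/system scheduler` and `/user` sections; the sample export, the `expected_users` default and the function names are constructed for illustration.

```python
import re

# Constructed sample of RouterOS export text (not taken from the thread).
SAMPLE_EXPORT = r"""# constructed example
/ip firewall filter
add action=accept chain=input src-address-list=mgmt
add action=drop chain=input
/ip socks
set enabled=yes port=4153
/system scheduler
add interval=30s name=sched1 on-event="/system script run \
    job1"
/user
add group=full name=service
add group=full name=admin
"""

def parse_export(text):
    """Yield (menu_path, command) pairs, joining '\\'-wrapped lines."""
    path, buf = None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):          # export wraps long lines with a backslash
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(/.*?)\s+((?:add|set)\s.*)$", line)
        if m:                           # menu path and command on one line
            path = m.group(1)
            yield path, m.group(2)
        elif line.startswith("/"):      # menu path on its own line
            path = line
        else:
            yield path, line

def item_name(cmd):
    """Return the value of name= in a command, or '?' if absent."""
    m = re.search(r'\bname=("[^"]*"|\S+)', cmd)
    return m.group(1).strip('"') if m else "?"

def review_export(text, expected_users=("admin",)):
    """Return findings to check by hand before the export is imported."""
    findings = []
    for path, cmd in parse_export(text):
        if path == "/ip socks" and re.search(r"\benabled=yes\b", cmd):
            findings.append(("socks-enabled", cmd))
        elif path == "/system scheduler" and cmd.startswith("add"):
            findings.append(("scheduler-entry", item_name(cmd)))
        elif path == "/user" and cmd.startswith("add") and item_name(cmd) not in expected_users:
            findings.append(("unexpected-user", item_name(cmd)))
    return findings
```

Every scheduler entry is reported, since the script cannot tell a legitimate job from a planted one; an empty result means only that none of these three items appear in the text.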
