 
braidiano
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Dec 11, 2010 1:29 am

hidden/ghost script

Wed Jan 30, 2019 1:13 pm

Hello,

We did a netinstall on a router after we discovered some hidden scripts. There is no script in the System -> Scripts list, but we found some executions in the Jobs section.
After the netinstall, I enforced the firewall rules, and also blocked Winbox in the input and output chains (previously Winbox was only blocked by the IP filter on IP -> Services), and all ports are blocked, except Winbox and other ports but only from our office IP, in both the input and output filter chains.

But the next day I already found the hidden script executions:
[Attached image: hidden_jobs.png]
So, I am wondering if there is some zero-day exploit that installs the scripts, bypassing the firewall rules, and how can I clean the router? This is a remote router, and it is very difficult to do a 2nd netinstall in less than one week.
 
alexanwar
just joined
Posts: 2
Joined: Tue Aug 07, 2018 10:38 am

Re: hidden/ghost script

Wed Jan 30, 2019 2:04 pm

Probably you have a terminal session open, either from telnet, SSH or Winbox. Change your admin password if you suspect unauthorized access to your router.
 
markos222
just joined
Posts: 6
Joined: Tue Dec 15, 2015 9:15 pm

Re: hidden/ghost script

Wed Jan 30, 2019 10:47 pm

Hi,

When you open a terminal window in Winbox, it opens a new job in scripts; when you close it, it disappears.

Markos
 
braidiano
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Dec 11, 2010 1:29 am

Re: hidden/ghost script

Thu Jan 31, 2019 1:38 pm

Thank you! I didn't know that when you open a new terminal it opens a new job.
