Thanks for the idea

Without details there is not much to recommend.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
First, be sure to have latest RouterOS (long-term or stable channel, it doesn't matter).
Second, disallow access to the router from the Internet (including winbox, ssh, webfig). If such access is needed, use VPN or restrict access to some trusted addresses only. There are other options, i.e. port-knock.
Obviously the work of leprechauns!!

I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6 where one morning I couldn't log in - tried the several admin user accounts and was still unable to log in!
At that stage I thought I had been locked out by a hacker!!
I decided to reset, and just before doing this I tried the default login (admin + no password) and hey presto, got access to the router. So I quickly opened “users” as I wanted to create an admin user account, but on opening, all of the admin+ user accounts were missing; only the default “admin” was there. I opened the log file, which I had set for 1000 lines to disk and which had about 2 weeks of log details, but it didn’t have any entry for deleting admin users, or any modifications to the router, nothing unusual listed?
I hardened security so that access for services was only granted to a select number of IPs.
The unit worked OK for a week or so until once again admin + user accounts were missing.
I have since taken this unit off the network and purchased CCR1009-7G-1S+ 7x GE, 1x Combo, 1x SFP+, USB
If possible, please repeat the given scenario but now:

I limited the service access to Winbox, made a new user, and used the device as a honeypot. I waited for 1,5 days, and bang... Suddenly the router cut the connection. When I tried to log back in, I was unable to do that with my new user. I tried the default admin, without password. It was a success.