flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Sudden loss of all admin passwords and admin users

Fri Nov 15, 2019 8:39 am

Hello,

I want to share a very bad experience: from yesterday to today, in 4 of my routers I lost my admin rights and users. I was careful: I changed my default admin username and password and disabled services (ssh, ftp); that was yesterday. Today, again: somebody deleted the password and my user, and reinstated the default admin without a password. I checked the logs, but there is no sign of any sign-in request.

Does anybody have the same experience? What would be the best way to harden?

Thanks,
 
karlisi
Member Candidate
Posts: 297
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Sudden loss of all admin passwords and admin users

Fri Nov 15, 2019 10:02 am

Without details there is not much to recommend.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
First, be sure to have latest RouterOS (long-term or stable channel, it doesn't matter).
Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed, use VPN or restrict access to some trusted addresses only. There are other options too, e.g. port-knocking.
---
Karlis
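The hardening karlisi recommends (keep management off the Internet and allow it only from trusted addresses) is shown below as an added RouterOS configuration example; it is not from any poster or from MikroTik, and it also ships logs off-box so that the wiped local log seen in this thread still leaves a trail. It assumes a LAN of 192.168.88.0/24, a VPN client range of 10.10.0.0/24, ether1 as the WAN port, a syslog host at 192.168.88.10 and the default "LAN" interface list; all of these are placeholders to adapt.

```routeros
# Added example, not from the thread. Assumed values: LAN 192.168.88.0/24,
# VPN clients 10.10.0.0/24, WAN on ether1, syslog host 192.168.88.10,
# interface list "LAN" as created by the default configuration.

# 1. Disable unused management services and bind the rest to trusted sources.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24,10.10.0.0/24
set www-ssl address=192.168.88.0/24,10.10.0.0/24
set winbox address=192.168.88.0/24,10.10.0.0/24

# 2. Input firewall: management only from the trusted nets, nothing else from WAN.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="LAN"
add list=mgmt address=10.10.0.0/24 comment="VPN clients"
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=mgmt comment="management from trusted nets"
add chain=input action=drop in-interface=ether1 comment="drop everything else from WAN"

# 3. Keep MAC-level Winbox/Telnet and neighbor discovery off the WAN side.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. Remote syslog: user changes and logins are sent off-box as they happen,
#    so clearing the local log on the router does not erase the evidence.
/system logging action
add name=remote target=remote remote=192.168.88.10 remote-port=514
/system logging
add topics=system,account action=remote
add topics=critical,error action=remote

# 5. Replace the default account: create a named admin, then disable "admin".
/user add name=netops group=full password="<set a long unique password>"
/user set admin disabled=yes
```

Verify from the router itself with `/ip service print` and `/ip firewall filter print` after applying, and confirm on the syslog host that login entries arrive before relying on it.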
 
helipos
Member Candidate
Posts: 105
Joined: Sat Jun 25, 2016 11:32 am

Re: Sudden loss of all admin passwords and admin users

Mon Nov 18, 2019 2:35 am

 
flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Re: Sudden loss of all admin passwords and admin users

Mon Nov 18, 2019 10:18 am

Hey Guys,

I have some additional facts, which are very disturbing.

Since that MikroTik router is not a very important one, I played with it at the weekend.

I limited service access to Winbox, made a new user, and used the device as a honeypot. I waited for 1.5 days, and bang... suddenly the router cut the connection. When I tried to log back in, I was unable to do so with my new user. I tried the default admin without a password. It was a success.

So my question is: how on Earth is it possible to do the following:
- hack through the Winbox channel to the MikroTik,
- delete the current administrator,
- set back the default admin user,
- delete all the log entries,
- and OWN the MikroTik router?
 
flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Re: Sudden loss of all admin passwords and admin users

Mon Nov 18, 2019 10:22 am

> Without details there is not much to recommend.
> https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
> First, be sure to have latest RouterOS (long-term or stable channel, it doesn't matter).
> Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed, use VPN or restrict access to some trusted addresses only. There are other options too, e.g. port-knocking.
Thanks for the idea :)

The thing I'm trying to understand is what the hackers are doing. I know I can limit them from doing it, but maybe we have found a security issue to solve.
 
karlisi
Member Candidate
Posts: 297
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 11:08 am

I suspect security holes in configuration. Post '/export hide-sensitive' here, perhaps we will see something in it.
---
Karlis
 
anav
Forum Guru
Posts: 4596
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 5:29 pm

You have not noted your firmware version or provided your config.
However, there is no need to do so. Your router is effed at the moment.

The correct course (and only course) of action is to wipe your config at the lowest level.
Download the latest version of firmware - 6.45.7 I believe
USE NETINSTALL to install the downloaded firmware.

Stick with defaults and then configure your router as required.
Come back here if you need to change the firewall from defaults to get advice.
Also read the "how to secure your router" page in the MikroTik wiki.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
amojak
just joined
Posts: 17
Joined: Sat Nov 10, 2018 9:10 pm

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 9:10 pm

6.45.7? Why does the upgrade refer to 6.55.6??

Is this legit, or some issue with your update servers?
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 9:15 pm

Where did you see mentioned ROS 6.55? Official download page ( https://mikrotik.com/download ) currently only shows 6.44.6, 6.45.7, 6.46beta59 and 7.0beta3 ...
BR,
Metod
 
n21roadie
Forum Guru
Posts: 1896
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 10:04 pm

I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6, where one morning I couldn't log in. I tried the several admin user accounts and was still unable to log in!
At that stage I thought I had been locked out by a hacker!!
I decided to reset, and just before doing this I tried the default login (admin + no password) and hey presto, got access to the router. So I quickly opened "users", as I wanted to create an admin user account, but on opening, all of the admin+ user accounts were missing; only the default "admin" was there. I opened the log file, which I had set for 1000 lines to disk and which had about 2 weeks of log details, but it didn't have any entry for deleting admin users, or any modifications to the router. Nothing unusual listed?
I hardened security so that access to services was only granted to a select number of IPs.
The unit worked OK for a week or so until, once again, the admin + user accounts went missing.
I have since taken this unit off the network and purchased a CCR1009-7G-1S+ (7x GE, 1x Combo, 1x SFP+, USB).
 
anav
Forum Guru
Posts: 4596
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sudden loss of all admin passwords and admin users

Tue Nov 19, 2019 10:40 pm

> I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6, where one morning I couldn't log in. I tried the several admin user accounts and was still unable to log in!
> At that stage I thought I had been locked out by a hacker!!
> I decided to reset, and just before doing this I tried the default login (admin + no password) and hey presto, got access to the router. So I quickly opened "users", as I wanted to create an admin user account, but on opening, all of the admin+ user accounts were missing; only the default "admin" was there. I opened the log file, which I had set for 1000 lines to disk and which had about 2 weeks of log details, but it didn't have any entry for deleting admin users, or any modifications to the router. Nothing unusual listed?
> I hardened security so that access to services was only granted to a select number of IPs.
> The unit worked OK for a week or so until, once again, the admin + user accounts went missing.
> I have since taken this unit off the network and purchased a CCR1009-7G-1S+ (7x GE, 1x Combo, 1x SFP+, USB).
Obviously the work of leprechauns!!

The answer is the same: for a compromised unit or a suspected compromise, the remedy is the same. Can you send me the unit you replaced, because there is nothing wrong with it (I will pay postage), but it is cursed if used in Ireland, LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Reinis
MikroTik Support
Posts: 77
Joined: Wed Jan 02, 2019 12:14 pm
Location: Latvia

Re: Sudden loss of all admin passwords and admin users

Wed Nov 20, 2019 10:05 am

> I limited service access to Winbox, made a new user, and used the device as a honeypot. I waited for 1.5 days, and bang... suddenly the router cut the connection. When I tried to log back in, I was unable to do so with my new user. I tried the default admin without a password. It was a success.

If possible, please repeat the given scenario, but now:
1) Set up the device as intended
2) Generate a supout.rif file
3) Wait until the same issue appears
*) If you can, take note of the RouterOS system time (or approximate) and mention it in the e-mail.
4) Generate a second supout.rif file

Now send both supout.rif files to support@mikrotik.com and describe the issue briefly.
