flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Sudden lost of all admin passwords and admin users

Fri Nov 15, 2019 8:39 am

Hello,

I want to share a very bad experience: from yesterday to today, on 4 of my routers I lost my admin rights and users. I was careful: changed my default admin username and password, disabled services (ssh, ftp); that was yesterday. Today again: somebody deleted the password and my user, and reinstated the default admin without password. I checked the logs, but there is not any sign-in request.

Does anybody have the same experience? What could be the best way to harden?

Thanks,
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Sudden lost of all admin passwords and admin users

Fri Nov 15, 2019 10:02 am

Without details there is not much to recommend.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
First, be sure to have the latest RouterOS (long-term or stable channel, it doesn't matter).
Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed, use a VPN or restrict access to some trusted addresses only. There are other options, i.e. port-knock.
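
The restriction described in the reply above, sketched as RouterOS v6 commands. This is an added example, not part of karlisi's post or of MikroTik's documentation; the trusted host 198.51.100.10, the VPN pool 10.8.0.0/24 and the address-list name mgmt-trusted are assumptions to be replaced with your own values.

```routeros
# Added example. Placeholder values (documentation ranges, not from the thread):
#   198.51.100.10  assumed trusted admin host
#   10.8.0.0/24    assumed VPN client pool
#   mgmt-trusted   hypothetical address-list name

# 1. Turn off management services that are not used.
/ip service disable telnet,ftp,www,api,api-ssl

# 2. Bind the remaining services to the trusted sources only.
/ip service set winbox address=198.51.100.10/32,10.8.0.0/24
/ip service set ssh address=198.51.100.10/32,10.8.0.0/24

# 3. Enforce the same policy in the firewall input chain, so the
#    service ports are not even reachable from other addresses.
/ip firewall address-list
add list=mgmt-trusted address=198.51.100.10 comment="admin host (placeholder)"
add list=mgmt-trusted address=10.8.0.0/24 comment="VPN pool (placeholder)"
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="existing sessions"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt-trusted comment="ssh/winbox from trusted only"
add chain=input action=drop protocol=tcp dst-port=22,8291 \
    comment="drop all other ssh/winbox"
# New rules are appended at the end of the chain: move them above any
# broader accept rule already present, or they will never match.

# 4. Close the layer-2 management paths and neighbor discovery.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# 5. Review the result.
/ip service print
/ip firewall filter print where chain=input
```

Apply it in Safe Mode from a session that originates from one of the trusted addresses, so a mistake rolls back instead of locking you out.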
 
helipos
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Sudden lost of all admin passwords and admin users

Mon Nov 18, 2019 2:35 am

 
flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Re: Sudden lost of all admin passwords and admin users

Mon Nov 18, 2019 10:18 am

Hey Guys,

I have some additional facts, which are very disturbing.

While that Mikrotik router is not a very important one, I played with it at the weekend.

I limited the service access to Winbox, made a new user, and using the device as a honeypot. I waited for 1,5 days, and bang... Suddenly the router cut the connection. When I tried to log back in, I was unable to do that with my new user. I tried the default admin, in without password. It was a success.

So my question is: how on Earth is it possible to do the following:
- hack thru the Winbox channel to the Mikrotik,
- delete the current administrator,
- set back the default admin user,
- delete all the log entries
- and OWN the Mikrotik router?
 
flaszlo77
just joined
Topic Author
Posts: 6
Joined: Fri Nov 15, 2019 8:34 am

Re: Sudden lost of all admin passwords and admin users

Mon Nov 18, 2019 10:22 am

> Without details there is not much to recommend.
> https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
> First, be sure to have the latest RouterOS (long-term or stable channel, it doesn't matter).
> Second, disallow access to the router from the Internet (including winbox, ssh, webfig); if such access is needed, use a VPN or restrict access to some trusted addresses only. There are other options, i.e. port-knock.

Thanks for the idea :)

The thing I try to understand is: what are the hackers doing? I know I can limit them from doing it, but maybe we found a security issue to solve.
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 11:08 am

I suspect security holes in configuration. Post '/export hide-sensitive' here, perhaps we will see something in it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 5:29 pm

You have not noted your firmware version or provided your config.
However there is no need to do so. Your router is efffed at the moment.

The correct course (and only course) of action is to wipe your config at the lowest level.
Download the latest version of firmware - 6.45.7 I believe
USE NETINSTALL to install the downloaded firmware.

Stick with defaults and then configure your router as required.
Come back here if you need to change the firewall from defaults to get advice.
Also read the how to secure your router in the MikroTik wiki.
 
amojak
just joined
Posts: 22
Joined: Sat Nov 10, 2018 9:10 pm

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 9:10 pm

6.45.7, why does upgrade refer to 6.55.6??

Is this legit or some issue with your update servers?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 9:15 pm

Where did you see mentioned ROS 6.55? Official download page ( https://mikrotik.com/download ) currently only shows 6.44.6, 6.45.7, 6.46beta59 and 7.0beta3 ...
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 10:04 pm

I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6 where one morning I couldn't login - tried the several admin user accounts and still unable to login!
At that stage I thought I had been locked out by a hacker!!
I decided to reset and just before doing this I tried the default login (admin + no password) and hey presto got access to the router, so I quickly opened “users” as I wanted to create an admin user account but on opening all of the admin+ user accounts were missing, only the default “admin” was there. I opened the log file which I had set for 1000 lines to disk, had about 2 weeks of log details but it didn’t have any entry for deleting admin users, or any modifications to the router, nothing unusual listed?
I hardened security so that access for services was only granted to a select number of IPs.
The unit worked OK for a week or so until once again admin + user accounts missing.
I have since taken this unit off the network and purchased CCR1009-7G-1S+ 7x GE, 1x Combo, 1x SFP+, USB
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Sudden lost of all admin passwords and admin users

Tue Nov 19, 2019 10:40 pm

> I had a similar experience with a backhaul router CCR1009-7G-1C-1S+ running 6.45.6 where one morning I couldn't login - tried the several admin user accounts and still unable to login!
> At that stage I thought I had been locked out by a hacker!!
> I decided to reset and just before doing this I tried the default login (admin + no password) and hey presto got access to the router, so I quickly opened “users” as I wanted to create an admin user account but on opening all of the admin+ user accounts were missing, only the default “admin” was there. I opened the log file which I had set for 1000 lines to disk, had about 2 weeks of log details but it didn’t have any entry for deleting admin users, or any modifications to the router, nothing unusual listed?
> I hardened security so that access for services was only granted to a select number of IPs.
> The unit worked OK for a week or so until once again admin + user accounts missing.
> I have since taken this unit off the network and purchased CCR1009-7G-1S+ 7x GE, 1x Combo, 1x SFP+, USB

Obviously the work of leprechauns!!

The answer is the same, compromised unit or suspected compromise, the remedy is the same. Can you send me the unit you replaced because there is nothing wrong with it (will pay postage), but it is cursed if used in Ireland LOL.
 
Reinis
MikroTik Support
Posts: 87
Joined: Wed Jan 02, 2019 12:14 pm
Location: Latvia

Re: Sudden lost of all admin passwords and admin users

Wed Nov 20, 2019 10:05 am

> I limited the service access to Winbox, made a new user, and using the device as a honeypot. I waited for 1,5 days, and bang... Suddenly the router cut the connection. When I tried to log back in, I was unable to do that with my new user. I tried the default admin, in without password. It was a success.

If possible, please repeat the given scenario but now:
1) Set up the device as intended
2) Generate supout.rif file
3) Wait until the same issue appears
*) If you can, take note of the RouterOS system time (or approximate) and mention it in the e-mail.
4) Generate second supout.rif file

Now send both supout.rif files to support@mikrotik.com and describe the issue shortly
 
mnameu
just joined
Posts: 1
Joined: Tue Jul 16, 2019 1:50 pm

Re: Sudden lost of all admin passwords and admin users

Sun Jan 03, 2021 9:34 pm

Hi Reinis, I have a similar issue on my 4011 for the last year.. from time to time it just "forgets" all users and creates an "admin" user without password. I can login to the router without password, everything seems normal, everything works, except I cannot do anything with the filesystem - not possible to generate supout.rif file, not possible to export anything to disk.
I observed that it might be connected somehow with tikapp, since this kind of "lockdown" usually happens when I connect to 4011 from tablet / phone via tikapp...
And strange is that when I reboot the device, everything is back to normal - admin is gone, my users are back...no more admin/no password connection possible.... very strange.

It happens sometimes once a month, sometimes every week - it depends how often I use tikapp to connect to the router.
Any ideas? [already had ticket for that, unresolved - 2019092122001626]

> If possible, please repeat the given scenario but now:
> 1) Set up the device as intended
> 2) Generate supout.rif file
> 3) Wait until the same issue appears
> *) If you can, take note of the RouterOS system time (or approximate) and mention it in the e-mail.
> 4) Generate second supout.rif file
>
> Now send both supout.rif files to support@mikrotik.com and describe the issue shortly
 
net4it
just joined
Posts: 1
Joined: Thu Mar 04, 2021 11:29 am

Re: Sudden lost of all admin passwords and admin users

Thu Mar 04, 2021 12:26 pm

We have had exactly the same behaviour on a CCR1036-12G-4S for about 8 months. The system has been in use 24/7 since September 2017.
After a certain time (would say 1 - 2 months) we have the following situation:
- Users on hotspot can't login anymore
- userman page available but not accepting the login credentials
- login on the router only by "admin" without password
- userman database seems in a read-only mode
- filesystem read only as well
- Other user accounts on the router are nonexistent
- Backup not possible because it can't be written
- No new graphing information during this time
- we are not using the tikapp

After a reboot of the router everything works fine.

We have several different MT routers in use:
CCR1036-8G-2S+, RB4011iGS+5HacQ2HnD, CRS125-24G-1S-2HnD, CCR1009-7G-1C-1S+, CRS109-8G-1S-2HnD, 2011L, 2011LS, 1100AHx2

But only this CCR1036-12G-4S is showing that behaviour.

There are three differences to the other routers:
- Dude is installed and active (but nothing configured)
- hotspot is installed and is in use
- userman is installed and is in use

Within the next few weeks I will migrate the config to a new CCR1036-12G-4S to find out if it is a hardware problem or not.
Later on I will upgrade the system to last Long Term OS if this behaviour is not changing (System is still on 6.42.3)

> Hi Reinis, I have a similar issue on my 4011 for the last year.. from time to time it just "forgets" all users and creates an "admin" user without password. I can login to the router without password, everything seems normal, everything works, except I cannot do anything with the filesystem - not possible to generate supout.rif file, not possible to export anything to disk.
> I observed that it might be connected somehow with tikapp, since this kind of "lockdown" usually happens when I connect to 4011 from tablet / phone via tikapp...
> And strange is that when I reboot the device, everything is back to normal - admin is gone, my users are back...no more admin/no password connection possible.... very strange.
>
> It happens sometimes once a month, sometimes every week - it depends how often I use tikapp to connect to the router.
> Any ideas? [already had ticket for that, unresolved - 2019092122001626]

Last edited by net4it on Thu Mar 04, 2021 12:30 pm, edited 1 time in total.
 
luiskcrs
just joined
Posts: 2
Joined: Thu Jul 06, 2017 10:46 pm

Re: Sudden lost of all admin passwords and admin users

Thu Apr 15, 2021 1:11 pm

This is happening to me with a RB1100 Dude Edition. It had been working as expected for more than a year, but last week and today it lost all users and passwords. Just Admin default user.
I can not find any record in log or history, script or anything else as evidence of such change.

I am just running in this router:
- OSPF as routing protocol
- The Dude.
- Some Simple Queues
- Some firewall rules to protect the router from attacks.

I have just found that the HDD is full... so I am going to see if the problem is related to this.

Regards
 
riyadiari
just joined
Posts: 2
Joined: Mon Sep 19, 2011 11:05 am

Re: Sudden lost of all admin passwords and admin users

Fri May 07, 2021 3:01 am

Today it's happening to me. After about 115 days uptime, the password becomes default / no password,
cannot backup, cannot make supout.rif, mikrotik disk is 40% free
CPU temp < 45° ambient temp < 29°
mikrotik version 6.47. CCR1009-7G-1C (about 3 years old). No suspicious log/access from outside
running only some firewall mangle and nat, simple queue, PPPoE server, hotspot server
No DUDE, no routing OSPF igmp, etc

After reboot everything is back to normal, but the password reverts to the one before it happens,/ change/ default.
And all the statistic graphing is lost except for the cpu-memory-disk graph.
Now trying to upgrade to v6.48.2, let's see what happens next...
 
normis
MikroTik Support
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Sudden lost of all admin passwords and admin users

Fri May 07, 2021 8:12 am

riyadiari, something like this could happen in rare cases if the CCR flash disk is corrupted. The fix is to Netinstall the device and then upgrade RouterBOOT from within the latest RouterOS version.
 
mstephens
just joined
Posts: 11
Joined: Tue Jul 05, 2011 5:35 pm

Re: Sudden lost of all admin passwords and admin users

Wed May 26, 2021 12:17 am

We are having the same problem as riyadiari. 2 CCR 1016's. Working fine, then try to login to it, blank password. We tried rebooting one; it came up with the message kernel problem. Ran Netinstall and it has been fine for about a week. Another brand new CCR1016, same problem. We are going to replace both routers. What a shame, they are not cheap, in remote areas and running a lot of traffic. Even after a netinstall you cannot write to anything with any of the scripts. Will get them out of service and onto a bench for testing. Scary, when these things are in production.
 
regin
just joined
Posts: 3
Joined: Wed Aug 31, 2022 9:01 pm
Location: Votuporanga

Re: Sudden lost of all admin passwords and admin users

Tue Feb 27, 2024 8:12 pm

Good afternoon

The same things are happening with my rb. I have a 4011 routerboard with the same problems. I have an open ticket with support number SUP-144744 awaiting a response, but so far I have not received any response.
