creatin
Member Candidate
Topic Author
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Hacked MTiks, any examples?

Sat Jun 27, 2020 3:23 am

Found a lot of topics related to hacking of Mikrotiks.

How do you know or suspect your Mikrotik has been hacked or tampered with?
Any examples of MTIKs which were hacked or tampered with by someone other than local admin?

New scripts were added?
New users created or existing ones modified?
New firewall rules added, existing ones changed?
 
erlinden
Forum Guru
Posts: 1959
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 11:29 am

CPU usage?
And of course you can check the ROS version manually, and you probably know whether any service is available on the WAN side.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 11:59 am

Sorry, removed.
Last edited by msatter on Sat Jun 27, 2020 1:40 pm, edited 2 times in total.
 
creatin
Member Candidate
Topic Author
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 12:27 pm

I was thinking of creating a script which would check the number of users, their names, the number of scripts, and when they were created/modified (if possible).
The script would run every 30-60 seconds and if there's a change it would send an email notification.
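The monitoring script described above, written out as an added example (not code posted in the thread). It snapshots users, scripts and scheduler entries, keeps the snapshot in a global variable across runs, and mails a notice when anything changes; it assumes /tool e-mail is already configured, that admin@example.com is a placeholder recipient, and that a scheduler entry runs it every minute.

```routeros
# Added example, not from the thread: compare users/scripts/scheduler against
# the snapshot taken on the previous run and mail a notice on any difference.
# Assumes /tool e-mail is configured and the script is started from
# /system scheduler (e.g. interval=1m on-event=cfg-watch).
:local snap ""
:foreach u in=[/user find] do={
    :set snap ($snap . "U:" . [/user get $u name] . "/" . [/user get $u group] . "/" . [:tostr [/user get $u address]] . ";")
}
:foreach s in=[/system script find] do={
    :set snap ($snap . "S:" . [/system script get $s name] . "/" . [/system script get $s owner] . "/" . [:tostr [/system script get $s policy]] . ";")
}
:foreach t in=[/system scheduler find] do={
    :set snap ($snap . "T:" . [/system scheduler get $t name] . "/" . [/system scheduler get $t on-event] . ";")
}
# global variables survive between scheduler runs until the next reboot
:global cfgSnapshot
:if ([:typeof $cfgSnapshot] = "nothing") do={
    # first run after boot: store the baseline, nothing to compare yet
    :set cfgSnapshot $snap
    :log info "cfg-watch: baseline stored"
} else={
    :if ($snap != $cfgSnapshot) do={
        :log warning "cfg-watch: change in users/scripts/scheduler detected"
        /tool e-mail send to="admin@example.com" subject=("cfg-watch: change on " . [/system identity get name]) body=("previous:\n" . $cfgSnapshot . "\n\ncurrent:\n" . $snap)
        :set cfgSnapshot $snap
    }
}
```

As the later reply in this thread points out, this only sees what is visible in the RouterOS configuration; a compromise that never touches users, scripts or the scheduler will not trigger it.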
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 1:28 pm

I was thinking of creating a script which would check number of users, their names, number of scripts, when were they created/modified (if possible).
Script would run every 30-60 seconds and if there's a change it would send an email notification.
If you are creating a honeypot to study malware, the above may make sense, but to sniff the Mikrotik's WAN traffic using an external sniffer and analyse it makes more sense.

If you want to detect any intrusion by just a script running on the Mikrotik itself, what will not make you happy is that the fact of the intrusion may not be noticeable in the configuration at all. The configuration is just a front-end to the linux running below, and some vulnerabilities in the past allowed the attackers to retrieve plaintext passwords from the device, so there was no need to create a new user.

Running own scripts, changing the DNS settings etc. are things which are easy to accomplish on machines which are not protected enough (many people keeping the default username admin with no password open for management access from WAN exist in the real world, so it is worth letting a herd of bots crawl the internet and try); more sophisticated attacks are possible too, and people exist who take this more complex way.
 
creatin
Member Candidate
Topic Author
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 6:28 pm

If you want to detect any intrusion by just a script running on the Mikrotik itself, what will not make you happy is that the fact of the intrusion may not be noticeable in the configuration at all. The configuration is just a front-end to the linux running below, and some vulnerabilities in the past allowed the attackers to retrieve plaintext passwords from the device, so there was no need to create a new user.
Basically, making such a script is useless in that case, thanks.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 6:57 pm

You won't get hacked if you use common sense and stick to the default firewall rules until one knows what one is doing.
The obvious is: change the password and the winbox port, and limit access to the router admin to the LAN side.
On the WAN side, only access through a VPN tunnel.
That's about it; then you can stop worrying and enjoy the internet.
 
creatin
Member Candidate
Topic Author
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:01 am

Agree with you :)

How big of a risk is it if user test is created on Mikrotik with read rights only and no password?
Login to this user will be available only from a specific IP (which can be configured in user properties) through ssh from another Mikrotik.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:11 am

Login to this user will be available only from a specific IP (which can be configured in user properties) through ssh from another Mikrotik
Firewall rules are somewhat less prone to vulnerabilities than the per-user address restrictions as the latter work at application level while the former work at the network stack level. So permitting access to the SSH port only for items on a src-address-list in chain=input of the firewall should be safer than setting the same list of addresses under /ip service ssh or under /user.
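The input-chain rules sindy recommends, as an added example (not configuration posted in the thread): SSH is accepted only from hosts on an address list and dropped and logged otherwise, with the application-level restrictions under /ip service and /user kept only as a second layer. 192.0.2.10 is a constructed address standing in for the MikroTik that opens the SSH session; the read-only user test is the one discussed above.

```routeros
# Added example, not from the thread: restrict SSH at the firewall level.
# 192.0.2.10 is a constructed address for the router allowed to SSH in.
/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="hosts allowed to open SSH to this router"
/ip firewall filter
# keep replies to sessions the router itself started and sessions already accepted
add chain=input connection-state=established,related action=accept comment="established/related"
# SSH only from the mgmt list, evaluated before anything else reaches the sshd
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt action=accept comment="SSH from mgmt list"
# everything else to port 22 is dropped; log=yes leaves a record of who tried
add chain=input protocol=tcp dst-port=22 action=drop log=yes log-prefix="ssh-drop" comment="drop other SSH"
# optional second, application-level layer (judged weaker than the firewall in the thread)
/ip service set ssh address=192.0.2.10/32
/user set [find name=test] group=read address=192.0.2.10/32
```

On a router that already has filter rules, use place-before= on the add commands so these rules sit ahead of any broader accept rule; on an AP with an empty input chain, as described in the thread, the order above is the whole chain.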
 
creatin
Member Candidate
Topic Author
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:52 am

Thanks for the tip. The Mikrotik on which user test is set and to which I'll be connecting by ssh doesn't have any firewalls enabled;
it's running as an AP only.
