lansend
just joined
Topic Author
Posts: 12
Joined: Mon May 23, 2016 7:59 pm

After Hack are we clean ?

Mon Feb 01, 2021 9:14 pm

We have about 8 Mikrotik routers in lights-out remote locations. All routers are on 6.46.3.
There are NVRs behind the router which are accessed remotely. 1 or 2 locations have a computer also.
About 4 of them got hacked.
From what we can see the hacker was attempting to send out emails; bitnija reported back to our ISP with links to logs etc.

We got back into the routers, disabled SSH, restricted Winbox & web access to our IPs & FQDNs.
Removed any settings, users, modifications and address lists set up by hackers. Changed our password and set up web access on a random port. Have not changed the Winbox port.
We primarily use Mikrotik for Dude monitoring. Winbox and Dude use the same port.
1. Will changing the Winbox port affect Dude access?
2. Is there something else we should check? Basically, do the hackers modify the OS to leave a backdoor which will give them access again despite the steps we took above, or are we safe now?
mikrotik-router-hack.txt
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: After Hack are we clean ?

Mon Feb 01, 2021 10:07 pm

I can't comment on Dude access as we do not use it. If you are restricting external access by means of an address lists there is not really a need to change the port(s).

It depends on how determined/clever the hackers were as not everything in the underlying OS is exposed through Winbox or CLI. The only way to be really sure the device is not still compromised is to use netinstall which completely erases the internal flash, and then reconfigure from an export (.rsc) rather than backup (.backup) file.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: After Hack are we clean ?

Mon Feb 01, 2021 10:17 pm

> 2. Is there something else we should check
Check that IP > Web Proxy has not been setup
Check that a VPN user hasn't been created.

To prevent future hacks, you should set up a default deny rule for the input chain (but not limit it to just the WAN, consider your LAN as untrusted too). ** Before you make a default deny rule for the input chain, set up the allow rule for Winbox or you'll lock yourself out of it.

But do consider a netinstall as a way to ensure you removed any malicious settings.
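The checks this post lists, followed by the "allow Winbox first, then default deny" input chain, written out as RouterOS 6.x CLI. This is an added example, not configuration from anyone in the thread; the MGMT_NET list, the 203.0.113.0/24 office range and the 198.51.100.5 Dude server address are constructed placeholders.

```routeros
# Added example: post-compromise audit, then a default-deny input chain.
# Addresses below are constructed placeholders, not real infrastructure.

# --- audit: settings an intruder commonly leaves behind ---
/ip proxy print
# expect "enabled: no"; an open web proxy is a classic relay for spam mail
/ip socks print
# expect "enabled: no"
/ppp secret print
# any PPTP/L2TP/SSTP user you did not create is a backdoor
/user print
# unexpected accounts, or a default "admin" account still present
/system scheduler print
/system script print
# a scheduled script can silently re-add config after you delete it
/ip firewall address-list print
/ip firewall nat print
# dst-nat rules you did not write may forward traffic through the box
/ip service print
# which management services still listen, and on which ports

# --- harden: put the management allow rule BEFORE the final drop ---
# Use Safe Mode (Ctrl+X in the terminal) while editing; if a bad rule cuts
# the session, RouterOS rolls the change back instead of locking you out.
/ip firewall address-list
add list=MGMT_NET address=203.0.113.0/24 comment="office range (constructed)"
add list=MGMT_NET address=198.51.100.5 comment="central Dude server (constructed)"

/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="keep established sessions, including the one you are on"
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=MGMT_NET protocol=tcp \
    dst-port=8291 comment="Winbox and Dude polling, management hosts only"
add chain=input action=accept protocol=icmp comment="ping for monitoring"
# If the NVR or cameras get DHCP or DNS from this router, add accept rules
# for udp dst-port=67 and 53 from the LAN interface above the line below.
add chain=input action=drop comment="default deny: WAN and LAN alike"
```

Rules are evaluated top to bottom, so the order shown (accept rules, then the unconditional drop) is what keeps you connected; a drop placed first makes everything after it unreachable.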
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: After Hack are we clean ?

Mon Feb 01, 2021 10:36 pm

It's not clear to me that you were accessing the routers remotely via VPN.
That is the way to do it, by accessing the LAN, and from the LAN then to the router. Restricting by external IPs is not security.
 
lansend
just joined
Topic Author
Posts: 12
Joined: Mon May 23, 2016 7:59 pm

Re: After Hack are we clean ?

Tue Feb 02, 2021 12:42 am

> It's not clear to me that you were accessing the routers remotely via VPN.
> That is the way to do it, by accessing the LAN, and from the LAN then to the router. Restricting by external IPs is not security.
No, not by VPN; sites are remote, we are virtual. Most sites have the ISP modem, a Mikrotik router with a live WAN IP, an NVR and cameras. The Dude agent on the router reports back to our main Dude router. Basically all we want is to know if and when the NVR or one of the cameras goes down so we can send a tech out to check.
 
lansend
just joined
Topic Author
Posts: 12
Joined: Mon May 23, 2016 7:59 pm

Re: After Hack are we clean ?

Tue Feb 02, 2021 1:19 am

> I can't comment on Dude access as we do not use it. If you are restricting external access by means of an address lists there is not really a need to change the port(s).
>
> It depends on how determined/clever the hackers were as not everything in the underlying OS is exposed through Winbox or CLI. The only way to be really sure the device is not still compromised is to use netinstall which completely erases the internal flash, and then reconfigure from an export (.rsc) rather than backup (.backup) file.
Unfortunately we only have .backup; we learnt about the export option after your post, and we will now do that too. Having said that, other than the fact that the hack could have happened before the backup, is there any other concern?

Thank you
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: After Hack are we clean ?

Tue Feb 02, 2021 2:00 pm

> Having said that, other than the fact that the hack could have happened before the backup, is there any other concern?
The hack very probably happened due to inadequate firewall settings. By simply restoring the (mediocre) config you'll be vulnerable to the same attack again. What you can do is restore the backup only to create a config export (make sure the router is offline during this step). After that, keeping the router offline:
  • netinstall the unit,
  • perform a factory reset,
  • make sure that you have a sound firewall set up. Default firewall rules, available on SOHO units running recent ROS versions, are pretty good. If your router (you did not specify what router models you're using) comes with a blank default firewall ruleset, you'll have to fetch default settings elsewhere ... but stay away from random internet tutorials, they are mostly useless or dangerous.
  • make the minimum changes needed for your particular use case. At this step consider creating a VPN (IPsec) between the remote routers and the central one and use that for Dude connections.

Only after that can the router be placed online again.
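The backup-to-export-to-netinstall sequence described above, as an added RouterOS 6.x walkthrough rather than commands posted by anyone in the thread. The file names, the 198.51.100.5 Dude server and the 203.0.113.0/24 office range are constructed placeholders.

```routeros
# Added example: turn the only surviving .backup into a reviewable text
# export, then rebuild on a netinstalled unit. Names/addresses are constructed.

# Step 1, with the WAN cable UNPLUGGED: load the old binary backup.
# The router reboots with that (possibly tampered) configuration active.
/system backup load name=old-site.backup

# Step 2: write the running configuration out as plain text and fetch it via
# Winbox > Files. Read every line of the .rsc; delete anything you did not
# create (extra users, ppp secrets, proxy/socks, schedulers, nat rules).
# User passwords are never included in an export, so accounts are re-created
# by hand with fresh credentials.
/export file=old-site-config

# Step 3, after netinstall has wiped the flash and the unit boots with
# factory defaults: import only the reviewed export (or paste its lines).
/import file-name=old-site-config.rsc

# Step 4: keep the smallest surface. Winbox and the Dude share tcp/8291, so
# winbox stays enabled but is limited to the central Dude server and office.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,ssh
/ip service set winbox address=198.51.100.5/32,203.0.113.0/24

# Step 5: verify before the WAN cable goes back in.
/ip service print
/user print
/ppp secret print
/ip firewall filter print
```

The `/ip service set winbox address=` restriction is a second layer behind the firewall input chain, not a replacement for it; a router with no drop rule on input still answers on every other port.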
