drdog
just joined
Topic Author
Posts: 10
Joined: Sun Apr 02, 2017 4:02 am

Has my Mikrotik been hacked?

Tue May 16, 2023 3:48 pm

Having read about people noticing unusual scripts in their file system, I had a look at my core RB. Sadly I didn't get screen grabs for all, but I'm fairly confident that:
No scripts on drive
Nothing in scheduler
Nothing in script list.

However I noticed the jobs tab in script list and looked at that. There were 2 jobs running. Later when I reconnected with Winbox there were 3.

So a quick look at other MikroTiks I have - no jobs. I replicated one of the features I had on the dodgy tik - SSTP server. That didn't start jobs.

Interestingly I then connected to the dodgy tik from an Ubuntu VM with Wine + Winbox. No jobs running, but when I later connect to the dodgy tik with the real Win 10 machine (the one hosting the VM), 3 jobs start.

Subsequently I netinstalled ROS and on the default config no jobs. The tik was from eBay (alarm bells I know) BUT I'm pretty confident I netinstalled the OS on it previously - I have a couple of CAPs also from eBay so I had a session of flattening them all before configuring a CAPsMAN arrangement.

So my questions are:

Is it likely that the RB was compromised?
If so what harm could have resulted?
Is it likely that other connected RBs could have been attacked and compromised?
Are any attached computers likely to have been compromised?
Should I bin the dodgy RB (assuming it is) or can it be saved by netinstall? At the mo I don't trust it.
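The checks in the post above (scripts on disk, scheduler entries, the script list, running jobs) were done by eye, which is why the screenshots went missing. The following is an added example, not code from the thread or from MikroTik: a small POSIX shell script that pulls those same RouterOS listings over SSH, writes them to a snapshot file, and diffs later snapshots against a baseline taken straight after netinstall, so a new job, script, scheduler entry, file or user shows up as a diff rather than a memory. The router address, user name and key-based SSH access are assumptions; the RouterOS CLI commands themselves are standard ones.

```shell
#!/bin/sh
# Added example (not from the forum thread or from MikroTik): snapshot the
# RouterOS persistence surfaces the post checked by hand and diff the result
# against a baseline taken right after netinstall.
# ROUTER and ROS_USER are placeholders; key-based SSH access is assumed.

ROUTER="${ROUTER:-192.0.2.1}"
ROS_USER="${ROS_USER:-admin}"

# RouterOS CLI commands whose output should not change on a router that
# nobody has reconfigured. One command per line. The last one also shows
# the RouterBOOT firmware version, which netinstall alone does not touch.
ROS_CHECKS='/system script print
/system scheduler print
/system script job print
/file print
/user print
/system package print
/system routerboard print'

# ros_exec runs one RouterOS command over SSH. snapshot() calls whatever
# ROS_EXEC names, so a test can substitute a local fake for the router.
ros_exec() {
  ssh -o BatchMode=yes "$ROS_USER@$ROUTER" "$1"
}

# snapshot writes every check, each under a "### <command>" header, to $1.
snapshot() {
  out="$1"
  : > "$out"
  printf '%s\n' "$ROS_CHECKS" | while IFS= read -r cmd; do
    printf '### %s\n' "$cmd" >> "$out"
    "${ROS_EXEC:-ros_exec}" "$cmd" >> "$out" 2>&1
  done
}

# compare_snapshot diffs a baseline against a current snapshot. Returns 0
# when they are identical, 1 when anything differs (the unified diff is
# printed so the changed section can be reviewed).
compare_snapshot() {
  baseline="$1"
  current="$2"
  if diff -u "$baseline" "$current"; then
    echo "no change against baseline $baseline"
    return 0
  fi
  echo "CHANGED: inspect the sections shown in the diff above" >&2
  return 1
}

# Usage: the first run after a clean netinstall saves the baseline; later
# runs are compared against it.
#   snapshot baseline.txt
#   snapshot now.txt && compare_snapshot baseline.txt now.txt
```

Running the comparison on a schedule from a trusted machine (not from the router itself) turns the "were there 2 jobs or 3?" question into a line in a diff, and a baseline saved right after netinstall is what makes any later entry meaningful.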
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Has my Mikrotik been hacked?

Tue May 16, 2023 3:56 pm

For all questions the answer is: Yes, it's possible.

Just netinstall your routers if you are not sure about them.
 
R1CH
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Has my Mikrotik been hacked?

Tue May 16, 2023 5:59 pm

Keep in mind routerboot is just another disk partition, while unlikely it's possible for it to be compromised and allow malware to persist post-netinstall. In this case where the scheduler was used, it's more likely that RouterOS itself was compromised rather than the device itself.
 
drdog
just joined
Topic Author
Posts: 10
Joined: Sun Apr 02, 2017 4:02 am

Re: Has my Mikrotik been hacked?

Wed May 17, 2023 8:59 am

For all questions the answer is: Yes, it's possible.

Just netinstall your routers if you are not sure about them.

Thanks for taking the time to reply BartoszP. However your answer could be more informative than just, to paraphrase, "yes to everything". If the RB was compromised it would be helpful to know what risks that brought to devices connected to the compromised RB (other MikroTiks, PCs, phones etc) and what about data security - what information could have been captured/mined?
 
drdog
just joined
Topic Author
Posts: 10
Joined: Sun Apr 02, 2017 4:02 am

Re: Has my Mikrotik been hacked?

Wed May 17, 2023 9:10 am

Keep in mind routerboot is just another disk partition, while unlikely it's possible for it to be compromised and allow malware to persist post-netinstall. In this case where the scheduler was used, it's more likely that RouterOS itself was compromised rather than the device itself.

Thanks R1CH for highlighting this. 2 thoughts:
You suggest the scheduler was used - but it appeared to me that job creation was related to when Winbox connected from a Windows 10 computer but not when Winbox/Wine on an Ubuntu VM connected. I don't know enough about these things; however, is the difference in behaviour significant? Does it point to something other than (just) the scheduler?

As for the routerboot partition - is it possible to look at this in a terminal session and remote (say SSH) to the RB and format/reinstall this partition?
 
Pea
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Has my Mikrotik been hacked?

Wed May 17, 2023 10:01 am

As mentioned, do Netinstall and move on. Use new username and password after this.
https://wiki.mikrotik.com/wiki/Manual:Netinstall
