
 
gosha
Member Candidate
Topic Author
Posts: 147
Joined: Mon Jul 19, 2004 3:14 pm
Location: Tallinn, Estonia

Is there a way to restore config from hijacked mikrotik router?

Fri May 18, 2018 11:57 am

Hello!

I have 5-7 routers that were hijacked and I lost access to them. These routers were never backed up and have pretty big configurations. Is there a way to restore their configuration?


Thanks,
D.
 
normis
MikroTik Support
Posts: 23497
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri May 18, 2018 12:04 pm

No, you can only reset them completely and configure from scratch. This time, I suggest following these guidelines to protect against hijacking of any kind:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
 
gosha

Fri May 18, 2018 12:08 pm

What about re-hijacking this?
 
normis

Fri May 18, 2018 12:09 pm

Since I can't imagine how you lost access to yours, it is impossible to say how to do it again :)
Possibly somebody simply guessed your password.
 
gosha

Fri May 18, 2018 12:15 pm

No, I lost access to about 10 routers, all these routers had vulnerable versions, as described here: viewtopic.php?f=2&t=132368

All routers that were backed up we have already restored with a reset, but a few routers are a little bit difficult to restore...
 
jabberd
just joined
Posts: 24
Joined: Tue Feb 28, 2017 1:10 pm

Sat May 19, 2018 7:09 am

> No, I lost access to about 10 routers, all these routers had vulnerable versions, as described here: viewtopic.php?f=2&t=132368

Are they accessible in any way? I mean any open services there.
 
networkfudge
Trainer
Posts: 119
Joined: Mon May 20, 2013 2:47 pm

Sat May 19, 2018 8:51 am

If these routers have an LCD screen and if it's not locked and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.
MTCNA MTCWE MTCRE MTCINE MTCTCE UWBS UWBA
 
gosha

Sat May 19, 2018 10:03 am

> Are they accessible in any way? I mean any open services there.

Some VPNs work with previous passwords. Which other services should I try?

> If these routers have an LCD screen and if it's not locked and you have physical access, you can maybe restore a previously saved configuration via the LCD screen.

Will check, at least 2 of them have an LCD and it is not locked. Thanks.
 
jabberd

Sat May 19, 2018 3:12 pm

> Some VPNs work with previous passwords. Which other services should I try?

Are there open winbox/web services on these devices? For example, if the winbox service was open before, and after the hijacking it remains open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that existed before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.
 
gosha

Sat May 19, 2018 3:44 pm

> > Some VPNs work with previous passwords. Which other services should I try?
>
> Are there open winbox/web services on these devices? For example, if the winbox service was open before, and after the hijacking it remains open, you've got a chance to get the device back if there's a vulnerable RouterOS version there. The attack vector depends on the conditions that existed before. So it's interesting which of the management services were enabled then, and what has been changed since the attack. And the RouterOS version then and now.

Both winbox and web are open, but all passwords are changed or locked.
 
pe1chl
Forum Guru
Posts: 4800
Joined: Mon Jun 08, 2015 12:09 pm

Sat May 19, 2018 4:09 pm

At least it reminds you (and others) to always make backups and/or exports...
Do you have any idea (e.g. from logs) who the attacker was? Was it 188.92.74.189 that was active the first week of May?
 
jabberd

Sat May 19, 2018 4:09 pm

> Both winbox and web are open, but all passwords are changed or locked.

There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions aren't updated now, you have a chance.
 
Bovens
just joined
Posts: 1
Joined: Sat May 12, 2018 1:03 pm

Sat May 19, 2018 5:22 pm

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.
 
jabberd

Sun May 20, 2018 12:32 am

> Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here.

I don't know, but there's the default setting to automatically send out the results to the server, so it has to be configured properly first. It's just a tool that does its job. If you know of any vulns there, please tell us, so I won't suggest it further.
 
gosha

Sun May 20, 2018 2:11 am

> > Both winbox and web are open, but all passwords are changed or locked.
>
> There's a tool called Router Scan, which recently got the winbox exploit implemented. I think you should give it a try. Probably this tool was used by someone to hijack your devices. And if the RouterOS versions aren't updated now, you have a chance.

It seems that Router Scan does not help, not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me. Any other advice is welcome, please.
 
jabberd

Sun May 20, 2018 2:25 am


> It seems that Router Scan does not help, not sure I got the correct Router Scan... It only shows that my hijacked routers have versions 6.41 and 6.40.6... The main problem is that one of the hijacked routers is 250 km away from me. Any other advice is welcome, please.

The version should be the beta, right from here: http://msk1.stascorp.com/routerscan/prerelease.7z
 
gosha

Sun May 20, 2018 2:32 am

Yes, I got this 2.60 Beta. Entered the IPs, started the scan (added port 8291 also), each router is listed twice, ROS version detected, total results found 7, good results - 0. In the lines with port number 8291 the status is "Can't load main page". When trying to connect from winbox it still reports incorrect login / password...
 
jabberd

Sun May 20, 2018 2:40 am


> Yes, I got this 2.60 Beta. Entered the IPs, started the scan (added port 8291 also), each router is listed twice, ROS version detected, total results found 7, good results - 0. In the lines with port number 8291 the status is "Can't load main page". When trying to connect from winbox it still reports incorrect login / password...

It's hard to tell if it's the same version. If you tried the contents of that prerelease.7z, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.
 
gosha

Sun May 20, 2018 2:43 am

> It's hard to tell if it's the same version. If you tried the contents of that prerelease.7z, then there can be some restriction in the firewall rules or in the services. Btw, there's no need to specify port 8291: RS tries to use HTTP on these ports.

It is the latest needed version, I think, because the needed exploit is listed in the help.
 
gosha

Sun May 20, 2018 2:47 am

Yes, I tried with a clear vulnerable router, this version is working and shows the admin password, but not on the hijacked routers. It seems that they did something to close this exploit...
 
jabberd

Sun May 20, 2018 4:54 am

> Yes, I tried with a clear vulnerable router, this version is working and shows the admin password, but not on the hijacked routers. It seems that they did something to close this exploit...

Is port 8291 open on the hijacked devices?
 
gosha

Sun May 20, 2018 10:05 am

> > Yes, I tried with a clear vulnerable router, this version is working and shows the admin password, but not on the hijacked routers. It seems that they did something to close this exploit...
>
> Is port 8291 open on the hijacked devices?

Yes, it's open. Winbox says login incorrect when trying to connect.
 
jabberd

Sun May 20, 2018 12:56 pm


> Yes, it's open. Winbox says login incorrect when trying to connect.

Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...
 
gosha

Sun May 20, 2018 1:01 pm

> Do you have Telegram/Jabber/Twitter to directly contact me?

Does this forum support personal messages? I have a Telegram account, yes.
 
networkfudge

Sun May 20, 2018 1:04 pm

Have you tried the trick with the LCD screen? I had success with it at a customer site once.
 
jabberd

Sun May 20, 2018 1:07 pm


> I have a Telegram account, yes.

Ok, I'm @jabberd there.
 
gosha

Sun May 20, 2018 1:08 pm

> Have you tried the trick with the LCD screen? I had success with it at a customer site once.

I'm 250 km from my main problem :( It seems that I have a backup from all hijacked routers, but have no access to all of them.
 
gosha

Sun May 20, 2018 5:53 pm

It seems that jabberd found the way. It is possible to use the same exploit, but the hijackers limited the IPs the user can log in from, so it is necessary to connect to the hijacked router via MAC telnet. Currently I'm trying to find a MAC telnet tool for Windows...
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Sun May 20, 2018 9:14 pm

> It seems that jabberd found the way. It is possible to use the same exploit, but the hijackers limited the IPs the user can log in from, so it is necessary to connect to the hijacked router via MAC telnet. Currently I'm trying to find a MAC telnet tool for Windows...

If I were a hijacker, I'd restrict access by MAC telnet as well to protect my "business", so you might have to find out which IP address they've kept open for access, but maybe they actually haven't. Because honestly, if you paid the ransom the anonymous way they likely ask for, they could just say "thank you, stupid" and not give you anything in return, so why should they bother to keep a door open for themselves? Attempting to access the machine from every possible public IP address would likely take months, if not years, and would involve a trip to the site anyway, so better to skip this step and reconstruct the configuration. You can place another router next to the existing one and migrate customers one by one.

The hijackers are totally safe - no one will spend the effort to track down a kidnapper of "a piece of plastic". So the most efficient approach is to deny access, request the money and wait for it. If the money arrives, perfect; if it doesn't, well, they haven't spent that much effort so the loss is not painful. Both branches of the algorithm continue with "do nothing", because any other action would bring only a risk of being tracked, no benefit.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
gosha

Sun May 20, 2018 9:39 pm

A router is not something you will sell later. They did not even close the hole they used to get in.
 
jabberd

Sun May 20, 2018 11:18 pm

There was only one user on the device, with the subnet 199.0.0.0/8 added as the allowed one. It's rather easy then to find a proxy host within this range. Luckily, the vulnerability still worked, and in combination with the working PPTP server it became possible to find another RouterOS device inside the OP's network, from which a mac-telnet connection is possible.
 
sindy

Sun May 20, 2018 11:29 pm

Glad to hear that the attackers are less clever than I had expected.
 
gosha

Mon May 21, 2018 1:19 am

> Glad to hear that the attackers are less clever than I had expected.

Not in all cases, unfortunately, some hijacked routers are inaccessible via mac-telnet...
