Having read about people noticing unusual scripts in their filing system, I had a look at my core RB. Sadly I didn't get screen grabs for all of it, but I'm fairly confident that:
No scripts on drive
Nothing in scheduler
Nothing in script list.
However, I noticed the jobs tab in the script list and looked at that. There were 2 jobs running. Later, when I reconnected with Winbox, there were 3.
So I had a quick look at the other MikroTiks I have: no jobs. I replicated one of the features I had on the dodgy tik, an SSTP server. That didn't start any jobs.
Interestingly, I then connected to the dodgy tik from an Ubuntu VM with Wine + Winbox. No jobs running, but when I connect to the dodgy tik from the real Win 10 machine (the one hosting the VM), 3 jobs start.
Subsequently I netinstalled ROS, and on the default config there were no jobs. The tik was from eBay (alarm bells, I know), BUT I'm pretty confident I netinstalled the OS on it previously: I have a couple of CAPs also from eBay, so I had a session of flattening them all before configuring a CAPsMAN arrangement.
So my questions are:
Is it likely that the RB was compromised?
If so what harm could have resulted?
Is it likely that other connected RBs could have been attacked and compromised?
Are any attached computers likely to have been compromised?
Should I bin the dodgy RB (assuming it is compromised), or can it be saved by netinstall? At the mo I don't trust it.