So I upgraded my Tik to 6.49.8 from 6.48.* about 48 hours ago. Within 24 hours after the upgrade my router was compromised.

Only found out when I was trying to connect to my VPN as I normally do daily.. Had been working fine with no security issues for at least a year..

A list of things that I found changed by the attack when I logged in..

• About 6 new firewall rules had been added to the top of the chain
  SSH service port was now open and had an active user account called "MikroTikSystem"
  Two new address lists had been added with many entries and used for the new firewall rules named "LOCAL" and "WL"
  And of course my backup was deleted that I had just created before upgrading

I must have caught it fairly early because that is all the changes I have found so far.. and SSH showed the user "MikroTikSystem" still active with about 10 active sessions when I was in panic mode

At the very least thought I should log this.. but wonder how this happened after I upgraded.. is SSH service port enabled after an upgrade? and how did the attacker gain access so easily without any account setup.. where did this account come from --> "MikroTikSystem"
After I was able to secure router the attacker gave up.. added a screen capture for some kind of reference..

please export the full conf.

The fact that you still have the ADMIN account active says a lot about why your router has been compromised,
and you don't even know when because often they are compromised in the past, then they are used after some time to not give in 'eye.

From the lack of evidence, but the only sure thing from the screenshot, that you have the admin account active,
I'm assuming it's because of your misconfiguration that they hacked it for you.

The first level of security is how the device is configured.

Cant argue that until I get around to exporting the config..

Perhaps it was already compromised and I did not know.. then by upgrading to the latest stable opened something by default giving unauth access..

I am on my tik regular/daily/weekly with winbox and I typically have a peak at my fw rules when logged in..
sometimes I just leave it open on my second monitor checking performance and usage..

All I can really say is I upgraded to latest stable, not to long after that; vpn stopped responding so I logged in and saw this
MikroTikSystemUser destroying everything.. was hoping maybe someone else came across something similar more specific to this
'MikroTikSystemUser' attack

Remove it from the network, post the config here,
Use netinstall to install a clean version......