I found my RB750 crashing due to running out of RAM this evening.Upon deeper investigation, it appeared that unauthorised access had been obtained to the router. Some firewall "drop" rules were disabled and there was a "mikrotik.php" file along with some scripts running.

I found the php file rather quickly although it took a little longer to locate the scripts.

I have upgraded from 6.38.1 to 6.42.6 (I understand there were some patched vulnerabilities) and have changed user passwords. I initially changed these after removing the file/scripts but found there was still a job running after the firmware upgrade. I subsequently changed user passwords again and have not seen it re-appear since.

Other than ensuring I lock down access to any admin interfaces from remote networks (these were a little more open than they should have been), is there anything else I can look for to ensure that I have cleared all traces of this malicious activity?

Had the same issue today. Half our customers were compromised.

Ouch. Well "at least" it's not just me. I've spent 3 hours on it and it seems to have subsided - for now, at least.

Router has now been up 1h6m and the best it has otherwise managed in the past 3.5 hours was 15 mins.

This is *not* fixed in the latest release. This is a new bug.

I am aware you removed this sentence. I just want to make sure - was it completely incorrect claim (ie new attack using old and fixed vulnerability) or is there even slight info suggesting, there might be another NEW vulnerability?

@sjoram: thanks for info! This might actually bring some light into another similar case.

This is *not* fixed in the latest release. This is a new bug.

I am aware you removed this sentence. I just want to make sure - was it completely incorrect claim (ie new attack using old and fixed vulnerability) or is there even slight info suggesting, there might be another NEW vulnerability?

@sjoram: thanks for info! This might actually bring some light into another similar case.

Well I thought it was, now I'm not so sure - but I cannot get any clarification.

We had routers on most firmwares affected. But if it is a compromised userlist which has been used from previous months to attempt to login via winbox, then this would explain it.

So many devices were hacked though I really don't know.

Both cases look identical.

Hello.
My routerboard is hacked two days in a row, every time i rolling back and now i turned off all services except winbox and firewalled it (access from src.adr.list). Will wait.
First time i thought, that my password was hacked or keylogged, but now i see, that a lot of customers affected.

Seems that case is a vulnerability solved at 6.42.1 update. I used 6.41.2 and my router got hacked, after reading that topic i updated (now) viewtopic.php?f=2&t=137147

There was a breach earlier /maybe month ago or so/ and I've changed name of admin account and disable it, create another user with full access, upgrade firmware's /both/ and...the new username was used to access two of my routers. IP address of mikrotik.php script /empty/ was - 95.154.216.164

Got at least one MT hacked also from 95.154.216.151 and mikrotik.php (empty it seems) uploaded.

the "mikrotik.php" is actually not uploaded file. It is downloaded using "fetch" but not deleted. Be glad that those hackers do this silly mistake again and again so we can easily notice that something is wrong.
The fetch has probably two purposes. Firstly it gives remote server notification, that device is hacked and ready to receive commands and secondly if fetched file contain some commands, it may be executed (so attacker actually does not need any remote access - any extra username or changed password, which would show that device is hacked.

Fortunately, I have the logs from my device being captured via syslog.

I am just trawling through these (1700 so far) and appear to have seen the first sign last night of when I noticed problems. This shows a SUCCESSFUL winbox login, followed by SOCKS config changes and scripts being added/removed.

However I can see entries in the logs from much earlier showing mikrotik.php being downloaded repeatedly.

I can find traces back as far as 21st relating to successful winbox logins also showing SOCKS/script changes that were not made during a genuine admin session.

I'm at 4550 syslog entries so far but will keep checking back for more.

I note that a possible exploit was to gain root access via telnet and load a script into flash to run on every boot. I observed after the firmware update/password change that a "job" was still running under scripts, but no script itself was showing, as was the case prior to firmware upgrade. I've not rebooted again since to see if this behaviour returns on next boot, but need to check this as I'm concerned the device may still be compromised. Any ideas?

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?

By default, the internet port is protected and doesn't allow any type of access. If you do not trust your LAN, you should make your own rules, that is true.

There was a breach earlier /maybe month ago or so/ and I've changed name of admin account and disable it, create another user with full access, upgrade firmware's /both/ and...the new username was used to access two of my routers. IP address of mikrotik.php script /empty/ was - 95.154.216.164

Did you change your user/password AFTER the firmware upgrade? I also changed *before* but clearly those were also being compromised. So far, since changing *after* the upgrade, I've seen no further successful attempts.

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?

When you are concerned about security, why did you not upgrade RouterOS for so long and not even after vulnerabilities have been found and patched?
There really is no excuse for running 6.38.1 on a visible device...
But indeed, as Normis also writes, you should not expose the admin interface to internet and also not to your local network when you have thousands
of subscribers there.
The default firewall protects from internet-side access but in your case it could be a good idea to reset to defaults and reconfigure as the default firewall
has improved but a firmware upgrade does not install the new default settings, it just keeps your existing settings which were generated from an old default.

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?

When you are concerned about security, why did you not upgrade RouterOS for so long and not even after vulnerabilities have been found and patched?
There really is no excuse for running 6.38.1 on a visible device...
But indeed, as Normis also writes, you should not expose the admin interface to internet and also not to your local network when you have thousands
of subscribers there.
The default firewall protects from internet-side access but in your case it could be a good idea to reset to defaults and reconfigure as the default firewall
has improved but a firmware upgrade does not install the new default settings, it just keeps your existing settings which were generated from an old default.

You make a fair point regards not upgrading. I notice there is an RSS link on the download page on the web - it would be useful if there was some other method (email?) of notification when there are new releases/changelog.

This is on a home network so there are not "thousands" of subscribers on my LAN side, though I understand there may be for others.

It would appear that some of the default drop rules have been negated due to mis-configuration, which I will get fixed.

There have been a few other issues of functionality I've had of late with ROS, so I'm looking to spin up and explore an instance of an alternative platform.

You can sign up for email notifications from Mikrotik. I also follow Mikrotik's Twitter account and a non-Mikrotik Twitter account for release notices.

There's a subscription field at the bottom of the downloads page: https://mikrotik.com/download

Twitters: @mikrotik_com, @mikrotik_build

Sent from my Pixel XL using Tapatalk

https://blog.mikrotik.com now will have security announcements, it also has RSS feed for the specific "security" category.

I also got it and telnet,ssh,www service where disabled
even to version 6.41.3
which version is affected and how is it injected?

I believe mine may have been this:
http://www.networkinghowtos.com/howto/m ... x-service/

I have seen another post (which I will not reproduce here) detailing the exact steps required to perform the exploit. This leads me to believe my device may still be compromised as the attacker would have gained root access to the operating system and injected some code to run at every boot. I have killed the script set in scheduler to run on every boot, however my device has not been rebooted since the firmware upgrade.

I have a backup and I am planning to run a netinstall to format the flash and reinstall ROS as soon as I can get physical access to the device, probably at the weekend.

found same today, version was 6.39 and also added this script with 95.154.216.164, changed pass, updated routerboard and routeros

I believe mine may have been this:
http://www.networkinghowtos.com/howto/m ... x-service/

Like I said, this was fixed in April. We are not joking, when we suggest to keep your router up to date. And change the passwords once in a while, after upgrading.

Full details https://blog.mikrotik.com