Megakoresh
just joined
Topic Author
Posts: 23
Joined: Thu Aug 14, 2014 12:16 am

[Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 12:26 pm

UPDATE:
I got hacked by someone whose IP traced to Hangzhou. This is neither a virus nor a bug. Unfortunately I can't really tell how they got in, but if you notice weird behaviour like speed dropping, go to the logs instantly; that's a lesson I learned. Although I still don't understand why they were bruteforcing the router if they already managed to create an account with full access.

Hello, I wanted to investigate why my CAPsMAN-connected devices experienced very slow download and upload speed, logged in to my hAP using the standard admin account and then found out I can't access the terminal, port settings, connect via SSH and so on. The users table, instead of having a single admin account with full access, now has a "router" account and admin, where admin got its own access group with rather limited (for an admin) access. I never accessed the router since configuring the CAPsMAN 2 weeks ago, and the only thing I did was install the Creators update on my main computer from which I manage everything (it is connected via eth04). Although I should point out that this is the first time I did manual configuration NOT derived from the default (i.e. I pressed "Delete configuration" after factory reset, then upgraded to RouterOS 6.38.1 and then configured that CAPsMAN).

Given the above, it looks like either unintended behaviour (can a RouterOS update on an unconfigured router create a user named "router" and change the admin access rights? Perhaps a bug in settings migration?) or some virus. I ran into another weird problem a month ago, where my old board U951-2HD was constantly dropping UDP packets and deleting the ARP table every 5 seconds. A RouterOS update solved that issue for me last time, but now I can't even update because I can't gain full access to the router.

Any way I could avoid doing a factory reset for this?

Images (screenshots not reproduced here):
- Users table
- Admin user group that I didn't create vs full rights user group
Last edited by Megakoresh on Fri May 05, 2017 2:35 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 12:40 pm

These changes are made manually by someone who had access to the router.
 
Megakoresh
just joined
Topic Author
Posts: 23
Joined: Thu Aug 14, 2014 12:16 am

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 12:53 pm

UPDATE:
Nope, I just got hacked. After reboot whatever they did to the logging got removed and I saw insane spam of login attempts with random usernames from an IP that traced to Hangzhou...
Question is how they managed to get in in the first place. I thought that RouterOS does not allow management connections from outer networks (i.e. device must be directly connected to router).
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 2:41 pm

Wrong. If you use default config (with preconfigured WAN and LAN), RouterOS blocks connection attempts from WAN using the firewall rule:
/ip firewall filter
add chain=input action=drop in-interface=<WAN>
If you start with blank configuration (either reset config with no default, or if you remove default config), you must add a similar firewall rule (or set allowed networks for each service in IP->Services; but not everything can be limited there), otherwise everything is open for the whole world.
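Sob's rule placed inside a fuller input chain, as an added example rather than configuration from this thread; it assumes the WAN port is ether1 and the LAN is 192.168.88.0/24 (both placeholders). The accept for established/related traffic comes first because a bare drop on the WAN interface would also discard replies to connections the router opens itself (DNS, NTP, the update check), and the /ip service lines apply the per-service address limit Sob mentions as a second layer.

```routeros
# Added example, not configuration from this thread.
# Placeholders: WAN interface = ether1, LAN subnet = 192.168.88.0/24.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router opened itself (DNS, NTP, updates)"
add chain=input action=drop connection-state=invalid \
    comment="malformed or out-of-state packets"
add chain=input action=accept protocol=icmp in-interface=ether1 \
    comment="optional: still answer ping from the WAN side"
add chain=input action=accept src-address=192.168.88.0/24 \
    comment="management (WinBox, SSH, web) from the LAN only"
add chain=input action=drop in-interface=ether1 \
    comment="Sob's rule: everything else arriving on the WAN port is dropped"

# Second layer: bind each management service to the LAN subnet and disable
# the ones not in use, so a mistake in the filter above still leaves nothing
# listening for the whole world.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Verify: both tables should read back as configured above.
/ip firewall filter print
/ip service print
```

If the LAN uses a different subnet than 192.168.88.0/24, change it in both the filter rule and the service addresses before applying, or the WinBox session doing the change will lock itself out.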
 
Megakoresh
just joined
Topic Author
Posts: 23
Joined: Thu Aug 14, 2014 12:16 am

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 3:08 pm

Sob wrote:
Wrong. If you use default config (with preconfigured WAN and LAN), RouterOS blocks connection attempts from WAN using the firewall rule:
/ip firewall filter
add chain=input action=drop in-interface=<WAN>
If you start with blank configuration (either reset config with no default, or if you remove default config), you must add a similar firewall rule (or set allowed networks for each service in IP->Services; but not everything can be limited there), otherwise everything is open for the whole world.
Damn, son! I didn't know; I thought this kind of rule was hardcoded into the OS. OK, I added the rules, thanks!
 
whitbread
Member Candidate
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 6:07 pm

Another good idea is to restrict access to services by IP (/ip service). Making services only available from local IP ranges / subnets will help against those attacks and, by the way, did help against the current exploit too.
 
Megakoresh
just joined
Topic Author
Posts: 23
Joined: Thu Aug 14, 2014 12:16 am

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 7:16 pm

whitbread wrote:
Another good idea is to restrict access to services by IP (/ip service). Making services only available from local IP ranges / subnets will help against those attacks and, by the way, did help against the current exploit too.
Yes, that's what I did.
 
k6ccc
Forum Guru
Posts: 1579
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Fri May 05, 2017 8:43 pm

Sorry you got hacked. Several things can be done to make it harder for an internet based address to attack your router. Here are a few suggestions:
1) Of course if you don't need remote access, simply firewall any access from your internet port in the input chain completely.
2) If you do need remote access, determine what services you REALLY need from the internet, and permit only those.
3) Use non-standard ports for services that you really need.
4) If you only need remote access from a very few specific IP addresses, only allow those addresses. For example, most of the time I remote into mine is from work on a specific IP address. Limit access to only that address or addresses.
5) Use of port knocking adds another layer to making it harder for someone to get in. Change the ports from time to time. For example, I have a different Port Knock setup if I'm coming from the one allowed work address vs from any other IP on the internet. If I have to use the "from the internet" Port Knock procedure, I change the ports so even if someone captured what I was doing, it would not work for someone else later.
6) Use only secure formats for your remote access which makes it harder for a man in the middle attack to steal credentials. For example, I generally use WinBox - make sure the "Secure Mode" checkbox is selected.
7) Have a firewall rule that will detect and drop port scanner attempts. Have that log any drops.
8) Use complex passwords, and change them from time to time.
9) Don't use "standard" user account names for administrator access. This is not router related, but it amazes me how many attempts I see in my mail server logs for attempts to send mail via my mail server using accounts of: admin, administrator, MailAdmin, Mailadministrator, SuperUser, SU, PostMaster, and a few others. Guess what - none of those accounts exist.
None of these steps makes it impossible for someone to get in, but each one makes it a little harder.

After you have the various security layers operational, a couple more steps.
1) Check the logs regularly and look for anything that does not look right.
2) From a remote location, test your firewall with a port scanner and make SURE that every open port is accounted for. I use Nmap and scan the most common 1000 ports, and after I'm satisfied with those results, then I scan all 65K ports. Make sure ANY port that is reported can be accounted for. There are also some websites that can do a port scan (but I've never used one so I can't recommend any). BTW, if you have a firewall rule set to detect and drop port scanners, you should disable that rule set prior to attempting an external port scan. Leaving a port scanner rule set turned on while you are running a port scan will give you some interesting results, because you will end up with ports that should have been open not showing up because the port scanner rule set dropped them. Yes, that's how I learned that one. It did verify that the port scanner rule set worked, however, so it's not a bad idea to try a scan once with the port scanner rule set turned on just to make sure that works the way you want it to. REMEMBER to turn your port scanner rule set back on after your port scan attempt!
3) The next step I took was to set up a script that sends me an E-Mail any time anyone logs in or out of the router. That way I will at least know that someone got in. I got the script from the Scripting section here on the forum (I think).
4) Make sure you have a backup of the router configuration, so if you really have to take the last resort and factory restore the router, you can restore your configuration easily. In my case I have the router create both a backup and script file every night. It then sends both of those files to me via E-Mail. That means that I have every night's backup files saved both on my primary PC as E-Mail attachments, and also in the Sent Mail folder on the cloud based E-Mail account that the router uses to send the E-Mail.
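Steps 7 (port-scan detection with logging), 1 (checking logs) and 4 (nightly backups) from k6ccc's list in RouterOS form, as an added example and not his own scripts; placeholders are WAN port ether1 and a LAN syslog host at 192.168.88.10. It swaps in remote syslog for the e-mail-on-login script he mentions: the thread shows that whoever holds full rights can alter the router's local logging, but lines already delivered to another host cannot be recalled.

```routeros
# Added example, not k6ccc's scripts. Placeholders: WAN = ether1,
# syslog collector = 192.168.88.10 (UDP 514).

# Step 7: tag TCP port scans seen on the WAN port, log them, then drop the
# source for a day. The tagging rule passes the packet on to the drop rule.
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 in-interface=ether1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d log=yes log-prefix="PORTSCAN" \
    comment="scanner-detect: tag hosts probing many TCP ports (tune psd to taste)"
add chain=input src-address-list=port-scanners action=drop \
    comment="scanner-detect: drop tagged scanners"
# Before an external Nmap check of your own ruleset, pause just these two
# rules, then re-enable them afterwards, as k6ccc describes:
#   /ip firewall filter disable [find comment~"scanner-detect"]
#   /ip firewall filter enable  [find comment~"scanner-detect"]

# Step 1 (logs): copy account and login-failure events to a LAN syslog host,
# so brute-force spam and new-user events survive tampering on the router.
/system logging action
add name=offbox target=remote remote=192.168.88.10 remote-port=514
/system logging
add topics=account action=offbox
add topics=critical action=offbox
add topics=system,error action=offbox

# Step 4: nightly binary backup plus a readable export kept on the router's
# storage; fetch both off-box (FTP/SFTP from the LAN) as part of the routine.
/system scheduler
add name=nightly-backup start-time=03:00:00 interval=1d \
    on-event="/system backup save name=nightly; /export file=nightly"
```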
 
jabberd
newbie
Posts: 25
Joined: Tue Feb 28, 2017 1:10 pm
Contact:

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Sat May 06, 2017 12:08 am

Megakoresh wrote:
Any way I could avoid doing a factory reset for this?
Yes. You could use a Netwatch trick to gain full privileges and then remove the rogue user.
 
Megakoresh
just joined
Topic Author
Posts: 23
Joined: Thu Aug 14, 2014 12:16 am

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Sat May 06, 2017 11:37 am

jabberd wrote:
Megakoresh wrote:
Any way I could avoid doing a factory reset for this?
Yes. You could use a Netwatch trick to gain full privileges and then remove the rogue user.
That thread... I saw those exact scripts among my files too! Thought they were pretty suspicious, but I tried to run that URL from the script from a VM via a proxy and it said that the domain is on sale. Seems I am not the only one affected by this!
