Several vulnerabilities and exploits have recently plagued MikroTIk users. Specifically, these vulnerabilities affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it. Granted, you can be critical of MikroTik but after all, running without a firewall is a user problem not a MikroTik problem.
MikroTik fixed the vulnerability in the following RouterOS releases:
- 6.37.5 in the Bugfix channel
- 6.38.5 in the Current channel
The vulnerability in question was exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.
Many users may have unknowingly had their credentials compromised BEFORE their router was upgraded, but not yet actually hacked. This means many upgraded and thought they were completely safe until a few weeks ago when strange behaviors may have been observed. Specifically what we have seen is IP blacklisting by game sites like Playstation and XBox, slow speeds, inability to manage the router and so on. The telltale sign of this hack is viewing the system log and it is only one line long. If this has happened to you, the best solution is to clean up the config to remove the hack, export the config, check the config closely and then Netinstall the router and import the config. Again, this is the most drastic but the safest approach. Here are the things we have seen done by the hacker you will need to clean up:
/system logging
Reset it to 1000 lines
/ip firewall filter
Remove this rule and enable your drop rule if disabled
/ip socks
Disable it
/system scheduler
Delete any scheduled entries you didn’t add. Look for one that starts a script named “port 54321”
/system script
Delete this script
/system users
The hack adds a user “system”, delete that
I saw one router thad had a ppp user added. I can’t remember the user name but check that as well.
Those are the things we have found in many routers so get your routers cleaned up, change the passwords, add a real set of firewall rules (http://mikrotikconfig.com is a good place to star) and be safe.
