Unhacking Your MikroTik Router

Several vulnerabilities and exploits have recently plagued MikroTIk users.  Specifically, these vulnerabilities affected the RouterOS webfig configuration interface, if no firewall was put in place to protect it.  Granted, you can be critical of MikroTik but after all, running without a firewall is a user problem not a MikroTik problem.

MikroTik fixed the vulnerability in the following RouterOS releases:

  • 6.37.5 in the Bugfix channel
  • 6.38.5 in the Current channel

The vulnerability in question was exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.

Many users may have unknowingly had their credentials compromised BEFORE their router was upgraded, but not yet actually hacked.  This means many upgraded and thought they were completely safe until a few weeks ago when strange behaviors may have been observed.  Specifically what we have seen is IP blacklisting by game sites like Playstation and XBox, slow speeds, inability to manage the router and so on.  The telltale sign of this hack is viewing the system log and it is only one line long.  If this has happened to you, the best solution is to clean up the config to remove the hack, export the config, check the config closely and then Netinstall the router and import the config.  Again, this is the most drastic but the safest approach.  Here are the things we have seen done by the hacker you will need to clean up:

/system logging

Reset it to 1000 lines

/ip firewall filter

Remove this rule and enable your drop rule if disabled

/ip socks

Disable it

/system scheduler

Delete any scheduled entries you didn’t add.  Look for one that starts a script named “port 54321”

/system script

Delete this script

/system users

The hack adds a user “system”, delete that

I saw one router thad had a ppp user added. I can’t remember the user name but check that as well.

Those are the things we have found in many routers so get your routers cleaned up, change the passwords, add a real set of firewall rules (http://mikrotikconfig.com is a good place to star) and be safe.

This entry was posted in MikroTik, News by Steve Discher. Bookmark the permalink.

About Steve Discher

Steve Discher was born in Apple Valley, California and today makes his home in College Station, Texas with my wife and three children. He is a 1987 graduate of Texas A&M University and own ISP Supplies, a wireless distribution company, and conducts MikroTik training classes. His hobbies include flying my Piper Cub and RV camping with my family.

Leave a Reply