There was a WinBox exploit that allowed outsiders to somehow capture user/pwd. Make sure you upgrade FW, wipe files from storage, add a clean config and change user/pwd. You may also want to block all input to the MT except from a whitelist of IP addresses you add to your firewall.

On Tue, Sep 25, 2018 at 3:22 PM TJ Trout <[email protected]> wrote:
> These are mostly customer routers on old firmware ~v5-v6, they are on the latest stable/current which I thought cured the exploit, the stuff I am seeing is usually socks or webproxy enabled for reflection attacks or smtp spam.
>
> I restored the configs back to virgin and they got back in again somehow, I'm going to see if somehow any of the above recommendations were the cause...
>
> On Tue, Sep 25, 2018 at 1:13 PM Jon Langeler <[email protected]> wrote:
>
>> From what version to what versions?
>>
>> Jon Langeler
>> Michwave Technologies, Inc.
>>
>> > On Sep 25, 2018, at 3:52 PM, TJ Trout <[email protected]> wrote:
>> >
>> > I had many mikrotiks exploited, we cleaned them up and disabled all services except winbox and http, updated to the latest firmware and changed passwords.
>> >
>> > Most have input firewall and are unaffected but the ones sitting on the internet seem to keep getting compromised
>> >
>> > Any idea why this could still be occurring? My ASSumption is that the latest release cures the exploit from happening again but I'm confused why this keeps reoccurring?
>> >
>> > Thanks
>> >
>> > TJ
>> > --
>> > AF mailing list
>> > [email protected]
>> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com
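
The following is an added example, not part of the thread: a small Python audit of RouterOS `/export` text for the exposures discussed above (socks or web proxy enabled, winbox/http reachable from any address, no catch-all drop on the input chain). The sample export is constructed, and the script assumes that `/export` omits default values and that the `winbox` and `www` services are enabled with no address limit by default.

```python
import re
import shlex

# Constructed sample in the style of RouterOS "/export" output (not from a real router).
SAMPLE = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list=mgmt
/ip proxy
set enabled=yes
/ip service
set telnet disabled=yes
set winbox address=192.0.2.0/24
/ip socks
set enabled=yes port=4153
"""

def parse_export(text):
    """Yield (menu, verb, args) for each command line of an export."""
    menu = None
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # menu header such as "/ip service"
            continue
        verb, *args = shlex.split(line)
        yield menu, verb, args

def audit(text):
    """Return findings for the exposures named in the thread."""
    findings, input_rules, limited = [], [], set()
    for menu, verb, args in parse_export(text):
        p = dict(a.split("=", 1) for a in args if "=" in a)
        if menu in ("/ip socks", "/ip proxy") and p.get("enabled") == "yes":
            findings.append(f"{menu}: enabled")
        elif menu == "/ip service" and verb == "set" and (p.get("disabled") == "yes" or p.get("address")):
            limited.add(args[0])  # service is off or bound to an allow-list
        elif menu == "/ip firewall filter" and p.get("chain") == "input" and p.get("disabled") != "yes":
            input_rules.append(p)
    # Assumption: export omits defaults, and winbox/www default to enabled with no address limit.
    findings += [f"/ip service {s}: reachable from any address" for s in ("winbox", "www") if s not in limited]
    last = input_rules[-1] if input_rules else {}
    if last.get("action") != "drop" or set(last) - {"chain", "action", "comment"}:
        findings.append("/ip firewall filter: input chain has no final catch-all drop")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result only means these particular settings look closed in the exported config; it says nothing about files on storage or stolen credentials, which the reply above handles separately.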
