Based on those versions you listed, it sounds like the Winbox vulnerability described here: https://forum.mikrotik.com/viewtopic.php?t=133533
Password complexity isn't really the issue since they could connect and download the unencrypted user database file. Firewall off Winbox and/or upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.

On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <n...@blastcomm.com> wrote:

> I just happened to be looking through the Logs of a couple Mikrotiks
> that I didn't have Winbox Firewalled off From the outside world. Someone
> from the outside world logged into winbox today. I had what I 'thought'
> were strong passwords on them. The only active service on the router is
> the Winbox Service.
>
> The only changes that were made was they enabled the 'socks' server, and
> added input firewall rule for the socks port. They were in and out of
> the router in a matter of seconds, so it looks like it was scripted
> somehow.
>
> I'm going through now and changing passwords and verifying all routers
> are locked from the outside. On the routers that I've found this on,
> all the logins were sourced from this same IP Address. So far the
> affected routers I've found were running versions 6.39-6.41.3
>
> Might be a good time to check your logs and access controls.
>
>
> jul/15 02:29:14 system,info,account user admin logged in from
> 194.40.240.254 via winbox
> jul/15 02:29:17 system,info,account user admin logged in from
> 194.40.240.254 via telnet
> jul/15 02:29:18 system,info socks config changed by admin
> jul/15 02:29:18 system,info filter rule added by admin
> jul/15 02:29:19 system,info,account user admin logged out from
> 194.40.240.254 via winbox
> jul/15 02:29:19 system,info,account user admin logged out from
> 194.40.240.254 via telnet
>
> --
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com