Unhacking Your MikroTik Router

Several vulnerabilities and exploits have recently plagued MikroTik users. Specifically, these vulnerabilities affected the RouterOS webfig configuration interface when no firewall was in place to protect it. Granted, you can be critical of MikroTik, but running without a firewall is a user problem, not a MikroTik problem.

MikroTik fixed the vulnerability in the following RouterOS releases:

  • 6.37.5 in the Bugfix channel
  • 6.38.5 in the Current channel

The vulnerability in question was exploited by several malicious tools and affected users of RouterOS who had not upgraded to the fixed versions (or later) and had opened the www service port (TCP port 80) to untrusted networks.

Many users may have unknowingly had their credentials stolen BEFORE their router was upgraded, without the router itself having been tampered with yet. This means many upgraded and thought they were completely safe, until a few weeks ago when strange behaviors started to appear. Specifically, what we have seen is IP blacklisting by game services like PlayStation and Xbox, slow speeds, inability to manage the router and so on. The telltale sign of this hack is a system log that is only one line long. If this has happened to you, the best solution is to clean up the config to remove the hack, export the config, check the export closely, and then Netinstall the router and import the config. Again, this is the most drastic approach, but it is the safest. Here are the things we have seen the hacker do that you will need to clean up:

/system logging

Reset it to 1000 lines

/ip firewall filter

Remove this rule and enable your drop rule if disabled

/ip socks

Disable it

/system scheduler

Delete any scheduled entries you didn’t add. Look for one that starts a script named “port 54321”.

/system script

Delete this script

/system users

The hack adds a user named “system”; delete it.

I saw one router that had a PPP user added. I can’t remember the user name, but check that as well.

Those are the things we have found in many routers, so get your routers cleaned up, change the passwords, add a real set of firewall rules (http://mikrotikconfig.com is a good place to start) and be safe.
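To check the exported config closely before re-importing it, here is an added Python example (not from the post) that scans the text of a RouterOS /export for the indicators listed above. The sample export is constructed, and the checks are assumptions based on the list above, not a complete signature of the compromise.

```python
import re

# Constructed sample of a RouterOS /export showing the indicators the post lists (values made up).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="drop all else" disabled=yes
/ip socks
set enabled=yes port=1080
/system logging action
set memory memory-lines=1
/system scheduler
add interval=1m name=schedule1 on-event="/system script run \\
    \\"port 54321\\"" policy=read,write,test
/system script
add name="port 54321" policy=read,write,test source="..."
/user
add group=full name=system
/ppp secret
add name=vpn1 password=secret service=pppoe
"""

def parse_export(text):
    """Group exported lines by menu path, reassembling backslash-wrapped entries."""
    sections, path, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = line[:-1] + " " if line.endswith("\\") else ""
        if buf or not line or line.startswith("#"):
            continue
        if line.startswith("/"):             # a menu path opens a new section
            path = line
            sections.setdefault(path, [])
        elif path:
            sections[path].append(line)
    return sections

CHECKS = [  # (menu path, regex tested against each exported line, finding)
    ("/system logging action", r"memory-lines=\d{1,3}\b", "log buffer set below 1000 lines"),
    ("/ip socks", r"\benabled=yes\b", "SOCKS proxy enabled"),
    ("/system scheduler", r"54321", "scheduler entry runs the 'port 54321' script"),
    ("/system script", r"54321", "'port 54321' script present"),
    ("/user", r"\bname=\"?system\"?(\s|$)", "user account 'system' present"),
    ("/ip firewall filter", r"action=drop.*disabled=yes", "drop rule is disabled"),
    ("/ppp secret", r".", "ppp secret present; confirm you added it"),
]

def audit_export(text):  # -> [(menu path, finding, offending line), ...]
    sections = parse_export(text)
    return [(path, finding, line) for path, pattern, finding in CHECKS
            for line in sections.get(path, []) if re.search(pattern, line)]
```

Run `audit_export` over the text saved from `/export` and review every line it reports; an empty result only means none of the listed indicators were found.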

Steve Discher

Steve Discher was born in Apple Valley, California and today makes his home in College Station, Texas with his wife and three children. He is a 1987 graduate of Texas A&M University and owns ISP Supplies, a wireless distribution company, and conducts MikroTik training classes. His hobbies include flying his Piper Cub and RV camping with his family.
