

Now when you know, spread the word and share this post with your friends. I can see that there are a lot of attempts from different IP addresses to use the port 4145T on my routers, and all those attempts are blocked. Regardless of whether your device is attacked or not, you should raise your vigilance and monitor your Internet links for any suspicious activities. Just replace the name of your WAN interface and you’re good to go.

ip firewall filter add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop place-before=1

For your convenience, you can download it from this location.

ip firewall filter add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=80 action=drop place-before=1

Execute it and it will do the magic:

/system scheduler remove

I wrote a simple script that will solve the problem in a minute.

Rename it to any other name except root or superuser. Therefore, do not use admin as the account name anymore. I also noticed that this address 95.154.216.163 (located in the UK, according to this site) is active and there were attempts to log in on many routers with the admin account. Therefore, the latest rule (drop all other traffic) will be nullified. This attack will also disable all the rules that have the drop action. Your firewall is compromised and disabled. Consequently, there will be a lot of connections over the WAN link through this port. The scheduled task named scrip3_ that executes this script. Additionally, you will see that the IP SOCKS service is enabled on port 4145. You can see that your router is attacked if you see: A few of my routers with the RouterOS versions 6.38.5, 6.39.x, 6.40.x or even 6.42.3 were attacked. Although this blog claims that this vulnerability is fixed in the RouterOS version 6.38.5, I found that many routers that are not updated to the latest version are infected. This attack exploits vulnerabilities in the Web service. The unknown file named mikrotik.php appears among the files and you have a new script named script3_. I had a few phone calls from my friends during the past few days related to the new hacker attack on the Mikrotik routers.
